Install and Configure Windows Server Update Services 3.0 - Part 2
February 19th, 2008
This is the second part of a two-part article on Installing and Configuring WSUS 3.0. The first part can be found here.
Configuring WSUS 3.0
The WSUS 3.0 configuration wizard can be run immediately after installation or at a later time. To change the configuration later, run the WSUS Server Configuration Wizard from the Options page of the WSUS 3.0 Admin console.
Choose the upstream server
- Click Next in the Before you begin section. We don’t have to worry about this since we have no proxy server or corporate firewalls to configure.
- In the next screen I opted out of the Microsoft Improvement Program.
- On the Choose Upstream Server page, select the source from which this server will get its updates (Microsoft Updates or another WSUS server). I chose Synchronize from Microsoft Updates.
- This installation assumes no proxy server configuration and a single upstream server, so you are finished with this step; just click Next.
Connect to the upstream server
- Click the Start Connecting button, which will save and upload your settings and then download information about available updates, products and classifications.
- If there are problems with the connection, use the Stop Connecting button.
- After a successful connection, click Next then go on to the Choose Languages page and click Next.
- In the Choose Products and Choose Classifications sections I chose the items most pertinent to my clients' environments.
- In the Configure Sync Schedule page I chose to synchronize on a schedule - around 2am for my WSUS server. Click Next and you’ll see that although you’ve scheduled a scan later, the server will do an immediate initial synchronization with the Microsoft Update site. Remember, the initial sync operation will take some time. Click Next and then Finish.
Creating Computer Groups
While your WSUS server is synchronizing, you can go ahead and plan out what computer groups you’d like to set up in the WSUS Admin console. This will depend on your environment. Maybe you’d like to group your update clients in a manner similar to your AD OUs, or maybe by floors or physical locations? It might also be a good idea to have a test group to vet any new updates. If the test group okays the updates, they are clear to push to the remainder of your organization.
Creating groups is very easy. Open the WSUS Admin console, locate the Computers node, right-click and select Add Computer Group. Name your Computer group and click OK.
Configure Client Updates
There are two methods of ensuring Automatic Update clients are receiving updates from your WSUS server. The first is by using Group Policy and the second is by configuring the client registries or the Local Group Policy Object. Since I’m using AD, I will use the former Group Policy method.
First of all, you must upgrade all XP clients to SP2 if you have not already done so, as SP2 has the latest compatible version of Automatic Updates that syncs with WSUS. Vista clients require no upgrade. As for Windows 2000 or 98, you’re on your own.
After ensuring all clients are either Vista or XP SP2, I’m going to create a GPO to configure client updating.
Microsoft recommends that you not use the Default Domain Policy to configure client updates, so I went ahead and created a new one (WSUS Domain Policy) and added it to my Admin MMC console. I’m controlling my WSUS Policy from my DC, but you can really use any system you want. However, you need to ensure that the WSUS Administrative Template is loaded. To do that, simply click the Administrative Templates node (either one will do), then from the main menu select Action, click Add/Remove Templates, click Add, and select wuau.adm. In the Add/Remove Templates dialog box, click Close. You might already have the Administrative template; if so, that’s one less step for you.
To configure Automatic client updates we’ll need to edit the WSUS Domain Policy I created earlier. Simply follow these steps:
Configure Automatic Updates
- In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components and then click Windows Update.
- In the details pane, click Configure Automatic Updates
- Click Enabled. You will also see several Update options. I won’t go into the details of each one. They are self-explanatory. I chose to Auto download and schedule the install so as to keep things as automated as possible.
Next, we’ll need to specify the location where the clients attempt to download updates, specifically our WSUS 3.0 server.
Specify intranet Microsoft Update service location
- In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components and then click Windows Update.
- In the details pane, click Specify Intranet Microsoft update service location
- Click Enabled and type the HTTP(S) URL of the same WSUS server in the Set the intranet update service for detecting updates box and in the Set the intranet statistics server box. For example, type http(s)://servername in both boxes, where servername is the name of the server. If the port is not 80 for HTTP or 443 for HTTPS, you should add the port number: https://servername:portnumber
Automatic Update detection frequency
The specifics of this policy deal with how often clients check for new updates. It’s in the same node as the two above examples. I’ve set mine to check every 12 hours.
Command-line Options
Usage of the command line can come in handy sometimes. To immediately enforce any Group Policy updates, simply type:
gpupdate /force
To force a client to detect its assigned WSUS Intranet server, type:
wuauclt.exe /detectnow
In addition, if you are using client-side targeting to assign group computer membership, type the following to initiate detection and update group membership:
wuauclt.exe /resetauthorization /detectnow
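To confirm that the three policies configured above actually reached a client, you can audit the values they write to the registry. This is an added example, not part of the original article: the value names are the ones written by the Windows Update administrative template, while the function names, the server name wsus01 and the sample values are assumptions.

```powershell
# Added example: audit the Windows Update policy values on a WSUS client.
$WU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusPolicy {
    # Merge the WindowsUpdate policy key and its AU subkey into one hashtable.
    $policy = @{}
    foreach ($path in $WU, "$WU\AU") {
        $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($item) {
            $item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { $policy[$_.Name] = $_.Value }
        }
    }
    $policy
}

function Test-WsusPolicy {
    param([hashtable]$Policy, [string]$ExpectedServer, [int]$ExpectedHours = 12)
    $f = @()
    # "Specify intranet Microsoft update service location"
    if ($Policy['UseWUServer'] -ne 1) { $f += 'UseWUServer is not 1; the intranet server is ignored' }
    if ($Policy['WUServer'] -ne $ExpectedServer) {
        $f += "WUServer is '$($Policy['WUServer'])', expected '$ExpectedServer'"
    }
    if ($Policy['WUStatusServer'] -ne $Policy['WUServer']) {
        $f += 'WUStatusServer differs from WUServer'
    }
    if ("$($Policy['WUServer'])" -like 'http://*') {
        $f += 'Note: WUServer uses http, so update traffic to WSUS is not encrypted'
    }
    # "Configure Automatic Updates": 4 = auto download and schedule the install
    if ($Policy['NoAutoUpdate'] -eq 1) { $f += 'Automatic Updates is disabled (NoAutoUpdate=1)' }
    if ($Policy['AUOptions'] -ne 4) { $f += "AUOptions is '$($Policy['AUOptions'])', expected 4" }
    # "Automatic Updates detection frequency"
    if ($Policy['DetectionFrequencyEnabled'] -ne 1 -or $Policy['DetectionFrequency'] -ne $ExpectedHours) {
        $f += "Detection frequency is not enforced at $ExpectedHours hours"
    }
    if ($f.Count -eq 0) { 'OK: policy matches the expected WSUS settings' } else { $f }
}

# Constructed sample values (not from a real client); wsus01 is a placeholder name.
$sample = @{
    WUServer = 'http://wsus01'; WUStatusServer = 'http://wsus01'; UseWUServer = 1
    NoAutoUpdate = 0; AUOptions = 4; DetectionFrequencyEnabled = 1; DetectionFrequency = 22
}
Test-WsusPolicy -Policy $sample -ExpectedServer 'http://wsus01'

# On a client, after gpupdate /force:
# Test-WsusPolicy -Policy (Get-WsusPolicy) -ExpectedServer 'http://wsus01'
```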
Conclusion
I’ve touched upon one simple implementation of WSUS 3.0 - there are many other, more complex scenarios however. This is definitely a product that Windows IT Administrators can put to good use, with minimal effort.