Configuring WSUS and Other Update Options in Windows 7

Before you start

Objectives: Learn how to use Group Policy Editor to configure updates in Windows 7.

Prerequisites: you should know what updates are and what WSUS is.

Key terms: group policy editor, Windows Update, Windows 7, configuration


WSUS Configuration

By default, each Windows client contacts the Microsoft servers on the Internet for updates. We can use local group policies to point our Windows 7 client at a Windows Server Update Services (WSUS) server and download updates from it. A WSUS server resides locally within our network, so clients can get updates from it without having to go through the Internet. To configure this, we open Group Policy Editor by entering gpedit.msc in the search bar. In the editor, we navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update.

Group Policy Editor

As we can see, using Group Policy we can manage almost all of the same settings that we can manage in the Windows Update console. There are a few important policies we need to configure to be able to connect to and download updates from the local update server. The first one is “Specify intranet Microsoft update service location”. If we open this policy, we can enable it and specify the location of the WSUS server.

Update Server Location

In our case the WSUS server is available at “http://w2k9”. The update server and the statistics server are usually the same server. The next thing we can configure is the “Configure Automatic Updates” policy.

Automatic Updates Options

In our case we have configured automatic download and notify for installation every day at 5 pm. Other options are:

  • Notify for download and notify for install
  • Auto download and schedule the install (with this we configure the schedule of when to apply updates)
  • Allow local admin to choose setting

If we disable the “Configure Automatic Updates” policy, Automatic Updates is not used. In this case users can only go to the Windows Update website and then manually download and install updates. If that policy is enabled, users cannot change the configured settings through the Windows Update console. Some of the other group policies are:

  • Enable client-side targeting policy – enables us to allow clients to add themselves automatically to target computer groups on the WSUS server.
  • Reschedule Automatic Updates Scheduled Installations policy – enables us to set the installation to occur between 1 and 60 minutes after the system starts up.
  • No Auto-Restart For Scheduled Automatic Updates and Installations policy – allows Automatic Updates to disregard a required restart when a user is logged on. The user will receive a notification about the restart but is not required to restart the machine.
  • Automatic Updates detection frequency policy – specifies the time period for clients to wait before checking for updates.
  • Allow Automatic Updates immediate installation policy – specifies whether Automatic Updates should automatically install certain updates that do not interrupt Windows Services and don’t force a restart.
  • Delay restart of scheduled installations policy – specifies how long Automatic Updates waits before performing a restart. If not configured, the system waits 5 minutes before restarting. This policy only applies when update installations are scheduled.
  • Re-prompt for restart with scheduled installations policy – specifies how long Automatic Updates waits before prompting the user for a scheduled restart. If not configured, the system prompts every 10 minutes.
  • Allow non-administrators to receive update notifications policy – allows us to deliver update notifications when a non-administrator user is logged on to the computer.
  • Do not display ‘Install Updates and Shut Down’ option in Shut Down Windows dialog box policy – when enabled, the install update option will not be displayed. In this case, users will be unable to choose not to install the updates, and updates will be installed when they try to shut down the computer.

In our case we will also enable the “Turn on Software Notifications” policy and the “Turn on recommended updates via Automatic Updates” policy. If we now open the Windows Update console, we will notice that the interface looks a little different. It now tells us that we receive updates “managed by your system administrator”. That basically means we are contacting a local update server.

Windows Update Console

Now, we can actually force Windows Update in Windows 7 to contact the Microsoft update server on the Internet, while the local policy stays the same. We can do that by clicking the “Check online for updates from Windows Update” option in the Windows Update console.

Check Online Option

We can also use an elevated command prompt to check for updates. To do that we can enter the command:

wuauclt /detectnow

The Windows Update Automatic Updates command-line tool (wuauclt) will contact the local Windows update server and try to register for updates and then download available updates. The WSUS server will scan the client to see what updates it has installed and what updates it needs. At the WSUS server we could see the status of our Windows 7 client computer, but that’s a topic for another article.
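
To check that the policies configured above actually reached the client, we can read the values they write under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. The script below is an added example, not part of the original article; the function names are hypothetical and the sample values are constructed to mirror the settings used here (server http://w2k9, auto download and notify for install).

```powershell
# Added example: audit the registry values written by the Windows Update policies.
# Function names are hypothetical; the sample hashtable is constructed.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuOptionNames = @{
    2 = 'Notify for download and notify for install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

function Read-WuPolicy {
    # Merge the WindowsUpdate key and its AU subkey into one hashtable.
    $policy = @{}
    foreach ($path in $WuKey, "$WuKey\AU") {
        $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($item) {
            $item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { $policy[$_.Name] = $_.Value }
        }
    }
    return $policy
}

function Test-WuPolicy([hashtable]$Policy) {
    $findings = @()
    if (-not $Policy.WUServer) {
        $findings += 'WUServer not set: client uses the Microsoft servers on the Internet'
    } else {
        if ($Policy.UseWUServer -ne 1) {
            $findings += 'UseWUServer is not 1: the WUServer value is ignored'
        }
        if ($Policy.WUServer -notmatch '^https://') {
            $findings += "WUServer '$($Policy.WUServer)' is not HTTPS: update traffic is unencrypted"
        }
        if ($Policy.WUStatusServer -ne $Policy.WUServer) {
            $findings += 'WUStatusServer differs from WUServer'
        }
    }
    if ($Policy.NoAutoUpdate -eq 1) {
        $findings += 'Configure Automatic Updates is disabled: updates are manual only'
    } elseif ($Policy.ContainsKey('AUOptions')) {
        # ScheduledInstallDay/ScheduledInstallTime are only acted on when AUOptions is 4.
        $findings += "AUOptions $($Policy.AUOptions): $($AuOptionNames[[int]$Policy.AUOptions])"
    }
    return $findings
}

# Constructed sample mirroring this article's settings.
$sample = @{ WUServer = 'http://w2k9'; WUStatusServer = 'http://w2k9'; UseWUServer = 1; NoAutoUpdate = 0; AUOptions = 3 }
Test-WuPolicy $sample
```

On a live client, run `Test-WuPolicy (Read-WuPolicy)` from an elevated PowerShell prompt after the policy has been applied.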