By default, Windows computers, both the server and client version, download updates from Microsoft's Windows Update servers on the internet. In order to configure Windows hosts to take updates from an internal WSUS server, you need to update the configuration of the Windows Update Client that is built into Windows.
The easiest method of configuring the Windows Update Client is to use Group Policy. You create a Group Policy Object (GPO), configure the policy with server names, and so on, and then assign the policy.
You can apply a single GPO to the domain as a whole (configuring Windows Update Client on every domain-joined host) or apply policies at the site or OU level, depending on the complexity of your WSUS implementation. A small company located in a single site might apply just one policy at the domain level. Large multinational organizations may have multiple WSUS servers around the globe and might need multiple Windows Update policies applied throughout a large multi-forest network.
You run this recipe from your client host, CL1, as configured by the Installing RSAT Tools on Windows 10 and Windows Server 2019 recipe.
- Create the WSUS server URL using the properties returned from the
Get-WsusServercmdlet:$WSUSServer = Get-WsusServer -Name WSUS1.Reskit.Org -Port 8530 $FS = "http{2}://{0}:{1}" $N = $WSUSServer.Name $P = 8530 # default port $WSUSServerURL = $FS -f $n, $p, ('','s')[$WSUSServer.UseSecureConnection] $WSUSServerURL - Create a GPO and link it to the domain:
$PolicyName = 'Reskit WSUS Policy' New-GPO -Name $PolicyName New-GPLink -Name $PolicyName -Target 'DC=RESKIT,DC=Org'
- Add registry key settings to the Group Policy to assign the WSUS server:
# Set computer to use WSUS not WU: $KEY1 = 'HKLMSoftwarePoliciesMicrosoftWindowsWindowsUpdateAU' $RVHT1 = @{ Name = $PolicyName Key = $KEY1 ValueName = 'UseWUServer' Type = 'DWORD' Value = 1} Set-GPRegistryValue @RVHT1 | Out-Null # Set AU options: $KEY2 = 'HKLMSoftwarePoliciesMicrosoftWindowsWindowsUpdateAU' $RVHT2 = @{ Name = $PolicyName Key = $KEY2 ValueName = 'AUOptions' Type = 'DWORD' Value = 2} Set-GPRegistryValue @RVHT2 | Out-Null # Set WSUS Server URL: $KEY3 = 'HKLMSoftwarePoliciesMicrosoftWindowsWindowsUpdate' $RVHT3 = @{ Name = $PolicyName Key = $KEY3 ValueName = 'WUServer' Type = 'String' Value = $WSUSServerURL} Set-GPRegistryValue @RVHT3 | Out-Null # Set WU Status server URL: $KEY4 = 'HKLMSoftwarePoliciesMicrosoftWindowsWindowsUpdate' $RVHT4 = @{ Name = $PolicyName Key = $KEY4 ValueName = 'WUStatusServer' Type = 'String' Value = $WSUSServerURL} Set-GPRegistryValue @RVHT4 | Out-Null - Get a report on the GPO and view it:
$RHT = @{ Name = $PolicyName ReportType = 'Html' Path = 'C:FooOut.htm'} Get-GPOReport @RHT Invoke-Item -Path $RHT.Path
In step 1, you instantiate a WSUS server object that is used in later steps in the recipe. Then you use that object to create the URL that Windows Update Clients use to contact your WSUS server. There is no output from this step.
In step 2, you create a new GPO policy (Reskit WSUS Policy) and assign that policy to the Reskit.Org domain. This means that every domain-joined computer in the Reskit.Org domain is to get updates from WSUS1.Reskit.Org. This step produces output like this:
In step 4, you set values for the WSUS policy GPO. This configures the GPO with the necessary information to enable Windows Update to make use of WSUS in the organization. There is no output from this step.
In step 5, you view a GPO report of the WSUS policy GPO, which looks like this:
In step 2, you created the WSUS policy and linked it to the domain. For very large organizations, separate policies may be appropriate, each linked to separate OUs or sites in your AD. You may even wish, for very large organizations, multiple WSUS implementations around the world.
In step 3, you configured the GPO object with 4 registry-based settings. The recipe used Out-Null to limit the amount of output. If you experiment with this recipe, consider removing the pipe to null to see the output generated.