Using UD Central WSUS

There are two steps required to allow a client to use the Central WSUS service. You must first request client-side target groups, then use group or local policies to direct the client computers to obtain updates from the IT Central WSUS server.

Basic components of WSUS

  • WSUS Server: This is the machine that gathers and distributes updates, patches, etc. In our implementation, it is https://nss-wsus.win.udel.edu
  • Release Groups: Each computer belongs to one release group. Each release group follows a schedule to release various categories of patches and updates for all computers in that group.
    • Each Client-side target group is a member of one release group.
  • Client-Side Target Groups:
    • These groups are set up by the WSUS administrators on the WSUS server as requested by IT Pros.
    • A computer can only be in one group, and the group membership is determined by the target group setting applied by group or local policy on that computer.
    • If the client-side target group is either not specified by group policy or mis-specified (e.g., a spelling error), then the computer will be shown in an Unassigned Computers group.
    • Once the computer joins a client-side target group, it can only be moved or deleted by the WSUS administrator. If it is deleted, then it will join whatever target group is specified; otherwise the value is ignored.
  • WSUS Mailing List: A mailing list (wsus-admins@udel.edu) maintained by WSUS administrators to communicate about patching issues and to discuss service pack/rollup releases.
  • WSUS User List:
    • These are the UDelNet IDs of IT Pros who can access the reporting site and are members of the WSUS mailing list.
    • Changes to list membership should be submitted when client-side target groups are requested or through a request to askit@udel.edu
  • WSUS Reporting Site: This site is where live data can be found on patching status by target or release group, https://metal1.nss.udel.edu/cig-bin/win_requests/wsus.cgi

 

Requesting one or more client-side target groups

In order to request a client-side target group, a unit must first have a win.udel.edu domain Organizational Unit (OU).

  • OU Administrators can request a single client target group (named for the OU) or multiple groups within that OU. For example, the CSS group includes CSS-Servers and CSS-Workstations, which have different settings at the client. This is handy for organizational reasons, since clicking on CSS in the reporting tool will list all machines in both groups. Target groups will be grouped by prefix, so if you have multiple prefixes they cannot be reported on together.
  • To request client-side target groups, the OU Administrator should send a note to askit@udel.edu with the following information:
    • the name of the OU and the requested client-target groups; the name must follow the format OU-(descriptor), for example, CSS-Workstations
    • the release group for each of the client-side target groups (immediate, rapid, delayed, or lab-based)
    • The UDelNet IDs of the departmental IT staff who should be added to the wsus-admins@udel.edu mailing list and have access to the reporting data.

 

Pointing clients to https://nss-wsus.win.udel.edu for updates

In order to “point” a client to the Central WSUS server, the local group policy needs to be changed. This can be done manually on the client or through group policy. Descriptions of each setting can be obtained in the group policy editor or group policy management editor by clicking on the setting. Settings are as follows:

  • Turn off access to Windows Update Features – Disabled (fixes Win8 bug)
  • Allow Automatic Updates immediate installation – Enabled (optional)
    Note: Only applies to updates that do not affect Windows operation or require a restart.
  • Configure Automatic Updates – Enabled (required)
    Notes about Configure Automatic Updates options:
    • 4 – Auto download and schedule the install: appropriate for most workstations.
    • You may wish to choose option 2 for servers to control updating and rebooting.
    • Schedule updates appropriately for your unit.
  • Enable client-side targeting – Enabled (required)
    Note: You must supply the target group as requested, in the form OU or OU-subgroup.
  • No auto-restart with logged on users for scheduled automatic update installation – Enabled (optional)
  • Specify intranet Microsoft update service location – Enabled (required)
    Set both to: https://nss-wsus.win.udel.edu
  • Turn on recommended updates via Automatic Updates – Enabled (optional)
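
To confirm on a client that the required settings above actually took effect, the following added example (not part of the original article) reads the values Group Policy writes to the registry and compares them with what this page specifies. It assumes the standard Windows Update policy registry locations; the default target group `CSS-Workstations` is the page's own example and should be replaced with the group you requested.

```powershell
# Added example: audit a client's Windows Update policy against the required settings listed above.
# Assumption: the settings are stored under the standard Windows Update policy registry keys.
param(
    # Default is the page's example group; pass the client-side target group you requested.
    [string]$ExpectedTargetGroup = 'CSS-Workstations',
    [string]$ExpectedServer      = 'https://nss-wsus.win.udel.edu'
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue([string]$Key, [string]$Name) {
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Required settings: friendly name, registry key, value name, expected data.
$checks = @(
    @{ Setting = 'Intranet update service';      Key = $wuKey; Name = 'WUServer';           Expected = $ExpectedServer }
    @{ Setting = 'Intranet statistics server';   Key = $wuKey; Name = 'WUStatusServer';     Expected = $ExpectedServer }
    @{ Setting = 'Use intranet update service';  Key = $auKey; Name = 'UseWUServer';        Expected = 1 }
    @{ Setting = 'Enable client-side targeting'; Key = $wuKey; Name = 'TargetGroupEnabled'; Expected = 1 }
    @{ Setting = 'Target group name';            Key = $wuKey; Name = 'TargetGroup';        Expected = $ExpectedTargetGroup }
    @{ Setting = 'Configure Automatic Updates';  Key = $auKey; Name = 'NoAutoUpdate';       Expected = 0 }
)

$results = foreach ($c in $checks) {
    $actual = Get-PolicyValue $c.Key $c.Name
    [pscustomobject]@{
        Setting  = $c.Setting
        Value    = $c.Name
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        OK       = ($null -ne $actual) -and ("$actual".TrimEnd('/') -eq "$($c.Expected)".TrimEnd('/'))
    }
}
$results | Format-Table -AutoSize

# AUOptions is reported rather than enforced: the page suggests 4 for most workstations, 2 for servers.
$auOption = Get-PolicyValue $auKey 'AUOptions'
"AUOptions = $auOption"

if ($results.OK -contains $false) {
    Write-Warning 'Required settings differ. A missing or misspelled TargetGroup leaves this computer in Unassigned Computers.'
    exit 1
}
```

Run it from an elevated PowerShell session after `gpupdate /force`; a non-zero exit code makes it usable as a compliance check in a scheduled task or management tool.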


Manually checking for Updates directly from Microsoft

While the clients will be set to point to https://nss-wsus.win.udel.edu, clients can also obtain updates directly from Microsoft at any time by opening the Windows Update control panel applet and clicking on "Check online for updates from Microsoft Update".

Details

Article ID: 379
Created: Fri 7/19/19 1:19 PM
Modified: Thu 12/10/20 10:44 AM