How to Setup, Manage, and Maintain WSUS
Create Required AD Groups
Create at least these groups. Yes, you want a Deny group for each ring: it is always useful for troubleshooting, and without one it is much harder to work out where to remove the computer or GPO from. Do not forget that deny takes precedence over everything, so if you put a computer in a Deny group for troubleshooting you are 100% guaranteed the GPO will not apply to it. The Deny groups will likely all sit empty.
ACL_GPO.WSUS - Servers - Ring 1 - Test-Servers_Apply
ACL_GPO.WSUS - Servers - Ring 1 - Test-Servers_Deny
ACL_GPO.WSUS - Servers - Ring 2 (4AM) - Automatic_Apply
ACL_GPO.WSUS - Servers - Ring 2 (4AM) - Automatic_Deny
ACL_GPO.WSUS - Servers - Ring 3 (2AM) - Automatic_Apply
ACL_GPO.WSUS - Servers - Ring 3 (2AM) - Automatic_Deny
ACL_GPO.WSUS - Workstations - Ring 1 - Test-Workstations_Apply
ACL_GPO.WSUS - Workstations - Ring 1 - Test-Workstations_Deny
Note: We are not creating groups for the “WSUS – Workstations – Ring 2 – Broad” and “WSUS – Servers – Ring 4 – Manual” GPOs, as they will be treated as the defaults unless the system is a member of another group that overrides the default.
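As an added example (not part of the original article), the following PowerShell creates the Apply/Deny group pairs listed above as domain local security groups, skipping any that already exist, and then reports any Deny group that is not empty. That last check is the one worth scheduling: a computer forgotten in a Deny group silently stops receiving that ring's updates. The OU path is an assumption; the group names are the ones from the list.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory module
# (RSAT) and rights to create groups in $GroupOu, which is a placeholder path.
Import-Module ActiveDirectory

$GroupOu = 'OU=GPO Scoping,OU=Groups,DC=corp,DC=example'   # assumption: where your ACL groups live

# Ring names exactly as in the article; each gets an _Apply and a _Deny group.
$Rings = @(
    'Servers - Ring 1 - Test-Servers',
    'Servers - Ring 2 (4AM) - Automatic',
    'Servers - Ring 3 (2AM) - Automatic',
    'Workstations - Ring 1 - Test-Workstations'
)

function New-WsusRingGroups {
    param([string[]]$Rings, [string]$Path)
    foreach ($ring in $Rings) {
        foreach ($suffix in 'Apply', 'Deny') {
            $name = "ACL_GPO.WSUS - ${ring}_${suffix}"
            # Idempotent: re-running the script must not fail on groups that already exist.
            if (Get-ADGroup -Filter "Name -eq '$name'") { continue }
            $desc = if ($suffix -eq 'Apply') { "Computers that receive the '$ring' WSUS GPO" }
                    else { "Troubleshooting only: members are denied the '$ring' WSUS GPO. Keep empty." }
            New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security `
                        -Path $Path -Description $desc
        }
    }
}

function Get-WsusDenyGroupMembers {
    # One row per member of any *_Deny ring group. Outside active troubleshooting this
    # should return nothing; anything listed here is a computer that is not being patched.
    Get-ADGroup -Filter "Name -like 'ACL_GPO.WSUS - *_Deny'" | ForEach-Object {
        $group = $_
        Get-ADGroupMember -Identity $group | ForEach-Object {
            [pscustomobject]@{ DenyGroup = $group.Name; Member = $_.Name; Type = $_.objectClass }
        }
    }
}

New-WsusRingGroups -Rings $Rings -Path $GroupOu
Get-WsusDenyGroupMembers | Format-Table -AutoSize
```

Run `Get-WsusDenyGroupMembers` on its own from a scheduled task or monitoring job; an empty result is the expected state.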
Apply Scoping to GPOs
You will need to apply your new AD groups to your GPOs.
- WSUS – Workstations – Ring 1 – Test-Workstations
  - In the Scope tab, remove Authenticated Users and add: ACL_GPO.WSUS - Workstations - Ring 1 - Test-Workstations_Apply
  - Go to the Delegation tab and add Authenticated Users with Read permission.
  - Click on the Advanced button and add: ACL_GPO.WSUS - Workstations - Ring 1 - Test-Workstations_Deny with Deny on “Apply group policy”.
- WSUS – Servers – Ring 1 – Test-Servers
  - In the Scope tab, remove Authenticated Users and add: ACL_GPO.WSUS - Servers - Ring 1 - Test-Servers_Apply
  - Go to the Delegation tab and add Authenticated Users with Read permission.
  - Click on the Advanced button and add: ACL_GPO.WSUS - Servers - Ring 1 - Test-Servers_Deny with Deny on “Apply group policy”.
- WSUS – Servers – Ring 2 – Automatic 4AM
  - In the Scope tab, remove Authenticated Users and add: ACL_GPO.WSUS - Servers - Ring 2 (4AM) - Automatic_Apply
  - Go to the Delegation tab and add Authenticated Users with Read permission.
  - Click on the Advanced button and add: ACL_GPO.WSUS - Servers - Ring 2 (4AM) - Automatic_Deny with Deny on “Apply group policy”.
- WSUS – Servers – Ring 3 – Automatic 2AM
  - In the Scope tab, remove Authenticated Users and add: ACL_GPO.WSUS - Servers - Ring 3 (2AM) - Automatic_Apply
  - Go to the Delegation tab and add Authenticated Users with Read permission.
  - Click on the Advanced button and add: ACL_GPO.WSUS - Servers - Ring 3 (2AM) - Automatic_Deny with Deny on “Apply group policy”.
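The same Scope and Delegation changes can be scripted and, more usefully, audited. The block below is an added example (not the article's own), written against the GroupPolicy and ActiveDirectory modules. `Set-GPPermission` cannot write Deny entries, so the Deny on “Apply group policy” is written straight to the GPO's AD object ACL using the well-known extended-right GUID for that right. The GPO and group names are passed in as parameters; the usage lines at the bottom use the article's names with plain hyphens, which is an assumption about how you typed them.

```powershell
# Added example, not from the original article. Assumes the GroupPolicy and
# ActiveDirectory modules and rights to edit the GPO and its AD object.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Extended right "Apply Group Policy" (well-known AD rightsGuid).
$ApplyGroupPolicyRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Set-WsusGpoScope {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$ApplyGroup,
        [Parameter(Mandatory)][string]$DenyGroup
    )
    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop

    # Scope tab: Authenticated Users keeps Read only (-Replace drops its Apply);
    # the _Apply group gets Read + Apply.
    Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
                     -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Guid $gpo.Id -TargetName $ApplyGroup -TargetType Group `
                     -PermissionLevel GpoApply | Out-Null
    # Delegation > Advanced adds the _Deny group with Read allowed...
    Set-GPPermission -Guid $gpo.Id -TargetName $DenyGroup -TargetType Group `
                     -PermissionLevel GpoRead | Out-Null

    # ...and "Apply group policy" denied. Written last so the GP cmdlets above
    # cannot rewrite the ACL after it.
    $adPath = "AD:\$($gpo.Path)"
    $acl  = Get-Acl -Path $adPath
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        (Get-ADGroup -Identity $DenyGroup).SID,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ApplyGroupPolicyRight)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $adPath -AclObject $acl
}

function Test-WsusGpoScope {
    # Audit: the most common mistake is leaving Authenticated Users with Apply,
    # which hands the ring to every computer regardless of group membership.
    param([string]$GpoName, [string]$ApplyGroup, [string]$DenyGroup)
    $perms = Get-GPPermission -Name $GpoName -All
    [pscustomobject]@{
        Gpo                          = $GpoName
        AuthenticatedUsersStillApply = [bool]($perms | Where-Object {
            $_.Trustee.Name -eq 'Authenticated Users' -and $_.Permission -eq 'GpoApply' })
        ApplyGroupHasApply           = [bool]($perms | Where-Object {
            $_.Trustee.Name -eq $ApplyGroup -and $_.Permission -eq 'GpoApply' -and -not $_.Denied })
        DenyGroupDenied              = [bool]($perms | Where-Object {
            $_.Trustee.Name -eq $DenyGroup -and $_.Denied })
    }
}

$ring = @{
    GpoName    = 'WSUS - Servers - Ring 1 - Test-Servers'
    ApplyGroup = 'ACL_GPO.WSUS - Servers - Ring 1 - Test-Servers_Apply'
    DenyGroup  = 'ACL_GPO.WSUS - Servers - Ring 1 - Test-Servers_Deny'
}
Set-WsusGpoScope @ring
Test-WsusGpoScope @ring   # expect AuthenticatedUsersStillApply = False, the other two True
```

Repeat the splatted call for each ring GPO. If GPMC reports that the permissions in SYSVOL are inconsistent with AD the next time you open the GPO, let it synchronise them; `Test-WsusGpoScope` is safe to run at any time and is a quick way to confirm nobody has put Authenticated Users back on the Scope tab.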
Now, depending on how your network is laid out, you may want to link the other GPOs to OUs, or create security groups and make computers members of them instead. Either way works, or a combination of both. I will explain a combination of both.
Location GPOs
Scenario 1:
You have a single WSUS server, or you want all systems to pull from a single WSUS server.
Link the “WSUS – Location” GPO at the domain level. This will ensure that all devices attached to the domain will look at this WSUS Server for updates.
Scenario 2:
You have 2 WSUS servers, one located at head office, the other located at a satellite office. When a system is at the head office, you want the computer to pull updates from the main WSUS server. When a system is at the satellite office, you want the computer to pull from the local WSUS server in the satellite office.
Link the “WSUS – Location – Head Office” GPO at the domain level. This will ensure that all devices attached to the domain will look at the head office WSUS Server by default for updates.
You must have AD Sites & Services configured correctly, as a logical network that reflects the physical network. You can then expose the site level in GPMC by right-clicking “Sites” under the forest, choosing “Show Sites”, and selecting all sites.
Now in GPMC, you can link the “WSUS – Location – Satellite Office” GPO to the satellite site location.
This way when a user travels to another site temporarily or permanently, they will receive updates locally from the downstream server rather than traversing your site links.
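Scenario 2 as an added PowerShell example (not from the original article). It links the head office GPO at the domain root, checks that the satellite site actually has subnets assigned before relying on it, and then links the satellite GPO at the site, which is the same link that GPMC exposes after “Show Sites”. The site name and GPO names are assumptions.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory and
# GroupPolicy modules; site and GPO names below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain            = Get-ADDomain
$HeadOfficeGpo     = 'WSUS - Location - Head Office'
$SatelliteGpo      = 'WSUS - Location - Satellite Office'
$SatelliteSiteName = 'Satellite-Office'   # assumption: your AD site name for the satellite office

function Add-GpLinkIfMissing {
    # New-GPLink errors if the GPO is already linked to the target, so check first.
    param([string]$GpoName, [string]$Target)
    $links = (Get-GPInheritance -Target $Target -Domain $Domain.DNSRoot).GpoLinks
    if (-not ($links | Where-Object DisplayName -eq $GpoName)) {
        New-GPLink -Name $GpoName -Target $Target -Domain $Domain.DNSRoot -LinkEnabled Yes | Out-Null
    }
}

function Get-SiteSubnets {
    # A site link only matters for computers whose IP falls inside one of the site's
    # subnets; a computer matching no subnet is not in the site and keeps using the
    # domain-level (head office) location GPO.
    param([string]$SiteName)
    $site = Get-ADReplicationSite -Identity $SiteName -ErrorAction Stop
    Get-ADReplicationSubnet -Filter * | Where-Object Site -eq $site.DistinguishedName
}

# Step 1: the head office GPO at the domain root is the default for every domain member.
Add-GpLinkIfMissing -GpoName $HeadOfficeGpo -Target $Domain.DistinguishedName

# Step 2: refuse to link at a site that has no subnets; fix Sites & Services first.
$subnets = Get-SiteSubnets -SiteName $SatelliteSiteName
if (-not $subnets) { throw "Site '$SatelliteSiteName' has no subnets assigned." }
"Site $SatelliteSiteName covers: $($subnets.Name -join ', ')"

# Step 3: link the satellite GPO at the site object itself.
$siteDn = (Get-ADReplicationSite -Identity $SatelliteSiteName).DistinguishedName
Add-GpLinkIfMissing -GpoName $SatelliteGpo -Target $siteDn
```

On a client at the satellite office, `gpresult /r /scope computer` should then list the satellite location GPO and `nltest /dsgetsite` should return the satellite site name; if the site name is wrong, the subnet mapping is what to fix, not the GPO.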
Large Sites
Do not forget, a single WSUS server (with appropriately sized hardware) can service up to 100,000 clients using the WID with the default configured limit of 30,000 clients. That’s a LOT of client machines connecting to 1 WSUS server!
If you have a large site and your hardware is not handling a single WSUS server well, consider splitting up your WSUS deployment to include multiple downstream servers within the same site. You can then combine a GPO that is either linked to a separate OU or scoped to a domain local group containing the systems that should use this server rather than the upstream server within the same site. With GPO ordering, linking to sites, and scoping to domain local security groups, you can build a WSUS deployment that scales to the largest environments. In addition, you can use load balancing and high availability options for WSUS by utilizing a shared remote SQL database (although there is a better alternative of using downstream servers instead of a high availability node. Do you really think a Windows Update store has a reason to be high availability?).
Linking your GPOs
If you have your computers in a single OU or single OU Structure, apply both the GPOs to this OU.
- WSUS – Workstations – Ring 1 – Test-Workstations
- WSUS – Workstations – Ring 2 – Broad
If you have your servers in a single OU or single OU Structure, apply the GPOs to this OU.
- WSUS – Servers – Ring 1 – Test-Servers
- WSUS – Servers – Ring 2 – Automatic 4AM
- WSUS – Servers – Ring 3 – Automatic 2AM
- WSUS – Servers – Ring 4 – Manual
Do not forget that the Domain Controllers OU is separate. For Domain Controllers, it is best to put them in Ring 2 and Ring 3 so they restart at different times, so link both of those GPOs to the Domain Controllers OU. Optionally, add Ring 4 as well.
- WSUS – Servers – Ring 2 – Automatic 4AM
- WSUS – Servers – Ring 3 – Automatic 2AM
- WSUS – Servers – Ring 4 – Manual (Optional)
Ordering Your GPOs
Ordering your GPOs is VERY important. If you do not order them properly, they will not apply properly, and you will take a lot of time troubleshooting why things are not working the way you would like them to work.
In GPMC, click on one of the OUs you have applied these policies to. This shows the Linked Group Policy Objects tab with the link order. In this window, the group policies apply from the bottom to the top.
We want our rings to apply in reverse order (Ring 4 first, Ring 3 second, Ring 2 third, and Ring 1 fourth). That means the WSUS GPOs must sit in ascending ring order in the link-order list, Ring 1 nearest the top; they can be anywhere within the overall list as long as that relative order holds.
| Link Order | GPO |
| --- | --- |
| 1 | Some GPO that will apply after all WSUS ones |
| 2 | WSUS – Servers – Ring 1 – Test-Servers |
| 3 | WSUS – Servers – Ring 2 – Automatic 4AM |
| 4 | WSUS – Servers – Ring 3 – Automatic 2AM |
| 5 | WSUS – Servers – Ring 4 – Manual |
| 6 | Some GPO that will apply before all the WSUS ones |
Highlight a GPO and use the single arrows on the left to move the highlighted policy up or down. The double arrows move the highlighted policy to the top or to the bottom of the list.
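The linking section above and this ordering procedure can be done in one pass with the GroupPolicy module. The block below is an added example (not the article's own code): it links each ring GPO to the workstation, server and Domain Controllers OUs, sets the link order so that Ring 1 is nearest the top (applied last, highest precedence) and the highest ring nearest the bottom, and then verifies the relative order, which is exactly what goes wrong when someone later drags a link with the arrows. OU paths and GPO names are assumptions; the GPO names use plain hyphens.

```powershell
# Added example, not from the original article. Assumes the GroupPolicy module and
# rights to link GPOs on the OUs below, which are placeholder paths.
Import-Module GroupPolicy

$Targets = @(
    @{ Ou   = 'OU=Workstations,DC=corp,DC=example'
       Gpos = 'WSUS - Workstations - Ring 1 - Test-Workstations',
              'WSUS - Workstations - Ring 2 - Broad' },
    @{ Ou   = 'OU=Servers,DC=corp,DC=example'
       Gpos = 'WSUS - Servers - Ring 1 - Test-Servers',
              'WSUS - Servers - Ring 2 - Automatic 4AM',
              'WSUS - Servers - Ring 3 - Automatic 2AM',
              'WSUS - Servers - Ring 4 - Manual' },
    @{ Ou   = 'OU=Domain Controllers,DC=corp,DC=example'   # separate OU: rings 2 and 3, optional 4
       Gpos = 'WSUS - Servers - Ring 2 - Automatic 4AM',
              'WSUS - Servers - Ring 3 - Automatic 2AM',
              'WSUS - Servers - Ring 4 - Manual' }
)

function Set-WsusRingLinks {
    # $Gpos must be given in ring order (Ring 1 first).
    param([string]$Ou, [string[]]$Gpos)
    $existing = (Get-GPInheritance -Target $Ou).GpoLinks.DisplayName
    foreach ($name in $Gpos) {
        if ($existing -notcontains $name) {
            New-GPLink -Name $name -Target $Ou -LinkEnabled Yes | Out-Null
        }
    }
    # Ring position N -> link order N. The rings occupy the top of the list in ascending
    # order; any other links on the OU are pushed below them and so apply before all WSUS ones.
    for ($i = 0; $i -lt $Gpos.Count; $i++) {
        Set-GPLink -Name $Gpos[$i] -Target $Ou -Order ($i + 1) | Out-Null
    }
}

function Test-WsusRingOrder {
    # $true when the WSUS ring links on the OU have strictly increasing ring numbers
    # as link order increases, i.e. Ring 1 applies last and wins.
    param([string]$Ou)
    $rings = (Get-GPInheritance -Target $Ou).GpoLinks |
        Where-Object { $_.DisplayName -like 'WSUS - * - Ring [0-9] - *' } |
        Sort-Object Order |
        ForEach-Object { [int][regex]::Match($_.DisplayName, 'Ring (\d)').Groups[1].Value }
    for ($i = 1; $i -lt $rings.Count; $i++) {
        if ($rings[$i] -le $rings[$i - 1]) { return $false }
    }
    return $true
}

foreach ($t in $Targets) {
    Set-WsusRingLinks -Ou $t.Ou -Gpos $t.Gpos
    '{0}: ring order OK = {1}' -f $t.Ou, (Test-WsusRingOrder -Ou $t.Ou)
}
```

`Test-WsusRingOrder` can be run on its own against any OU; a `False` from it is the first thing to check when a test machine unexpectedly picks up the broad ring's schedule.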
Now all your computers attached to the domain will check these new locations for Windows Update (courtesy of the GPO at the domain root), and then the appropriate policies for checking frequency, install methods, and so on will apply at the lower levels, combining to produce a clean GPO inheritance setup.