How to Setup, Manage, and Maintain WSUS: Part 5 – Linking your GPOs – Inheritance is your friend!

Last updated 2023.02.17 | Published on 2018.06.01 | Guides, WSUS

Create Required AD Groups

Create at least these groups. Yes, you want a Deny group for each of the rings: it is always useful for troubleshooting, and without one it is much harder to work out where a computer needs to be removed from, or which GPO needs to be unlinked. Do not forget that Deny takes precedence over everything, so if you add a computer to a Deny group for troubleshooting you are 100% guaranteed that the GPO will not be applied to it. The Deny groups will likely all sit empty.

  • ACL_GPO.WSUS - Servers - Ring 1 - Test-Servers_Apply
  • ACL_GPO.WSUS - Servers - Ring 1 - Test-Servers_Deny
  • ACL_GPO.WSUS - Servers - Ring 2 (4AM) - Automatic_Apply
  • ACL_GPO.WSUS - Servers - Ring 2 (4AM) - Automatic_Deny
  • ACL_GPO.WSUS - Servers - Ring 3 (2AM) - Automatic_Apply
  • ACL_GPO.WSUS - Servers - Ring 3 (2AM) - Automatic_Deny
  • ACL_GPO.WSUS - Workstations - Ring 1 - Test-Workstations_Apply
  • ACL_GPO.WSUS - Workstations - Ring 1 - Test-Workstations_Deny

Note: We are not creating groups for “WSUS – Workstations – Ring 2 – Broad” or “WSUS – Servers – Ring 4 – Manual”, as they are treated as the defaults unless the system is a member of another group that overrides the default.

Apply Scoping to GPOs

You will need to apply your new AD groups to your GPOs.

  1. WSUS – Workstations – Ring 1 – Test-Workstations
    1. In the Scope tab, remove Authenticated users and add:
      ACL_GPO.WSUS - Workstations - Ring 1 - Test-Workstations_Apply
    2. Go to the Delegation tab and add Authenticated Users with Read permission.
    3. Click on the Advanced button and add:
      ACL_GPO.WSUS - Workstations - Ring 1 - Test-Workstations_Deny
      with deny permissions on “Apply group policy”
  2. WSUS – Servers – Ring 1 – Test-Servers
    1. In the Scope tab, remove Authenticated users and add:
      ACL_GPO.WSUS - Servers - Ring 1 - Test-Servers_Apply
    2. Go to the Delegation tab and add Authenticated Users with Read permission.
    3. Click on the Advanced button and add:
      ACL_GPO.WSUS - Servers - Ring 1 - Test-Servers_Deny
      with deny permissions on “Apply group policy”
  3. WSUS – Servers – Ring 2 – Automatic 4AM
    1. In the Scope tab, remove Authenticated users and add:
      ACL_GPO.WSUS - Servers - Ring 2 (4AM) - Automatic_Apply
    2. Go to the Delegation tab and add Authenticated Users with Read permission.
    3. Click on the Advanced button and add:
      ACL_GPO.WSUS - Servers - Ring 2 (4AM) - Automatic_Deny
      with deny permissions on “Apply group policy”
  4. WSUS – Servers – Ring 3 – Automatic 2AM
    1. In the Scope tab, remove Authenticated users and add:
      ACL_GPO.WSUS - Servers - Ring 3 (2AM) - Automatic_Apply
    2. Go to the Delegation tab and add Authenticated Users with Read permission.
    3. Click on the Advanced button and add:
      ACL_GPO.WSUS - Servers - Ring 3 (2AM) - Automatic_Deny
      with deny permissions on “Apply group policy”
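The group creation and GPO scoping above, as an added PowerShell example (not from the original article). It assumes the ActiveDirectory and GroupPolicy modules, that the four GPOs already exist with plain hyphens in their names, and a hypothetical OU for the groups. Set-GPPermission cannot write Deny entries, so the Deny on “Apply group policy” is written to the GPO's AD object ACL directly.

```powershell
# Added example: create the ring Apply/Deny groups and scope each GPO.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$groupOU  = 'OU=Groups,DC=example,DC=com'   # assumption: where the ACL_ groups live
$domainDN = (Get-ADDomain).DistinguishedName

# GPO name -> base name of its _Apply/_Deny group pair (names as used in this guide).
$rings = @{
    'WSUS - Workstations - Ring 1 - Test-Workstations' = 'ACL_GPO.WSUS - Workstations - Ring 1 - Test-Workstations'
    'WSUS - Servers - Ring 1 - Test-Servers'           = 'ACL_GPO.WSUS - Servers - Ring 1 - Test-Servers'
    'WSUS - Servers - Ring 2 - Automatic 4AM'          = 'ACL_GPO.WSUS - Servers - Ring 2 (4AM) - Automatic'
    'WSUS - Servers - Ring 3 - Automatic 2AM'          = 'ACL_GPO.WSUS - Servers - Ring 3 (2AM) - Automatic'
}

# rightsGuid of the "Apply Group Policy" extended right in the AD schema.
$applyGpRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

foreach ($gpoName in $rings.Keys) {
    $applyGroup = "$($rings[$gpoName])_Apply"
    $denyGroup  = "$($rings[$gpoName])_Deny"

    # Domain local security groups, created only if missing.
    foreach ($g in $applyGroup, $denyGroup) {
        if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
            New-ADGroup -Name $g -GroupScope DomainLocal -GroupCategory Security -Path $groupOU
        }
    }

    # Scope tab: Authenticated Users drops from Apply to Read (computers still need
    # Read to retrieve the GPO); the _Apply group gets Apply.
    Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $gpoName -TargetName $applyGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # Delegation > Advanced: Deny "Apply group policy" for the _Deny group.
    $gpo   = Get-GPO -Name $gpoName
    $gpoDN = "CN={$($gpo.Id)},CN=Policies,CN=System,$domainDN"
    $acl   = Get-Acl -Path "AD:\$gpoDN"
    $sid   = (Get-ADGroup -Identity $denyGroup).SID
    $rule  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $applyGpRight)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$gpoDN" -AclObject $acl
}
```

Afterwards, the Delegation tab of each GPO should show Authenticated Users with Read, the _Apply group with Read and Apply group policy, and the _Deny group with a Deny on Apply group policy.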

Now, depending on how you have your network, you may want to apply the other GPOs to OUs or create Security Groups and make computers members of them instead. Either way works, or a combination of both. I will explain a combination of both.

Location GPOs

Scenario 1:

You have a single WSUS server, or you want all systems to pull from a single WSUS server.

Link the “WSUS – Location” GPO at the domain level. This will ensure that all devices attached to the domain will look at this WSUS Server for updates.

Scenario 2:

You have 2 WSUS servers, one located at head office, the other located at a satellite office. When a system is at the head office, you want the computer to pull updates from the main WSUS server. When a system is at the satellite office, you want the computer to pull from the local WSUS server in the satellite office.

Link the “WSUS – Location – Head Office” GPO at the domain level. This will ensure that all devices attached to the domain will look at the head office WSUS Server by default for updates.

You must have AD Sites & Services configured correctly, as a logical network that reflects the physical network. You can then expose the site level in GPMC by right-clicking “Sites” under the forest, choosing “Show Sites”, and selecting all sites.

Now in GPMC, you can link the “WSUS – Location – Satellite Office” GPO to the satellite site location.

This way when a user travels to another site temporarily or permanently, they will receive updates locally from the downstream server rather than traversing your site links.

Large Sites

Do not forget, a single WSUS server (with appropriately sized hardware) can service up to 100,000 clients using the WID with the default configured limit of 30,000 clients. That’s a LOT of client machines connecting to 1 WSUS server!

If you have a large site, and your hardware is not handling a single WSUS server well, consider splitting up your WSUS deployment to include multiple downstream servers within the same site. You can then combine a GPO that is either linked to a separate OU or scoped to a domain local group containing the systems that should use this downstream server instead of the upstream server within the same site. With GPO ordering, linking to sites, and scoping to domain local security groups, you can develop a WSUS deployment that scales to the largest environments. In addition, you can use load balancing and high availability options for WSUS by utilizing a shared remote SQL database (although using downstream servers is a better alternative to a high availability node; do you really think a Windows Update store has a reason to be highly available?).

Linking your GPOs

If you have your computers in a single OU or single OU structure, link both of these GPOs to that OU:

  • WSUS – Workstations – Ring 1 – Test-Workstations
  • WSUS – Workstations – Ring 2 – Broad

If you have your servers in a single OU or single OU structure, link these GPOs to that OU:

  • WSUS – Servers – Ring 1 – Test-Servers
  • WSUS – Servers – Ring 2 – Automatic 4AM
  • WSUS – Servers – Ring 3 – Automatic 2AM
  • WSUS – Servers – Ring 4 – Manual

Do not forget that the Domain Controllers OU is separate. For Domain Controllers, it is best to split them between Ring 2 and Ring 3 so they restart at different times, so link both of those GPOs to the Domain Controllers OU. Optionally, add Ring 4 as well.

  • WSUS – Servers – Ring 2 – Automatic 4AM
  • WSUS – Servers – Ring 3 – Automatic 2AM
  • WSUS – Servers – Ring 4 – Manual (Optional)

Ordering Your GPOs

Ordering your GPOs is VERY important. If you do not order them properly, they will not apply properly, and you will take a lot of time troubleshooting why things are not working the way you would like them to work.

In GPMC, click on one of the OUs you have linked these policies to. This shows the Linked Group Policy Objects tab with the link order. In this window, the group policies apply from the bottom to the top: the GPO with link order 1 is processed last, so its settings win.

We want our rings to apply in reverse order (Ring 4 first, Ring 3 second, Ring 2 third, and Ring 1 fourth), meaning that the link order must list the rings in ascending ring number (Ring 1 above Ring 2, Ring 2 above Ring 3, and so on), anywhere within the overall order.

Link Order   GPO
1            Some GPO that will apply after all the WSUS ones
2            WSUS – Servers – Ring 1 – Test-Servers
3            WSUS – Servers – Ring 2 – Automatic 4AM
4            WSUS – Servers – Ring 3 – Automatic 2AM
5            WSUS – Servers – Ring 4 – Manual
6            Some GPO that will apply before all the WSUS ones


Highlight a GPO and use the arrows on the left: the single arrows move the highlighted policy up or down one position, and the double arrows move it to the top or the bottom of the list.
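Checking, and if necessary fixing, the ring link order on an OU, as an added PowerShell example (not from the original article). It assumes the GroupPolicy module, the server GPO names from this guide written with plain hyphens, and a hypothetical Servers OU; the check returns true only when Ring 1 sits above Ring 2, Ring 2 above Ring 3, and Ring 3 above Ring 4.

```powershell
# Added example: verify the WSUS ring GPOs are linked in ascending ring order.
Import-Module GroupPolicy

$ou = 'OU=Servers,DC=example,DC=com'   # assumption: OU the ring GPOs are linked to
$ringGpos = @(
    'WSUS - Servers - Ring 1 - Test-Servers',
    'WSUS - Servers - Ring 2 - Automatic 4AM',
    'WSUS - Servers - Ring 3 - Automatic 2AM',
    'WSUS - Servers - Ring 4 - Manual'
)

function Test-WsusRingLinkOrder {
    param([string]$Target, [string[]]$Rings)
    $links = (Get-GPInheritance -Target $Target).GpoLinks
    $found = foreach ($r in $Rings) {
        $link = $links | Where-Object DisplayName -eq $r
        if (-not $link) { throw "GPO '$r' is not linked to $Target" }
        [pscustomobject]@{ Name = $r; Order = $link.Order; Enabled = $link.Enabled }
    }
    $found | Format-Table -AutoSize | Out-String | Write-Host
    # Lower link order = processed later = wins, so Ring 1 must have the lowest
    # order of the four and Ring 4 the highest.
    $ok = $true
    for ($i = 1; $i -lt $found.Count; $i++) {
        if ($found[$i].Order -le $found[$i - 1].Order) { $ok = $false }
    }
    return $ok
}

if (-not (Test-WsusRingLinkOrder -Target $ou -Rings $ringGpos)) {
    # Re-link Ring 1..4 into consecutive positions starting at the lowest position
    # any ring currently occupies; Set-GPLink -Order shifts the others down.
    $start = ((Get-GPInheritance -Target $ou).GpoLinks |
        Where-Object DisplayName -in $ringGpos | Sort-Object Order | Select-Object -First 1).Order
    $pos = $start
    foreach ($r in $ringGpos) {
        Set-GPLink -Name $r -Target $ou -Order $pos | Out-Null
        $pos++
    }
    Test-WsusRingLinkOrder -Target $ou -Rings $ringGpos
}
```

Run it against every OU the rings are linked to, including the Domain Controllers OU (drop the Ring 1 entry from the list there, since Ring 1 is not linked to it).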

Now all your computers attached to the domain will check these new locations for Windows Update (care of the GPO at the domain root), and then the appropriate policies for checking frequency, install methods, and others will apply at the lower levels combining to produce a great GPO inheritance setup.
