WSUS – Force immediate update installation on clients

I’ve seen heaps of guides about this topic, but all seem to miss the one setting that makes the client download and install updates immediately without any intervention on the client. That, my friends, is the update deadline, which I’ll cover in this guide along with the other configuration parts.

Here are the main points that need to be covered to get this working:

Table of Contents

1 WSUS Server
1.1 Server setup
1.2 Computer Group
1.3 Computer Update Setting
1.4 Auto-Approval Rule
2 Client Group Policy (or GPEdit if you have a non-domain client)
2.1 Configure Automatic Updates
2.2 Specify intranet Microsoft update service location
2.3 Automatic Update detection frequency
2.4 Enable client-side targeting
3 Separate Staging area from Production environment (recommended)

1 WSUS Server

1.1 Server setup

Installing Windows Server 2008 R2 isn’t in the scope of this guide; I’m assuming you have a vanilla server set up with Windows Updates installed (including the .NET Framework). Let’s begin:

  • Install the Microsoft Report Viewer 2008 (not a requirement but needed for reports)
  • Run the Server Manager > Roles > Add Roles
  • Select Windows Server Update Services, add the required role services when prompted
    [Figure 1.1]
  • Proceed with the installation and after you click Finish, the WSUS Configuration Wizard will appear
  • Configure your WSUS upstream server, languages, products, classifications and schedule according to your needs – and begin the initial synchronisation

1.2 Computer Group

Create a client-side targeting group for the computers.

  • Run the WSUS console (Start > Admin Tools > WSUS)
  • Expand the server node in the tree > Computers > All Computers
  • Right-click ‘All Computers’ > Add Computer Group
  • Give the computer group a name  – for example ‘STAGING-SERVER’ (you’ll enter this name in the GPO or GPEdit later)

1.3 Computer Update Setting

Define how WSUS clients will receive their settings.

  • Run the WSUS console (Start > Admin Tools > WSUS)
  • Select Options > Computers
  • Select ‘Use Group Policy or registry settings on computers’
    [Figure 1.3]

1.4 Auto-Approval Rule

Create a rule that automatically approves all updates when they are synchronised, and apply a deadline.

Please note that deadlines override any settings you have regarding reboot delays, so be careful. Read more in this TechNet article.

This is why I recommend creating a specific client-side targeting computer group. In high-availability environments I would recommend you create a separate WSUS server and OU for these computers – see this diagram for a setup overview.

  • Run the WSUS console (Start > Admin Tools > WSUS)
  • Select Options > Automatic Approvals
  • Click New Rule > tick ‘Set a deadline for the approval’
  • Click the ‘all computers’ hyperlink in the Step2 box > select the computer group you added earlier (for example ‘STAGING-SERVER’)
  • Click the hyperlink for the deadline in the Step2 box > days=0, time=00:01:00
  • Specify a name (for example ‘Auto-approve with Deadline’) > click OK
    [Figure 1.4]

2 Client Group Policy

(or GPEdit if you have a non-domain client)

  • Create a Group Policy on the OU where the targeted computer objects are
  • Open the Group Policy > expand the Computer Configuration node in the tree
    (or open GPEdit if manually configuring client settings)
  • Navigate to Policies > Administrative Templates > Windows Components > Windows Update
  • Configure the following policies:
2.1 Configure Automatic Updates
    [Figure 2.1]

2.2 Specify intranet Microsoft update service location
    [Figure 2.2]

2.3 Automatic Update detection frequency
    [Figure 2.3]

2.4 Enable client-side targeting
    [Figure 2.4]
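For a non-domain client where you would otherwise click through GPEdit, the four policies above can be written as the registry values the policy editor itself sets, and then read back to confirm nothing was mistyped. The script below is an added example, not code from the original post; the WSUS server URL, the group name, the detection interval and the choice of AUOptions 4 (auto download and schedule the install) are assumptions, since the post only shows screenshots for these settings.

```powershell
# Added example, not code from the original post: registry-policy equivalent of
# the four Windows Update settings in section 2, for a non-domain client that
# would otherwise be configured through GPEdit. Run from an elevated PowerShell
# session on the client. Placeholders/assumptions (not values from the post):
#   $WsusServer  - URL of the STAGING WSUS server (HTTP, default WSUS port 8530)
#   $TargetGroup - the client-side targeting group created in section 1.2
#   AUOptions 4 (auto download and schedule the install) is an assumed choice;
#   the post does not say which option its screenshot shows.
param(
    [string]$WsusServer     = 'http://wsus-staging.example.local:8530',
    [string]$TargetGroup    = 'STAGING-SERVER',
    [int]   $DetectionHours = 1    # the policy accepts 1..22 hours
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

# Write one policy value, creating the key if needed (-Force overwrites an existing value).
function Set-WuPolicyValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# The values the corresponding policies write when enabled in the GPO editor.
$policy = @(
    # 2.2 Specify intranet Microsoft update service location
    @{ Path = $wuKey; Name = 'WUServer';                  Value = $WsusServer;     Type = 'String' },
    @{ Path = $wuKey; Name = 'WUStatusServer';            Value = $WsusServer;     Type = 'String' },
    @{ Path = $auKey; Name = 'UseWUServer';               Value = 1;               Type = 'DWord'  },
    # 2.4 Enable client-side targeting (name must match the WSUS group from 1.2)
    @{ Path = $wuKey; Name = 'TargetGroupEnabled';        Value = 1;               Type = 'DWord'  },
    @{ Path = $wuKey; Name = 'TargetGroup';               Value = $TargetGroup;    Type = 'String' },
    # 2.1 Configure Automatic Updates (assumed option 4)
    @{ Path = $auKey; Name = 'NoAutoUpdate';              Value = 0;               Type = 'DWord'  },
    @{ Path = $auKey; Name = 'AUOptions';                 Value = 4;               Type = 'DWord'  },
    # 2.3 Automatic Update detection frequency
    @{ Path = $auKey; Name = 'DetectionFrequencyEnabled'; Value = 1;               Type = 'DWord'  },
    @{ Path = $auKey; Name = 'DetectionFrequency';        Value = $DetectionHours; Type = 'DWord'  }
)

foreach ($p in $policy) { Set-WuPolicyValue @p }

# Read everything back and report any mismatch, so a mistyped value name (or a
# domain GPO that later re-applies different values) is visible rather than silent.
function Test-WuPolicy {
    param([object[]]$Expected)
    $bad = foreach ($e in $Expected) {
        $actual = (Get-ItemProperty -Path $e.Path -ErrorAction SilentlyContinue).($e.Name)
        if ("$actual" -ne "$($e.Value)") {
            "{0}\{1}: expected '{2}', found '{3}'" -f $e.Path, $e.Name, $e.Value, $actual
        }
    }
    if ($bad) { $bad | Write-Warning; return $false }
    return $true
}

if (Test-WuPolicy -Expected $policy) {
    # Restart the Windows Update agent so it reads the new policy, then ask it to
    # run a detection cycle now instead of waiting for the next scheduled one.
    Restart-Service -Name wuauserv
    wuauclt.exe /detectnow
}
```

The read-back step matters more than it looks: the Windows Update agent silently ignores a value it cannot parse, and on a domain-joined machine a conflicting GPO will overwrite these keys at the next policy refresh, so checking the live values is the only way to know what the agent will actually use.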

3 Separate Staging area from Production environment (recommended)

Due to the impact WSUS update deadlines have on reboot behaviour, the immediate update installation solution is not ideal for production systems. It is well suited to new system builds that require hundreds of updates straight away without intervention.
In this case, the GPO and target WSUS settings should be configured on a separate server, for the following reasons:

  • Automatic Approval rules are a ‘per-server’ setting. Although you can set auto-approval rules for specific Computer Groups and you can link the GPO to a specific OU – if this group is deleted from the WSUS server, then the Automatic Approval rule defaults to ‘all computers’ regardless of group policy. This means that any computer contacting the WSUS server will have the deadline applied and will reboot automatically.

I recommend the setup below for the following benefits:

  • Separated computer-targeting policies – no deadlines applied for Production computers (i.e. no chance of unexpected WSUS-initiated reboots)
  • Staging WSUS server acts as a downstream server – products and classifications can be inherited from the Production WSUS server
    [Figure 3]
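Because the deadline reboots apply to any computer that contacts the staging server, it is worth periodically checking which machines actually point at it. The audit below is an added example, not part of the original post: it reads the same policy values the agent uses from a list of computers over PowerShell remoting and flags any host that uses the staging server without being on the allow-list of build machines. The server URL, computer names and allow-list are constructed placeholders.

```powershell
# Added example, not from the original post: find computers pointed at the
# STAGING WSUS server, because any computer contacting that server can receive
# the deadline-backed approvals from section 1.4 and reboot without warning.
# Requires PowerShell remoting (WinRM) to the listed computers.
# Assumptions/placeholders (not from the post): the server URL, the computer
# names, and the list of hosts that are allowed to use the staging server.
$StagingWsus    = 'http://wsus-staging.example.local:8530'
$Computers      = @('BUILD-01', 'PROD-WEB01', 'PROD-DB01')   # constructed inventory
$StagingAllowed = @('BUILD-01')                             # hosts that may use staging

# Runs on each remote computer: collect the policy values the agent actually uses.
$readPolicy = {
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $p  = Get-ItemProperty -Path $wu      -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wu\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer           = $p.WUServer
        UseWUServer        = [int]$au.UseWUServer
        TargetGroupEnabled = [int]$p.TargetGroupEnabled
        TargetGroup        = $p.TargetGroup
    }
}

# Classify one computer's policy: uses staging and is allowed to, uses staging
# and is not (the case section 3 warns about), or does not use staging at all.
function Get-WsusTargetStatus {
    param([string]$Computer, [psobject]$Policy, [string]$Staging, [string[]]$Allowed)
    $usesStaging = ($Policy.UseWUServer -eq 1) -and ($Policy.WUServer -eq $Staging)
    $status = if (-not $usesStaging)                { 'OK: not on staging WSUS' }
              elseif ($Allowed -contains $Computer) { 'EXPECTED: staging host, deadline reboots apply' }
              else                                  { 'REVIEW: non-staging host on staging WSUS' }
    [pscustomobject]@{
        Computer    = $Computer
        WUServer    = $Policy.WUServer
        TargetGroup = if ($Policy.TargetGroupEnabled -eq 1) { $Policy.TargetGroup } else { '(not set)' }
        Status      = $status
    }
}

$collected = @(Invoke-Command -ComputerName $Computers -ScriptBlock $readPolicy -ErrorAction SilentlyContinue)

$report = @(foreach ($c in $collected) {
    Get-WsusTargetStatus -Computer $c.PSComputerName -Policy $c -Staging $StagingWsus -Allowed $StagingAllowed
})

# Hosts that could not be reached are listed too: an unreachable host is not a
# confirmed-safe host.
$reached = @($collected | ForEach-Object { $_.PSComputerName })
foreach ($u in ($Computers | Where-Object { $reached -notcontains $_ })) {
    $report += [pscustomobject]@{ Computer = $u; WUServer = $null; TargetGroup = $null; Status = 'UNKNOWN: not reachable' }
}

$report | Sort-Object Status | Format-Table -AutoSize
```

Run it from a management host with remoting enabled to the targets; anything reported as REVIEW is a machine that will receive the deadline and reboot the next time the staging server approves an update, and should be re-pointed at the production WSUS server.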

About tenpushups
a player in the Game of Life
