Endpoint Services, WSUS, Configuring WSUS Clients

How to configure clients to use the Technology Services WSUS Service.

Systems

Windows Server Update Services (WSUS)

Affected Customers

University of Illinois IT Pros leveraging Technology Services Windows Server Update Services (WSUS)

General Information

Group Policy Objects (GPOs) can be used to configure client computers to use the Technology Services WSUS service, and to determine which updates they will receive.

Note: WSUS does not provide Office 365 updates. IT units must leverage additional GPOs to configure endpoints to receive Office 365 updates or transition to leveraging MECM for Office updates. Please review Microsoft's documentation for additional information: Configure update settings for Microsoft 365 Apps

Clients will need to be on-campus, or use the VPN, in order to receive GPO policies; however, they do not subsequently require use of the VPN to access the WSUS service while off-campus.

Security-Provided GPOs

The EPS team and the Technology Services Security group together maintain a relatively extensive list of GPOs that IT Pros can apply to their AD OUs in order to simplify the process of configuring clients to utilize the EPS WSUS service. Follow these steps to link one or more of these existing policies to an OU:

Note: MECM can conflict with WSUS GPOs.
Please review the following article for more information: Endpoint Services, MECM, Software Updates

    1. Open the Group Policy Management Console
    2. Right-click on the OU you'd like to link to a WSUS GPO
    3. Click Link Existing GPO
    4. Search for the desired WSUS GPO(s):
  • DEPT_UseCITESWSUSServer_3AMUpdate_Security
  • DEPT_UseCITESWSUSServer_9AMUpdate_Security
  • DEPT_UseCITESWSUSServer_5PMUpdate_Security
  • DEPT_SetWSUSGroup-Upgrades_Security
  • DEPT_SetWSUSGroup-Upgrades10only_Security
  • DEPT_SetWSUSGroup-AllServicePacks_Security
  • DEPT_SetWSUSGroup-AllUpdates_Security
  • DEPT_SetWSUSGroup-AppServicePacks_Security
  • DEPT_SetWSUSGroup-Baseline_Security
  • DEPT_SetWSUSGroup-OSServicePacks_Security

At a minimum, IT units must link a single "DEPT_UseCITESWSUSServer_" GPO to receive ALL updates that are applicable to an endpoint from WSUS. Additionally, multiple "DEPT_SetWSUSGroup-" GPOs may be linked to limit the targeting groups for updates that an endpoint receives.

Creating Your Own GPOs

For IT Pros who choose to create their own WSUS GPOs, the following GPO settings must be configured at Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update:

  • Configure Automatic Updates
  • Specify intranet Microsoft update service location - https://wsus.cites.illinois.edu

Additionally, the following client-side targeting groups are configured on the EPS WSUS server and may be used to determine which updates clients will receive. Updates that are classified by Microsoft as Critical, Definition, or Security updates are auto-approved for immediate release; all other updates are held until Thursday morning.

    • All Updates: This group will receive all updates from Microsoft including all of the critical updates, definitions, and security updates with the exception of driver updates.

    • Application Service Packs: This group will receive all of the critical updates, definitions, and security updates in addition to service packs for applications.

    • OS Service Packs: This group will receive all of the critical updates, definitions, and security updates in addition to service packs for the Operating System. Additionally, this group will receive updates for Internet Explorer as well as the .NET framework due to their thorough integration into the operating system on many computers. This group does not receive Skype for Business updates.

    • Upgrades: This group will all receive feature updates (aka upgrades) for Windows 11 and 10 features and functionality, dependent upon hardware compatibility. 

    • Upgrades Windows 10 only: This group is specifically for Windows 10 devices. Devices in this group will receive feature updates (aka upgrades) for Windows 10 features and functionality. 

    • All Service Packs: This group will receive all of the critical updates, definitions, and security updates in addition to the updates from the Application Service Packs and the OS Service Packs groups.

  • Baseline: This group will only receive all of the critical updates, definitions, and security updates. This does not include any application or OS service pack.
  • All Updates Minus Previews: This group will only receive all of the Updates and Tools minus the Preview of Monthly Quality Roll-up for Windows updates. 

To request further information or support please contact the EPS team.


Contact the EPS team



Keywords:
eps wsus windows endpoint techs-eps-wsus "windows update" gpo 
Doc ID:
91607
Owned by:
EPS Distribution List in University of Illinois Technology Services
Created:
2019-05-07
Updated:
2024-10-21
Sites:
University of Illinois Technology Services