The need for this came about recently at my new job. The place has no patch management software in place and is incredibly far behind and failing compliance in their security audits. I threw in a WSUS server, thinking it would be fairly easy since I had done it before in new environments without ever having a hitch. Well, let me tell you, this was no picnic. There were previously 4 separate WSUS servers for different OUs… Stupid. Anyway, it took me some time to remove the GPOs and remnants of the old SUS servers. They hadn’t been used in over 4 years and none of the current staff knew they ever existed anyway.
I cleaned everything up (or so I thought) and installed WSUS clean on our utility server (running Server 03), synchronized with Microsoft and approved all critical updates. I put in a GPO on the domain linked to the OUs containing anything that wasn’t a server, since I wasn’t up for going through checking server updates and they don’t have a test environment. (There are well over 100 servers here; I don’t want to patch them all with a faulty patch and lose my job in less than a month.) Anyway, only about 20/500 PCs joined. I tried everything from PsExec-ing gpupdate /force to remotely installing the newest Windows Update client, and a couple other things. Nothing was working. I went over the Group Policies dozens of times. Why wasn’t it working? I still have yet to figure it out, but I do have a workaround.
The settings for the clients that I wanted were as follows:
WSUS server: http://wsus:8530
Download and install every Thursday at 11pm
The registry keys for these settings are at:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
and
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
This is what I put in the .bat file:
REM Server URL; the port must match the WSUS website (8530 for the custom WSUS site, 80 if it was installed on the default website)
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v WUServer /t REG_SZ /d "http://wsus:8530" /f
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v WUStatusServer /t REG_SZ /d "http://wsus:8530" /f
REM Point the Automatic Updates agent at the intranet server above instead of Microsoft Update
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer /t REG_DWORD /d 1 /f
REM AUOptions 4 = download automatically and install on the schedule below
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /t REG_DWORD /d 4 /f
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /t REG_DWORD /d 0 /f
REM ScheduledInstallDay: 0 = every day, 1 = Sunday ... 5 = Thursday; ScheduledInstallTime is the hour on a 24-hour clock
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v ScheduledInstallDay /t REG_DWORD /d 5 /f
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v ScheduledInstallTime /t REG_DWORD /d 23 /f
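As an added example that is not part of the original post: a PowerShell script that reads a client's policy keys back and compares them with the intended values, confirms the configured server URL actually answers, shows which server the Automatic Updates agent itself last used, and only then kicks off a detection. It assumes the server name wsus and port 8530 from the settings above; the expected values mirror the .bat file. A typo in the URL (wrong port, wrong host) is the kind of thing this catches, because the agent silently fails to report rather than erroring at the console. Writing the keys directly does not make the agent pick them up right away, so run wuauclt /detectnow (or restart the Automatic Updates service) rather than waiting for the next detection cycle.

```powershell
# Added example (not the original post's script). Verifies a client's WSUS
# policy keys against the intended values, then triggers a detection.
# Assumes the server name and port from the post; pass -WsusUrl to override.
param(
    [string]$WsusUrl = "http://wsus:8530"
)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"

# Intended values, mirroring the .bat file above. Key format is "<regpath>|<valuename>".
$Expected = @{
    "$PolicyKey|WUServer"         = $WsusUrl
    "$PolicyKey|WUStatusServer"   = $WsusUrl
    "$AuKey|UseWUServer"          = 1
    "$AuKey|AUOptions"            = 4    # 4 = auto download, scheduled install
    "$AuKey|NoAutoUpdate"         = 0
    "$AuKey|ScheduledInstallDay"  = 5    # 0 = every day, 1 = Sunday ... 5 = Thursday
    "$AuKey|ScheduledInstallTime" = 23   # hour, 24-hour clock
}

$problems = 0
foreach ($entry in $Expected.GetEnumerator()) {
    $path, $name = $entry.Key -split '\|'
    $actual = $null
    if (Test-Path $path) {
        $actual = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).$name
    }
    if ($null -eq $actual) {
        Write-Warning "$path\$name is missing"
        $problems++
    } elseif ("$actual" -ne "$($entry.Value)") {
        # String compare so a REG_DWORD 4 and the literal 4 match, but "8350" vs "8530" does not.
        Write-Warning "$path\$name is '$actual', expected '$($entry.Value)'"
        $problems++
    }
}

# Reachability: wuident.cab in the selfupdate tree is one of the first things
# the agent fetches from a WSUS server, so it is a good connectivity probe.
try {
    $wc = New-Object System.Net.WebClient
    [void]$wc.DownloadData("$WsusUrl/selfupdate/wuident.cab")
    Write-Host "WSUS reachable at $WsusUrl"
} catch {
    Write-Warning "Cannot fetch $WsusUrl/selfupdate/wuident.cab : $($_.Exception.Message)"
    $problems++
}

# What the agent actually used on its last check-in, from its own log.
$log = Join-Path $env:windir 'WindowsUpdate.log'
if (Test-Path $log) {
    Get-Content $log | Select-String -Pattern 'WSUS server:' | Select-Object -Last 2
}

if ($problems -eq 0) {
    # Force the agent to drop its cached client ID/authorization and check in now.
    wuauclt /resetauthorization /detectnow
    Write-Host "Detection triggered; the computer should appear in the WSUS console shortly."
} else {
    Write-Warning "$problems setting(s) need fixing before this client will report to WSUS."
    exit 1
}
```

Run it on one of the clients that never joined; a missing key means the startup script (or GPO) never ran on that machine, a mismatched value means something else is writing the policy keys after the script, and a failed download of wuident.cab means the URL or port is wrong or a firewall is in the way.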
I set the script to run at computer startup via GPO, and voilà, they are all joining. Now I need to figure out the cause of all my pain. Here are a couple more resources that may help with other questions. Leave a comment if you have any questions and I’ll do my best to answer them.
Automatic Updates Registry Values
