How to Configure Group Policy for WSUS in Windows Server 2016

Photo of author

By Victor Ashiedu

Published

Configure Group Policy for Windows Updates Server 2016 (WSUS Server 2016)

This guide teaches you how to configure Group Policy for Windows Updates Server 2016 (WSUS Server 2016).

After installing WSUS, you may use Group Policy to determine how clients receive updates. This guide provides a complete steps by step of the process.

Requirements for Group Policy for Windows Updates Server 2016

To complete the steps in this guide you require the following:

  1. A WSUS Server with post WSUS Configuration Wizard completed.
  2. Windows Domain Controller

Steps to Configure Group Policy for Windows Updates Server 2016 (WSUS Server 2016)

High-level-steps to configure Group Policy for Windows Updates Server 2016:

  1. Create a new GPO
  2. Link the GPO to an AD Container
  3. Configure the GPO

Here are the detailed steps

Create a Group Policy Object for Windows Updates Server 2016

Create a Group Policy Object for Windows Updates Server 2016

The first step is to create the GPO. Here are the steps:

  • Login to your domain controller and open Server Manager
  • From Server Manager, click Tools. Then select Group Policy Management.
Create a Group Policy Object for Windows Updates Server 2016
  • When Group Policy Management opens, expand your domain. Then expand Group Policy Objects container.
  • To create a new GPO, drag and drop Default Domain Policy to Group Policy Objects container.
group policy windows updates server 2016
  • At the Copy GPO prompt, click OK. The GPO will be copied to a new one. Click OK.
group policy windows updates server 2016
group policy windows updates server 2016
  • Right-click Copy of Default Domain Policy GPO. Then select Rename. Give the GPO a descriptive name. See mine in the second image below.
Link the GPO to an Active Directory Container

After creating the Group Policy object, the next step is to link it to an AD container. You can link a GPO to one of the following AD containers: Site, Domain or Organizational Units (OU).

You can link a GPO to Site, Domain or Organizational Units (OU).

When you link a GPO to a container, all eligible objects within the container will apply the policies configured in the GPO.

In this demo, I will link the GPO for Windows Server Update Service to the domain.

Here are the steps:

  • Drag the GPO from the Group Policy Objects container to the AD container you wish to link it. In this example, I will drag mine to my domain (iTechGuides.local).
  • You will then be prompted to confirm that you wish to link the GPO to the container. To confirm, click OK. The GPO is linked and will now appear beneath the container (See the second image below – after the advert).

Configure Group Policy Object for Windows Updates Server 2016

Configure Group Policy Object for Windows Updates Server 2016

The next step is to configure the GPO to apply Windows updates the way you want it or your organization’s policy demands.

Here are the steps:

  • Right-click the new GPO you linked to an AD container in the last section. Then select Edit.
Configure Group Policy Object for Windows Updates Server 2016
  • When Group Policy Management Editor opens, expand Computer Configuration container. Then expand Policies and navigate to Administrative Templates\Windows Components. Finally, click Windows Update. The default view is Extended but I like to change mine to Standard. It is a matter of preference.

Now the fun begins!

  • Locate and double-click a Configure Automatic Updates policy.
  • To enable the policy, select Enabled.
  • Then beneath Options:, Configure automatic updating select one of the following:
    > 2 – Notify for download and auto install
    > 3 – Auto download and notify for install (Default)
    > 4 – Auto download and schedule the install
    > 5 – Allow local admin to choose setting

Read what each of these settings means and what they do. The info on the details pane of the GPO explains each setting in detail.

From my personal experience, options 3 (default) or 4 work for most organizations.

  • Also set the day and time you wish to install updates. Use the Scheduled install day and Scheduled install time to determine when the clients will install the updates.
group policy windows updates server 2016
  • When you finish, click OK.
  • The next important group policy for Windows updates Server 2016 is Specify intranet Microsoft update service location. This is where you specify your WSUS Server. Locate this policy and open it.
group policy windows updates server 2016
  • To enable this policy, select Enabled. Then on the Options section of the policy, enter your WSUS server in the Set the intranet update service for detecting updates field. Also add the server to the Set the intranet statistics server field. Use the format shown in the image below.
group policy windows updates server 2016
  • When you finish modifying the policy, click OK.
  • There is one more important group policy for Windows updates Server 2016 – Specify deadlines for automatic updates and restart. Configure this policy to force computers to apply update and restart. Locate and open this policy.
  • To enable this policy, select Enabled. Then on the Options sections, select the deadline(in days) that a computer will be forced to install Quality updates and Feature updates. You can allow up to 30 days installation deadline. You can also determine restart Grace period (in days) – up to a max of 7 days. When you finish, click OK.

Conclusion

After you configure these policies, computers are expected to accept the policies and appear in the WSUS console. A computer may take up to 30 minutes to show up in WSUS console.

To force a computer to apply the polices immediately: open command prompt from the computer. Then type this command and press enter.

gpupdate /force

I hope you found this Itechguide helpful. If it was helpful please spare a few minutes to share your thoughts with [discourse_topic_url].

Again, if you were not clear with the steps in this and you have some questions, please reply to this article’s topic at [discourse_topic_url]. Be rest assured that our team and other forum members will respond to you as soon as possible.

To read the full steps to install and configure Windows Server Update Service in Server 2016, click WSUS Windows Server 2016: Installation and Configuration.

However, if you want more Windows Server guides, visit our Windows Server page.

We go the extra mile to deliver the highest quality content for our readers. Read our Content Writing, Content Review, and Anti-Plagiarism policies to learn more.

About the Author

Photo of author

Victor Ashiedu

Victor is the founder of InfoPress Media, publishers of ilifeguides.com and itechguides.com. With 20+ years of experience in IT infrastructure, his expertise spans Windows, Linux, and DevOps. Explore his contributions on Itechguides.com for insightful how-to guides and product reviews.

Suggested Articles

2 thoughts on “How to Configure Group Policy for WSUS in Windows Server 2016”

  1. Victor,
    Great Article! I have one question. How do notifications work with the settings from your article? Do you need to set gpo’s for notification?
    Thanks

    Johnny

    Reply

Leave a comment

Send this to a friend