In order to implement a WSUS infrastructure a compatible version of Automatic Updates must be installed on the client computers. The updated software, referred to as the WSUS client, allows clients to download the updates from a WSUS server instead of using the Windows Update.

The updated version of Automatic Updates can run on any of the following platforms:

• Microsoft Windows XP Professional
• Microsoft Windows Server 2003 (All editions)

Installing a compatible version of automatic updates

The process that is use to install the WSUS client will depend on the operating system and service pack version that is installed on client computers. If all clients are running Windows XP Professional with Service Pack 2, no installation is required because the WSUS client is already installed.

If client computers are not running Service Pack 2, or they are running a different version of Windows, the WSUS client can be installed through self-update. When WSUS is installed, IIS is automatically configured to distribute the updated version of Automatic Update when each client computer contacts the WSUS server.

The self-update method is supported by the following clients:

• Windows XP with SP1 or SP2
• Windows Server 2003

The self-updating client software is not available if client computers are running Windows XP with no service packs. Assuming that there is not a Software Update Services (SUS) server on the network already, you must first install the SUS client software on the computers. This will add the self-updating client software. When the client connects to the WSUS server, the SUS client will be updated to the WSUS server.

The SUS client software (WUAU22.msi) can be downloaded from the Microsoft Web site. You can deploy the software locally on each client computer or it can be deployed from a central location using Active Directory. The following steps outline how the client can be deployed using a group policy object:

1. Click Start, point to Administrative Tools, and click Active Directory Users And Computers.
2. Right click the appropriate organizational unit and click Properties.
3. From the Group Policy tab, select an existing GPO and click Edit or click New to create a new GPO.
4. Under Computer Configuration, select Software Settings as shown in the figure.

1. Right click Software Installation, point to New, and click Package.
2. Locate the WUAU22.msi file and click Open.
3. The Deploy Software window appears. Click Assigned and click OK.

Configuring automatic updates

Once the updated version of Automatic Updates has been deployed to client computers, you can configure the client software. The settings can be configured through the Local Security Policy on each computer or if your network uses Active Directory, you can deploy settings using group policy.

Using Active Directory to configure WSUS clients

Before you can deploy any settings through a Group Policy Object (GPO) you must first load the Automatic Update policy settings. This should be done when Software Update Services is installed. If not, open the appropriate GPO, under the Computer Configuration or User Configuration, right click the Administrative Templates folder and click Add/Remove Templates. Click Add and locate the Automatic Updates ADM file (wuau.adm) which is located in the Windows\inf directory. Select the adm file and click Open.

You can find the Windows Update settings within a GPO by navigating to Computer Configuration/ Administrative Templates/ Windows Components/ Windows Update folder. Within the details pane, double click Configure Automatic Updates and click Enabled. The details pane will display the options listed below:

• Configure Automatic Updates
• Specify Intranet Microsoft update service location
• Enable client-side targeting
• Reschedule Automate Update scheduled installations
• No auto-restart for scheduled update installation options
• Automatic Update detection frequency
• Allow Automatic Update immediate installation
• Delay restart for schedule installations
• Re-prompt for restart with scheduled installations
• Allow non-administrators to receive update notifications
• Remove links and access to Windows Update

At a bare minimum, you need to configure the first two options to enable Automatic Updates and point the client computers to the WSUS server. The first setting, Configure Automatic Updates, is used to enable or disable automatic updates. If it is enabled you can select one of the following settings as to how updates are downloaded and if the administrator is notified:

• Notify for download and notify for install - A logged on administrative user will be notified before updates are downloaded and again before updates are installed.
• Auto download and notify for install (this is the default) - Updates are automatically downloaded. A logged on administrative user is notified before updates are installed.
• Auto download and schedule the install - Updates are automatically downloaded and installed on a pre-configured schedule.
• Allow local admin to choose setting - Local administrators are permitted to configure their own settings using the Automatic Updates setting in the Control Panel.

You also need to point the client computers to the WSUS server on the network. This can also be done through the Windows Update container within a GPO. Double click the Specify intranet Microsoft update service location option and click Enabled. In the Set update service for detecting updates field, type in the Universal Resource Locator (URL) to the WSUS server. Type in the same URL in the Set the intranet statistics server field.

The WSUS settings configure through the GPO will now be automatically deployed to the client computers. Group policy settings are automatically refreshed at a certain interval so the changes may not take effect immediately. To manually refresh the settings, use the gpupdate /force command on the client computers. The remaining settings that can be configured through a GPO are:

• Enable client-side targeting - This setting is used to enable client computers to self-populate computer groups that exist on the WSUS server.
• Reschedule Automate Update scheduled installations - This setting is used to define how long to wait after system startup before proceeding with an installation when a scheduled install has been missed. If this option is disabled, the installation will occur at the next scheduled day and time.
• No auto-restart for scheduled update installation options - This setting is used to configure whether or not the computer is automatically restarted after an update is installed. If this option is enabled, the user currently logged in will be notified to restart the computer.
• Automatic Update detection frequency - This setting defines the frequency at which Windows will check for available updates.
• Allow Automatic Update immediate installation - This setting defines whether updates that do not interrupt Windows services or restart Windows should be installed automatically.
• Delay restart for schedule installations - This setting will determine how long Automatic Updates will wait before performing a scheduled restart.
• Re-prompt for restart with scheduled installations - This setting will determine how long Automatic Updates will wait before prompting a user for a scheduled restart.
• Allow non-administrators to receive update notifications - This setting will determine whether non-administrative uses receive update notifications.