Windows 10 Updates with WSUS

Medicine Cabinet

Connecting Windows 10 Computers

For the Windows 10 clients to be able to download and install updates from WSUS, they must be configured so that they do not download patches off the Internet but rather use the internal WSUS. Nothing has changed in Windows 10 compared with its predecessors. WSUS does not automatically distribute the patches to clients. Instead, it only downloads the updates from the Internet and makes them available as soon as you approve the installation. The clients get the patches from the WSUS server and install them automatically, depending on the local settings or the settings in the Group Policy. These settings are part of the basic principles for the distribution of Windows 10 updates. You can configure the automatic updates in the Group Policy Management Editor below Computer Configuration | Policies | Administrative Templates | Windows Components | Windows Update.

Workstations can be configured so that they automatically download and install updates from WSUS. The first option for this is Specify intranet Microsoft update service location. Enable this option to connect Windows servers and workstations to WSUS. Since WSUS is a web application, you need to use an HTTP address to specify the server name: http://Servername:Port. WSUS can, as previously mentioned, also use HTTPS. The second important option is the update behavior, which you can determine via Configure Automatic Updates. The following options are available:

  • Notify for download and notify for install: Windows notifies users before downloading and installing the update.
  • Auto download and notify for install: The client will automatically download the updates; however, installation does not automatically take place. This setting is suitable for servers.
  • Auto download and schedule the install: The client is automatically provided with the necessary updates and installs these at a specified time. If the clients are not switched on at this time, Windows starts updating at the next launch.
  • Allow local admin to choose setting: Allows local administrators to select the configuration settings themselves.

Checking the Connection to WSUS

To check whether a computer is successfully connected to WSUS and the settings are working in your Group Policy, just run rsop.msc as an administrator on the computer. The settings for the Group Policies are shown in the window. After configuring the Group Policy, it may take some time for the workstations and servers to connect to WSUS and appear in the WSUS management interface. On the individual computers, you can force an immediate connection to WSUS at the command prompt by entering:

wuauclt.exe /detectnow

If the client is not yet connected, enter

gpupdate /force

and then:

wuauclt.exe /reportnow /detectnow

As soon as a Windows 10 computer is connected to WSUS, the Check online for updates from Microsoft Update link appears in the local update management tool. This link does not appear without a connection to WSUS, because updates are otherwise installed over the Internet.
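To confirm what the policy actually wrote on a client, the check below reads the Windows Update policy values from the registry and evaluates them against the settings described above. It is an added example, not part of the original article: the function name Test-WsusClientPolicy and the sample server name are assumptions, and the -Policy parameter takes a constructed hashtable so the logic can be tried on a machine that has no policy applied.

```powershell
# Added example: evaluate the WSUS client policy that Group Policy wrote to the registry.
# Test-WsusClientPolicy is a hypothetical helper name, not a built-in cmdlet.
function Test-WsusClientPolicy {
    param(
        # Optional constructed input; when omitted, the live registry is read.
        [hashtable]$Policy
    )
    if (-not $PSBoundParameters.ContainsKey('Policy')) {
        $Policy = @{}
        $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
        foreach ($key in $wuKey, "$wuKey\AU") {
            $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if (-not $item) { continue }
            foreach ($p in $item.PSObject.Properties) {
                if ($p.Name -notlike 'PS*') { $Policy[$p.Name] = $p.Value }
            }
        }
    }
    # AUOptions values behind the four "Configure Automatic Updates" choices
    $auModes = @{
        2 = 'Notify for download and notify for install'
        3 = 'Auto download and notify for install'
        4 = 'Auto download and schedule the install'
        5 = 'Allow local admin to choose setting'
    }
    $findings = @()
    $server = $Policy['WUServer']
    if (-not $server) {
        $findings += 'WUServer is not set: no intranet update service location'
    } elseif ($server -notmatch '^https://') {
        $findings += "WUServer '$server' does not use HTTPS"
    }
    if ($Policy['UseWUServer'] -ne 1) {
        $findings += 'UseWUServer is not 1: the client does not use WUServer'
    }
    [pscustomobject]@{
        Server   = $server
        AUMode   = $auModes[[int]$Policy['AUOptions']]
        Findings = $findings
    }
}

# Constructed sample: a client pointed at a hypothetical HTTP WSUS server
Test-WsusClientPolicy -Policy @{
    WUServer = 'http://wsus01.example.internal:8530'; UseWUServer = 1; AUOptions = 4
}
# Live check on the local machine (reads the policy keys, changes nothing)
Test-WsusClientPolicy
```

An empty Findings list together with the expected AUMode means the Group Policy settings reached the client; run it after gpupdate /force.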

In the WSUS console, you can select and approve several updates in a single step via the context menu. Select the Windows 10 group here. Some Windows 10 upgrades are also available via the All Updates menu item (i.e., the ability to run feature updates on Windows 10 computers). With some updates, such as Windows 10 v1607, you need to confirm the license terms centrally only once. As soon as updates for Windows 10 become available, the Windows 10 computer starts searching for them and installs them in line with the configured policies. It can of course take a few minutes for the installation to complete. Information relating to this will appear when you double-click on a computer in the Windows 10 computer group. You can see here whether or not it was possible to install the updates.

Configuring Group Policies for Windows 10

If you have installed the new ADMX files for Windows 10 v1607 on the DCs, you can complete the adjustments for Windows 10. The Computer Configuration | Policies | Administrative Templates | Windows Components | Delivery Optimization menu item plays a special role here. In particular, you need to adjust the Download Mode and the bandwidth so that Windows 10 computers can efficiently download updates without using too much bandwidth.

The Bypass option can be a useful Download Mode and applies to Windows 10 computers that are not connected to WSUS. Enabling the Bypass option means that the new download mode is passed over and BITS technology is still used. This option also fixes download problems for Windows 10 without the use of WSUS and prevents Windows 10 machines from hogging your network's entire bandwidth and Internet connection during updates. However, you should also check and adjust the values (all KBps) in Maximum Download Bandwidth, Max Upload Bandwidth, and Minimum Background QoS.

To protect the WSUS server, Windows computers can also pass on updates to each other. You thus have the option of controlling the distribution of Windows 10 machine updates to other computers at the same Active Directory site. On request, you can create separate groups (e.g., for small offices). During the corresponding configuration, Windows 10 machines exchange updates between these groups without WSUS. More on this later.

Microsoft has completely changed the management of updates in Windows 10. You can roll back installed updates via group policies in Windows 10 Pro and Enterprise editions, which mainly affects new features and regular updates, but not security patches. You will find the setting in Computer Configuration | Policies | Administrative Templates | Windows Components | Windows Update | Defer Upgrades and Updates. These options are only available if you have installed the new Windows 10 Group Policy templates (Figure 2).

Figure 2: Specifying the behavior of the client in the Group Policies during the update.

This field lets you choose to install Windows 10 updates with new features with a delay of up to 180 days. To do this, set the Select when Feature Updates are received value to Current Branch for Business and, for example, 180 days. This is the maximum delay period.

Turn off auto-restart for updates during active hours can be set for Windows 10 so that the computer does not reboot within the specified times. Additionally, you can prevent Windows 10 and Server 2016 from installing drivers via Windows updates by selecting Do not include drivers with Windows Updates in the Computer Settings | Administrative Templates | Windows Components | Windows Update settings.
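The Delivery Optimization and deferral settings described in this section can be verified on a client in the same way as the WSUS connection. The following is an added example, not part of the original article: Test-UpdateDeliveryPolicy is a hypothetical helper name, the sample values are constructed, and the registry value names are the ones these policies write under HKLM\SOFTWARE\Policies\Microsoft\Windows.

```powershell
# Added example: check Delivery Optimization and deferral policy values on a client.
# Test-UpdateDeliveryPolicy is a hypothetical helper name, not a built-in cmdlet.
function Test-UpdateDeliveryPolicy {
    param([hashtable]$Values = @{})

    # DODownloadMode values; 100 is the Bypass mode that falls back to BITS
    $modes = @{ 0 = 'HTTP only'; 1 = 'LAN'; 2 = 'Group'; 3 = 'Internet'
                99 = 'Simple'; 100 = 'Bypass' }
    $notes = @()
    $mode = $Values['DODownloadMode']
    $modeName = if ($null -eq $mode) { 'not set by policy' } else { $modes[[int]$mode] }

    # Bandwidth limits are in KBps; 0 or missing means no fixed cap was applied
    foreach ($cap in 'DOMaxDownloadBandwidth', 'DOMaxUploadBandwidth') {
        if (-not $Values[$cap]) { $notes += "$cap has no fixed KBps cap" }
    }
    # Deferral: the article gives 180 days as the maximum
    $days = $Values['DeferFeatureUpdatesPeriodInDays']
    if ($Values['DeferFeatureUpdates'] -eq 1 -and $days -gt 180) {
        $notes += "Deferral of $days days exceeds the 180-day maximum"
    }
    [pscustomobject]@{
        DownloadMode    = $modeName
        DeferDays       = $days
        DriversExcluded = ($Values['ExcludeWUDriversInQualityUpdate'] -eq 1)
        Notes           = $notes
    }
}

# Constructed sample values, as a GPO might leave them
Test-UpdateDeliveryPolicy -Values @{
    DODownloadMode = 100; DOMaxDownloadBandwidth = 2048; DOMaxUploadBandwidth = 0
    DeferFeatureUpdates = 1; DeferFeatureUpdatesPeriodInDays = 180
}

# Live values from the local policy keys (read-only)
$live = @{}
foreach ($name in 'DeliveryOptimization', 'WindowsUpdate') {
    $k = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\$name" -ErrorAction SilentlyContinue
    if ($k) { $k.PSObject.Properties | ForEach-Object { $live[$_.Name] = $_.Value } }
}
Test-UpdateDeliveryPolicy -Values $live
```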
