WSUS, or Windows Server Update Services, is used on a local network to approve or reject Windows updates and security fixes. The benefit of this mechanism for delivering updates is that it gives you as much or as little control over updates as you want. It's all about choice. So if you do not want the Windows 10 OS upgrade rolling out to your Windows 7 desktops, you have the ability to prevent that.

For Server 2012 R2 it's fairly easy to install WSUS. Start up the Server Manager, click Add roles and features, and under Server Roles and Windows Server Update Services pick WID Database and WSUS Services. Install the WSUS server role.

Once installed, start up WSUS and you should be greeted by the WSUS Server Configuration Wizard. If that is not the case you can start it manually from the WSUS Options.

There are a couple of things you need to note before you start.

Join the improvement program if you wish. I generally opt out.

Choose the upstream server. If this is your only WSUS server on the network you will synchronize your updates from Microsoft. Otherwise you can opt for another WSUS server on your network.

Set a proxy server if you need to.

Then you will connect to the upstream server by clicking the Start Connecting button. This process can take a while and it can actually fail on your first try. Be patient, grab a coffee or something.

Choose the language that you want all your updates in.

Choose which OS or Microsoft software you want to get updates for.

Pick which types of updates you want. Usually I pick critical, definition, and security updates.

Configure the Sync Schedule. This sets the time at which WSUS checks for new updates and pulls them down from Microsoft. I generally set this for after business hours.

You can now begin the initial sync of Windows Updates for the products you selected. Go ahead and grab a long lunch; this can take a while.

Now you can set a couple of other options in the WSUS application. I like to set the Automatic Approvals. This way I'm not approving hundreds of updates every week. I set the critical and security updates for Windows 7 desktops to automatically approve. You can also set it up for a specific group of computers. You can set this group up either manually or via Group Policy. I will cover the Group Policy method later in the post.

Next go to Computers in WSUS Options and choose Use Group Policy or registry settings on computers. This option allows you to use Group Policy to set the computer group membership. This is the preferred method. Close it; the next time the sync runs it should pull all the updates down. Please note that generally during initial setup, when I ran the manual sync it would more often than not fail. I had to wait for WSUS to pull the updates automatically on its scheduled evening run.

Now you will have to create two Group Policy Objects. One of the GPOs will be used to set the local update server and other Windows Update options. The other GPO will be used to log users off before the updates are applied on the computers. The reason I do this is that the computer will not restart after the updates are pushed if there are any users logged into the computer. The restart is a necessary part of the update.

Here are the things you want to consider when creating these GPOs: when will you be applying these updates, what time of day, which day of the week? These are all questions you should be asking yourself. For example, on my network I schedule my updates for every Wednesday at 10 PM or 22:00. On that same Wednesday night at 9:30 PM all users are logged off every machine on the network. You don't want to interfere with your employees, but you also don't want the computers to break from a bad patch or update on a Friday morning. You want to avoid spending the entire Friday and parts of the weekend fixing broken software.

Let's create the Windows Update policy first:

Open up the Group Policy Manager either on the server or via Remote Administration Tools.

Create a new policy and name it something like WSUS_Desktops. This will be the desktop update policy and will reside in the OU where all the network computers are.

Link the new policy to the appropriate OU. It is good practice to test a policy before rolling it out, so maybe first link the GPO to a test OU, or set Item Level Targeting for the time being. This is how I do it on my network.

In the new GPO navigate to Computer Configuration, Policies, Administrative Templates, Windows Components, and Windows Update.

Open up Windows Update to see the policies in there.

I only care about 5 of those policies. You can get away with using as few as 2 to push Windows updates via WSUS using a GPO.

Configure Automatic Updates: this policy setting sets up how the updates are downloaded and how they are scheduled to install. I use option 4 – Auto download and schedule the install. I schedule the download time for every Wednesday at 22:00 or 10 PM. Enable it and set the options as appropriate for your environment.

Specify intranet Microsoft update service location: this policy setting points the computers to the server where you installed the WSUS application. Input the HTTP address of the WSUS server and port, for example http://server-name:8530. You don't need to use an FQDN. If you need to find the port number for your WSUS instance, remote into the server where WSUS resides, open IIS Manager, and select Sites; in the right pane you will see all the running websites and which ports they are on.

Enable the policy and input the address in the two fields under the Options pane, the same address for both the intranet update service and the statistics server.

Automatic Updates detection frequency: this sets the interval at which the desktop computers check back with the WSUS server to see if there are any new Windows updates. The default is 22 hours; this setting is optional.

Turn off the upgrade to the latest version of Windows through Windows Update: this will prevent the dreaded Windows 10 upgrade from showing up on your Windows desktops. This is optional but a wise choice if you choose to enable it.

Enable client-side targeting: this policy setting has only one purpose, which is to set the target group in WSUS. Whatever you enter as the group name, this is what the computers that use this Group Policy will be sorted under in WSUS. Do not forget to change the Automatic Approvals in WSUS to this group and make sure all the auto approvals are pointing to the correct computer group name. The policy will not auto-create the group in WSUS; you have to create it manually. Once you create it, the computers will be automatically added to the group.

One thing to consider is that you might want to adjust the Security Filtering for the GPO. I changed mine to Domain Computers and removed Authenticated Users; since this policy only targets the machines and not the users, this makes sense. Once the policy has been in place for a few minutes, you can run the gpupdate command at the command line on your test desktop to try to update the group policies on that computer.

Then you can check to see which update server the computer is pointing to by running the following command with elevated privileges on the test desktop:

REG QUERY "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate"

This will show you the WUServer value, which is the Windows Update server address.

If this value is not present then the Group Policy has not been applied yet; you might need to reboot. Alternatively you can try to manually register the computer with the server using the following command: wuauclt /detectnow.
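
To check the whole client policy rather than only WUServer, the following PowerShell compares the registry values written by the GPO with the settings described above. It is an added example, not part of the original post; the function names, the server address and the group name Desktops are placeholders to replace with your own values.

```powershell
# Added example, not from the original post. Server and group names are
# placeholders; the schedule values match the post (Wednesday, 22:00).
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-PolicyValues([string]$Path) {
    # Read every value under a registry key into a hashtable (empty if absent).
    $values = @{}
    if (Test-Path $Path) {
        $key = Get-Item -Path $Path
        foreach ($name in $key.GetValueNames()) { $values[$name] = $key.GetValue($name) }
    }
    $values
}

function Test-WsusPolicy {
    # Emits one string per mismatch; no output means the client matches.
    param([hashtable]$Wu, [hashtable]$Au, [string]$Server, [string]$Group)
    if (-not $Wu.ContainsKey('WUServer')) {
        'WUServer is missing: the GPO has not applied yet (run gpupdate or reboot)'
        return
    }
    if ($Wu.WUServer -ne $Server) { "WUServer is $($Wu.WUServer), expected $Server" }
    if ($Wu.WUStatusServer -ne $Wu.WUServer) { 'WUStatusServer differs from WUServer' }
    if ($Wu.WUServer -like 'http://*') { 'WUServer uses plain HTTP, not HTTPS' }
    if ($Au.UseWUServer -ne 1) { 'UseWUServer is not 1: the client ignores WUServer' }
    if ($Au.AUOptions -ne 4) { 'AUOptions is not 4 (auto download and schedule the install)' }
    # ScheduledInstallDay: 0 = every day, 1 = Sunday ... 4 = Wednesday
    if ($Au.ScheduledInstallDay -ne 4 -or $Au.ScheduledInstallTime -ne 22) {
        'Install schedule is not Wednesday at 22:00'
    }
    if ($Wu.TargetGroupEnabled -ne 1 -or $Wu.TargetGroup -ne $Group) {
        "Client-side targeting is not set to group '$Group'"
    }
}

# Constructed sample: a client that got the server address but not the target group.
$sampleWu = @{ WUServer = 'http://server-name:8530'; WUStatusServer = 'http://server-name:8530' }
$sampleAu = @{ UseWUServer = 1; AUOptions = 4; ScheduledInstallDay = 4; ScheduledInstallTime = 22 }
Test-WsusPolicy -Wu $sampleWu -Au $sampleAu -Server 'http://server-name:8530' -Group 'Desktops'

# On the test desktop itself, check the live registry instead:
Test-WsusPolicy -Wu (Get-PolicyValues $WuKey) -Au (Get-PolicyValues "$WuKey\AU") `
    -Server 'http://server-name:8530' -Group 'Desktops'
```

For the constructed sample the function reports the plain-HTTP address and the missing target group.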

Once you have that working, you can create a Group Policy to log users off before the updates roll out each week. This is important as the computers might not reboot if users are still logged on to the desktops during the update process. Users have to log off so that the policy can reboot the PCs and roll out successful Windows Updates.

Create a new policy and name it something along the lines of Users Log Off. Link this GPO to the appropriate OU, one where all the network users reside. Again, you might want to test the policy first before deploying it to everyone in your domain. Open up the GPO to User Configuration, Preferences, Control Panel Settings, Scheduled Tasks.

Create a new task and call it something along the lines of “Log off Notify”. This task will notify users 15 minutes before logging them off to have them save their work so as not to lose it. The task should look similar to the following.