Example configurations

Scenario: Force updates and restarts at a specific time. For example:

  • Install updates on Friday nights at 11PM
  • Force a restart soon after installation

Recommended configuration:

Use the Configure Automatic Updates policy:

  • Enable the policy
  • Use option #4 – Auto download and schedule the install
  • Deselect “Install during automatic maintenance”
  • Set “6 – Every Friday” for the scheduled install day
  • Set “23:00” for the scheduled install time

Use the Always automatically restart at the scheduled time policy:

  • Enable the policy
  • Configure the timer to the desired value (default is 15 minutes)

Scenario: Stagger installs and restarts across different hours and days on different machines.

Recommended configuration: Start with the same configuration as the above scenario. Set different scheduled install days and times for different groups which you don’t want rebooting at the same time.

Scenario: Force updates at a specific day and time, but preserve the default Windows 8 restart behavior.

Recommended configuration: Start with the same configuration as the above scenarios, but do not enable the Always automatically restart at the scheduled time policy.

Verify that client updates are controlled by Group Policy

Open Control Panel, then System and Security, then Windows Update. If the main page shows “You receive updates: Managed by your system administrator”, the client is controlled by Group Policy.

Alternatively, click “Change settings” on the left-hand side. If you see “Some settings are managed by your system administrator” and the selections are greyed out, the client is controlled by Group Policy.
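The same check can be made from the registry, where the two policies from the first scenario store their settings. This is an added example, not part of the original page; the expected values assume the first scenario (Friday 23:00, forced restart with the default 15-minute timer) and need adjusting for the staggered or no-forced-restart scenarios.

```powershell
# Added example, not from the original page. Run in PowerShell on the client.
# The value names are the ones the Windows Update policies write to the registry.
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Expected values for the first scenario above (assumption: adjust per scenario).
# AbsentOk = $true means a missing value also satisfies the scenario.
$expected = @(
    @{ Name = 'NoAutoUpdate';                           Value = 0;  AbsentOk = $false } # policy enabled
    @{ Name = 'AUOptions';                              Value = 4;  AbsentOk = $false } # option #4
    @{ Name = 'AutomaticMaintenanceEnabled';            Value = 0;  AbsentOk = $true  } # deselected
    @{ Name = 'ScheduledInstallDay';                    Value = 6;  AbsentOk = $false } # 6 = Friday
    @{ Name = 'ScheduledInstallTime';                   Value = 23; AbsentOk = $false } # 23:00
    @{ Name = 'AlwaysAutoRebootAtScheduledTime';        Value = 1;  AbsentOk = $false } # forced restart
    @{ Name = 'AlwaysAutoRebootAtScheduledTimeMinutes'; Value = 15; AbsentOk = $false } # default timer
)

if (-not (Test-Path $au)) {
    Write-Warning 'Policy key not found: no Automatic Updates policy values on this client.'
} else {
    $actual = Get-ItemProperty -Path $au
    $report = foreach ($e in $expected) {
        $prop = $actual.PSObject.Properties[$e.Name]
        if ($null -eq $prop) { $shown = '(not set)'; $ok = $e.AbsentOk }
        else                 { $shown = $prop.Value; $ok = ($prop.Value -eq $e.Value) }
        [pscustomobject]@{ Setting = $e.Name; Expected = $e.Value; Actual = $shown; Match = $ok }
    }
    $report | Format-Table -AutoSize
    if ($report.Match -contains $false) {
        Write-Warning 'At least one setting differs from the expected scenario.'
    }
}
```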

Synchronize automatically: The maximum number of synchronizations per day is 24.

Approve and deadline

Approving updates:

One of the advantages of using WSUS is that you control which updates clients receive and when clients receive those updates. This gives you an opportunity to test the updates and then roll them out to the computer groups.

Deadline:

You can specify a deadline when you approve an update or set of updates on the WSUS server. Setting a deadline causes clients to install the update at a specific time.

  • If the client contacts the server after the update deadline has passed, it tries to install the update as soon as possible.
  • If you wish computers to install an update immediately, you can specify a deadline in the past.
  • If an update has a deadline and requires a restart and the computer has not been restarted, the system reboots at the time of the deadline.

 

Viewing Reports

To see detailed information about updates, computers, and synchronization, you can run the WSUS built-in reports (requires Microsoft Report Viewer Redistributable 2008).

WSUS includes the following reports:

Update reports:

• Update Status Summary: Shows detailed information about every update that you choose to report on, the computer groups that an update has been approved for, and the number of computers the update was installed on.
• Update Detailed Status: Shows detailed information about every update that you choose to report on, the computer groups that an update has been approved for, and the number of computers the update was installed on. It also shows the update status for all computers.
• Update Tabular Status: Similar to the Update Status Summary report and the Update Detailed Status report, but uses a table format that can be exported.
• Update Tabular Status for Approved Updates: Shows all approved updates in a table format that can be exported.

Computer reports:

• Computer Status Summary: Displays update information for every computer within the organization.
• Computer Detailed Status: Displays each update installed on each computer.
• Computer Tabular Status: Displays information similar to the Computer Status Summary and Computer Detailed Status, but uses a table format that can be exported.
• Computer Tabular Status for Approved Updates: Shows all approved updates in a table format that can be exported.

Synchronization Reports:

• Synchronization Results: Displays the results of the last synchronization.

 

Administering WSUS with Commands

WSUSutil.exe (located in the %drive%\Program Files\Update Services\Tools folder on your WSUS server) allows you to manage WSUS from the command line.

Some of the options include:

• export: Exports the update metadata to an export package file.
• import: Imports the update metadata from an export package file.
• movecontent: Changes the file system location where the WSUS server stores update files and optionally copies any update files from the old location to the new location.
• reset: Checks that every update metadata row in the database has corresponding update files stored in the file system.
• deleteunneededrevisions: Purges the update metadata for unnecessary update revisions from the database.

PowerShell:

• Add-WsusComputer: Adds an already registered specified client computer to a specified target group.
• Approve-WsusUpdate: Approves an update to be applied to clients.
• Deny-WsusUpdate: Declines the update for deployment.
• Get-WsusClassification: Gets the list of all WSUS classifications currently available in the system.
• Get-WsusComputer: Gets the WSUS computer object that represents the client computer.
• Get-WsusProduct: Gets the list of all products currently available on WSUS by category.
• Get-WsusServer: Gets the value of the WSUS update server object.
• Get-WsusUpdate: Gets the WSUS update object with details about the update.
• Invoke-WsusServerCleanup: Performs the process of cleanup on a specified WSUS server.
• Set-WsusClassification: Sets whether the classifications of updates that WSUS synchronizes are enabled or disabled.
• Set-WsusProduct: Sets whether the product representing the category of updates to synchronize is enabled or disabled.
• Set-WsusServerSynchronization: Sets whether the WSUS server synchronizes from Microsoft Update or from an upstream server and uses the upstream server properties.

Get-Command *-Wsus*: Lists all the WSUS cmdlets that are available.

To find out more about a cmdlet's syntax, use Get-Help <cmdletname>.
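The test-then-roll-out approval flow and the deadline described under "Approve and deadline" can be scripted with these cmdlets. This is an added example, not part of the original page; the group names Pilot and Production are hypothetical, and the deadline step calls the WSUS administration API because Approve-WsusUpdate has no deadline parameter.

```powershell
# Added example, not from the original page. Run on the WSUS server in an
# elevated PowerShell session. Group names are hypothetical placeholders.
$pilotGroup = 'Pilot'
$prodGroup  = 'Production'
$apply      = $false   # leave $false to preview only; set $true to approve

# 1. Security updates that clients need and that nobody has approved yet.
$pending = Get-WsusUpdate -Classification Security -Approval Unapproved -Status FailedOrNeeded
$pending | ForEach-Object { $_.Update.Title }

# 2. Approve them for the pilot group first so they can be tested.
$pending | Approve-WsusUpdate -Action Install -TargetGroupName $pilotGroup -WhatIf:(-not $apply)

# 3. After testing, approve for production with a deadline through the API
#    object behind each update (IUpdate.Approve with a DateTime deadline).
$wsus     = Get-WsusServer
$target   = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $prodGroup }
$deadline = (Get-Date).Date.AddDays(7).AddHours(23)   # constructed: 23:00, seven days out
$action   = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install

if (-not $target) {
    Write-Warning "Target group '$prodGroup' not found on this WSUS server."
} elseif ($apply) {
    foreach ($u in $pending) {
        # Clients that contact the server after the deadline install as soon as possible.
        $u.Update.Approve($action, $target, $deadline) | Out-Null
    }
} else {
    Write-Host "Preview: $(@($pending).Count) update(s) would get deadline $deadline for '$prodGroup'."
}
```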

From a client computer

To show the list of installed updates:

wmic qfe list

For a specific update (note that the double quotation marks are required):

wmic qfe list | find "KB5022502"