Using WSUS without Active Directory

Windows Software Update Server (WSUS) is a great product that can be used to push out updates to your Windows computers. If you are deploying it in an Active Directory domain, you can use a GPO to quickly and easily configure your computers to use Automatic Updates and look to the WSUS server for those updates. But what if you are not using AD, can you still use WSUS? Yes.....



WSUS works just as well in Non-AD enviroments although the configuration is a bit more work on the client side. In order to control the behaviour of Automatic Updates and point the computers to the WSUS server there are a number of registry entries that have to be modified and/or created. To begin, open up regedit and drill down to:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Win dows\WindowsUpdate

These five settings control the WSUS enviroment.

WUServer: Defines the location of the WSUS Server
- RegString - http://wsus_server_name

WUStatus: Defines the location of the WSUS Status Server
- RegString - http://wsus_server_name

TargetGroupEnabled: Enables (1) or disables (0) client side targeting
- Reg_DWORD - 1 or 0

TargetGroup: Defines the name of the target group
- Reg_String - Groupname

ElevateNonAdmins: Enables (1) or disables (0) non-admin users from controlling what updates get installed.
- Reg_DWORD - 1 or 0


The next set of options configures Automatic Updates on the client. These options are located in the registry under

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Win dows\WindowsUpdate\AU

There are alot of options but I am only going to cover the main ones.

AUOptions: Automatically download and schedule installation.
- Reg_DWORD - 4

ScheduledInstallDay: The day of the week to install the downloaded hotfxes, 0 = everday.
- Reg_DWORD - 0

ScheduledInstallTime: The time of day to install the downloaded hotfixes, n = hour (0-23)
- Reg_DWORD - 3 (3:00 AM)

DetectionFrequencyEnabled: Enables (1) or disables (0) the detection frequency interval
- Reg_DWORD - 1

DetectionFrequency: Specifies the detection frequency interval, n=hours (0-22)
- Reg_DWORD - 22

NoAutoRebootWithLoggedOnUsers: Prevents Automatic Updates from rebooting the computer if a user is logged in. If set to 1 the user will be prompted to reboot, if set to 0 the user will be warned that the PC is rebooting in 5 minutes.
- Reg_DWORD - 1

UseWUServer: This must be present and set to 1 in order for the WSUS Enviroment values to be used.
- Reg_DWORD - 1

These are the main options that need/should be set, however there are many more options you can configure.

On the client, run "wuauclt.exe /detectnow" after making the registry changes to connect to the WSUS server.

See the attached reg file for an example.

SOURCE: http://technet2.microsoft.com/Window....mspx?mfr=true

Attached Files

wsus_client.reg (766 Bytes, 40 views)