Share via

Best Practices with Windows Server Update Services

Applies To: Windows Server Update Services

This section provides best practices for managing updates through WSUS.

Use Group Policy to Update Multiple Computers

If you have set up Active Directory in your network, you can configure one or multiple computers simultaneously, by including them in a Group Policy object (GPO), and then configuring that GPO with WSUS settings. Microsoft recommends that you create a new Group Policy object (GPO) that contains only WSUS settings. Link this WSUS GPO to an Active Directory container appropriate for your environment. In a simple environment, you might link a single WSUS GPO to the domain. In a more complex environment, you might link multiple WSUS GPOs to several organizational units (OUs), which will enable you to apply different WSUS policy settings to different types of computers.


Microsoft recommends that you do not edit the Default Domain or Default Domain Controller GPOs.

Typically, when you configure WSUS through Group Policy (in an Active Directory network environment), you set up your client computers to connect to a WSUS server and download updates once a day. By default, this is every 22 hours (minus a random time offset, described later in this topic) at which time the approval actions you specified for the new updates (for example, installation, detection, or removal) run on the client computer.

However, if you are aware of and want to protect computers against immediate security threats, you might want to set up more a more frequent schedule for computers to contact the WSUS server, download, and install updates.

To specify how and when computers are updated through Group Policy

  1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

  2. In the details pane of Group Policy Object Editor, configure the appropriate policies. See the following table for examples of the policies you might want to set.

Policies for Configuring Automatic Updates Behavior

Policy Description

Configure Automatic Updates

By enabling this setting you enable your computer to receive updates through Automatic Updates on a computer or computer group. To complete this setting, you must then select one of the following four options:

  • Notify before downloading any updates and notify again before installing them.

  • Download the updates automatically and notify when they are ready to be installed (default setting)

  • Automatically download updates and install them on the schedule specified below

  • Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates

No auto-restart for scheduled Automatic Updates installations

Specifies that to complete a scheduled installation, Automatic Updates will wait for the computer to be restarted by any user who is logged on, instead of causing the computer to restart automatically.

Automatic Updates detection frequency

Configures the frequency with which computers contact the WSUS server. The exact time between contact will actually be the number of hours you specify here, minus zero to twenty percent of the hours specified. For example, if this policy is used to specify a 20-hour contact frequency, then all client computers to which this policy is applied will check for updates anywhere between 16 and 20 hours. If you leave this policy set to Disabled or Not Configured, Windows will check for available updates at the default interval of 22 hours.

Allow Automatic Updates immediate installation

Specifies whether Automatic Updates should automatically install certain updates that neither interrupt Windows services nor restart Windows.

It will take a few minutes before the new policies you have configured take effect. It will be about 20 minutes after Group Policy refreshes (applies any new settings to the client computer). By default, computer Group Policy refreshes in the background every 90 minutes, with a random offset of 0 to 30 minutes. If you want to refresh Group Policy sooner, you can go to a command prompt on the client computer and type: gpupdate /force.

For more information about Group Policy, see Group Policy at For more information about options for setting up and configuring your client computers in both Active Directory and non-Active Directory network environments, see Deploying Microsoft Windows Server Update Services at

Schedule Update Installations when there is Little Chance for Lost Productivity

In managing the process of updating computers (which includes WSUS servers), one of your main goals is to have any planned downtime occur when there is little chance for lost productivity. The following are suggestions for accomplishing this:

  • To update WSUS servers or specific computers efficiently, put the WSUS servers or computers in their own computer group, and deploy to that group with a deadline set for a time when it is feasible for the WSUS servers or computers to be down (for example, on Sunday at 3:00 A.M).

  • Deploy updates by using a deadline in the future. For example, set the WSUS servers or computers with a scheduled installation at a time when it is feasible for them to be briefly offline (for example, on Sunday at 3:00 A.M).

  • Configure client computers or WSUS servers through Group Policy to immediately install updates that do not require a restart. (Before you approve an update for installation, you can read the Description field in the properties for an update in order to determine whether the update will require restarting the computer. You can view the properties for an update by selecting it in the list of updates on the Updates page in the WSUS console.) Enable the policy to install immediately any updates that do not require a computer restart, so that they are installed every day. Computers can then install any updates that do not interrupt service when they are ready to install (that is, scheduling for Sunday morning installation would be unnecessary). The tile of this policy is Allow Automatic Updates immediate installation (see the table earlier in this topic for more information).

For maximum control over when your servers are restarted as necessitated by an update installation, set Group Policy to Download the updates automatically and notify when they are ready to be installed, and then create a script that enables to you accept and install the updates and then restart the computer on demand

Some updates require a computer restart after they are installed (and, by default, will restart computers 5 minutes after they are installed.) By not restarting your servers after installing these updates, you leave them at risk. However, depending on your network configuration, it might also risky to restart your servers automatically, since many other resources in your network could depend on a single server. In this case, it might not be feasible to schedule automatic scheduled restarts of your server.

There are a couple of Group Policies that enable you to configure when a computer is restarted. However, when talking about servers, these policies have some limitations over control:

  • No auto-restart for scheduled Automatic Updates installations—this policy will prevent automatic restarts of your server, and will enable manual restart—however, you have to log on to the server and then initiate the restart. This might not be practical if your server is typically unattended.

  • Delay restart for scheduled installations—this policy can delay the time between the update installation and the computer restart, however, the maximum time you can set here is 30 minutes.

If these are issues for you, consider the following procedure:

  1. Use Group Policy to configure automatic download, and manual installation of the updates. To do this, you would enable the Configure Automatic Updates Group Policy setting by selecting the Download the updates automatically and notify when they are ready to be installed option.

  2. Create a script to automate installing the updates and then restarting of your server. This script would have the effect of a “button” you would push to initiate all this, therefore the updates install and the server restarts when you run the script. You can do this at the most appropriate time. For more information about creating scripts to automate Automatic Updates tasks (for example downloading and installing updates on server and client computers), see Windows Update Agent Software Developer's Kit (