Microsoft update server location in GPO
For additional settings that configure when Feature and Quality updates are received, see Configure Windows Update for Business. Specifies an intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. This setting lets you specify a server on your network to function as an internal update service.
The Automatic Updates client will search this service for updates that apply to the computers on your network. You must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update Agent to download updates from an alternate download server instead of the intranet update service.
If the setting is set to Enabled, the Automatic Updates client connects to the specified intranet Microsoft update service (or alternate download server), instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don't have to go through a firewall to get updates, and it gives you the opportunity to test updates after deploying them. If the setting is set to Disabled or Not Configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
The alternate download server configures the Windows Update Agent to download files from an alternative download server instead of the intranet update service. The option to download files with missing URLs allows content to be downloaded from the Alternate Download Server when there are no download URLs for files in the update metadata.
This option should only be used when the intranet update service does not provide download URLs in the update metadata for files which are present on the alternate download server. If the "Configure Automatic Updates" policy is disabled, then this policy has no effect. If the "Alternate Download Server" is not set, it will use the intranet update service by default to download updates. The option to "Download files with no Url

Specifies the hours that Windows will use to determine how long to wait before checking for available updates.
The exact wait time is determined by using the hours specified here minus zero to twenty percent of the hours specified. For example, if this policy is used to specify a hour detection frequency, then all clients to which this policy is applied will check for updates anywhere between 16 to 20 hours.
If the setting is set to Enabled, Windows will check for available updates at the specified interval. If the setting is set to Disabled or Not Configured, Windows will check for available updates at the default interval of 22 hours. The "Specify intranet Microsoft update service location" setting must be enabled for this policy to have effect. Any background update scans, downloads and installations will continue to work as configured. The other options are 80 and ; no other ports are supported.
As Windows clients refresh their computer policies (the default Group Policy refresh setting is 90 minutes and when a computer restarts), computers start to appear in WSUS. Now that clients are communicating with the WSUS server, create the computer groups that align with your deployment rings.
The following procedures use the groups from Table 1 in Build deployment rings for Windows client updates as examples. You can use computer groups to target a subset of devices that have specific quality and feature updates.
These groups represent your deployment rings, as controlled by WSUS. Now that the groups have been created, add the computers to the computer groups that align with the desired deployment rings. Adding computers to computer groups in the WSUS Administration Console is simple, but it could take much longer than managing membership through Group Policy, especially if you have many computers to add. In this example, you add computers to computer groups in two different ways: by manually assigning unassigned computers and by searching for multiple computers.
From there, you can use the following procedure to add computers to their correct groups. This example has only two computers; depending on how broadly you deployed your policy, you will likely have many computers here.
Select both computers, right-click the selection, and then click Change Membership. Because they were assigned to a group, the computers are no longer in the Unassigned Computers group. If you select the Ring 2 Pilot Business Users computer group, you will see both computers there. Another way to add multiple computers to a deployment ring in the WSUS Administration Console is to use the search feature. In the search results, select the computers, right-click the selection, and then click Change Membership.
For these cases, consider using Group Policy to target the correct computers, automatically adding them to the correct WSUS deployment ring based on an Active Directory security group.
This process is called client-side targeting. This option is exclusively either-or. Now that WSUS is ready for client-side targeting, complete the following steps to use Group Policy to configure client-side targeting. When using client-side targeting, consider giving security groups the same names as your deployment rings. This is the name of the deployment ring in WSUS to which these computers will be added.
WSUS respects the client device's servicing branch.

Dual scan happens due to the WUfB policies that people put into place without understanding what they do - they just sound good at the time the admin is reading it. The alternative URL gives a location if the client can't find the update files on the WSUS server, where should it go next? If left blank, it goes to Microsoft.

Ok, that really didn't answer what I was after. It seems in our setup with WSUS, updates are getting pushed out to PCs from Microsoft the day they are released or that night, so right now I am not controlling when updates get pushed out. Though from what you are saying, that isn't the correct way to handle it. So what are we missing? Ok, I did some more reading and believe the reason our systems are in dual scan mode is we have a GPO set.
What you can do in the meantime: If you need to unblock this scenario immediately, then we recommend the following workaround applied to all managed clients. This configuration does not allow for any update content to be installed via Windows Update, so if this is a key requirement for your deployment, then our recommendation is to wait for the update coming in a few months.
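
The policy interactions described on this page (intranet service location, the "Configure Automatic Updates" dependency, detection frequency, and dual scan) can be checked mechanically; the following is an added example, not code from the original page or from Microsoft. It assumes policy values exported from the Windows Update policy registry key into a dictionary, uses a hypothetical host name, and treats a WUfB deferral value alongside an intranet service as the dual scan condition, which is an assumption.

```python
# Added example (not from the original page). Keys are the registry value
# names under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and its
# AU subkey; the sample dictionaries at the bottom are constructed.
DEFAULT_DETECTION_HOURS = 22  # default interval stated on this page

def detection_window(hours):
    """Wait time is the configured hours minus 0-20%: (earliest, latest)."""
    return (hours * 4 / 5, float(hours))

def evaluate(policy):
    """Resolve where a client scans for updates and list policy conflicts."""
    findings = []
    wsus = policy.get("WUServer")
    intranet = policy.get("UseWUServer") == 1 and bool(wsus)
    if policy.get("UseWUServer") == 1 and not wsus:
        findings.append("UseWUServer=1 but WUServer is empty")
    if policy.get("NoAutoUpdate") == 1:
        # "Configure Automatic Updates" disabled: intranet policy has no effect.
        if intranet:
            findings.append("intranet service set but Automatic Updates disabled")
        source, intranet = "automatic updates disabled", False
    elif intranet:
        source = wsus
    else:
        source = "Windows Update (Internet)"
    if intranet and not policy.get("WUStatusServer"):
        findings.append("WUStatusServer (statistics server) not set")
    hours = DEFAULT_DETECTION_HOURS
    if policy.get("DetectionFrequencyEnabled") == 1:
        if intranet:
            hours = policy.get("DetectionFrequency", hours)
        else:
            findings.append("detection frequency ignored: intranet service not enabled")
    # Assumption: a WUfB deferral value next to an intranet service means dual scan.
    deferrals = ("DeferQualityUpdates", "DeferFeatureUpdates")
    if intranet and any(policy.get(k) == 1 for k in deferrals):
        findings.append("dual scan: deferral policy set with intranet service")
    return {"source": source, "detection_hours": hours, "findings": findings}

# Constructed sample exports (hypothetical host name).
RING_OK = {"UseWUServer": 1, "WUServer": "https://wsus.example.internal",
           "WUStatusServer": "https://wsus.example.internal",
           "DetectionFrequencyEnabled": 1, "DetectionFrequency": 20}
DUAL_SCAN = dict(RING_OK, DeferQualityUpdates=1)
NO_WSUS = {"DetectionFrequencyEnabled": 1, "DetectionFrequency": 4}

if __name__ == "__main__":
    for name, p in (("ok", RING_OK), ("dual", DUAL_SCAN), ("no_wsus", NO_WSUS)):
        print(name, evaluate(p), detection_window(evaluate(p)["detection_hours"]))
```

A non-empty `findings` list for a client that is expected to take updates only from WSUS is the case to investigate first, since it means approvals on the WSUS server may not be what controls that client.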