Deploy WSUS And Manage Clients Without Active Directory

You  may have a small group of Windows computers in Workgroup setup because you do not have or plan to have full [easyazon_link identifier=”1449320023″ locale=”US” tag=”wn0d5-20″] Active Directory [/easyazon_link] for this small group of Windows computers. You still would like to manage their state of patching and do not spend too much, you would like to use the free Microsoft patching solution WSUS.

Good news is that this is possible to enroll Windows computers into WSUS without need of [easyazon_link identifier=”1514397765″ locale=”US” tag=”wn0d5-20″] Active Directory [/easyazon_link] and you can manage the patching for this small group of computers.

Here is my Batch script that will modify registry and add the desired settings to point to [easyazon_link identifier=”159749027X” locale=”US” tag=”wn0d5-20″] WSUS [/easyazon_link] and enroll the computers into specific TARGET group “TEAM-1”. Before you run in on your Windows 7 or Windows 8.x computer make sure to change the WSUS IP address and rename the TARGET group to your desired TargetGroup Name.

Copy and save as WSUS-Enroll.bat

@ECHO OFF &SETLOCAL disableDelayedExpansion # Target WSUS url reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "WUServer" /D "http://10.10.10.5:8530/"; # Target WSUS Reporting server reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "WUStatusServer" /D "http://10.10.10.5:8530/"; # Target WSUS Computer Group reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "TargetGroup" /D "TEAM-1" # Use Client Side Targeting reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "TargetGroupEnabled" /D 1 /t reg_dword # Download Updates and Notify User reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /D 3 /t reg_dword # Logged on user has option to reboot or not computer reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoRebootWithLoggedOnUsers" /D 1 /t reg_dword # Enable Automatic Windows Updates reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /D 0 /t reg_dword # The WSUS Server is not used unless this key is set reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "UseWUServer" /D 1 /t reg_dword wuauclt.exe /resetauthorization /detectnow wuauclt.exe /reportnow /detectnow

The script will modify the registry on the target computer and point and enroll the computer into WSUS server. In case you want to remove the computer from this and remove the settings here is the WSUS-remove.bat file for your use so you can put all back as it was before.

@ECHO OFF &SETLOCAL disableDelayedExpansion reg.exe delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /f reg.exe delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /f reg.exe delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /f reg.exe delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /f reg.exe delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /f reg.exe delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /f reg.exe delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /f reg.exe delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /f wuauclt.exe /resetauthorization /detectnow wuauclt.exe /reportnow /detectnow

Once your run WSUS-remove.bat – it will modify the registry on computer and remove all the settings that were used to enroll the computer into WSUS. All settings will be back as before and you can continued patching your system via MS Update manually or whatever way you have used before.

Here is some reference link on the Registry settings used in the script and what they mean – KB933844

[easyazon_image align=”none” height=”160″ identifier=”1514397765″ locale=”US” src=”http://blog.technotesdesk.com/wp-content/uploads/2015/08/51KhHsi3Y0L._SL160_.jpg” tag=”wn0d5-20″ width=”112″]