Deploy WSUS and manage clients without Active Directory

You may have a small group of Windows computers in a workgroup because you do not have, or do not plan to deploy, full Active Directory for them. You would still like to manage their patch state without spending much, so you would like to use WSUS, Microsoft's free patching solution.

The good news is that Windows computers can be enrolled into WSUS without Active Directory, so you can manage patching for this small group of computers.

Here is my batch script that modifies the registry to point the computer at WSUS and enroll it into the specific target group “TEAM-1”. Before you run it on your Windows 7 or Windows 8.x computer, make sure to change the WSUS IP address and rename the target group to your desired TargetGroup name.

Copy and save as WSUS-Enroll.bat

@ECHO OFF &SETLOCAL disableDelayedExpansion

REM Run from an elevated command prompt: these values are written under HKLM.
REM /f overwrites existing values without prompting, so the script can be re-run.

REM Target WSUS URL
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "WUServer" /t REG_SZ /d "http://10.10.10.5:8530/" /f

REM Target WSUS reporting server
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "WUStatusServer" /t REG_SZ /d "http://10.10.10.5:8530/" /f

REM Target WSUS computer group
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "TargetGroup" /t REG_SZ /d "TEAM-1" /f

REM Use client-side targeting
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "TargetGroupEnabled" /t REG_DWORD /d 1 /f

REM Download updates and notify the user
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d 3 /f

REM A logged-on user can choose whether or not to reboot the computer
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 1 /f

REM Enable automatic Windows updates
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d 0 /f

REM The WSUS server is not used unless this value is set
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "UseWUServer" /t REG_DWORD /d 1 /f

REM Re-register with the WSUS server, then trigger detection and reporting
wuauclt.exe /resetauthorization /detectnow
wuauclt.exe /reportnow /detectnow

The script modifies the registry on the target computer, pointing it at the WSUS server and enrolling it. If you want to remove the computer from WSUS and remove these settings, here is the WSUS-remove.bat file, so you can put everything back as it was before.

@ECHO OFF &SETLOCAL disableDelayedExpansion

REM Run from an elevated command prompt.
REM Deleting the WindowsUpdate policy key also deletes its AU subkey,
REM so a single delete removes every value the enroll script added.
reg.exe delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /f

wuauclt.exe /resetauthorization /detectnow
wuauclt.exe /reportnow /detectnow

Once you run WSUS-remove.bat, it modifies the registry on the computer and removes all the settings that were used to enroll it into WSUS. All settings will be back as before, and you can continue patching your system via MS Update manually or whichever way you used before.

Here is a reference on the registry settings used in the script and what they mean: KB933844
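
To confirm that enrollment took effect, the values written by WSUS-Enroll.bat can be read back and compared. This PowerShell check is an added example, not part of the original scripts; the function name Test-WsusClientPolicy is hypothetical and the defaults are the article's sample server and group. It also flags a plain http:// WSUS URL, because update traffic to that URL is not protected in transit.

```powershell
# Added example (not from the original article): audit the WSUS client policy
# values written by WSUS-Enroll.bat. Defaults are the article's sample values.
function Test-WsusClientPolicy {
    param(
        [string]$ExpectedServer = 'http://10.10.10.5:8530/',
        [string]$ExpectedGroup  = 'TEAM-1'
    )
    $wuPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuPath -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuPath\AU" -ErrorAction SilentlyContinue
    if (-not $wu -or -not $au) {
        return @('Policy keys not found: this computer is not enrolled by the script')
    }

    $findings = @()
    if ($au.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: the WUServer value is ignored'
    }
    # Compare without the trailing slash so both URL spellings match.
    if ("$($wu.WUServer)".TrimEnd('/') -ne $ExpectedServer.TrimEnd('/')) {
        $findings += "WUServer is '$($wu.WUServer)', expected '$ExpectedServer'"
    }
    if ($wu.WUStatusServer -ne $wu.WUServer) {
        $findings += 'WUStatusServer differs from WUServer: both should name the same server'
    }
    if ($wu.TargetGroupEnabled -ne 1 -or $wu.TargetGroup -ne $ExpectedGroup) {
        $findings += "Client-side targeting is not set to group '$ExpectedGroup'"
    }
    if ($au.NoAutoUpdate -eq 1) {
        $findings += 'NoAutoUpdate is 1: automatic updates are disabled'
    }
    # Plain HTTP leaves update traffic unprotected in transit; WSUS can also
    # be published over HTTPS (default port 8531).
    if ("$($wu.WUServer)" -notmatch '^https://') {
        $findings += 'WUServer does not use https://'
    }
    return $findings
}

$result = Test-WsusClientPolicy
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'WSUS client policy matches the expected settings.' }
```

With the sample values from the enroll script, the only warning on a correctly enrolled computer is the https:// one. After WSUS-remove.bat has run, the check reports that the policy keys are not found.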