WSUS – DMZ Server

I have a virtual machine in a DMZ which is not part of my Active Directory domain, but I want it to point at my internal Windows Server Update Services (WSUS) VM for patching. Had it been domain-joined I would have deployed a GPO; as that is not an option, I resorted to a registry change.

Note that all firewall rules were already in place to allow traffic between the WSUS server and the DMZ VM.

Windows Registry Editor Version 5.00

; WSUS client policy values; these are the registry equivalents of the
; Windows Update settings a GPO would set on a domain-joined machine.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
; 0 = only administrators receive update notifications
"ElevateNonAdmins"=dword:00000000
; Enable client-side targeting and name the WSUS computer group this server reports into
"TargetGroupEnabled"=dword:00000001
"TargetGroup"="SERVERS"
; Intranet update server and status/reporting server (8530 is the WSUS HTTP port; 8531 is HTTPS)
"WUServer"="http://lab-wsus.lab.local:8530"
"WUStatusServer"="http://lab-wsus.lab.local:8530"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
; Do not make "Install Updates and Shut Down" the default shutdown option
"NoAUAsDefaultShutdownOption"=dword:00000001
; 0 = Automatic Updates enabled
"NoAutoUpdate"=dword:00000000
; 3 = auto download and notify for install (4 = auto download and install on the schedule below)
"AUOptions"=dword:00000003
; Schedule, only used when AUOptions is 4: day 0 = every day, time 3 = 03:00
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
; 1 = use the WUServer above instead of Microsoft Update
"UseWUServer"=dword:00000001

The above changes force the server to use my specified WSUS server, along with a few settings that control whether and when updates are downloaded and installed. This works out really well: it lets me leverage WSUS for deploying updates and also reduces the number of ingress points I have to open on the firewall for that DMZ VM, which can only be a good thing.

If you would like to do something similar, copy the code block above into a text file, change the file extension to .reg, then right-click the file and select Merge. You will probably be prompted with at least one dialog box/UAC pop-up; accept these and you should be good to go.

It’s a quick, simple method; however, there are alternative ways to apply the same settings, such as the reg command or PowerShell.
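As an added example (not from the original post), the PowerShell route below writes the same values as the .reg file, reads them back to confirm nothing was mistyped or silently skipped, and then asks the Windows Update agent to re-detect against WSUS. It assumes an elevated PowerShell session on the DMZ server and reuses the post's WSUS URL and target group name; the COM `DetectNow()` call is the standard Windows Update Agent API.

```powershell
# Added example, not from the original post: apply the WSUS client policy with
# PowerShell instead of merging a .reg file, verify it, and trigger a detection.
# Assumptions: elevated session on the DMZ server; URL and group as in the post.
$WsusUrl     = 'http://lab-wsus.lab.local:8530'
$TargetGroup = 'SERVERS'

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

# The Policies\...\WindowsUpdate keys do not exist on a fresh, non-domain-joined
# machine, so create them before writing any values.
foreach ($key in @($wuKey, $auKey)) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Value name => @(registry type, data), mirroring the .reg file in the post.
$settings = @{
    $wuKey = @{
        ElevateNonAdmins   = @('DWord',  0)
        TargetGroupEnabled = @('DWord',  1)
        TargetGroup        = @('String', $TargetGroup)
        WUServer           = @('String', $WsusUrl)
        WUStatusServer     = @('String', $WsusUrl)
    }
    $auKey = @{
        NoAUAsDefaultShutdownOption = @('DWord', 1)
        NoAutoUpdate                = @('DWord', 0)
        AUOptions                   = @('DWord', 3)   # download, notify before install
        ScheduledInstallDay         = @('DWord', 0)   # every day (only used with AUOptions 4)
        ScheduledInstallTime        = @('DWord', 3)   # 03:00
        UseWUServer                 = @('DWord', 1)
    }
}

# Write every value with an explicit type; -Force overwrites anything already there.
foreach ($key in $settings.Keys) {
    foreach ($name in $settings[$key].Keys) {
        $type, $data = $settings[$key][$name]
        New-ItemProperty -Path $key -Name $name -PropertyType $type -Value $data -Force | Out-Null
    }
}

# Verify: read each value back and report anything that differs from what was written.
$mismatches = foreach ($key in $settings.Keys) {
    $actual = Get-ItemProperty -Path $key
    foreach ($name in $settings[$key].Keys) {
        $expected = $settings[$key][$name][1]
        if ("$($actual.$name)" -ne "$expected") {
            "{0}\{1}: expected '{2}', found '{3}'" -f $key, $name, $expected, $actual.$name
        }
    }
}
if ($mismatches) {
    $mismatches | Write-Warning
} else {
    Write-Host 'WSUS client policy applied and verified.'
}

# Restart the Windows Update service so it re-reads policy, then force a detection
# cycle so the server shows up in the WSUS console under the SERVERS group.
Restart-Service -Name wuauserv -Force
(New-Object -ComObject 'Microsoft.Update.AutoUpdate').DetectNow()
```

The read-back step is the part worth keeping even if you stay with the .reg file: a value written as the wrong type (for example WUServer as a DWORD) is ignored by the agent without any error, and the server simply never appears in WSUS. If the WSUS server has a certificate bound, pointing WUServer and WUStatusServer at the HTTPS URL on port 8531 instead of the plain-HTTP URL on 8530 is the more robust choice for a host outside the domain; the example keeps the post's URL as written. The same .reg file can also be applied without the Merge dialog using `reg import <file>.reg` from an elevated prompt.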
