I have a virtual machine in a DMZ which is not part of my Active Directory domain; however, I want to configure it to point at my internal Windows Server Update Services (WSUS) VM for patching. If it had been in AD I would have deployed a GPO; however, that not being an option, I resorted to a registry change.
Note – all firewall rules were in place to allow the flow of traffic between WSUS and the DMZ VM.
```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"ElevateNonAdmins"=dword:00000000
"TargetGroupEnabled"=dword:00000001
"TargetGroup"="SERVERS"
"WUServer"="http://lab-wsus.lab.local:8530"
"WUStatusServer"="http://lab-wsus.lab.local:8530"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAUAsDefaultShutdownOption"=dword:00000001
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000003
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"UseWUServer"=dword:00000001
```
The above changes force the server to connect to my specified WSUS server and set a few options for whether to auto-install etc. This works out really well, as it allows me to leverage WSUS for deploying updates and also reduces the number of ingress points I have to open on the firewall for that DMZ VM, which can only be a good thing.
If you would like to do something similar, just copy the code block above into a text file, change the file extension to .reg, then right-click it and select Merge. You will probably be prompted with at least one dialog box/UAC pop-up. Accept these and you should be good to go.
It’s a quick, simple method; however, there are alternate ways, such as the reg command or PowerShell.
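The PowerShell route mentioned above, as an added example that is not part of the original post: it writes the same values as the .reg file, reads each one back, and warns when the WSUS URL is plain HTTP. `Set-WsusClientPolicy` is a hypothetical function name; the URL and target group are the post's own values.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): same policy values as the .reg file.
# Set-WsusClientPolicy is a hypothetical helper name.
function Set-WsusClientPolicy {
    param(
        [Parameter(Mandatory)][string]$WsusUrl,
        [Parameter(Mandatory)][string]$TargetGroup
    )
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $plan = @(
        @{ Path = $wu; Settings = [ordered]@{
            ElevateNonAdmins   = 0
            TargetGroupEnabled = 1
            TargetGroup        = $TargetGroup
            WUServer           = $WsusUrl
            WUStatusServer     = $WsusUrl } }
        @{ Path = "$wu\AU"; Settings = [ordered]@{
            NoAUAsDefaultShutdownOption = 1
            NoAutoUpdate                = 0
            AUOptions                   = 3
            ScheduledInstallDay         = 0
            ScheduledInstallTime        = 3
            UseWUServer                 = 1 } }
    )
    # Plain HTTP leaves client-to-WSUS traffic unencrypted; flag it so it is a conscious choice.
    if ($WsusUrl -notmatch '^https://') {
        Write-Warning "WUServer '$WsusUrl' is not HTTPS."
    }
    foreach ($key in $plan) {
        if (-not (Test-Path $key.Path)) { New-Item -Path $key.Path -Force | Out-Null }
        foreach ($name in $key.Settings.Keys) {
            $value = $key.Settings[$name]
            # Integers are written as REG_DWORD, everything else as REG_SZ (matches the .reg file).
            $type = if ($value -is [int]) { 'DWord' } else { 'String' }
            New-ItemProperty -Path $key.Path -Name $name -Value $value -PropertyType $type -Force | Out-Null
            # Read the value back so a failed write is visible in the output.
            $actual = (Get-ItemProperty -Path $key.Path -Name $name).$name
            [pscustomobject]@{ Key = $key.Path; Name = $name; Expected = $value; Actual = $actual; Ok = ($actual -eq $value) }
        }
    }
}

# Values taken from the post.
Set-WsusClientPolicy -WsusUrl 'http://lab-wsus.lab.local:8530' -TargetGroup 'SERVERS' | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the DMZ VM; any row with `Ok` set to `False` means the value on disk differs from what was requested.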