Chef Cookbook to install and configure client for Windows Server Update Services (WSUS)
Latest commit 68ed723 Jan 10, 2017 @jmauro jmauro committed on GitHub Merge pull request #26 from criteo-cookbooks/travis
[CI] Update ruby version used in travis
Failed to load latest commit information.
libraries Fix "staturday" typo Mar 19, 2016
resources Describe new LWRP in the README Jun 15, 2015
spec Support chef 12.8.1 64bits Mar 31, 2016
test/cookbooks/wsus-client-test Describe new LWRP in the README Jun 15, 2015
.travis.yml [CI] Update ruby version used in travis Jan 10, 2017
Gemfile Setup test environment Jun 12, 2015
LICENSE Initial commit Sep 3, 2014
chefignore Initial commit Sep 3, 2014
metadata.rb Release v1.2.1 May 10, 2016

Wsus-client Cookbook

Cookbook Version Build Status

Configures WSUS clients to retrieve approved updates.


The PowerShell script will always fail if run via the winrm vagrant provider as the IUpdateSession::CreateUpdateDownloader is not available remotely.


The Microsoft.Update.Session object keeps a log in: C:\Windows\WindowsUpdate.log


This cookbook recommends Chef 11+.


  • Windows XP
  • Windows Vista
  • Windows Server 2003 R2
  • Windows 7
  • Windows Server 2008 (R1, R2)
  • Windows 8 and 8.1
  • Windows Server 2012 (R1, R2)


Using this cookbook is quite easy; add the desired recipes to the run list of a node, or role. Adjust any attributes as desired. For example, to configure a windows server role that connects to your WSUS server:

$ cat roles/updated_windows_server.rb
name 'updated_windows_server'
description 'Setup a windows server to keep up-to-date'


  wsus_client: {
    wsus_server: '',
    update_group: 'updated_server2015',

Providers & Resources


This provider allows to synchronously download and/or install available windows updates.


Action Description
download Download available updates
install Install downloaded updates

NOTE: The default behavior is [:download, :install]


Attribute Description Type Default
actions An array of actions to perform (see. actions above) Symbol array [:download, :install]
name Name of the resource String



Convenience recipe that configures WSUS client and performs a synchronous update. It basically includes wsus-client::configure and wsus-client::update


This recipe modifies the Windows registry to configure WSUS update settings.


The following attributes are used to configure the wsus-client::configure recipe, accessible via node['wsus_client'][attribute].

Attribute Description Type Default
wsus_server Defines a custom WSUS server to use instead of Microsoft Windows Update server String, URI nil
update_group Defines the current computer update group. (see client-side targeting) String nil
disable_windows_update_access Disables access to Windows Update (or your WSUS server) TrueClass, FalseClass false
enable_non_microsoft_updates Allows signed non-Microsoft updates. TrueClass, FalseClass true
allow_user_to_install_updates Authorizes Users to approve or disapprove updates. TrueClass, FalseClass false
auto_install_minor_updates Defines whether minor update should be automatically installed. TrueClass, FalseClass false
no_reboot_with_logged_users Disables automatic reboot with logged-on users. TrueClass, FalseClass true
automatic_update_behavior Defines auto update behavior. Symbol* :disabled
detection_frequency Defines times in hours between detection cycles. FixNum 22
schedule_install_day Defines the day of the week to schedule update install. Symbol** :every_day
schedule_install_time Defines the time of day in 24-hour format to schedule update install. FixNum (1-23) 0
schedule_retry_wait Defines the time in minutes to wait at startup before applying update from a missed scheduled time FixNum (0-60) 0
reboot_warning Defines time in minutes of the restart warning countdown after reboot-required updates automatic install FixNum (1-30) 5
reboot_prompt_timeout Defines time in minutes between prompts for a scheduled restart FixNum (1-1440) 10

* automatic_update_behavior values are:

# :disabled  = Disables automatic updates
# :detect    = Only notify users of new updates
# :download  = Download updates, but let users install them
# :install   = Download and install updates
# :manual    = Lets the users configure the behavior

** schedule_install_day possible values are: :every_day, :sunday, :monday, :tuesday, :wednesday, :thursday, :friday, :saturday


This recipe performs a synchronous detection and install of available Windows updates.


The following attributes are used to configure the wsus-client::update recipe, accessible via node['wsus_client'][attribute].

Attribute Description Type Default
download_only Determines whether available update should be installed once downloaded. TrueClass, FalseClass false


  1. Fork the repository on Github
  2. Create a named feature branch (like add_component_x)
  3. Write your change
  4. Write tests for your change (if applicable)
  5. Run the tests, ensuring they all pass
  6. Submit a Pull Request using Github

License and Authors

Authors: Baptiste Courtois (

Copyright 2014-2015, Criteo.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
See the License for the specific language governing permissions and
limitations under the License.