Configure WSUS Using Group Policy PDF

25/8/2014 Configure Automatic Updates using Group Policy 1/7
Configure Automatic Updates using Group Policy
Updated: August 23, 2011
Applies To: Windows Server 2003 with SP2, Windows Server 2008 R2, Windows Server 2008 R2 with SP1, Windows Server Update Services, Windows Small
Business Server 2011 Standard
In an Active Directory environment, you can use Group Policy or Registry Editor to configure Automatic Updates. This topic describes how to configure Automatic
Updates by using Group Policy.
Administrator-defined configuration options always take precedence over user-defined options.
In this topic:
How to use the WSUS Administrative Template
WSUS settings for Automatic Updates
How to use the WSUS Administrative Template
This topic assumes that you already use and are familiar with Group Policy. For more information about the Group Policy Management Console (GPMC), see
Group Policy Management Console.
Group Policy options for WSUS are set in the WSUS Administrative Template, wuau.adm. Depending on the operating system version that you are running, the
latest WSUS Administrative Template might already be loaded in the GPMC. The WSUS Administrative Template in GPMC stores most WSUS Group Policy
settings in the Computer Configuration\Administrative Templates\Windows Components\Windows Update\ node. A few WSUS Group Policy settings are
stored in the User Configuration\Administrative Templates\Windows Components\Windows Update\ node.
To manually load the WSUS Administrative Template into GPMC, follow the instructions in Add or Remove Classic Administrative Templates. By default,
administrative template files are stored in the \Program Files\Update Services\adm\language folder, where language is the language that you want to use in
the GPMC. For example, the \fra folder contains the French version of wuau.adm, and the \enu folder contains the American English version of wuau.adm.
Be aware that once you deploy a domain Group Policy that includes Automatic Updates settings, it overrides the same settings if they
were specified in the local policy. Such behavior can lead to issues like the one mentioned in the article Clients Unable to Receive Updates with Error
For additional information about Administrative Templates, see Classic Administrative Templates and Administrative Template Policy settings.
WSUS settings for Automatic Updates
When the WSUS administrative template is loaded in GPMC, you can view and modify the WSUS client-side settings that configure Automatic Updates. For
additional configuration guidance for Automatic Updates, see Plan Automatic Updates Settings.
After you set up a client computer to use WSUS, it can take up to 90 minutes before that computer displays in the WSUS Administration Console. This is
because, by default, Group Policy updates every 90 minutes, with a random offset of 0 to 30 minutes. You can use the gpupdate /force command on the
client computer to force an immediate refresh of Group Policy. For more information, see Refresh Group Policy in the Network Policy Server Deployment
The following table summarizes the WSUS settings that you can configure by using Group Policy. All settings reside in the Computer Configuration section of
GPMC, unless otherwise noted. Be aware that additional Group Policy settings might be available for WSUS, because the exact set of available Group Policy
settings depends on the version of the Windows operating system that is running. The GPMC user interface supplies additional information about these

Setting Summary
Allow Automatic Updates
immediate installation
Specifies whether Automatic Updates should automatically install certain updates that do not disrupt services or restart
The available setting options offer the following results:

Option Result
Enabled Automatic Updates immediately installs these updates after they are downloaded.
Disabled Updates are not immediately installed.
Not Configured Updates are not immediately installed. A local administrator can change this setting by using the Local
Group Policy Editor.
Allow non-administrators
to receive update
Specifies whether logged-on non-administrative users can receive update notifications. The available setting options offer
the following results:

Option Result
Enabled Automatic Updates notifies non-administrative users about updates. Non-administrative users do not need
elevated permissions to install optional, recommended, and important updates, or to install updates that
contain User Interface, Microsoft License Terms, or Automatic Updates setting changes.
Disabled Only logged-on administrators receive update notifications.
Not Configured Only logged-on administrators receive update notifications. A local administrator can change this setting
by using local policy.
Allow signed updates from
an intranet Microsoft
update service location
Allows you to manage whether Automatic Updates accepts updates that are signed by non-Microsoft parties when the
update is located on a Microsoft intranet service location. If this policy is not enabled, users can only receive updates that
are signed by Microsoft.
The available setting options offer the following results:

Option Result
Enabled Automatic Updates receives non-Microsoft signed updates.
Disabled Only updates that are signed by Microsoft are available for download.
Not Configured Only updates that are signed by Microsoft are available for download. A local administrator can change
this setting by using local policy.
Automatic Updates
detection frequency
Specifies how long Windows waits before it checks for available updates. The default interval is 22 hours.
The exact wait time is the number of hours minus a random value between 0 and 20 percent of that number. For example, if
this policy specifies a 20-hour detection frequency, Windows will check for updates anywhere between 16 and 20 hours.
The available setting options offer the following results:

Option Result
Enabled Automatic Updates checks for available updates at the specified interval.
Disabled Automatic Updates checks for available updates at the default interval of 22 hours.
Not Configured Automatic Updates checks for available updates at the default interval of 22 hours. A local administrator
can change this setting by using local policy.
Configure Automatic
Specifies whether Automatic Updates is enabled on the computer. When you enable Automatic Updates, you can configure
download and installation options.
The available setting options offer the following results:

Option Result
Enabled Specifies whether the computer will receive updates by using Automatic Updates. When you enable this
setting, you must select one of the following configuration options:
2 = Notify before updates are downloaded and notify again before updates are installed.
3 = Default setting. Automatically download updates and notify when they are ready to be installed.
4 = Automatically download updates and install them on the specified schedule. If you select this
option, you must specify a day and a time for Automatic Updates to search for, download, and
install updates.
5 = Allow local administrators to select the way in which Automatic Updates notifies and installs
updates. By using this option, the local administrator can schedule the update installation times.
Local administrators cannot disable Automatic Updates.
Disabled Any available updates must be manually downloaded and installed.
Not Configured Automatic Updates is not enabled or configured, but a local administrator can enable and configure
Automatic Updates by using Control Panel or local policy.
Delay restart for scheduled
Specifies the time that Automatic Updates waits before it proceeds with a restart. This policy applies only when Automatic
Updates is configured to perform scheduled update installations. If the Configure Automatic Updates policy is disabled,
this policy has no effect.
The available setting options offer the following results:

Option Result
Enabled A scheduled restart occurs the specified number of minutes after the update is installed.
Disabled A scheduled restart occurs after the default wait time of fifteen minutes after the update is installed.
Not Configured A scheduled restart occurs after the default wait time of fifteen minutes after the update is installed. A local
administrator can change this setting by using local policy.
Do not adjust default
option to Install Updates
and Shut Down in Shut
Down Windows dialog box
Allows you to manage whether the Install Updates and Shut Down option can be the default choice in the Shut Down
Windows dialog box. You can set this option in the Computer Configuration and User Configuration areas of GPMC. This
policy setting has no effect if the Computer Configuration\Administrative Templates\Windows Components\Windows
Update\Do not display Install Updates and Shut Down option in the Shut Down Windows dialog box setting is enabled.
The available setting options offer the following results:

Option Result
Enabled The user's last shut down choice (for example, Hibernate or Restart) is the default option in the Shut Down
Windows dialog box, regardless of whether the Install Updates and Shut Down option is available.
Disabled The Install Updates and Shut Down option is the default option in the Shut Down Windows dialog box if
updates are available for installation at the time that the user selects the Shut Down option in the Start
Not Configured The Install Updates and Shut Down option is the default option in the Shut Down Windows dialog box if
updates are available for installation at the time that the user selects the Shut Down option in the Start
menu. A local administrator can change this setting by using local policy.
Do not display Install
Updates and Shut Down
option in Shut Down
Windows dialog box
Allows you to manage whether the Install Updates and Shut Down option is displayed in the Shut Down Windows dialog
box. You can set this option in the Computer Configuration and User Configuration areas of GPMC. The available setting
options offer the following results:

Option Result
Enabled Install Updates and Shut Down does not appear in the Shut Down Windows dialog box, even if updates
are available for installation when the user selects the Shut Down option in the Start menu.
Disabled The Install Updates and Shut Down option is available in the Shut Down Windows dialog box if updates
are available when the user selects the Shut Down option in the Start menu.
Not Configured The Install Updates and Shut Down option is available in the Shut Down Windows dialog box if updates
are available when the user selects the Shut Down option in the Start menu. A local administrator can
change this setting by using local policy.
Enable client-side
Enables users of client computers to add themselves to precreated computer groups on a WSUS server. This option is valid
only when Automatic Updates is redirected to a WSUS server. If the Specify intranet Microsoft update service location
policy is not enabled, this policy has no effect.
The available setting options offer the following results:

Option Result
Enabled The computer identifies itself as a member of a particular computer group when it sends information to
the WSUS server. The WSUS server uses this information to determine which updates should be deployed
to this computer. You can assign a client computer to more than one computer group by separating the
computer group names with a semicolon and a space.
Disabled No computer group information is sent to the WSUS server.
Not Configured No computer group information is sent to the WSUS server. A local administrator can change this setting
by using local policy.
Enabling Windows Update
Power Management to
automatically wake up the
system to install
scheduled updates
Specifies whether Automatic Updates wakes the system from hibernation to install updates.
Automatic Updates will wake the system to install updates if the following are true:
Automatic Updates is configured to automatically install updates.
The system is in hibernation at the scheduled installation time and there are updates to install, or if an installation
deadline occurs.
If the system is running on battery power when Automatic Updates wakes it, updates are not installed and the system
automatically returns to hibernation in two minutes.
The available setting options offer the following results:

Option Result
Enabled Automatic Updates wakes the system from hibernation to install updates under the previously listed
Disabled Automatic Updates does not wake the system from hibernation to install updates.
Not Configured Automatic Updates does not wake the system from hibernation to install updates. A local administrator
can change this setting by using local policy.
No auto-restart with
logged-on users for
scheduled automatic
updates installations
Specifies that to complete an installation, Automatic Updates will wait for the computer to be restarted by any logged-on
user instead of forcing the computer to automatically restart. This policy applies only when Automatic Updates is configured
to perform scheduled update installations. If the Configure Automatic Updates policy is disabled, this policy has no effect.
This setting does not allow non-administrative Terminal Services users to restart a remote computer where they are logged
on. By default, non-administrative Terminal Services users do not have computer restart permissions.
The available setting options offer the following results:

Option Result
Enabled Automatic Updates does not automatically restart a computer during a scheduled installation if a user is
logged on to the computer. Instead, Automatic Updates notifies the logged-on user to restart the
computer to complete the installation. Automatic Updates cannot detect future updates until the restart
Disabled Automatic Updates notifies the logged-on user that the computer will automatically restart in five minutes
to complete the installation.
Not Configured Automatic Updates notifies the logged-on user that the computer will automatically restart in five minutes
to complete the installation. A local administrator can change this setting by using local policy.
Re-prompt for restart with
scheduled installations
Specifies the time that Automatic Updates waits before it prompts the logged-on user to restart the computer. This policy
applies only when Automatic Updates is configured to perform scheduled update installations. If the Configure Automatic
Updates policy is disabled, this policy has no effect.
The available setting options offer the following results:

Option Result
Enabled A scheduled restart occurs the specified number of minutes after the prompt for restart message is
Disabled A scheduled restart occurs ten minutes after the prompt for restart message is dismissed.
Not Configured A scheduled restart occurs ten minutes after the prompt for restart message is dismissed. A local
administrator can change this setting by using local policy.
Reschedule Automatic
Updates scheduled
Specifies the time that Automatic Updates waits after a system startup before it proceeds with a missed scheduled
installation. This policy applies only when Automatic Updates is configured to perform scheduled update installations. If the
Configure Automatic Updates policy is disabled, this policy has no effect.
The available setting options offer the following results:

Option Result
Enabled A missed installation occurs the specified number of minutes after the computer is restarted.
Disabled A missed installation occurs at the time of the next scheduled installation.
Not Configured A missed installation occurs one minute after the next time the computer is started.
Specify intranet Microsoft
Update service location
Specifies an intranet server to host updates from Microsoft Update. You can then use this update service to automatically
update computers on your network. This setting lets you specify a server on your network to function as an internal update
service. Automatic Updates will search this service for updates that apply to the computers on your network.
To use this setting, you must set two server name values: the server from which Automatic Updates detects and downloads
updates, and the server to which updated workstations upload statistics. You can set both values to be the same server.
If the Configure Automatic Updates policy is disabled, this policy has no effect.

Option Result
Enabled Automatic Updates connects to the specified intranet Microsoft update service, instead of to Windows
Update, to search for and download updates. Enabling this setting means that computers in your
organization do not have to go through a firewall to get updates, and it gives you the opportunity to test
updates before deploying them.
Disabled If Automatic Updates is not disabled by policy or user preference, Automatic Updates connects directly to
the Windows Update site on the Internet.
Not Configured If Automatic Updates is not disabled by policy or user preference, Automatic Updates connects directly to
the Windows Update site on the Internet.
Turn on recommended
updates via Automatic
Specifies whether Automatic Updates delivers important updates and recommended updates. The available setting options
offer the following results:

Option Result
Enabled Automatic Updates installs both recommended and important updates.
Disabled Automatic Updates installs important updates only.
Not Configured Automatic Updates installs important updates only. A local administrator can change this setting by using
Control Panel or local policy.
Turn on Software
Allows you to control whether users see detailed notification messages about featured software from the online Microsoft
Update service.
Detailed notification messages explain the value and promote the installation and use of optional software. This policy
setting is intended for use in a loosely managed environment in which users are allowed access to the online Microsoft
Update service.
If Automatic Updates is disabled or if you do not use the online Microsoft Update service, this policy has no effect.
The available setting options offer the following results:

Option Result
Enabled A notification message displays on the user's computer when featured software is available. The user can
obtain additional information about the software, and they can install the software.
Disabled Computers that are running Windows 7 are not offered these messages for optional applications.
Computers that are running Windows Vista are not offered these messages for optional applications or
Not Configured Computers that are running Windows 7 are not offered these messages for optional applications.
Computers that are running Windows Vista are not offered these messages for optional applications or
updates. A local administrator can change this setting by using Control Panel or local policy.
Remove links and access
to Windows Update
Prevents users from connecting to the Windows Update website. In the Group Policy Management Console, expand User
Configuration, expand Administrative Templates, and then click Start Menu and Taskbar.
The available setting options offer the following results:

Option Result
Enabled This setting blocks user access to the Windows Update website at
Also, the setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in
Internet Explorer.
Disabled Users are able to connect to the Windows Update website.
Not Configured Users are able to connect to the Windows Update website.
Turn off access to all
Windows Update features
Allows you to remove all access to Windows Update. In the Group Policy Management Console, expand Computer
Configuration, expand Administrative Templates, expand System, expand Internet Communication Management, and
then click Internet Communications Settings.
The available setting options offer the following results:

Option Result
Enabled All Windows Update features are removed. This setting blocks access to the Microsoft Update and
Windows Update websites. The computer will not get automatic updates directly from Windows Update or
Microsoft Update, but it can still get updates from a WSUS server. This setting overrides the user settings
Remove links and access to Windows Update and Remove access to use all Windows Update
Disabled All Windows Update features are available.
Not Configured All Windows Update features are available.
Remove access to use all
Windows Update features
Allows you to control Windows Update and Automatic Updates by preventing the operating system from being updated
through Windows Update. In the Group Policy Management Console, expand Computer Configuration, expand
Administrative Templates, expand Windows Components, and then click Windows Update.
The available setting options offer the following results:

Option Result
Enabled The operating system cannot be updated through Windows Update, and Automatic Updates is disabled.
Users or administrators can still perform actions such as clicking the Windows Update option on the Start
menu, and the Windows Update website will appear in the browser. However, it will not be possible to
update the operating system through Windows Update, regardless of the type of account that is being
used to log on.
Disabled The operating system will be updated through Windows Update and Automatic Updates.
Not Configured The operating system will be updated through Windows Update and Automatic Updates.
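The dependencies that the table above states between settings (which policies have no effect unless another is enabled, the two required server values, and the detection interval window) can be checked on a client with the following PowerShell. This is an added example, not part of the original Microsoft topic. The registry value names are the documented Windows Update policy values, which this page does not list, and the sample values at the end are constructed.

```powershell
# Added example: checks Windows Update policy values against the rules in the table above.
# Value names are the documented policy registry values; this page does not list them.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusPolicyValues {
    # Merge the WindowsUpdate and WindowsUpdate\AU policy values into one hashtable.
    $values = @{}
    foreach ($path in @($WuKey, "$WuKey\AU")) {
        $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -notlike 'PS*') { $values[$prop.Name] = $prop.Value }
        }
    }
    $values
}

function Test-WsusPolicy {
    param([hashtable]$Policy = (Get-WsusPolicyValues))
    $notes      = New-Object 'System.Collections.Generic.List[string]'
    $auDisabled = $Policy['NoAutoUpdate'] -eq 1
    $scheduled  = (-not $auDisabled) -and ($Policy['AUOptions'] -eq 4)
    $useWsus    = $Policy['UseWUServer'] -eq 1
    if ($auDisabled) {
        $notes.Add('Configure Automatic Updates is Disabled: updates must be installed manually.')
    } elseif ($Policy.ContainsKey('AUOptions')) {
        $notes.Add("Configure Automatic Updates is Enabled with option $($Policy['AUOptions']).")
    }
    # Restart and reschedule policies apply only to scheduled installations (option 4).
    foreach ($name in 'RebootWarningTimeoutEnabled', 'NoAutoRebootWithLoggedOnUsers',
                      'RebootRelaunchTimeoutEnabled', 'RescheduleWaitTimeEnabled') {
        if ($Policy[$name] -eq 1 -and -not $scheduled) {
            $notes.Add("$name is set but has no effect: installations are not scheduled.")
        }
    }
    # The intranet service needs both server values and an enabled Automatic Updates policy.
    if ($useWsus) {
        foreach ($name in 'WUServer', 'WUStatusServer') {
            if ([string]::IsNullOrEmpty($Policy[$name])) {
                $notes.Add("Intranet update service is enabled but $name is not set.")
            }
        }
        if ($auDisabled) { $notes.Add('Intranet service location has no effect: Automatic Updates is Disabled.') }
    }
    # Client-side targeting is valid only when the client is redirected to a WSUS server.
    if ($Policy['TargetGroupEnabled'] -eq 1) {
        if ($useWsus) {
            $groups = "$($Policy['TargetGroup'])" -split ';\s*' | Where-Object { $_ }
            $notes.Add("Client reports these computer groups: $($groups -join ', ').")
        } else {
            $notes.Add('Client-side targeting has no effect: no intranet update service is set.')
        }
    }
    if ($Policy['AcceptTrustedPublisherCerts'] -eq 1) { $notes.Add('Updates signed by non-Microsoft parties are accepted from the intranet service.') }
    # Detection wait is the configured hours minus a random 0 to 20 percent (default 22 hours).
    $hours = 22
    if ($Policy['DetectionFrequencyEnabled'] -eq 1 -and $Policy['DetectionFrequency']) { $hours = [int]$Policy['DetectionFrequency'] }
    $notes.Add(('Update detection runs every {0:N1} to {1} hours.' -f ($hours * 0.8), $hours))
    $notes
}
# Constructed sample: option 3 with a restart delay set and the statistics server missing.
$sample = @{ AUOptions = 3; RebootWarningTimeoutEnabled = 1; UseWUServer = 1
             WUServer = 'http://wsus.example.test'; TargetGroupEnabled = 1
             TargetGroup = 'Pilot; Workstations'; DetectionFrequencyEnabled = 1; DetectionFrequency = 20 }
Test-WsusPolicy -Policy $sample
```

Calling Test-WsusPolicy with no argument evaluates the policy values currently applied to the local computer instead of the sample.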
See Also
Plan Automatic Updates Settings
Configure Automatic Updates using Registry Editor
2014 Microsoft