
Registry Keys for Tweaking Windows Update (Part 1)

• Published: May 03, 2006
• Updated: May 17, 2006
• Section: Articles & Tutorials :: Windows XP
• Author: Brien M. Posey

Although Windows Update and WSUS are both generally pretty simple to configure, you can
sometimes gain a higher level of control over them by making a few minor modifications to the
Windows registry. In this article, I will show you some registry keys that are associated with
Windows Update. As I do, I will show you the various settings that you can assign to those
registry keys.

Before I Begin
Before I get started, I need to keep the lawyers happy by telling you that modifying the Windows
registry can be dangerous. Incorrectly modifying the registry can destroy Windows and / or your
applications. I therefore strongly recommend that you perform a full system backup prior to
attempting any of the techniques that I am about to show you.
Now that I’ve gotten the standard disclaimer out of the way, there is one more thing that I need
to tell you before I get started. The registry tweaks that I am about to show you are intended for
machines that are running Windows XP. You can apply the tweaks to individual machines
directly, or you can apply modifications as a part of a login script. Also, some of the keys that I
am going to be talking about may not exist by default. If you want to use a key that does not
exist, you will have to create it. You should also keep in mind that Windows Update’s behavior
can be controlled by a group policy, and that if a group policy is in effect, it can cause portions of
the registry to be overwritten after you have made changes.

Elevation of Privileges
One of the problems with receiving updates from a WSUS server is that users are not allowed to
approve or disapprove of updates unless they are a member of the local administrators group.
However, you can use the registry to give users an elevation of privileges that will allow them to
approve or disapprove of updates regardless of whether or not they are a local administrator. On
the flip side, you could also deny end users the ability to approve updates, reserving that right for
Admins.
The registry key that controls this behavior is:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ElevateNonAdmins
The ElevateNonAdmins key has two possible values. The default value of 1 allows
non-administrators to approve or deny updates. If you change this value to 0, then only
administrators will be allowed to approve or deny updates.

Target Groups
One of the nice things about WSUS is that it allows you to use client side targeting. The idea
behind client side targeting is that you can set up different computer groups, and you can roll out
updates on a group basis. Client side targeting isn’t used by default, but if you decide to use it,
then there are two different registry keys that you will have to create. One of these keys enables
client side targeting, while the other specifies the name of the target group that the computer
belongs to. Both of these registry keys must be created at:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
The first key is a DWORD key named TargetGroupEnabled. You can assign this key a value of
either 0, which disables client side targeting, or of 1, which enables client side targeting.
The other key that you will have to create is a string value named TargetGroup. The value that
you assign to this key is the name of the target group that the computer should be assigned to.

Assigning a WSUS Server


If you have been involved in networking for a while, then you probably know that network
designs tend to change over time. Things like company growth, new security requirements, and
corporate restructurings often force the underlying network to change. So what does this have to
do with Windows Update? Well, WSUS is scalable and can be deployed in a hierarchical
manner. This means that an organization can have a multitude of WSUS servers deployed. If a
PC is moved to a different part of the company, then the WSUS server that it was initially
configured to use may no longer be appropriate for its new location. Fortunately, a couple of
simple registry modifications can be used to change the WSUS server that the PC gets its updates
from.
There are actually two registry keys that are used when specifying a WSUS server. Both of these
keys are located at:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
The first key is named WUServer. This registry key holds a string value which should be entered
as the WSUS server’s URL (example: http://SEGURIDAD-AGSNA).
The other key that you will have to change is a string value named WUStatusServer. The idea
behind this key is that the PC must report its status to a WSUS server so that the WSUS server
knows which updates have been applied to the PC. The WUStatusServer key normally holds the
exact same value as the WUServer key (example: http://SEGURIDAD-AGSNA).

The Automatic Update Agent


So far I have talked about how to connect the PC to a specific WSUS server or to a specific
target group, but this is only half of the process. Windows Update uses an update agent that
actually installs the updates. There are a number of registry keys located at
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
that control the automatic update agent.
The first of these keys is the AUOptions key. This DWORD value can be assigned a value of
either 2, 3, 4, or 5. A value of 2 indicates that the agent should notify the user prior to
downloading updates. A value of 3 indicates that updates will be automatically downloaded and
the user will be notified of installation. The recommended procedure for servers is to set
AUOptions to 3, which won't install the updates until the administrator chooses to do so during a
scheduled outage. A value of 4 indicates that updates should be automatically downloaded and
installed according to a schedule. For this option to work, the ScheduledInstallDay and
ScheduledInstallTime keys must also be set. I will talk more about those keys later on. Finally, a
value of 5 indicates that automatic updates are required, but can be configured by end users.
The next key that I want to talk about is the AutoInstallMinorUpdates key. This key can be set to
a value of either 0 or 1. If the key is set to 0, then minor updates are treated just like any other
update. If the key’s value is set to 1, then minor updates are silently installed in the background.
Another key related to the Automatic Update Agent is the DetectionFrequency key. This key
allows you to specify how often the agent looks for updates. The key’s value must be a whole
number between 1 and 22, and indicates the number of hours between each detection attempt.
A related registry key is the DetectionFrequencyEnabled key. As the name implies, this key
either enables or disables the Detection Frequency function. Setting this key to a value of 0
causes the DetectionFrequency key to be ignored, while setting it to a value of 1 causes the agent
to use the DetectionFrequency value.
The next key that I want to talk about is the NoAutoUpdate key. If this key is set to a value of 0,
then automatic updates are enabled. If the key’s value is set to 1, then automatic updates are
disabled.
The last registry key that I want to talk about is the NoAutoRebootWithLoggedOnUsers key. As
you probably know, some updates simply cannot be applied without rebooting the system. If a
user happens to be logged in, then a system mandated reboot can be very disruptive. This is
especially true if the user has walked away from their desk without saving their work. This is
where the NoAutoRebootWithLoggedOnUsers key comes into play. The key can be assigned
either a value of 0 or 1. If the value is set to 0, then users will receive a five minute warning and
then the system will reboot automatically. If the value is set to 1, then users will simply receive a
message asking them to reboot their systems, but they can reboot at their leisure.
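The WSUS server, target group and update agent values described in Part 1 can be rolled out from a login script as a single .reg file. The following Python is an added example, not code from the original article; the server URL and group name are hypothetical placeholders, and ElevateNonAdmins defaults to 0 here so that approving updates stays with administrators.

```python
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"

def reg_sz(name, text):
    """String value line: backslashes and double quotes are escaped."""
    escaped = text.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{name}"="{escaped}"'

def reg_dword(name, number):
    """DWORD value line: eight lowercase hex digits."""
    return f'"{name}"=dword:{number:08x}'

def build_reg(wsus_url, target_group=None, au_options=3,
              install_day=None, install_time=None, elevate_non_admins=False):
    """Render a .reg file that points a PC at one WSUS server and target group."""
    if au_options not in (2, 3, 4, 5):
        raise ValueError("AUOptions must be 2, 3, 4 or 5")
    if au_options == 4 and (install_day is None or install_time is None):
        raise ValueError("AUOptions 4 needs ScheduledInstallDay and ScheduledInstallTime")
    if install_day is not None and not 0 <= install_day <= 7:
        raise ValueError("ScheduledInstallDay must be 0 (every day) or 1-7")
    policy = [
        reg_sz("WUServer", wsus_url),
        reg_sz("WUStatusServer", wsus_url),  # normally the same as WUServer
        reg_dword("ElevateNonAdmins", int(elevate_non_admins)),  # 0: admins only
        reg_dword("TargetGroupEnabled", 1 if target_group else 0),
    ]
    if target_group:
        policy.append(reg_sz("TargetGroup", target_group))
    agent = [reg_dword("NoAutoUpdate", 0), reg_dword("AUOptions", au_options)]
    if au_options == 4:
        agent += [reg_dword("ScheduledInstallDay", install_day),
                  reg_dword("ScheduledInstallTime", install_time)]
    lines = ["Windows Registry Editor Version 5.00", "", f"[{BASE}]", *policy,
             "", f"[{BASE}\\AU]", *agent, ""]
    return "\r\n".join(lines)

# Hypothetical server URL and group name, used only for this example.
if __name__ == "__main__":
    print(build_reg("http://wsus.example.test", "Workstations", au_options=4,
                    install_day=4, install_time=3))
```

Write the returned text to a file and import it from the login script with regedit /s. A group policy that sets the same values will overwrite them, as noted at the start of the article.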

Registry Keys for Tweaking Windows Update (Part 2)


In Part 1 of this article series, I explained that although Windows Update is self configuring for
the most part, there are a large number of registry keys that you can use to tweak Windows
Update’s behavior. This is especially useful if you are downloading updates from a WSUS
server. In this article, I will continue the discussion where I left off in Part 1 by exploring the
remaining Windows Update related registry keys.

Before I Begin
Before I get started, I have to keep the lawyers happy by telling you that making modifications to
the registry can be dangerous. Making an incorrect registry modification can destroy Windows
and / or any applications that are running on the machine. You should therefore make a full
system backup before attempting any of the registry tweaks that I am about to show you.
One other thing that I want to mention before I get started is that if you try some of these
modifications and you don’t get the results that you are expecting, try checking to see if there is a
group policy that mandates Windows Update settings for the machine. Group policies can
sometimes modify a registry key so that it follows the mandated behavior rather than using any
modifications that might have been previously made.
Finally, I want to mention that I ended Part 1 of this article by discussing some of the registry
keys found in the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\windows\Windows
Update section of the registry. All of the registry keys that I will be discussing in this article are
found in this section of the registry as well. None of the registry keys that I am about to show
you exist by default, but you can create them to achieve the desired behavior. If you choose to
create a registry key, then please keep in mind that the key names that I will be showing you are
case sensitive and any of these keys that you create should be created as DWORD values.

Disabling Windows Update


The first key that I want to show you is the NoAutoUpdate key. You can use the NoAutoUpdate
key to either enable or disable Windows Update. Normally, this probably isn’t a key that you
want to use, but it does have its place. If you happen to work in an environment without an
Internet connection and/or you do not have a WSUS server, then you might disable Windows Update
just so that it does not become a nuisance. I don’t recommend creating this registry key unless
you need to disable Windows Update. If you do need to disable Windows Update, then you can create
a key named NoAutoUpdate with a DWORD value of 1. Changing the value to 0 re-enables
automatic updates.

Reboot Reminders
Have you ever applied an update to a server and then had Windows prompt you to reboot the
server at a time that just wasn’t convenient? Personally, I’ve always found it annoying that
Windows Update keeps prompting you to reboot your server every few minutes while you are
trying to work. You can however change the reminder frequency. To do so, simply create a
registry key named RebootRelaunchTimeout. The value that you assign to this registry key
should reflect the number of minutes that you want Windows to wait between reminders. For
example, if you wanted a reminder every half hour, then you would set the value to 30. You can
set the RebootRelaunchTimeout registry key to use any positive integer from 1 to 1440.
Of course you also have the option of getting rid of reboot reminders completely. To do so,
create a registry key named RebootRelaunchTimeoutEnabled, and set the value to 0. If you
decide later that you want to re-enable reboot reminders then just change this key’s value to 1.
If you have ever worked with scheduled updates, you might have noticed that Windows can be
configured so that the computer automatically reboots after an update requiring a reboot is
applied. When automatic update is configured in this way, the user will receive a warning
message before their computer reboots. The warning says something like “your computer will
reboot in 5 minutes”. As you might have already guessed though, this reboot count down is
controlled by the Windows registry. You can therefore tweak the registry to give users more or
less warning prior to a reboot.
To create a custom reboot count down, simply create a registry key named
RebootWarningTimeout. You can then assign this key a value that corresponds to the number of
minutes that you want to give the user from the time that the warning is first displayed until
the computer reboots. For example, setting this registry key to a value of 10 would give the
users a ten minute warning. Valid values include positive integers ranging from 1 to 30.
If you plan on using the RebootWarningTimeout key to specify a custom reboot warning
countdown, you will have to use the RebootWarningTimeoutEnabled registry key to enable it.
To do so, create a registry key named RebootWarningTimeoutEnabled, and set its value to 1.
Setting this value to 0 will cause Windows to use a five minute reboot countdown regardless of
what has been set through the RebootWarningTimeout key.

Applying Missed Updates


Although Windows Update gives you the ability to schedule updates, things can happen that
cause a computer to miss the scheduled update period. For example, the computer could be
turned off at the scheduled update time. When a scheduled update is missed, Windows will
attempt to install the update the next time that the computer is booted. However, it can be
disruptive to the user to have updates installed as soon as their computer boots up. You can
therefore set a timer to control the number of minutes that Windows should wait after the system
boots to install missed scheduled updates.
Before I show you how to set the timer, I should mention that this only applies to missed
scheduled updates, not updates with an expired deadline. With that said, you can create the timer
by creating a registry key named RescheduleWaitTime and assigning it a value that reflects the
number of minutes that Windows should wait from the time that the system boots until missed
updates are installed. Valid values are positive integers ranging from 1 to 60.
If you plan on using the RescheduleWaitTime registry key, you will have to use a second
registry key to enable it. The name of the second required key is RescheduleWaitTimeEnabled.
Assigning this key a value of 1 will enable the reschedule wait timer registry key, whereas
setting this key to a value of 0 will cause the wait timer to be ignored.

Scheduling Installations
I have talked a lot about scheduled installations, but I want to show you one last trick. You can
use the registry to set the installation schedule. There are two registry keys that are used when
scheduling an update. The first of these keys is ScheduledInstallDay. Assigning this key a value
of 0 indicates that Windows updates should be installed regardless of what day it is. You can
however specify a day by specifying a positive integer ranging from 1 to 7. The number that you
specify designates a day of the week. A value of 1 sets the installation day to Sunday. Setting
the value to 2 sets installation day to Monday. If you are going to limit installations to one
day a week, it is recommended that you use Wednesday (value=4), since most Microsoft patches
will be released on Tuesday.
One thing that you need to know about the ScheduledInstallDay key is that it is ignored unless
the
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions
key is set to a value of 4. I discussed this key in Part 1.
The last key that I want to talk about is the ScheduledInstallTime key. This key tells Windows
what time of day updates should be installed. Valid values for this key are positive integers
ranging from 1 to 24, which reflect the hour of the day in military time. As such, a value of 3
would reflect a 3:00 AM installation time. A value of 13 would be a 1:00 PM installation time.
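Several of the keys in both parts only take effect when a companion key is set: the timers need their Enabled flag, and the schedule needs AUOptions set to 4. The following Python is an added example, not code from the original article; it reads an exported .reg file and reports values that the agent would ignore, values outside the ranges given above, and a disabled agent. The sample export is constructed for illustration.

```python
import re

# (value, enabling flag, minimum, maximum) as stated in the article
PAIRS = [
    ("DetectionFrequency", "DetectionFrequencyEnabled", 1, 22),
    ("RebootRelaunchTimeout", "RebootRelaunchTimeoutEnabled", 1, 1440),
    ("RebootWarningTimeout", "RebootWarningTimeoutEnabled", 1, 30),
    ("RescheduleWaitTime", "RescheduleWaitTimeEnabled", 1, 60),
]
LINE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Flatten a .reg export into name -> int (DWORD) or str (string)."""
    values = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            values[m[1]] = int(m[2], 16) if m[2] is not None else m[3]
    return values

def audit(values):
    findings = []
    for name, flag, lo, hi in PAIRS:
        v = values.get(name)
        if v is not None and values.get(flag) != 1:
            findings.append(f"{name} is set but {flag} is not 1, so it is ignored")
        if v is not None and not (isinstance(v, int) and lo <= v <= hi):
            findings.append(f"{name}={v!r} is not a DWORD in {lo}-{hi}")
    if values.get("AUOptions") == 4:
        for need in ("ScheduledInstallDay", "ScheduledInstallTime"):
            if need not in values:
                findings.append(f"AUOptions=4 but {need} is missing")
    elif "ScheduledInstallDay" in values:
        findings.append("ScheduledInstallDay is ignored unless AUOptions is 4")
    if values.get("NoAutoUpdate") == 1:
        findings.append("NoAutoUpdate=1: automatic updates are disabled")
    return findings

# Constructed sample export of the AU key (not taken from a real machine)
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AUOptions"=dword:00000003
"NoAutoUpdate"=dword:00000001
"ScheduledInstallDay"=dword:00000004
"RebootWarningTimeout"=dword:0000002d
"RebootRelaunchTimeout"=dword:0000001e
"RebootRelaunchTimeoutEnabled"=dword:00000001
'''
print("\n".join(audit(parse_reg(SAMPLE))))
```

Files exported by regedit are normally UTF-16 encoded, so open them with that encoding before passing the text to parse_reg.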

Conclusion
As you can see, there are a tremendous number of registry keys that can be used to configure
Windows Update. If you are thinking about trying these keys out, I recommend testing your
settings on a single PC before rolling out your changes on a large scale.
