Microsoft TechNet
United States (English) Sign in
Home Library Wiki Learn Gallery Downloads Support Forums Blogs
3 out of 5 rated this helpful - Rate this topic

Configure Automatic Updates using Group Policy

Updated: August 23, 2011

Applies To: Windows Server 2003 with SP2, Windows Server 2008 R2, Windows Server 2008 R2 with SP1, Windows Server Update Services, Windows Small Business Server 2011 Standard

In an Active Directory environment, you can use Group Policy or Registry Editor to configure Automatic Updates. This topic describes how to configure Automatic Updates by using Group Policy.

Administrator-defined configuration options always take precedence over user-defined options.

In this topic:

How to use the WSUS Administrative Template

This topic assumes that you already use and are familiar with Group Policy. For more information about the Group Policy Management Console (GPMC), see Group Policy Management Console.

Group Policy options for WSUS are set in the WSUS Administrative Template, wuau.adm. Depending on the operating system version that you are running, the latest WSUS Administrative Template might already be loaded in the GPMC. The WSUS Administrative Template in GPMC stores most WSUS Group Policy settings in the Computer Configuration\Administrative Templates\Windows Components\Windows Update\ node. A few WSUS Group Policy settings are stored in the User Configuration\Administrative Templates\Windows Components\Windows Update\ node.

To manually load the WSUS Administrative Template into GPMC, follow the instructions in Add or Remove Classic Administrative Templates. By default, administrative template files are stored in the \Program Files\Update Services\adm\language folder, where language is the language that you want to use in the GPMC. For example, the \fra folder contains the French version of wuau.adm, and the \enu folder contains the American English version of wuau.adm.

ImportantImportant
It is important to mention that once you deploy your domain group policy that includes automatic update settings; this will override the same settings if they were specified in the local policy. Such behavior can lead to issues like the one mentioned in the article Clients Unable to Receive Updates with Error 8024402C.

For additional information about Administrative Templates, see Classic Administrative Templates and Administrative Template Policy Settings.

WSUS settings for Automatic Updates

When the WSUS administrative template is loaded in GPMC, you can view and modify the WSUS client-side settings that configure Automatic Updates. For additional configuration guidance for Automatic Updates, see Plan Automatic Updates Settings.

noteNote
After you set up a client computer to use WSUS, it can take up to 90 minutes before that computer displays in the WSUS Administration Console. This is because, by default, Group Policy updates every 90 minutes, with a random offset of 0–30 minutes. You can use the gpupdate /force command on the client computer to force an immediate refresh of Group Policy. For more information, see Refresh Group Policy in the Network Policy Server Deployment Guide.

The following table summarizes the WSUS settings that you can configure by using Group Policy. All settings reside in the Computer Configuration section of GPMC, unless otherwise noted. Be aware that additional Group Policy settings might be available for WSUS, because the exact set of available Group Policy settings depends on the version of the Windows operating system that is running. The GPMC user interface supplies additional information about these settings.

 

Setting Summary

Allow Automatic Updates immediate installation

Specifies whether Automatic Updates should automatically install certain updates that do not disrupt services or restart Windows.

The available setting options offer the following results:

 

Option Result

Enabled

Automatic Updates immediately installs these updates after they are downloaded.

Disabled

Updates are not immediately installed.

Not Configured

Updates are not immediately installed. A local administrator can change this setting by using the Local Group Policy Editor.

Allow non-administrators to receive update notifications

Specifies whether logged-on non-administrative users can receive update notifications. The available setting options offer the following results:

 

Option Result

Enabled

Automatic Updates notifies non-administrative users about updates. Non-administrative users do not need elevated permissions to install optional, recommended, and important updates,or to install updates that contain User Interface, Microsoft License Terms, or Automatic Updates setting changes.

Disabled

Only logged-on administrators receive update notifications.

Not Configured

Only logged-on administrators receive update notifications. A local administrator can change this setting by using local policy.

Allow signed updates from an intranet Microsoft update service location

Allows you to manage whether Automatic Updates accepts updates that are signed by non- Microsoft parties when the update is located on a Microsoft intranet service location. If this policy is not enabled, users can only receive updates that are signed by Microsoft.

The available setting options offer the following results:

 

Option Result

Enabled

Automatic Updates receives non-Microsoft signed updates.

Disabled

Only updates that are signed by Microsoft are available for download.

Not Configured

Only updates that are signed by Microsoft are available for download. A local administrator can change this setting by using local policy.

Automatic Updates detection frequency

Specifies how long Windows waits before it checks for available updates. The default interval is 22 hours.

The exact wait time is the number of hours minus a random value between 0 and 20 percent of that number. For example, if this policy specifies a 20-hour detection frequency, Windows will check for updates anywhere between 16 and 20 hours.

The available setting options offer the following results:

 

Option Result

Enabled

Automatic Updates checks for available updates at the specified interval.

Disabled

Automatic Updates checks for available updates at the default interval of 22 hours.

Not Configured

Automatic Updates checks for available updates at the default interval of 22 hours. A local administrator can change this setting by using local policy.

Configure Automatic Updates

Specifies whether Automatic Updates is enabled on the computer. When you enable Automatic Updates, you can configure download and installation options.

The available setting options offer the following results:

 

Option Result

Enabled

Specifies whether the computer will receive updates by using Automatic Updates. When you enable this setting, you must select one of the following configuration options:

  • 2 = Notify before updates are downloaded and notify again before updates are installed.

  • 3 = Default setting. Automatically download updates and notify when they are ready to be installed.

  • 4 = Automatically download updates and install them on the specified schedule. If you select this option, you must specify a day and a time for Automatic Updates to search for, download, and install updates.

  • 5 = Allow local administrators to select the way in which Automatic Updates notifies and installs updates. By using this option, the local administrator can schedule the update installation times. Local administrators cannot disable Automatic Updates.

Disabled

Any available updates must be manually downloaded and installed.

Not Configured

Automatic Updates is not enabled or configured, but a local administrator can enable and configure Automatic Updates by using Control Panel or local policy.

Delay restart for scheduled installations

Specifies the time that Automatic Updates waits before it proceeds with a restart. This policy applies only when Automatic Updates is configured to perform scheduled update installations. If the Configure Automatic Updates policy is disabled, this policy has no effect.

The available setting options offer the following results:

 

Option Result

Enabled

A scheduled restart occurs the specified number of minutes after the update is installed.

Disabled

A scheduled restart occurs after the default wait time of fifteen minutes after the update is installed.

Not Configured

A scheduled restart occurs after the default wait time of fifteen minutes after the update is installed. A local administrator can change this setting by using local policy.

Do not adjust default option to “Install Updates and Shut Down” in Shut Down Windows dialog box

Allows you to manage whether the “Install Updates and Shut Down” option can be the default choice in the Shut Down Windows dialog box. You can set this option in the Computer Configuration and User Configuration areas of GPMC. This policy setting has no effect if the Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display “Install Updates and Shut Down” option in the Shut Down Windows dialog box setting is enabled.

The available setting options offer the following results:

 

Option Result

Enabled

The user’s last shut down choice (for example, Hibernate or Restart) is the default option in the Shut Down Windows dialog box, regardless of whether the “Install Updates and Shut Down” option is available.

Disabled

The “Install Updates and Shut Down” option is the default option in the Shut Down Windows dialog box if updates are available for installation at the time that the user selects the Shut Down option in the Start menu.

Not Configured

The “Install Updates and Shut Down” option is the default option in the Shut Down Windows dialog box if updates are available for installation at the time that the user selects the Shut Down option in the Start menu. A local administrator can change this setting by using local policy.

Do not display “Install Updates and Shut Down” option in Shut Down Windows dialog box

Allows you to manage whether the “Install Updates and Shut Down” option is displayed in the Shut Down Windows dialog box. You can set this option in the Computer Configuration and User Configuration areas of GPMC. The available setting options offer the following results:

 

Option Result

Enabled

“Install Updates and Shut Down” does not appear in the Shut Down Windows dialog box, even if updates are available for installation when the user selects the Shut Down option in the Start menu.

Disabled

The “Install Updates and Shut Down” option is available in the Shut Down Windows dialog box if updates are available when the user selects the Shut Down option in the Start menu.

Not Configured

The “Install Updates and Shut Down” option is available in the Shut Down Windows dialog box if updates are available when the user selects the Shut Down option in the Start menu. A local administrator can change this setting by using local policy.

Enable client-side targeting

Enables users of client computers to add themselves to precreated computer groups on a WSUS server. This option is valid only when Automatic Updates is redirected to a WSUS server. If the Specify intranet Microsoft update service location policy is not enabled, this policy has no effect.

The available setting options offer the following results:

 

Option Result

Enabled

The computer identifies itself as a member of a particular computer group when it sends information to the WSUS server. The WSUS server uses this information to determine which updates should be deployed to this computer. You can assign a client computer to more than one computer group by separating the computer group names with a semicolon and a space.

Disabled

No computer group information is sent to the WSUS server.

Not Configured

No computer group information is sent to the WSUS server. A local administrator can change this setting by using local policy.

Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates

Specifies whether Automatic Updates wakes the system from hibernation to install updates.

Automatic Updates will wake the system to install updates if the following are true:

  • Automatic Updates is configured to automatically install updates.

  • The system is in hibernation at the scheduled installation time and there are updates to install, or if an installation deadline occurs.

If the system is running on battery power when Automatic Updates wakes it, updates are not installed and the system automatically returns to hibernation in two minutes.

The available setting options offer the following results:

 

Option Result

Enabled

Automatic Updates wakes the system from hibernation to install updates under the previously listed conditions.

Disabled

Automatic Updates does not wake the system from hibernation to install updates.

Not Configured

Automatic Updates does not wake the system from hibernation to install updates. A local administrator can change this setting by using local policy.

No auto-restart with logged-on users for scheduled automatic updates installations

Specifies that to complete an installation, Automatic Updates will wait for the computer to be restarted by any logged-on user instead of forcing the computer to automatically restart. This policy applies only when Automatic Updates is configured to perform scheduled update installations. If the Configure Automatic Updates policy is disabled, this policy has no effect.

This setting does not allow non-administrative Terminal Services users to restart a remote computer where they are logged on. By default, non-administrative Terminal Services users do not have computer restart permissions.

The available setting options offer the following results:

 

Option Result

Enabled

Automatic Updates does not automatically restart a computer during a scheduled installation if a user is logged on to the computer. Instead, Automatic Updates notifies the logged-on user to restart the computer to complete the installation. Automatic Updates cannot detect future updates until the restart occurs.

Disabled

Automatic Updates notifies the logged-on user that the computer will automatically restart in five minutes to complete the installation.

Not Configured

Automatic Updates notifies the logged-on user that the computer will automatically restart in five minutes to complete the installation. A local administrator can change this setting by using local policy.

Re-prompt for restart with scheduled installations

Specifies the time that Automatic Updates waits before it prompts the logged-on user to restart the computer. This policy applies only when Automatic Updates is configured to perform scheduled update installations. If the Configure Automatic Updates policy is disabled, this policy has no effect.

The available setting options offer the following results:

 

Option Result

Enabled

A scheduled restart occurs the specified number of minutes after the prompt for restart message is dismissed.

Disabled

A scheduled restart occurs ten minutes after the prompt for restart message is dismissed.

Not Configured

A scheduled restart occurs ten minutes after the prompt for restart message is dismissed. A local administrator can change this setting by using local policy.

Reschedule Automatic Updates scheduled installations

Specifies the time that Automatic Updates waits after a system startup before it proceeds with a missed scheduled installation. This policy applies only when Automatic Updates is configured to perform scheduled update installations. If the Configure Automatic Updates policy is disabled, this policy has no effect.

The available setting options offer the following results:

 

Option Result

Enabled

A missed installation occurs the specified number of minutes after the computer is restarted.

Disabled

A missed installation occurs at the time of the next scheduled installation.

Not Configured

A missed installation occurs one minute after the next time the computer is started.

Specify intranet Microsoft Update service location

Specifies an intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. This setting lets you specify a server on your network to function as an internal update service. Automatic Updates will search this service for updates that apply to the computers on your network.

To use this setting, you must set two server name values: the server from which Automatic Updates detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server.

noteNote
If the Configure Automatic Updates policy is disabled, this policy has no effect.

 

Option Result

Enabled

Automatic Updates connects to the specified intranet Microsoft update service, instead of to Windows Update, to search for and download updates. Enabling this setting means that computers in your organization do not have to go through a firewall to get updates, and it gives you the opportunity to test updates before deploying them.

Disabled

If Automatic Updates is not disabled by policy or user preference, Automatic Updates connects directly to the Windows Update site on the Internet.

Not Configured

If Automatic Updates is not disabled by policy or user preference, Automatic Updates connects directly to the Windows Update site on the Internet.

Turn on recommended updates via Automatic Updates

Specifies whether Automatic Updates delivers important updates and recommended updates. The available setting options offer the following results:

 

Option Result

Enabled

Automatic Updates installs both recommended and important updates.

Disabled

Automatic Updates installs important updates only.

Not Configured

Automatic Updates installs important updates only. A local administrator can change this setting by using Control Panel or local policy.

Turn on Software Notifications

Allows you to control whether users see detailed notification messages about featured software from the online Microsoft Update service.

Detailed notification messages explain the value and promote the installation and use of optional software. This policy setting is intended for use in a loosely managed environment in which users are allowed access to the online Microsoft Update service.

If Automatic Updates is disabled or if you do not use the online Microsoft Update service, this policy has no effect.

The available setting options offer the following results:

 

Option Result

Enabled

A notification message displays on the user’s computer when featured software is available. The user can obtain additional information about the software, and they can install the software.

Disabled

Computers that are running Windows 7 are not offered these messages for optional applications. Computers that are running Windows Vista are not offered these messages for optional applications or updates.

Not Configured

Computers that are running Windows 7 are not offered these messages for optional applications. Computers that are running Windows Vista are not offered these messages for optional applications or updates. A local administrator can change this setting by using Control Panel or local policy.

Remove links and access to Windows Update

Prevents users from connecting to the Windows Update website. In the Group Policy Management Console, expand User Configuration, expand Administrative Templates, and then click Start Menu and Taskbar.

The available setting options offer the following results:

 

Option Result

Enabled

This setting blocks user access to the Windows Update website at http://windowsupdate.microsoft.com. Also, the setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer.

Disabled

Users are able to connect to the Windows Update website.

Not Configured

Users are able to connect to the Windows Update website.

Turn off access to all Windows Update features

Allows you to remove all access to Windows Update. In the Group Policy Management Console, expand Computer Configuration, expand Administrative Templates, expand System, expand Internet Communication Management, and then click Internet Communications Settings.

The available setting options offer the following results:

 

Option Result

Enabled

All Windows Update features are removed. This setting blocks access to the Microsoft Update and Windows Update websites. The computer will not get automatic updates directly from Windows Update or Microsoft Update, but it can still get updates from a WSUS server. This setting overrides the user settings Remove links and access to Windows Update and Remove access to use all Windows Update features.

Disabled

All Windows Update features are available.

Not Configured

All Windows Update features are available.

Remove access to use all Windows Update features

Allows you to control Windows Update and Automatic Updates by preventing the operating system from being updated through Windows Update. In the Group Policy Management Console, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

The available setting options offer the following results:

 

Option Result

Enabled

The operating system cannot be updated through Windows Update, and Automatic Updates is disabled. Users or administrators can still perform actions such as clicking the Windows Update option on the Start menu, and the Windows Update website will appear in the browser. However, it will not be possible to update the operating system through Windows Update, regardless of the type of account that is being used to log on.

Disabled

The operating system will be updated through Windows Update and Automatic Updates.

Not Configured

The operating system will be updated through Windows Update and Automatic Updates.

See Also

Did you find this helpful?
(1500 characters remaining)

Community Additions

ADD
© 2013 Microsoft
|
Site Feedback
© 2013 Microsoft. All rights reserved.