Automatic Updates Policy Settings

Windows Update is an online catalog that can be used to support computers running Windows operating systems, including Windows XP with SP2. The catalog contains items such as drivers, critical updates, Help files, and Internet products. Windows Update scans the user’s computer and provides a tailored selection of updates that apply only to the software and hardware on that specific computer. Windows Update then enables users to choose updates for their computer's operating system and hardware. New content is added to the Windows Update Web site regularly, allowing users to get the most recent security updates and solutions.

Automatic Updates is a client component of Windows Update Services that enables computers to connect either directly to Windows Update or to a server running Windows Update Services to receive software updates. The Automatic Updates component is included in Windows 2000 with Service Pack 3 and later, Windows XP and later, and Windows Server 2003.

In computers running Windows XP with SP2, a new Install Updates and Shutdown option is displayed in the Shut Down Windows and Turn Off Computer dialog boxes. When updates have been downloaded and are ready to install, Windows shows the new Install Updates and Shutdown option as the default choice and marks it with the Windows Security shield, which indicates that this is a security recommendation. This option provides ease of management for clients configured to run Automatic Updates. See “Windows Install Updates and Shutdown Option,” later in this document.

SP2 provides new policy settings that you can use to manage the Install Updates and Shut Down option to control whether Install Updates and Shut Down is displayed or is the default option for the Automatic Updates feature, as described in “Controlling the Install Updates and Shutdown Feature,” later in this document.

On This Page

Automatic Updates Overview
Windows Install Updates and Shutdown Option
Controlling the Install Updates and Shutdown Feature

Automatic Updates Overview

Automatic Updates connects periodically to Windows Update on the Internet, or to a Windows Update Services server on your corporate network. After it discovers new updates that apply to the computer, Automatic Updates can be configured to install all updates automatically (which is the preferred method) or to notify the computer’s administrator or users whose computers have been configured to receive notification. After an administrator selects which updates should be downloaded, Automatic Updates downloads and installs those updates.

Automatic Updates is not enabled by default. After users install the operating system, they are prompted to enable this option following setup. When Automatic Updates is configured to allow updates to automatically download and install, users do not need to visit special Web pages or remember to periodically check for new updates. Automatic Updates can be configured to use one of the following options:

• Automatic download and installation of updates: Windows XP downloads and installs updates automatically on a schedule specified by an administrator of the computer. Updates are installed regardless of what type of account the user has, or whether the user is logged on at the time.

• Automatic download only: Windows XP automatically starts the download whenever it finds updates available for the computer. The updates are downloaded in the background, enabling the user to continue working uninterrupted. After the download is complete, an icon in the notification area will prompt a user logged on as an administrator that the updates are ready to be installed.

• Notification only: Windows XP sends a notification after which an administrator of the computer can respond by downloading and installing any updates.

• Turn off Automatic Updates: It is left to the user to go to the Windows Update Web site and download updates from time to time.

Windows Install Updates and Shutdown Option

The Install Updates and Shutdown option simplifies the management of many clients running Automatic Updates. This option provides an alternative to installing updates in response to user notification messages and provides a method to install updates at a time when the computer is not being used for other activities. You can control whether this installation option is the default or is displayed by configuring Group Policy settings, as explained in “Controlling the Install Updates and Shutdown Feature,” later in this document.

When the user initiates a shutdown by using the Start menu or Windows Security Dialog, the new Install Updates and Shutdown option appears as the default choice in the Shut Down Windows and Turn Off Computer dialog boxes when the following conditions are met:

• Automatic Updates is enabled and is in one of the three operational modes (automatic download and installation of updates, automatic download only, or notification only).

• At least one update which is allowed to be installed during shutdown is ready to install and the system is not on battery power.

• The Group Policy settings controlling the new Install Updates and Shutdown option are set to either Not Configured or Enabled. There are two new policy settings in SP2 for controlling the Install Updates and Shutdown option, as described in the next section.

Controlling the Install Updates and Shutdown Feature

SP2 includes two new Group Policy settings for managing the Automatic Updates at shutdown feature (Install Updates and Shut Down option): Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box and Do not adjust default option in 'Install Updates and Shut Down' option in Shut Down Windows dialog box. You can use these policy settings to control the visibility of the Automatic Updates feature. The policies are accessed in the Computer Configuration\Administrative Templates\Windows Components\Windows Update node of Group Policy Object Editor.

If you want to make Automatic Updates (Install Updates and Shut Down option) available to users, but are concerned about it replacing the default shutdown option in the Shut Down Windows dialog box, you can enable the Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box policy* setting.*

If you do not want the Install Updates and Shut Down option to be displayed to users at all, you can enable the Do not adjust default option in 'Install Updates and Shut Down' option in Shut Down Windows dialog box policy setting.

  Note
To control the way Automatic Updates interacts with Windows Update, you also need to control the type of accounts with which users log on to the network. If an account does not allow software to be installed (for example, if the account is a user account), only one option for Automatic Updates functions while that person is logged on. That option is the automatic download and installation of updates, which means that updates are installed on the user’s computer at a regularly scheduled time, regardless of what type of account the user has, or whether the user is logged on at the time.

Related Automatic Updates Policy Settings

You can configure additional policy settings to manage Automatic Updates, including the following:

• Preventing access to Windows Updates and Automatic Updates

• Blocking access to the Windows Update Web site by specifying an internal server for software updates

• Disabling Automatic Updates

Preventing Access to Windows Updates and Automatic Updates

You can use Group Policy settings to disable both Windows Update and Automatic Updates.

• To disable Windows Update and Automatic Updates on a per-computer basis, configure Turn off access to all Windows Update features in Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings. See “Turn off access to all Windows Update features,” earlier in this document.

• To disable access to Windows Update and Automatic Updates on a per-user basis, configure Remove links and access to Windows Update in User Configuration\Administrative Templates\Start Menu and Taskbar. Enabling this policy setting removes access to Windows Update features for the specified user, but Automatic Updates still checks for updates for the computer and does not notify users with this policy set.

Blocking the Windows Update Web Site by Specifying an Internal Server for Software Updates

If you want to block the use of the Windows Update Web site, you can use Group Policy to specify an internal server for updates and for storing upload statistics. You can configure Automatic Updates so that instead of searching the Windows Update Web site, Automatic Updates searches your internal server for updates. To do this, you can enable the Specify intranet Microsoft update service location policy setting in Computer Configuration\Administrative Templates\Windows Components\Windows Update. You also need to set the Turn off access to all Windows Update features in Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings.

The server you specify in the Specify intranet Microsoft update service location policy setting must be one on which you are running Windows Update Services (previously known as Software Update Services). This policy is available in Windows Server 2003, Windows XP SP1, and Windows 2000 SP3.

Disabling Automatic Updates

You can use Group Policy settings in the Wuau.adm Administrative template to selectively disable Automatic Updates. To do this, disable the Configure Automatic Updates policy setting in Computer Configuration\Administrative Templates\Windows Components\Windows Update. This policy is available in Windows Server 2003, Windows XP SP1, and Windows 2000 SP3.

For more detailed information about managing Windows Update and Automatic Updates, see the “Windows Update and Automatic Updates” section of the “Using Windows XP Professional with Service Pack 2 in a Managed Environment: Controlling Communication with the Internet*”* white paper on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=29133.

SP2 also provides new policy settings which you can use to control the search for device drivers from Windows Update, as described earlier in this document in “Managing Windows Update Searches Related to the Plug and Play Feature:”