Configure Clients in a Non–Active Directory Environment
In a non-Active Directory environment, you can configure Automatic Updates by using any of the following methods:
- Using Group Policy Object Editor and editing the Local Group Policy object
- Editing the registry directly by using the registry editor (Regedit.exe)
For a listing of the entries and the values to set, see Configure Clients Using Group Policy earlier in this guide.
Administrators who do not wish to use Group Policy may set up client computers using the registry. Registry entries for the WSUS server are located in the following subkey:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
The keys and their value ranges are listed in the following table.
Entry name | Data type | Values |
---|---|---|
AcceptTrustedPublisherCerts | Reg_DWORD | Range = 1|0 1 = Enabled. The WSUS server will distribute signed third-party updates if available. 0 = Disabled. The WSUS server will not distribute third-party updates. |
ElevateNonAdmins | Reg_DWORD | Range = 1|0 1 = Users in the Users security group are allowed to approve or disapprove updates. 0 = Only users in the Administrators user group can approve or disapprove updates. |
TargetGroup | Reg_SZ | Name of the computer group to which the computer belongs, used to implement client-side targeting (for example, "TestServers.") This policy is paired with TargetGroupEnabled. |
TargetGroupEnabled | Reg_DWORD | Range = 1|0 1 = Use client-side targeting. 0 = Do not use client-side targeting. This policy is paired with TargetGroup. |
WUServer | Reg_SZ | HTTP(S) URL of the WSUS server used by Automatic Updates and (by default) API callers. This policy is paired with WUStatusServer; both must be set to the same value in order for them to be valid. |
WUStatusServer | Reg_SZ | The HTTP(S) URL of the server to which reporting information will be sent for client computers that use the WSUS server configured by the WUServer key. This policy is paired with WUServer; both must be set to the same value in order for them to be valid. |
DisableWindowsUpdateAccess | Reg_DWORD | Range = 1|0 1 = Disables access to Windows Update. 0 = Enables access to Windows Update. |
The registry entries for Automatic Update configuration options are located in the following subkey:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
The keys and their value ranges are listed in the following table.
Entry name | Data type | Value range and meanings |
---|---|---|
AUOptions | Reg_DWORD | Range = 2|3|4|5 2 = Notify before download. 3 = Automatically download and notify of installation. 4 = Automatically download and schedule installation. (Only valid if values exist for ScheduledInstallDay and ScheduledInstallTime.) 5 = Automatic Updates is required, but end users can configure it. |
AutoInstallMinorUpdates | Reg_DWORD | Range = 0|1 0 = Treat minor updates as other updates are treated. 1 = Silently install minor updates. |
DetectionFrequency | Reg_DWORD | Range = n, where n = time in hours (1–22). Time between detection cycles. |
DetectionFrequencyEnabled | Reg_DWORD | Range = 0|1 1 = Enable DetectionFrequency. 0 = Disable custom DetectionFrequency (use default value of 22 hours). |
NoAutoRebootWithLoggedOnUsers | Reg_DWORD | Range = 0|1 1 = Logged-on user gets to choose whether or not to restart his or her computer. 0 = Automatic Updates notifies user that the computer will restart in 5 minutes. |
NoAutoUpdate | Reg_DWORD | Range = 0|1 0 = Enable Automatic Updates. 1 = Disable Automatic Updates. |
RebootRelaunchTimeout | Reg_DWORD | Range = n, where n = time in minutes (1–1,440). Time between prompting again for a scheduled restart. |
RebootRelaunchTimeoutEnabled | Reg_DWORD | Range = 0|1 1 = Enable RebootRelaunchTimeout. 0 = Disable custom RebootRelaunchTimeout (use default value of 10 minutes). |
RebootWarningTimeout | Reg_DWORD | Range = n, where n = time in minutes (1–30). Length, in minutes, of the restart warning countdown, after installing updates with a deadline or scheduled updates. |
RebootWarningTimeoutEnabled | Reg_DWORD | Range = 0|1 1 = Enable RebootWarningTimeout. 0 = Disable custom RebootWarningTimeout (use default value of 5 minutes). |
RescheduleWaitTime | Reg_DWORD | Range = n, where n = time in minutes (1–60). Time, in minutes, that Automatic Updates should wait at startup before applying updates from a missed scheduled installation time. Note that this policy applies only to scheduled installations, not deadlines. Updates whose deadlines have expired should always be installed as soon as possible. |
RescheduleWaitTimeEnabled | Reg_DWORD | Range = 0|1 1 = Enable RescheduleWaitTime. 0 = Disable RescheduleWaitTime (attempt the missed installation during the next scheduled installation time). |
ScheduledInstallDay | Reg_DWORD | Range = 0|1|2|3|4|5|6|7 0 = Every day. 1 through 7 = The days of the week from Sunday (1) to Saturday (7). (Only valid if AUOptions = 4.) |
ScheduledInstallTime | Reg_DWORD | Range = n, where n = the time of day in 24-hour format (0–23). |
UseWUServer | Reg_DWORD | Range = 0|1 1 = This machine gets its updates from a WSUS server. 0 = This machine gets its updates from Microsoft Update. The WUServer value is not respected unless this key is set. |
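
The pairing and range rules in the two tables above can be checked mechanically. The following is an added example, not part of the original guide or Microsoft's tooling: `Test-WsusClientPolicy` is a hypothetical helper name, the sample values are constructed, and the `http://` finding is an extra check that goes beyond the tables.

```powershell
function Test-WsusClientPolicy {
    param($WU, $AU)   # hashtables or Get-ItemProperty output for the two subkeys
    $findings = @()
    if ($AU.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1, so WUServer is not respected'
    }
    if (-not $WU.WUServer -or $WU.WUServer -ne $WU.WUStatusServer) {
        $findings += 'WUServer and WUStatusServer must both be set to the same URL'
    }
    if ($WU.WUServer -like 'http://*') {
        $findings += 'WUServer uses http://, so traffic to the WSUS server is not protected by TLS'
    }
    if ($WU.TargetGroupEnabled -eq 1 -and -not $WU.TargetGroup) {
        $findings += 'TargetGroupEnabled is 1 but TargetGroup is empty'
    }
    if ($WU.ElevateNonAdmins -eq 1) {
        $findings += 'ElevateNonAdmins is 1: members of Users can approve or disapprove updates'
    }
    if ($null -ne $AU.AUOptions -and $AU.AUOptions -notin 2..5) {
        $findings += "AUOptions = $($AU.AUOptions) is outside 2-5"
    }
    if ($AU.AUOptions -eq 4 -and
        ($null -eq $AU.ScheduledInstallDay -or $null -eq $AU.ScheduledInstallTime)) {
        $findings += 'AUOptions = 4 is only valid with ScheduledInstallDay and ScheduledInstallTime'
    }
    # Custom values apply only when the paired *Enabled entry is 1; upper bounds from the table.
    $max = [ordered]@{ DetectionFrequency = 22; RebootRelaunchTimeout = 1440
                       RebootWarningTimeout = 30; RescheduleWaitTime = 60 }
    foreach ($name in $max.Keys) {
        $value = $AU.$name
        if ($AU."${name}Enabled" -eq 1 -and ($value -lt 1 -or $value -gt $max[$name])) {
            $findings += "$name = '$value' is outside 1-$($max[$name])"
        }
    }
    $findings
}

# Constructed sample values (not from a real host).
$wu = @{ WUServer = 'http://wsus.example.test:8530'; WUStatusServer = 'http://wsus.example.test:8531'
         TargetGroupEnabled = 1; TargetGroup = 'TestServers' }
$au = @{ UseWUServer = 1; AUOptions = 4; ScheduledInstallDay = 0
         RescheduleWaitTimeEnabled = 1; RescheduleWaitTime = 90 }
Test-WsusClientPolicy -WU $wu -AU $au

# On a live client, pass the two policy subkeys instead:
# $key = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
# Test-WsusClientPolicy (Get-ItemProperty $key) (Get-ItemProperty "$key\AU")
```
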
The following scenarios illustrate specific issues.
If a scheduled installation is missed (because the client computer was turned off) and RescheduleWaitTime is not set to a value between 1 and 60, Automatic Updates waits until the next scheduled day and time to perform the installation. If a scheduled installation is missed and RescheduleWaitTime is set to a value between 1 and 60, then Automatic Updates reschedules the installation to occur at the Automatic Updates service start time plus the number of minutes specified in RescheduleWaitTime.
There are 3 basic rules for this feature:
- When a scheduled installation is missed, it will be rescheduled for the system startup time plus the value of RescheduleWaitTime.
- Changes in the scheduled installation day and time via the Control Panel or Group Policy are respected over the rescheduled time.
- The rescheduled time has precedence over the next calculated scheduled day and time if the “next calculated scheduled day and time” is later than the rescheduled time. The “next calculated scheduled day and time” is calculated as follows:
  - When Automatic Updates starts, it uses the currently set schedule to calculate the “next calculated scheduled day and time”.
  - The resulting day and time value is then compared to the ScheduledInstallDate.
  - If the values are different, Automatic Updates performs the following actions:
    - sets a new “next calculated scheduled day and time” within Automatic Updates.
    - writes this new “next calculated scheduled day and time” to the ScheduledInstallDate registry key.
    - logs an event stating the new scheduled installation day and time.
The following examples show the use of the RescheduleWaitTime value.
This example shows the consequences of RescheduleWaitTime set to 1.
- Update installations are scheduled to occur every day at 3:00 A.M.
- The RescheduleWaitTime registry value is set to 1.
- Automatic Updates finds an update, downloads it, and is ready to install it at 3:00 A.M.
- The logged-on user does not see the “ready to install” prompt because the user does not have administrative privileges on the computer.
- The user shuts down the computer.
- The user restarts the computer after the scheduled time has passed.
- When Automatic Updates starts, it recognizes that it missed its previously set scheduled installation time and that RescheduleWaitTime is set to 1. It therefore logs an event with the new scheduled time (one minute after the current time).
- If no one logs on before the newly scheduled time (1 minute interval) the installation begins. Since no one is logged on, there is no delay and no notification. If the update requires it, Automatic Updates will restart the computer.
- The user logs on to the updated computer.
This example shows the consequences of RescheduleWaitTime set to 15.
- Update installations are scheduled to occur every day at 3:00 A.M.
- The local administrator of the client computer sets the RescheduleWaitTime registry value to 15.
- Automatic Updates finds an update, downloads it, and is ready to install it at 3:00 A.M.
- The local administrator ignores the prompt to install the update.
- The local administrator shuts down the computer.
- The local administrator restarts the computer after the scheduled time has passed.
- When Automatic Updates starts, it recognizes that it missed its previously set scheduled install time, and that RescheduleWaitTime is set to 15. It therefore logs an event with the new scheduled time (fifteen minutes after the current time).
- The local administrator logs on before the newly-scheduled time.
- After Automatic Updates has been running for 15 minutes, it starts the scheduled installation.
- The local administrator is notified five minutes before installation begins by the countdown timer.
- The timer expires and the installation proceeds.
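
To predict when a client that missed its window will install (and possibly restart), the first and third rescheduling rules can be modelled as below. This is an added example and a simplified model, not Automatic Updates' own code: `Get-NextInstallTime` is a hypothetical helper, the dates are constructed, and the second rule (schedule changes made through Control Panel or Group Policy) is not modelled.

```powershell
function Get-NextInstallTime {
    param(
        [datetime]$ServiceStart,       # time the Automatic Updates service started
        [bool]$MissedInstall,          # a scheduled installation was missed while powered off
        [int]$ScheduledInstallDay,     # 0 = every day, 1 (Sunday) .. 7 (Saturday)
        [int]$ScheduledInstallTime,    # hour of day, 0..23
        [int]$RescheduleWaitTime = 0   # minutes; only 1..60 triggers rescheduling
    )
    # "Next calculated scheduled day and time" from the currently set schedule.
    $next = $ServiceStart.Date.AddHours($ScheduledInstallTime)
    if ($next -le $ServiceStart) { $next = $next.AddDays(1) }
    if ($ScheduledInstallDay -ne 0) {
        # .NET DayOfWeek is 0 (Sunday) .. 6 (Saturday); the policy value is 1..7.
        while ([int]$next.DayOfWeek -ne ($ScheduledInstallDay - 1)) {
            $next = $next.AddDays(1)
        }
    }
    # Missed installation: service start time plus RescheduleWaitTime, which
    # takes precedence when the next calculated time is later.
    if ($MissedInstall -and $RescheduleWaitTime -ge 1 -and $RescheduleWaitTime -le 60) {
        $rescheduled = $ServiceStart.AddMinutes($RescheduleWaitTime)
        if ($rescheduled -lt $next) { return $rescheduled }
    }
    $next
}

# Constructed scenario modelled on the second example: daily 3:00 A.M. schedule,
# computer restarted at 8:30 A.M. after the window was missed.
$boot = [datetime]'2024-01-08 08:30'
Get-NextInstallTime -ServiceStart $boot -MissedInstall $true -ScheduledInstallDay 0 `
    -ScheduledInstallTime 3 -RescheduleWaitTime 15
# Same restart with RescheduleWaitTime not set: the next scheduled day and time applies.
Get-NextInstallTime -ServiceStart $boot -MissedInstall $true -ScheduledInstallDay 0 `
    -ScheduledInstallTime 3
```
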
To prevent Automatic Updates from restarting a computer while users are logged on, the administrator can create the NoAutoRebootWithLoggedOnUsers registry value in s. The value is a DWORD and must be either 0 (false) or 1 (true). If this value is changed while the computer is in a restart pending state, it will not take effect until the next time an update requires a restart.
When the admin creates and sets the NoAutoRebootWithLoggedOnUsers registry key to 1, the restart countdown dialog that pops up for the logged on user (active and inactive) will change in the following ways:
Users with administrator credentials | Users without administrator credentials |
---|---|
The No button will be active. | The No button will be inactive. |
The Yes button will be active if the logged-on user is the only administrator logged on at the time the restart dialog appears. | The Yes button will now be active only if the logged-on user is the only non-administrator logged on at the time the restart dialog appears. However, the Yes button will be inactive if the user’s local security policy prohibits restarting. |
The restart countdown progress bar and the text underneath the progress bar will not display. | The restart countdown progress bar and the text underneath the progress bar will not display. |
Scenario following a scheduled installation | With NoAutoRebootWithLoggedOnUsers enabled | With NoAutoRebootWithLoggedOnUsers disabled or not configured |
---|---|---|
No users logged on | Automatic restart immediately following installation | Automatic restart immediately following installation |
Single user with administrative privileges | Restart notification allows user to start or postpone restart. This notification does not have a countdown timer. Therefore the user must initiate the system restart. | Restart notification allows user to start or postpone restart. This notification has a 5 minute countdown timer. When the timer expires, the automatic restart begins. |
Single user with restart privileges but no other administrative privileges | Restart notification that allows user to initiate the restart but not to postpone it. This notification does not have a countdown timer. Therefore the user must initiate the system restart. | Restart notification that allows user to initiate the restart but not to postpone it. This notification has a 5-minute countdown timer. When the timer expires, the automatic restart begins. |
Single non-administrator without restart privilege | Restart notification that does not allow the user to initiate the restart or postpone it. This notification does not have a countdown timer. Therefore the user must wait for an authorized user to initiate the system restart. | Restart notification that does not allow the user to initiate the restart or postpone it. This notification has a 5-minute countdown timer. When the timer expires, the automatic restart begins. |
Administrator while other users are logged on | Restart notification that does not allow the user to initiate the restart but does allow the user to postpone it. This notification does not have a countdown timer. Therefore the user must initiate the system restart. | Restart notification that does not allow the user to initiate the restart but does allow the user to postpone it. This notification has a 5 minute countdown timer. When the timer expires, the automatic restart begins. |
Non-administrator with restart privilege while other users are logged on | Restart notification that does not allow the user to initiate the restart or postpone it. This notification does not have a countdown timer. Therefore the user must initiate the system restart. | Restart notification that does not allow the user to initiate the restart or postpone it. This notification has a 5 minute countdown timer. When the timer expires, the automatic restart begins. |
Non-administrator without restart privilege while other users are logged on | Restart notification that does not allow the user to initiate the restart or postpone it. This notification does not have a countdown timer. Therefore, the user must wait for an authorized user to initiate the system restart. | Restart notification that does not allow the user to initiate the restart or postpone it. This notification has a 5 minute countdown timer. When the timer expires, the automatic restart begins. |
If the “Remove access to use all Windows Update features” setting (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\DisableWindowsUpdateAccess) is enabled, Automatic Updates will not notify that logged-on user. It makes a local administrator appear as a non-administrator, so that user will not be able to install updates. When this policy is enabled, the Automatic Updates service still runs, and scheduled installations will still occur if they were configured to run.
If the “Remove links and access to Windows Update” Group Policy setting (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWindowsUpdate) is enabled, then Automatic Updates will continue to get updates from the WSUS server. Users with this policy set will not be able to get updates that the WSUS administrator has not approved on the WSUS server. If this policy is not enabled, the Microsoft Update icon will remain on the Start menu; local administrators will be able to visit the Microsoft Update Web site and install software that the WSUS administrator has not approved. This happens even if you have specified that Automatic Updates should get approved updates from the WSUS server. In Windows Vista, enabling this setting will gray out the Check for updates option in the Windows Update application.
The above settings can be overridden by the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess setting.