Configure Automatic Updates using Group Policy

 

Applies To: Windows Server Update Services, Windows Small Business Server 2011 Standard, Windows Server 2008 R2, Windows Server 2003 with SP2, Windows Server 2008 R2 with SP1

In an Active Directory environment, you can use Group Policy or Registry Editor to configure Automatic Updates. This topic describes how to configure Automatic Updates by using Group Policy.

Administrator-defined configuration options always take precedence over user-defined options.

How to use the WSUS Administrative Template

This topic assumes that you already use and are familiar with Group Policy. For more information about the Group Policy Management Console (GPMC), see Group Policy Management Console [New].

Group Policy options for WSUS are set in the WSUS Administrative Template, wuau.adm. Depending on the operating system version that you are running, the latest WSUS Administrative Template might already be loaded in the GPMC. The WSUS Administrative Template in GPMC stores most WSUS Group Policy settings in the Computer Configuration\Administrative Templates\Windows Components\Windows Update\ node. A few WSUS Group Policy settings are stored in the User Configuration\Administrative Templates\Windows Components\Windows Update\ node.

To manually load the WSUS Administrative Template into GPMC, follow the instructions in Add or Remove Classic Administrative Templates [Preliminary]. By default, administrative template files are stored in the \Program Files\Update Services\adm\language folder, where language is the language that you want to use in the GPMC. For example, the \fra folder contains the French version of wuau.adm, and the \enu folder contains the American English version of wuau.adm.

Important

After you deploy a domain Group Policy that includes Automatic Updates settings, it overrides the same settings if they were specified in the local policy. Such behavior can lead to issues like the one mentioned in the article Clients Unable to Receive Updates with Error 8024402C.

For additional information about Administrative Templates, see Classic Administrative Templates [Preliminary] and Administrative Template Policy settings [Preliminary].

WSUS settings for Automatic Updates

When the WSUS administrative template is loaded in GPMC, you can view and modify the WSUS client-side settings that configure Automatic Updates. For additional configuration guidance for Automatic Updates, see Plan Automatic Updates Settings.

Note

After you set up a client computer to use WSUS, it can take up to 90 minutes before that computer displays in the WSUS Administration Console. This is because, by default, Group Policy updates every 90 minutes, with a random offset of 0–30 minutes. You can use the gpupdate /force command on the client computer to force an immediate refresh of Group Policy. For more information, see Refresh Group Policy [Preliminary2] in the Network Policy Server Deployment Guide.

The following summarizes the WSUS settings that you can configure by using Group Policy. All settings reside in the Computer Configuration section of GPMC, unless otherwise noted. Be aware that additional Group Policy settings might be available for WSUS, because the exact set of available Group Policy settings depends on the version of the Windows operating system that is running. The GPMC user interface supplies additional information about these settings.

Allow Automatic Updates immediate installation: Specifies whether Automatic Updates should automatically install certain updates that do not disrupt services or restart Windows. The available setting options offer the following results:

| Option | Result |
| --- | --- |
| Enabled | Automatic Updates immediately installs these updates after they are downloaded. |
| Disabled | Updates are not immediately installed. |
| Not Configured | Updates are not immediately installed. A local administrator can change this setting by using the Local Group Policy Editor. |

Allow non-administrators to receive update notifications: Specifies whether logged-on non-administrative users can receive update notifications. The available setting options offer the following results:

| Option | Result |
| --- | --- |
| Enabled | Automatic Updates notifies non-administrative users about updates. Non-administrative users do not need elevated permissions to install optional, recommended, and important updates, or to install updates that contain User Interface, Microsoft License Terms, or Automatic Updates setting changes. |
| Disabled | Only logged-on administrators receive update notifications. |
| Not Configured | Only logged-on administrators receive update notifications. A local administrator can change this setting by using local policy. |

Allow signed updates from an intranet Microsoft update service location: Allows you to manage whether Automatic Updates accepts updates that are signed by non-Microsoft parties when the update is located on a Microsoft intranet service location. If this policy is not enabled, users can only receive updates that are signed by Microsoft. The available setting options offer the following results:

| Option | Result |
| --- | --- |
| Enabled | Automatic Updates receives non-Microsoft signed updates. |
| Disabled | Only updates that are signed by Microsoft are available for download. |
| Not Configured | Only updates that are signed by Microsoft are available for download. A local administrator can change this setting by using local policy. |

Automatic Updates detection frequency: Specifies how long Windows waits before it checks for available updates. The default interval is 22 hours.

The exact wait time is the number of hours minus a random value between 0 and 20 percent of that number. For example, if this policy specifies a 20-hour detection frequency, Windows will check for updates anywhere between 16 and 20 hours. The available setting options offer the following results:

| Option | Result |
| --- | --- |
| Enabled | Automatic Updates checks for available updates at the specified interval. |
| Disabled | Automatic Updates checks for available updates at the default interval of 22 hours. |
| Not Configured | Automatic Updates checks for available updates at the default interval of 22 hours. A local administrator can change this setting by using local policy. |

Configure Automatic Updates: Specifies whether Automatic Updates is enabled on the computer. When you enable Automatic Updates, you can configure download and installation options. The available setting options offer the following results:

| Option | Result |
| --- | --- |
| Enabled | Specifies whether the computer will receive updates by using Automatic Updates. When you enable this setting, you must select one of the following configuration options:<br>• 2 = Notify before updates are downloaded and notify again before updates are installed.<br>• 3 = Default setting. Automatically download updates and notify when they are ready to be installed.<br>• 4 = Automatically download updates and install them on the specified schedule. If you select this option, you must specify a day and a time for Automatic Updates to search for, download, and install updates.<br>• 5 = Allow local administrators to select the way in which Automatic Updates notifies and installs updates. By using this option, the local administrator can schedule the update installation times. Local administrators cannot disable Automatic Updates. |
| Disabled | Any available updates must be manually downloaded and installed. |
| Not Configured | Automatic Updates is not enabled or configured, but a local administrator can enable and configure Automatic Updates by using Control Panel or local policy. |

Delay restart for scheduled installations: Specifies the time that Automatic Updates waits before it proceeds with a restart. This policy applies only when Automatic Updates is configured to perform scheduled update installations. If the Configure Automatic Updates policy is disabled, this policy has no effect. The available setting options offer the following results:

| Option | Result |
| --- | --- |
| Enabled | A scheduled restart occurs the specified number of minutes after the update is installed. |
| Disabled | A scheduled restart occurs after the default wait time of fifteen minutes after the update is installed. |
| Not Configured | A scheduled restart occurs after the default wait time of fifteen minutes after the update is installed. A local administrator can change this setting by using local policy. |

Do not adjust default option to “Install Updates and Shut Down” in Shut Down Windows dialog box: Allows you to manage whether the “Install Updates and Shut Down” option can be the default choice in the Shut Down Windows dialog box. You can set this option in the Computer Configuration and User Configuration areas of GPMC. This policy setting has no effect if the Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display “Install Updates and Shut Down” option in the Shut Down Windows dialog box setting is enabled. The available setting options offer the following results:

| Option | Result |
| --- | --- |
| Enabled | The user’s last shut down choice (for example, Hibernate or Restart) is the default option in the Shut Down Windows dialog box, regardless of whether the “Install Updates and Shut Down” option is available. |
| Disabled | The “Install Updates and Shut Down” option is the default option in the Shut Down Windows dialog box if updates are available for installation at the time that the user selects the Shut Down option in the Start menu. |
| Not Configured | The “Install Updates and Shut Down” option is the default option in the Shut Down Windows dialog box if updates are available for installation at the time that the user selects the Shut Down option in the Start menu. A local administrator can change this setting by using local policy. |

Do not display “Install Updates and Shut Down” option in Shut Down Windows dialog box: Allows you to manage whether the “Install Updates and Shut Down” option is displayed in the Shut Down Windows dialog box. You can set this option in the Computer Configuration and User Configuration areas of GPMC. The available setting options offer the following results:

| Option | Result |
| --- | --- |
| Enabled | “Install Updates and Shut Down” does not appear in the Shut Down Windows dialog box, even if updates are available for installation when the user selects the Shut Down option in the Start menu. |
| Disabled | The “Install Updates and Shut Down” option is available in the Shut Down Windows dialog box if updates are available when the user selects the Shut Down option in the Start menu. |
| Not Configured | The “Install Updates and Shut Down” option is available in the Shut Down Windows dialog box if updates are available when the user selects the Shut Down option in the Start menu. A local administrator can change this setting by using local policy. |

Enable client-side targeting: Enables users of client computers to add themselves to precreated computer groups on a WSUS server. This option is valid only when Automatic Updates is redirected to a WSUS server. If the Specify intranet Microsoft update service location policy is not enabled, this policy has no effect. The available setting options offer the following results:

| Option | Result |
| --- | --- |
| Enabled | The computer identifies itself as a member of a particular computer group when it sends information to the WSUS server. The WSUS server uses this information to determine which updates should be deployed to this computer. You can assign a client computer to more than one computer group by separating the computer group names with a semicolon and a space. |
| Disabled | No computer group information is sent to the WSUS server. |
| Not Configured | No computer group information is sent to the WSUS server. A local administrator can change this setting by using local policy. |

Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates: Specifies whether Automatic Updates wakes the system from hibernation to install updates.

Automatic Updates will wake the system to install updates if the following are true:

  • Automatic Updates is configured to automatically install updates.

  • The system is in hibernation at the scheduled installation time and there are updates to install, or if an installation deadline occurs.

If the system is running on battery power when Automatic Updates wakes it, updates are not installed and the system automatically returns to hibernation in two minutes. The available setting options offer the following results:

| Option | Result |
| --- | --- |
| Enabled | Automatic Updates wakes the system from hibernation to install updates under the previously listed conditions. |
| Disabled | Automatic Updates does not wake the system from hibernation to install updates. |
| Not Configured | Automatic Updates does not wake the system from hibernation to install updates. A local administrator can change this setting by using local policy. |

No auto-restart with logged-on users for scheduled automatic updates installations: Specifies that to complete an installation, Automatic Updates will wait for the computer to be restarted by any logged-on user instead of forcing the computer to automatically restart. This policy applies only when Automatic Updates is configured to perform scheduled update installations. If the Configure Automatic Updates policy is disabled, this policy has no effect.

This setting does not allow non-administrative Terminal Services users to restart a remote computer where they are logged on. By default, non-administrative Terminal Services users do not have computer restart permissions. The available setting options offer the following results:

| Option | Result |
| --- | --- |
| Enabled | Automatic Updates does not automatically restart a computer during a scheduled installation if a user is logged on to the computer. Instead, Automatic Updates notifies the logged-on user to restart the computer to complete the installation. Automatic Updates cannot detect future updates until the restart occurs. |
| Disabled | Automatic Updates notifies the logged-on user that the computer will automatically restart in five minutes to complete the installation. |
| Not Configured | Automatic Updates notifies the logged-on user that the computer will automatically restart in five minutes to complete the installation. A local administrator can change this setting by using local policy. |

Re-prompt for restart with scheduled installations: Specifies the time that Automatic Updates waits before it prompts the logged-on user to restart the computer. This policy applies only when Automatic Updates is configured to perform scheduled update installations. If the Configure Automatic Updates policy is disabled, this policy has no effect. The available setting options offer the following results:

| Option | Result |
| --- | --- |
| Enabled | A scheduled restart occurs the specified number of minutes after the prompt for restart message is dismissed. |
| Disabled | A scheduled restart occurs ten minutes after the prompt for restart message is dismissed. |
| Not Configured | A scheduled restart occurs ten minutes after the prompt for restart message is dismissed. A local administrator can change this setting by using local policy. |

Reschedule Automatic Updates scheduled installations: Specifies the time that Automatic Updates waits after a system startup before it proceeds with a missed scheduled installation. This policy applies only when Automatic Updates is configured to perform scheduled update installations. If the Configure Automatic Updates policy is disabled, this policy has no effect. The available setting options offer the following results:

| Option | Result |
| --- | --- |
| Enabled | A missed installation occurs the specified number of minutes after the computer is restarted. |
| Disabled | A missed installation occurs at the time of the next scheduled installation. |
| Not Configured | A missed installation occurs one minute after the next time the computer is started. |

Specify intranet Microsoft Update service location: Specifies an intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. This setting lets you specify a server on your network to function as an internal update service. Automatic Updates will search this service for updates that apply to the computers on your network.

To use this setting, you must set two server name values: the server from which Automatic Updates detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server.

Note

If the Configure Automatic Updates policy is disabled, this policy has no effect.

| Option | Result |
| --- | --- |
| Enabled | Automatic Updates connects to the specified intranet Microsoft update service, instead of to Windows Update, to search for and download updates. Enabling this setting means that computers in your organization do not have to go through a firewall to get updates, and it gives you the opportunity to test updates before deploying them. |
| Disabled | If Automatic Updates is not disabled by policy or user preference, Automatic Updates connects directly to the Windows Update site on the Internet. |
| Not Configured | If Automatic Updates is not disabled by policy or user preference, Automatic Updates connects directly to the Windows Update site on the Internet. |

Turn on recommended updates via Automatic Updates: Specifies whether Automatic Updates delivers important updates and recommended updates. The available setting options offer the following results:

| Option | Result |
| --- | --- |
| Enabled | Automatic Updates installs both recommended and important updates. |
| Disabled | Automatic Updates installs important updates only. |
| Not Configured | Automatic Updates installs important updates only. A local administrator can change this setting by using Control Panel or local policy. |

Turn on Software Notifications: Allows you to control whether users see detailed notification messages about featured software from the online Microsoft Update service.

Detailed notification messages explain the value and promote the installation and use of optional software. This policy setting is intended for use in a loosely managed environment in which users are allowed access to the online Microsoft Update service.

If Automatic Updates is disabled or if you do not use the online Microsoft Update service, this policy has no effect. The available setting options offer the following results:

| Option | Result |
| --- | --- |
| Enabled | A notification message displays on the user’s computer when featured software is available. The user can obtain additional information about the software, and they can install the software. |
| Disabled | Computers that are running Windows 7 are not offered these messages for optional applications. Computers that are running Windows Vista are not offered these messages for optional applications or updates. |
| Not Configured | Computers that are running Windows 7 are not offered these messages for optional applications. Computers that are running Windows Vista are not offered these messages for optional applications or updates. A local administrator can change this setting by using Control Panel or local policy. |

Remove links and access to Windows Update: Prevents users from connecting to the Windows Update website. In the Group Policy Management Console, expand User Configuration, expand Administrative Templates, and then click Start Menu and Taskbar. The available setting options offer the following results:

| Option | Result |
| --- | --- |
| Enabled | This setting blocks user access to the Windows Update website at https://windowsupdate.microsoft.com. Also, the setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer. |
| Disabled | Users are able to connect to the Windows Update website. |
| Not Configured | Users are able to connect to the Windows Update website. |

Turn off access to all Windows Update features: Allows you to remove all access to Windows Update. In the Group Policy Management Console, expand Computer Configuration, expand Administrative Templates, expand System, expand Internet Communication Management, and then click Internet Communications Settings. The available setting options offer the following results:

| Option | Result |
| --- | --- |
| Enabled | All Windows Update features are removed. This setting blocks access to the Microsoft Update and Windows Update websites. The computer will not get automatic updates directly from Windows Update or Microsoft Update, but it can still get updates from a WSUS server. This setting overrides the user settings Remove links and access to Windows Update and Remove access to use all Windows Update features. |
| Disabled | All Windows Update features are available. |
| Not Configured | All Windows Update features are available. |

Remove access to use all Windows Update features: Allows you to control Windows Update and Automatic Updates by preventing the operating system from being updated through Windows Update. In the Group Policy Management Console, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update. The available setting options offer the following results:

| Option | Result |
| --- | --- |
| Enabled | The operating system cannot be updated through Windows Update, and Automatic Updates is disabled. Users or administrators can still perform actions such as clicking the Windows Update option on the Start menu, and the Windows Update website will appear in the browser. However, it will not be possible to update the operating system through Windows Update, regardless of the type of account that is being used to log on. |
| Disabled | The operating system will be updated through Windows Update and Automatic Updates. |
| Not Configured | The operating system will be updated through Windows Update and Automatic Updates. |
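
Several settings above state that they have no effect unless another policy is enabled, and one setting widens which update signers clients accept. The following PowerShell is an added example, not part of the original topic or of any Microsoft tool, that checks a planned set of policy states against those stated rules and reports the resulting detection window. The hashtable layout, the function names, and the sample values are assumptions made for this example.

```powershell
# Added example: hashtable layout and function names are assumptions;
# policy names and dependency rules are the ones stated on this page.
$CAU  = 'Configure Automatic Updates'
$WSUS = 'Specify intranet Microsoft update service location'
# Settings that apply only to scheduled installations.
$ScheduledOnly = @(
    'Delay restart for scheduled installations',
    'No auto-restart with logged-on users for scheduled automatic updates installations',
    'Re-prompt for restart with scheduled installations',
    'Reschedule Automatic Updates scheduled installations'
)

function Get-PolicyState([hashtable]$Policy, [string]$Name) {
    if ($Policy.ContainsKey($Name)) { $Policy[$Name].State } else { 'Not Configured' }
}

function Get-DetectionWindowHours([hashtable]$Policy) {
    $freq  = 'Automatic Updates detection frequency'
    $hours = 22   # default interval when Disabled or Not Configured
    if ((Get-PolicyState $Policy $freq) -eq 'Enabled') { $hours = [double]$Policy[$freq].Value }
    # Actual wait = configured hours minus a random 0 to 20 percent of that number.
    [pscustomobject]@{ MinHours = $hours * 0.8; MaxHours = $hours }
}

function Test-WsusPolicyConsistency([hashtable]$Policy) {
    $findings  = New-Object 'System.Collections.Generic.List[string]'
    $cauState  = Get-PolicyState $Policy $CAU
    $wsusState = Get-PolicyState $Policy $WSUS
    $option    = if ($cauState -eq 'Enabled') { $Policy[$CAU].Value } else { $null }
    # Options 2 and 3 never schedule an install; option 5 leaves it to the local administrator.
    $notScheduled = ($cauState -eq 'Disabled') -or (@(2, 3) -contains $option)
    foreach ($name in $ScheduledOnly) {
        if ((Get-PolicyState $Policy $name) -eq 'Enabled' -and $notScheduled) {
            $findings.Add("NO EFFECT: '$name' applies only to scheduled installations.")
        }
    }
    if ($wsusState -eq 'Enabled' -and $cauState -eq 'Disabled') {
        $findings.Add("NO EFFECT: '$WSUS' is Enabled but '$CAU' is Disabled.")
    }
    if ((Get-PolicyState $Policy 'Enable client-side targeting') -eq 'Enabled' -and $wsusState -ne 'Enabled') {
        $findings.Add("NO EFFECT: 'Enable client-side targeting' needs '$WSUS' to be Enabled.")
    }
    $signed = 'Allow signed updates from an intranet Microsoft update service location'
    if ((Get-PolicyState $Policy $signed) -eq 'Enabled') {
        $findings.Add('REVIEW: clients accept updates signed by non-Microsoft parties from the intranet service.')
    }
    $w = Get-DetectionWindowHours $Policy
    $findings.Add("INFO: clients check for updates every $($w.MinHours) to $($w.MaxHours) hours.")
    $findings
}

# Constructed sample input (not taken from any real GPO).
$sample = @{
    'Configure Automatic Updates'               = @{ State = 'Enabled'; Value = 3 }
    'Delay restart for scheduled installations' = @{ State = 'Enabled'; Value = 30 }
    'Enable client-side targeting'              = @{ State = 'Enabled'; Value = 'Pilot; Servers' }
    'Automatic Updates detection frequency'     = @{ State = 'Enabled'; Value = 20 }
    'Allow signed updates from an intranet Microsoft update service location' = @{ State = 'Enabled' }
}
Test-WsusPolicyConsistency $sample
```

Policies missing from the hashtable are treated as Not Configured, so a local administrator's own settings may still apply on the client.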

See Also

Plan Automatic Updates Settings
Configure Automatic Updates using Registry Editor