How to Create Custom Update Settings for Client and Server Computers in Essentials

  • Article

Applies To: System Center Essentials 2010

System Center Essentials 2010 uses Group Policy to configure the Windows Update agent to receive updates from the Essentials management server. These settings apply to all computers managed by Essentials unless you create a new Group Policy object (GPO) to customize the update settings. This section provides use case examples, information about the default Windows Update agent settings, and instructions on creating a GPO with customized Windows Update settings to apply to a specific group of computers.

Example 1: You might want your managed clients to automatically download and install approved updates (the default Essentials 2010 policy), and you might want your managed servers to download the approved updates and then notify the administrator using a custom policy.

Example2: You might want to specify one time of day for a group of Hyper-V host servers to receive updates and a different time of day for a group of domain controllers to receive updates.

Note

The Product Configuration Wizard detects any custom Group Policy objects and displays warnings about conflicting policies. You can safely ignore warnings about conflicting policies because you created the custom policies according to the appropriate guidance.

Default Windows Update Agent Settings in Essentials 2010

The default Windows Update settings used by Essentials are shown in the following table.

Windows Update Setting Default Value

Configure automatic updates

Enabled
  • Configure automatic updating
  • 4 (auto-download and schedule the install)
  • Scheduled install day
  • 0 (every day)
  • Scheduled install time
  • 03:00

Specify intranet Microsoft Update service location

Enabled
  • Intranet update server
  • https://<SCEServer FQDN>:8531
  • Intranet statistics server
  • https://<SCEServer FQDN>:8531

Allow signed content from intranet Microsoft Update service locations

Enabled

No auto-restart for scheduled Automatic Updates installations

Enabled

To customize Windows Update settings using a Group Policy object

  1. Create an Active Directory Group Policy object (GPO) in the same domain as the computers to which you want to apply customized settings. For more information, see Create a Group Policy Object (https://go.microsoft.com/fwlink/?LinkId=161344).

  2. Change the security filtering of the GPO from Authenticated Users to the SCE Managed Computers <management group name> security group. For more information, see Assign Security Group Filters to the GPO (https://go.microsoft.com/fwlink/?LinkId=161346).

  3. Link the Group Policy object to the organization units (OU) containing the computers to which you want to apply the customized Windows Update Agent settings. For more information, see Link the GPO to the Domain (https://go.microsoft.com/fwlink/?LinkId=161347).

  4. Edit the Windows Update Agent settings in the GPO.

  5. After the Group Policy object refresh interval has elapsed (every 90 minutes by default, with a random offset of 0 to 30 minutes), the computers with customized Windows Update Agent settings will be configured.

  6. If you want to revert back to the original Windows Update settings configured by Essentials 2010, you can delete the customized GPO you created in step 1.

  7. If you uninstall Essentials 2010, be sure to delete any customized GPOs you have created.

Supported Customizations to Windows Update Agent Settings in Essentials 2010

The supported customizations to Windows Update settings used by Essentials 2010 are shown in the following table. For more information, see Configure Automatic Updates by Using Group Policy (https://go.microsoft.com/fwlink/?LinkId=161349).

Windows Update Setting Supported Customizable Value

Configure Automatic Updates

Yes
  • Configure Automatic Updating
  • Yes
  • Scheduled Install Day
  • Yes
  • Scheduled Install Time
  • Yes

Specify intranet Microsoft Update Service location

No
  • Intranet Update Server
  • No
  • Intranet Statistics Server
  • No

Allow signed content from intranet Microsoft Update service locations

No

Enable client-side targeting

No

Reschedule Automatic Update scheduled installation

Yes

No auto-restart for scheduled Automatic Updates installations

Yes

Automatic Update detection frequency

Must be less than 24 hours

Allow Automatic Update Immediate Installation

Yes

Delay Restart for Scheduled Installations

Yes

Re-prompt for Restart with Scheduled Installations

Yes

Allow non-Administrators to Receive Update Notifications

Yes

Remove Links and Access to Windows Update

Yes

See Also

Other Resources

Configuring Update Management in Essentials
Managing Updates in Essentials