Monday 13 February 2012

Configuring Automatic Updates by using local Group Policy

Configuring Automatic Updates by using local Group Policy

  1. Click Start, and then click Run.
  2. Type gpedit.msc, and then click OK.
  3. Expand Computer Configuration.
  4. Right-click Administrative Templates, and then click Add/Remove Templates.
  5. Click Add, click Wuau.adm in the Windows\Inf folder, and then click Open.
  6. Click Close.
  7. Under Computer Configuration, expand Administrative Templates, expand Windows Components, and then expand Windows Update.

    The Configure Automatic Updates policy appears. This policy specifies whether the computer receives security updates and other important downloads through the Windows Automatic Updates feature. The settings for this policy let you specify if automatic updates are enabled on the computer. If the service is enabled, you must select one of the three configuration options.
  8. To view the policy settings, double-click the Configure Automatic Updates policy.
  9. To turn on Automatic Updates, click Enabled in the list of options that appear at the top of the Setting tab.

    If you click Enabled, you must select one of the three configuration options that are listed in step 10.
  10. Select one of the following three options:
    • 2 - Notify for download and notify for install

      When Windows finds updates that apply to this computer, an icon appears in the notification area, and a message appears that states that the updates are ready to be downloaded. If you click either the icon or the message, the option that you use to select the updates you want to download appears. Windows downloads the selected updates in the background. When the download is complete, the icon appears in the notification area again, and a message appears that states that the updates are ready to be installed. If you click either the icon or the message, the option that you use to select the updates you want to install appears.
    • 3 - Auto download and notify for install

      Note This setting is the default setting.

      Windows finds updates that apply to your computer, and then downloads these updates in the background.The user is not notified or interrupted during this process. When the download is complete, the icon appears in the notification area, and a message that states that the updates are ready to be installed appears. If you click either the icon or the message, the option that you use to select the updates you want to install appears.
    • 4 - Auto download and schedule the install

      To specify the schedule, select the appropriate options in the Group Policy Settings dialog box. If you do not specify a schedule, the default schedule for all installations is used. This schedule is every day at 3:00 A.M. If any one of the updates require you to restart the computer to complete the installation, Windows restarts the computer automatically. (If a user is logged on to the computer when Windows is ready to restart it, the user is notified that Windows will restart. The user can chose to delay the restart operation.)

      If you select 4 - Auto download and schedule the install you can set a recurring schedule. If you do not set a schedule, all updates are downloaded and installed every day at 3:00 A.M.
    • Other Options

      Additionally, you can select either the Disabled option or the Not Configured option. If you select Disabled, an administrator must download and install any available updates manually from the Microsoft Windows Update Web site.

      If you select Not Configured, the status of Automatic Updates is not specified at the Group Policy level. The status is either "enabled" or "not enabled." However, an administrator can still configure Automatic Updates by using Control Panel. Control Panel includes the same settings that are available in Group Policy.
Note An updated Administrative Template (.adm file) is now available for use with the Automatic Updates feature in Windows Server 2003 and the Software Update Services (SUS) Service Pack 1 (SP1) client. This updated policy file adds two new policies:
  • Reschedule Automatic Updates scheduled installations

    This policy specifies the time that Automatic Updates has to wait after the computer starts, before it proceeds with a scheduled installation that was missed previously.
  • No auto-restart for scheduled Automatic Updates installations

    This policy specifies that Automatic Updates will wait for the computer to be restarted by any user who is logged on to complete a scheduled installation. If this policy is not used, the computer restarts automatically.
The updated client and policy file is included in Windows Server 2003. To download the SUS SP1 client for Windows 2000-based and Windows XP-based computers, visit the following Microsoft Web site:
(http://www.microsoft.com/downloads/details.aspx?FamilyID=799432fb-c196-4f01-8cce-4f9ea58d6177&DisplayLang=en)
To download the updated Administrative Template for Windows 2000-based and Windows XP-based computers, visit the following Microsoft Web site:
(http://microsoft.com/downloads/details.aspx?FamilyId=D26A0AEA-D274-42E6-8025-8C667B4C94E9&displaylang=en)

Loading policy settings by using Group Policy in Active Directory directory services

To load policy settings by using Group Policy, you must use the Wuau.adm file that describes the new policy settings for the Automatic Updates client. Wuau.adm is automatically installed in the Windows\Inf folder when you install the new Automatic Updates feature.

You can load Windows\Inf\Wuau.adm as an administrative template in Group Policy Object Editor.

To load policy settings by using Group Policy in Active Directory:
  1. On an Active Directory domain controller, click Start, and then click Run.
  2. Type dsa.msc.
  3. Right-click the organizational unit or domain where you want to create the policy, and then click Properties.
  4. Click the Group Policy tab, and then click New.
  5. Type a name for the policy, and then click Edit.
  6. Under Computer Settings, right-click Administrative Templates.
  7. Click Add/Remove Templates, and then click Add.
  8. Type the name of the Automatic Updates .adm file, for example, type windows_folder\inf\wuau.adm.
  9. Click Open.

Configuring Automatic Updates by editing the registry

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows


In a non-Active Directory environment, you can edit registry settings to configure Automatic Updates.

Note You must manually create these registry keys.

You can use either of the following methods to set these registry keys:
  • Manually edit the registry by using Registry Editor (regedit.exe).
  • Centrally deploy these registry keys by using the Windows NT 4.0-style System Policy functionality.
To use Registry Editor, follow these steps:
  1. Click Start, click Run, and then type regedit in the Open box.
  2. Locate and then click the following key in the registry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
  3. Add any one of the following settings:
    • Value name: NoAutoUpdate
      Value data: 0 or 1
      • 0: Automatic Updates is enabled (default).
      • 1: Automatic Updates is disabled.
      Registry Value Type: Reg_DWORD
    • Value name: AUOptions
      Value data: 1 to 4
      • 1: Keep my computer up to date has been disabled in Automatic Updates.
      • 2: Notify of download and installation.
      • 3: Automatically download and notify of installation.
      • 4: Automatically download and scheduled installation.
      Registry Value Type: Reg_DWORD
    • Value name: ScheduledInstallDay
      Value data: 0 to 7
      • 0: Every day.
      • 1 through 7: The days of the week from Sunday (1) to Saturday (7).
      Registry Value Type: Reg_DWORD
    • Value name: ScheduledInstallTime
      Value data: n, where n equals the time of day in a 24-hour format (0-23).
      Registry Value Type: Reg_DWORD
    • Value name: UseWUServer
      Value data: Set this value to 1 to configure Automatic Updates to use a server that is running Software Update Services instead of Windows Update.
      Registry Value Type: Reg_DWORD
    • Value name: RescheduleWaitTime
      Value data: m, where m equals the time to wait between the time Automatic Updates starts and the time it begins installations where the scheduled times have passed. The time is set in minutes from 1 to 60, representing 1 minute to 60 minutes)
      Registry Value Type: Reg_DWORD

      Note This setting only affects client behavior after the clients have updated to the SUS SP1 client version or later.
    • Value name: NoAutoRebootWithLoggedOnUsers
      Value data: Reg_DWORD: 0 (false) or 1 (true). If set to 1, Automatic Updates does not automatically restart a computer while users are logged on.
      Registry Value Type: Reg_DWORD

      Note This setting affects client behavior after the clients have updated to the SUS SP1 client version or later.
    To use Automatic Updates with a server that is running Software Update Services, see the Software Update Services Deployment white paper. To view this white paper, visit the following Microsoft
When you configure Automatic Updates directly by using the policy registry keys, the policy overrides the preferences that are set by the local administrative user to configure the client. If an administrator removes the registry keys at a later date, the preferences that were set by the local administrative user are used again.

To determine the server that is running SUS that your client computers and servers go to for their updates, add the following f registry values to the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\


Value name: WUServer
Registry Value Type: Reg_SZ
This value sets the SUS server by HTTP name (for example, http://IntranetSUS).

Value name: WUStatusServer
Registry Value Type: Reg_SZ
This value sets the SUS statistics server by HTTP name (for example, http://IntranetSUS).

No comments:

Post a Comment