Group Policy and WSUS Best Practices

Author
Lawrence Garvin, WSUS MVP

Group Policy and WSUS
Best Practices

Group Policies & WSUS Best Practices
 Default behavior and general settings
» General considerations when using Policy with WSUS
» WUAgent default behavior
» WUAgent general settings

 Policies
» Policies related to scheduled installation
» Policies new in Windows Vista®
» Policies exclusive to WSUS

General Considerations
 Policy settings and registry values are documented in the
WSUS Deployment Guide
» Chapter: Update and Configure the Automatic Updates Client
» Section: Determine a Method to Configure Clients
» http://technet.microsoft.com/en-us/library/dd939821(WS.10).aspx

General Considerations, cont.
 All WUAgent computer policy settings are manifested in
these registry keys
» HKLMPoliciesMicrosoftWindowsWindowsUpdate
» HKLMPoliciesMicrosoftWindowsWindowsUpdateAU
 All WUAgent user policy settings are manifested in these
registry keys
» HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesEx
plorer
» HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesWi
ndowsUpdate
 If registry values are invalid, WUAgent reverts to internal
default settings

WUAgent Default Behavior
 Detection Interval: 22 hours
 Download automatically / scheduled installation at 3am
 Restart delay (warning) after scheduled installation is 5
minutes
 Re-prompt for reboot delay is 10 minutes
» Vista and later also offer option to delay 1 or 4 hours
 Installation delay at startup is 1 minute
 Windows XP® (and Win2003) requires admin access to
interact with WUAgent UI

WUAgent General Settings

 Configure Automatic Updates
 Automatic Updates detection frequency
 Allow Automatic Updates immediate installation
 Allow non-administrators to receive update notifications
 Turn off access to all Windows Update features
» Remove links and access to Windows Update
» Remove access to use all Windows Update features
 Do not display ‘Install Updates and Shutdown’ option
 Do not adjust default option to ‘Install Updates and
Shutdown’

 Configure Automatic Updates
» Options
• Option 1: Not Used
• Option 2: Notify before download / Notify before installation
• Option 3: Download automatically / Notify before installation
• Option 4: Download automatically / Schedule installation
• Option 5: Allow local admin to choose the configuration
» Registry Values (~WindowsUpdateAU)
• NoAutoUpdate dword:[0|1]
• AUOptions dword:[2-5]
• ScheduledInstallDay dword:[0-7]
• ScheduledInstallTime dword:[0-23]

 Automatic Updates detection frequency
» Default is 22 hours (- 0-20%)
• Actual detection will be 17.6 - 22.0 hours
» Should be set consistent with server synchronization scheudule
» One hour detections may interfere with targeting cookie
automatic expiration
» Registry values (~WindowsUpdateAU)
• DetectionFrequencyEnabled dword:[0|1]
• DetectionFrequency dword:[1-22]

 Allow Automatic Updates immediate installation
» Applies to updates that do not require system or service restart
» Are not directly identifiable by update metadata
» Updates with "Restart behavior: Never restarts" may install with
this option
» To be certain of behavior - requires actual testing
» Registry value (~WindowsUpdateAU)
• AutoInstallMinorUpdates dword:[0|1]


 Allow non-administrators to receive update notifications
» Allows non-admin users on Windows XP (and Win2003) to
• Receive notifications for download and installation
• Install updates interactively (on demand)
• Hide updates
• Access “Reboot Later” functionality
» Registry value (~WindowsUpdate)
• ElevateNonAdmins dword:[0|1]

 Turn off access to all Windows Update features
» Configures WSUS as the only update source
» Blocks access to AU/WU/MU
» Overrides user-based access settings
» Policy
• SystemInternet Communication ManagementInternet
Communication settings
» Registry value (~WindowsUpdate)
• DisableWindowsUpdateAccess dword:[0|1]

 Remove links and access to Windows Update
» Policy
• User ConfigurationAdministrative TemplatesStart Menu and
Taskbar
» Registry value
• HKCUSoftwareMicrosoftWindowsCurrentVersionPolicies
Explorer
» NoWindowsUpdate dword:[0|1]

 Remove access to use all Windows Update features
» Provides two options:
• [0] Do not show any notifications
• [1] Show restart required notifications
» Policy
• User ConfigurationAdministrative TemplatesWindows
ComponentsWindows Update
» Registry value
• HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesWindo
wsUpdate
» DisableWindowsUpdateAccess dword:[0|1]
» DisableWindowsUpdateAccessMode dword:[0|1]

 Do not display 'Install Updates and Shutdown' option in
Shut Down Windows dialog box
» Not available on XP SP1 and earlier systems
» The default behavior is to always present this feature when
applicable
» The intent of this option is to block access to this feature
» "Install Updates and Shutdown" is not a forced option; the user
can always change the option
» Can also be applied on a per-user basis via User
Configuration...Windows Update policy
• NoAUShutdownOption dword:[0|1]

 Do not adjust default option to 'Install Updates and Shut
Down' in Shut Down Windows dialog box
» The intent of this option is to allow the user's last
selected option to be presented as the default
» Can also be applied on a per-user basis via User
Configuration...Windows Update policy
• NoAUAsDefaultShutdownOption dword:[0|1]

Policies

 Policies related to scheduled
installation
 Policies new in Windows Vista
 Policies exclusive to WSUS

Scheduled Installations
 Delay Restart for scheduled installations
 No auto-restart with logged on users for scheduled
automatic updates installations
 Re-prompt for restart with scheduled installations
 Reschedule Automatic Updates scheduled installations

 Delay Restart for scheduled installations
» The delay between the completion of the last
installation and the initiation of the restart
» The default wait (warning) time is 5 minutes
» This value is configurable from 1 to 30 minutes
• RebootWarningTimeoutEnable dword:[0|1]
• RebootWarningTImeout dword:[1-30]

 No auto-restart with logged on users for
scheduled automatic updates installations
» Only useful for Windows XP (and Win2003) systems
» Option is Disabled/Not Configured non-admin users
are forced to restart in 5 minutes
» Option is Enabled non-admins users are presented a
dialog to initiate the restart
» Admin users always have the option to Restart Now
or Restart Later
• NoAutoRebootWithLoggedOnUsers dword:[0|1]


 Re-prompt for restart with scheduled installations
» Only useful for Windows XP (and Win2003) systems
» Allow configuration of the "Restart Later" delay time
for Windows XP (and Win2003) systems
» The default delay is 10 minutes
» This value is configurable from 1 to 1440 minutes (24
hours)
• RebootRelaunchTimeoutEnabled dword:[0|1]
• RebootRelaunchTimeout dword:[1-1440]


 Reschedule Automatic Updates scheduled installations
» Whether installation occurs at startup and how long is the delay
after startup
• Not Configured - installation starts one minute after startup
• Disabled - installation will not occur at startup
• Enabled - installation will occur the specified number of minutes
after startup
» This value is configurable from 1 to 60 minutes
• RescheduleWaitTimeEnabled dword:[0|1]
• RescheduleWaitTime dword:[1-60]

Vista / Win7 / Win2008

 Enable Windows Update Power Management to
automatically wake up the system to install scheduled
updates
 Turn on recommended updates via Automatic Updates
 Turn on Software Notifications

 Enable Windows Update Power Management to
automatically wake up the system to install scheduled
updates
» a system in hibernation at the scheduled installation event will
wake up to install updates
» a system in hibernation with expired deadlines will wake up to
install updates
» a system running on batteries will not install updates and will be
returned to hibernation
• AUPowerManagement dword:[0|1]


 Turn on recommended updates via Automatic Updates
» AU Only -- the concept of “recommended” does not exist in
WSUS
• IncludeRecommendedUpdates dword:[0|1]
 Turn on Software Notifications
» Provides enhanced notification messages to promote the
installation of optional software
» AU Only -- the concept of “optional” does not exist in WSUS
• EnableFeaturedSoftware dword:[0|1]

WSUS Policy Settings

 Specify intranet Microsoft update service location
 Enable client-side targeting
 Allow signed update from an intranet Microsoft update
service location

 Specify intranet Microsoft update service location
» Enables use of a WSUS server
» "Intranet update service" and "Intranet statistics server" must be
identical
• UseWUServer dword:[0|1]
» Registry values (~WindowsUpdate)
• WUServer sz <http:// URL of WSUS server>
• WUStatusServer sz <http:// URL of WSUS server>


 Enable client-side targeting
» If using server-side targeting, this policy should be disabled
» The target groups specified in this setting must exist on the
WSUS server
» Multiple target groups are specified by using a semicolon
delimited list
» Do not specify "All Computers" or "Unassigned Computers" in
this list
• TargetGroupEnabled dword:[0|1]
• TargetGroup sz <semicolon delimited string>

 Allow signed updates from an intranet Microsoft update
service location
» Enables the Windows Update Agent to install locally published
updates obtained from the WSUS server
• AcceptTrustedPublisherCerts dword:[0|1]

Helpful Resources

Get More Out of WSUS with
SolarWinds Patch Manager

Watch Video Test Drive Live Demo

Ask Our Community Download 30-day Free Trial

Click any of the links above

- Slide 49 -

Author: Lawrence Garvin, WSUS MVP

Thank You!

Feedback or questions
lawrence.garvin@solarwinds.com

Group Policy and WSUS Best Practices

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (15)

More from SolarWinds

More from SolarWinds (20)

Recently uploaded

Recently uploaded (20)

Group Policy and WSUS Best Practices