For more information on Patch Manager, visit: http://www.solarwinds.com/patch-manager.aspx
This presentation will review the following:
Default behavior and general settings
• General considerations when using Policy with WSUS
• WUAgent default behavior
• WUAgent general settings
Policies
• Policies related to scheduled installation
• Policies new in Windows Vista®
• Policies exclusive to WSUS
Group Policy and WSUS Best Practices
1. Author
Lawrence Garvin, WSUS MVP
Group Policy and WSUS
Best Practices
2. Group Policies & WSUS Best Practices
Default behavior and general settings
» General considerations when using Policy with WSUS
» WUAgent default behavior
» WUAgent general settings
Policies
» Policies related to scheduled installation
» Policies new in Windows Vista®
» Policies exclusive to WSUS
3. General Considerations
Policy settings and registry values are documented in the
WSUS Deployment Guide
» Chapter: Update and Configure the Automatic Updates Client
» Section: Determine a Method to Configure Clients
» http://technet.microsoft.com/en-us/library/dd939821(WS.10).aspx
4. General Considerations, cont.
All WUAgent computer policy settings are manifested in
these registry keys
» HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
» HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
All WUAgent user policy settings are manifested in these
registry keys
» HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
» HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate
If registry values are invalid, WUAgent reverts to internal
default settings
5. WUAgent Default Behavior
Detection Interval: 22 hours
Download automatically / scheduled installation at 3am
Restart delay (warning) after scheduled installation is 5
minutes
Re-prompt for reboot delay is 10 minutes
» Vista and later also offer option to delay 1 or 4 hours
Installation delay at startup is 1 minute
Windows XP® (and Win2003) requires admin access to
interact with WUAgent UI
7. WUAgent General Settings
Configure Automatic Updates
Automatic Updates detection frequency
Allow Automatic Updates immediate installation
Allow non-administrators to receive update notifications
Turn off access to all Windows Update features
» Remove links and access to Windows Update
» Remove access to use all Windows Update features
Do not display ‘Install Updates and Shutdown’ option
Do not adjust default option to ‘Install Updates and
Shutdown’
8. WUAgent General Settings
Configure Automatic Updates
» Options
• Option 1: Not Used
• Option 2: Notify before download / Notify before installation
• Option 3: Download automatically / Notify before installation
• Option 4: Download automatically / Schedule installation
• Option 5: Allow local admin to choose the configuration
» Registry Values (~\WindowsUpdate\AU)
• NoAutoUpdate dword:[0|1]
• AUOptions dword:[2-5]
• ScheduledInstallDay dword:[0-7]
• ScheduledInstallTime dword:[0-23]
10. WUAgent General Settings
Automatic Updates detection frequency
» Default is 22 hours (minus 0-20%)
• Actual detection will be 17.6 - 22.0 hours
» Should be set consistent with the server synchronization schedule
» One-hour detections may interfere with automatic expiration of the targeting cookie
» Registry values (~\WindowsUpdate\AU)
• DetectionFrequencyEnabled dword:[0|1]
• DetectionFrequency dword:[1-22]
12. WUAgent General Settings
Allow Automatic Updates immediate installation
» Applies to updates that do not require system or service restart
» Are not directly identifiable by update metadata
» Updates with "Restart behavior: Never restarts" may install with
this option
» To be certain of behavior - requires actual testing
» Registry value (~\WindowsUpdate\AU)
• AutoInstallMinorUpdates dword:[0|1]
14. WUAgent General Settings
Allow non-administrators to receive update notifications
» Allows non-admin users on Windows XP (and Win2003) to
• Receive notifications for download and installation
• Install updates interactively (on demand)
• Hide updates
• Access “Reboot Later” functionality
» Registry value (~\WindowsUpdate)
• ElevateNonAdmins dword:[0|1]
16. WUAgent General Settings
Turn off access to all Windows Update features
» Configures WSUS as the only update source
» Blocks access to AU/WU/MU
» Overrides user-based access settings
» Policy
• System\Internet Communication Management\Internet Communication settings
» Registry value (~\WindowsUpdate)
• DisableWindowsUpdateAccess dword:[0|1]
18. WUAgent General Settings
Remove links and access to Windows Update
» Policy
• User Configuration\Administrative Templates\Start Menu and Taskbar
» Registry value
• HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
» NoWindowsUpdate dword:[0|1]
20. WUAgent General Settings
Remove access to use all Windows Update features
» Provides two options:
• [0] Do not show any notifications
• [1] Show restart required notifications
» Policy
• User Configuration\Administrative Templates\Windows Components\Windows Update
» Registry value
• HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate
» DisableWindowsUpdateAccess dword:[0|1]
» DisableWindowsUpdateAccessMode dword:[0|1]
22. WUAgent General Settings
Do not display 'Install Updates and Shutdown' option in
Shut Down Windows dialog box
» Not available on XP SP1 and earlier systems
» The default behavior is to always present this feature when
applicable
» The intent of this option is to block access to this feature
» "Install Updates and Shutdown" is not a forced option; the user
can always change the option
» Can also be applied on a per-user basis via User
Configuration...Windows Update policy
» Registry value (~\WindowsUpdate\AU)
• NoAUShutdownOption dword:[0|1]
24. WUAgent General Settings
Do not adjust default option to 'Install Updates and Shut
Down' in Shut Down Windows dialog box
» The intent of this option is to allow the user's last
selected option to be presented as the default
» Can also be applied on a per-user basis via User
Configuration...Windows Update policy
» Registry value (~\WindowsUpdate\AU)
• NoAUAsDefaultShutdownOption dword:[0|1]
26. Policies
Policies related to scheduled
installation
Policies new in Windows Vista
Policies exclusive to WSUS
27. Scheduled Installations
Delay Restart for scheduled installations
No auto-restart with logged on users for scheduled
automatic updates installations
Re-prompt for restart with scheduled installations
Reschedule Automatic Updates scheduled installations
28. Scheduled Installations
Delay Restart for scheduled installations
» The delay between the completion of the last
installation and the initiation of the restart
» The default wait (warning) time is 5 minutes
» This value is configurable from 1 to 30 minutes
» Registry values (~\WindowsUpdate\AU)
• RebootWarningTimeoutEnabled dword:[0|1]
• RebootWarningTimeout dword:[1-30]
30. Scheduled Installations
No auto-restart with logged on users for
scheduled automatic updates installations
» Only useful for Windows XP (and Win2003) systems
» Option is Disabled/Not Configured: non-admin users
are forced to restart in 5 minutes
» Option is Enabled: non-admin users are presented a
dialog to initiate the restart
» Admin users always have the option to Restart Now
or Restart Later
» Registry value (~\WindowsUpdate\AU)
• NoAutoRebootWithLoggedOnUsers dword:[0|1]
32. Scheduled Installations
Re-prompt for restart with scheduled installations
» Only useful for Windows XP (and Win2003) systems
» Allow configuration of the "Restart Later" delay time
for Windows XP (and Win2003) systems
» The default delay is 10 minutes
» This value is configurable from 1 to 1440 minutes (24
hours)
» Registry values (~\WindowsUpdate\AU)
• RebootRelaunchTimeoutEnabled dword:[0|1]
• RebootRelaunchTimeout dword:[1-1440]
34. Scheduled Installations
Reschedule Automatic Updates scheduled installations
» Controls whether installation occurs at startup and how long the
delay after startup is
• Not Configured - installation starts one minute after startup
• Disabled - installation will not occur at startup
• Enabled - installation will occur the specified number of minutes
after startup
» This value is configurable from 1 to 60 minutes
» Registry values (~\WindowsUpdate\AU)
• RescheduleWaitTimeEnabled dword:[0|1]
• RescheduleWaitTime dword:[1-60]
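Because WUAgent falls back to its internal defaults when a policy value is invalid (slide 4), an out-of-range value can fail silently. The following added example (not from the original deck) checks a subset of the AU values against the ranges listed on the slides; the function names are hypothetical, and the key path assumes the standard HKLM\Software\Policies location.

```powershell
$AuKey = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Value name -> inclusive minimum and maximum, as listed on the slides.
$Ranges = [ordered]@{
    NoAutoUpdate                 = 0, 1
    AUOptions                    = 2, 5
    ScheduledInstallDay          = 0, 7
    ScheduledInstallTime         = 0, 23
    DetectionFrequencyEnabled    = 0, 1
    DetectionFrequency           = 1, 22
    RebootWarningTimeoutEnabled  = 0, 1
    RebootWarningTimeout         = 1, 30
    RebootRelaunchTimeoutEnabled = 0, 1
    RebootRelaunchTimeout        = 1, 1440
    RescheduleWaitTimeEnabled    = 0, 1
    RescheduleWaitTime           = 1, 60
}

# Read the AU policy key into a hashtable (empty if no policy is applied).
function Get-WuaPolicyValues {
    $h = @{}
    $p = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue
    if ($p) {
        $p.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $h[$_.Name] = $_.Value }
    }
    $h
}

# Emit one object per configured value; Valid is false for a wrong type or range.
function Test-WuaPolicyValues {
    param([hashtable]$Values = @{})
    foreach ($name in $Ranges.Keys) {
        if (-not $Values.ContainsKey($name)) { continue }   # not configured
        $v = $Values[$name]
        $min, $max = $Ranges[$name]
        $ok = ($v -is [int] -or $v -is [uint32]) -and $v -ge $min -and $v -le $max
        [pscustomobject]@{ Name = $name; Value = $v; Range = "$min-$max"; Valid = $ok }
    }
    if ($Values['AUOptions'] -ne 4 -and $Values.ContainsKey('ScheduledInstallTime')) {
        Write-Warning 'ScheduledInstallDay/Time apply only when AUOptions is 4'
    }
}

# Constructed sample, not from a real host: AUOptions 6 and a string '30' are invalid.
$sample = @{ AUOptions = 6; ScheduledInstallTime = 3; DetectionFrequencyEnabled = 1
             DetectionFrequency = 8; RebootWarningTimeout = '30' }
Test-WuaPolicyValues -Values $sample | Where-Object { -not $_.Valid }
# On a managed Windows host: Test-WuaPolicyValues -Values (Get-WuaPolicyValues)
```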
36. Vista / Win7 / Win2008
Enable Windows Update Power Management to
automatically wake up the system to install scheduled
updates
Turn on recommended updates via Automatic Updates
Turn on Software Notifications
37. Vista / Win7 / Win2008
Enable Windows Update Power Management to
automatically wake up the system to install scheduled
updates
» a system in hibernation at the scheduled installation event will
wake up to install updates
» a system in hibernation with expired deadlines will wake up to
install updates
» a system running on batteries will not install updates and will be
returned to hibernation
» Registry value (~\WindowsUpdate\AU)
• AUPowerManagement dword:[0|1]
39. Vista / Win7 / Win2008
Turn on recommended updates via Automatic Updates
» AU Only -- the concept of “recommended” does not exist in
WSUS
» Registry value (~\WindowsUpdate\AU)
• IncludeRecommendedUpdates dword:[0|1]
Turn on Software Notifications
» Provides enhanced notification messages to promote the
installation of optional software
» AU Only -- the concept of “optional” does not exist in WSUS
» Registry value (~\WindowsUpdate\AU)
• EnableFeaturedSoftware dword:[0|1]
42. WSUS Policy Settings
Specify intranet Microsoft update service location
Enable client-side targeting
Allow signed updates from an intranet Microsoft update
service location
43. WSUS Policy Settings
Specify intranet Microsoft update service location
» Enables use of a WSUS server
» "Intranet update service" and "Intranet statistics server" must be
identical
» Registry values (~\WindowsUpdate\AU)
• UseWUServer dword:[0|1]
» Registry values (~\WindowsUpdate)
• WUServer sz <http:// URL of WSUS server>
• WUStatusServer sz <http:// URL of WSUS server>
45. WSUS Policy Settings
Enable client-side targeting
» If using server-side targeting, this policy should be disabled
» The target groups specified in this setting must exist on the
WSUS server
» Multiple target groups are specified by using a semicolon
delimited list
» Do not specify "All Computers" or "Unassigned Computers" in
this list
» Registry values (~\WindowsUpdate)
• TargetGroupEnabled dword:[0|1]
• TargetGroup sz <semicolon delimited string>
47. WSUS Policy Settings
Allow signed updates from an intranet Microsoft update
service location
» Enables the Windows Update Agent to install locally published
updates obtained from the WSUS server
» Registry values (~\WindowsUpdate)
• AcceptTrustedPublisherCerts dword:[0|1]
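The WSUS-only settings on slides 43 to 47 carry cross-value rules (identical server URLs, target groups that exclude the built-in groups) that a simple range check does not catch. The following added example, which is not part of the original deck, applies those rules to values passed in as hashtables; the function name and the sample server names are hypothetical.

```powershell
# WU = values under ...\WindowsUpdate, AU = values under ...\WindowsUpdate\AU.
function Test-WsusPolicy {
    param([hashtable]$WU = @{}, [hashtable]$AU = @{})
    $findings = [System.Collections.Generic.List[string]]::new()
    $uri = $null
    if ($AU['UseWUServer'] -eq 1) {
        # The server value must parse as an absolute http(s) URL.
        $parsed = [uri]::TryCreate([string]$WU['WUServer'], [System.UriKind]::Absolute, [ref]$uri)
        if (-not $parsed -or $uri.Scheme -notin 'http', 'https') {
            $findings.Add('UseWUServer=1 but WUServer is missing or not an http(s) URL')
        }
        # Slide 43: update service and statistics server must be identical.
        if ($WU['WUServer'] -ne $WU['WUStatusServer']) {
            $findings.Add('WUServer and WUStatusServer differ')
        }
    } elseif ($WU['WUServer']) {
        $findings.Add('WUServer is set but UseWUServer is not 1, so it is ignored')
    }
    if ($WU['TargetGroupEnabled'] -eq 1) {
        # Slide 45: semicolon-delimited list, built-in groups not allowed.
        $groups = @(([string]$WU['TargetGroup']) -split ';' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($groups.Count -eq 0) {
            $findings.Add('TargetGroupEnabled=1 but TargetGroup is empty')
        }
        foreach ($g in $groups) {
            if ($g -in 'All Computers', 'Unassigned Computers') {
                $findings.Add("TargetGroup lists built-in group '$g'")
            }
        }
    }
    if ($WU['AcceptTrustedPublisherCerts'] -eq 1) {
        # Slide 47: informational, since this widens what the agent will install.
        $findings.Add('Info: locally published updates from the WSUS server are accepted')
    }
    $findings
}

# Constructed sample values (hypothetical server names), not from a real host.
$wu = @{ WUServer = 'http://wsus01.example.test:8530'
         WUStatusServer = 'http://wsus02.example.test:8530'
         TargetGroupEnabled = 1; TargetGroup = 'Workstations;All Computers' }
Test-WsusPolicy -WU $wu -AU @{ UseWUServer = 1 }
```

With the sample above, the function reports the mismatched server URLs and the built-in group in the target list.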
49. Helpful Resources
Get More Out of WSUS with
SolarWinds Patch Manager
50. Author: Lawrence Garvin, WSUS MVP
Thank You!
Feedback or questions
lawrence.garvin@solarwinds.com