Group Policy and WSUS Best Practices

Author Lawrence Garvin, WSUS MVPGroup Policy and WSUS Best Practices

Group Policies & WSUS Best Practices  Default behavior and general settings » General considerations when using Policy with WSUS » WUAgent default behavior » WUAgent general settings  Policies » Policies related to scheduled installation » Policies new in Windows Vista® » Policies exclusive to WSUS

General Considerations  Policy settings and registry values are documented in the WSUS Deployment Guide » Chapter: Update and Configure the Automatic Updates Client » Section: Determine a Method to Configure Clients » http://technet.microsoft.com/en-us/library/dd939821(WS.10).aspx

General Considerations, cont. All WUAgent computer policy settings are manifested in these registry keys » HKLMPoliciesMicrosoftWindowsWindowsUpdate » HKLMPoliciesMicrosoftWindowsWindowsUpdateAU All WUAgent user policy settings are manifested in these registry keys » HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesEx plorer » HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesWi ndowsUpdate If registry values are invalid, WUAgent reverts to internal default settings

WUAgent Default Behavior Detection Interval: 22 hours Download automatically / scheduled installation at 3am Restart delay (warning) after scheduled installation is 5 minutes Re-prompt for reboot delay is 10 minutes » Vista and later also offer option to delay 1 or 4 hours Installation delay at startup is 1 minute Windows XP® (and Win2003) requires admin access to interact with WUAgent UI

WUAgent Default Behavior

WUAgent General Settings  Configure Automatic Updates  Automatic Updates detection frequency  Allow Automatic Updates immediate installation  Allow non-administrators to receive update notifications  Turn off access to all Windows Update features » Remove links and access to Windows Update » Remove access to use all Windows Update features  Do not display ‘Install Updates and Shutdown’ option  Do not adjust default option to ‘Install Updates and Shutdown’

WUAgent General Settings  Configure Automatic Updates » Options • Option 1: Not Used • Option 2: Notify before download / Notify before installation • Option 3: Download automatically / Notify before installation • Option 4: Download automatically / Schedule installation • Option 5: Allow local admin to choose the configuration » Registry Values (~WindowsUpdateAU) • NoAutoUpdate dword:[0|1] • AUOptions dword:[2-5] • ScheduledInstallDay dword:[0-7] • ScheduledInstallTime dword:[0-23]

WUAgent General Settings

WUAgent General Settings Automatic Updates detection frequency » Default is 22 hours (- 0-20%) • Actual detection will be 17.6 - 22.0 hours » Should be set consistent with server synchronization scheudule » One hour detections may interfere with targeting cookie automatic expiration » Registry values (~WindowsUpdateAU) • DetectionFrequencyEnabled dword:[0|1] • DetectionFrequency dword:[1-22]

WUAgent General Settings  Allow Automatic Updates immediate installation » Applies to updates that do not require system or service restart » Are not directly identifiable by update metadata » Updates with "Restart behavior: Never restarts" may install with this option » To be certain of behavior - requires actual testing » Registry value (~WindowsUpdateAU) • AutoInstallMinorUpdates dword:[0|1]

WUAgent General Settings  Allow non-administrators to receive update notifications » Allows non-admin users on Windows XP (and Win2003) to • Receive notifications for download and installation • Install updates interactively (on demand) • Hide updates • Access “Reboot Later” functionality » Registry value (~WindowsUpdate) • ElevateNonAdmins dword:[0|1]

WUAgent General Settings Turn off access to all Windows Update features » Configures WSUS as the only update source » Blocks access to AU/WU/MU » Overrides user-based access settings » Policy • SystemInternet Communication ManagementInternet Communication settings » Registry value (~WindowsUpdate) • DisableWindowsUpdateAccess dword:[0|1]

WUAgent General Settings Remove links and access to Windows Update » Policy • User ConfigurationAdministrative TemplatesStart Menu and Taskbar » Registry value • HKCUSoftwareMicrosoftWindowsCurrentVersionPolicies Explorer » NoWindowsUpdate dword:[0|1]

WUAgent General Settings  Remove access to use all Windows Update features » Provides two options: • [0] Do not show any notifications • [1] Show restart required notifications » Policy • User ConfigurationAdministrative TemplatesWindows ComponentsWindows Update » Registry value • HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesWindo wsUpdate » DisableWindowsUpdateAccess dword:[0|1] » DisableWindowsUpdateAccessMode dword:[0|1]

WUAgent General Settings  Do not display Install Updates and Shutdown option in Shut Down Windows dialog box » Not available on XP SP1 and earlier systems » The default behavior is to always present this feature when applicable » The intent of this option is to block access to this feature » "Install Updates and Shutdown" is not a forced option; the user can always change the option » Can also be applied on a per-user basis via User Configuration...Windows Update policy » Registry value (~WindowsUpdateAU) • NoAUShutdownOption dword:[0|1]

WUAgent General Settings Do not adjust default option to Install Updates and Shut Down in Shut Down Windows dialog box » The intent of this option is to allow the users last selected option to be presented as the default » Can also be applied on a per-user basis via User Configuration...Windows Update policy » Registry value (~WindowsUpdateAU) • NoAUAsDefaultShutdownOption dword:[0|1]

Policies Policies related to scheduled installation Policies new in Windows Vista Policies exclusive to WSUS

Scheduled Installations Delay Restart for scheduled installations No auto-restart with logged on users for scheduled automatic updates installations Re-prompt for restart with scheduled installations Reschedule Automatic Updates scheduled installations

Scheduled Installations Delay Restart for scheduled installations » The delay between the completion of the last installation and the initiation of the restart » The default wait (warning) time is 5 minutes » This value is configurable from 1 to 30 minutes » Registry values (~WindowsUpdateAU) • RebootWarningTimeoutEnable dword:[0|1] • RebootWarningTImeout dword:[1-30]

Scheduled Installations

Scheduled Installations No auto-restart with logged on users for scheduled automatic updates installations » Only useful for Windows XP (and Win2003) systems » Option is Disabled/Not Configured non-admin users are forced to restart in 5 minutes » Option is Enabled non-admins users are presented a dialog to initiate the restart » Admin users always have the option to Restart Now or Restart Later » Registry value (~WindowsUpdateAU) • NoAutoRebootWithLoggedOnUsers dword:[0|1]

Scheduled Installations Re-prompt for restart with scheduled installations » Only useful for Windows XP (and Win2003) systems » Allow configuration of the "Restart Later" delay time for Windows XP (and Win2003) systems » The default delay is 10 minutes » This value is configurable from 1 to 1440 minutes (24 hours) » Registry values (~WindowsUpdateAU) • RebootRelaunchTimeoutEnabled dword:[0|1] • RebootRelaunchTimeout dword:[1-1440]

Scheduled Installations Reschedule Automatic Updates scheduled installations » Whether installation occurs at startup and how long is the delay after startup • Not Configured - installation starts one minute after startup • Disabled - installation will not occur at startup • Enabled - installation will occur the specified number of minutes after startup » This value is configurable from 1 to 60 minutes » Registry values (~WindowsUpdateAU) • RescheduleWaitTimeEnabled dword:[0|1] • RescheduleWaitTime dword:[1-60]

Vista / Win7 / Win2008 Enable Windows Update Power Management to automatically wake up the system to install scheduled updates Turn on recommended updates via Automatic Updates Turn on Software Notifications

Vista / Win7 / Win2008 Enable Windows Update Power Management to automatically wake up the system to install scheduled updates » a system in hibernation at the scheduled installation event will wake up to install updates » a system in hibernation with expired deadlines will wake up to install updates » a system running on batteries will not install updates and will be returned to hibernation » Registry value (~WindowsUpdateAU) • AUPowerManagement dword:[0|1]

Vista / Win7 / Win2008

Vista / Win7 / Win2008  Turn on recommended updates via Automatic Updates » AU Only -- the concept of “recommended” does not exist in WSUS » Registry value (~WindowsUpdateAU) • IncludeRecommendedUpdates dword:[0|1]  Turn on Software Notifications » Provides enhanced notification messages to promote the installation of optional software » AU Only -- the concept of “optional” does not exist in WSUS » Registry value (~WindowsUpdateAU) • EnableFeaturedSoftware dword:[0|1]

Vista / Win7 / Win2008

WSUS Policy Settings  Specify intranet Microsoft update service location  Enable client-side targeting  Allow signed update from an intranet Microsoft update service location

WSUS Policy Settings Specify intranet Microsoft update service location » Enables use of a WSUS server » "Intranet update service" and "Intranet statistics server" must be identical » Registry values (~WindowsUpdateAU) • UseWUServer dword:[0|1] » Registry values (~WindowsUpdate) • WUServer sz <http:// URL of WSUS server> • WUStatusServer sz <http:// URL of WSUS server>

WSUS Policy Settings

WSUS Policy Settings  Enable client-side targeting » If using server-side targeting, this policy should be disabled » The target groups specified in this setting must exist on the WSUS server » Multiple target groups are specified by using a semicolon delimited list » Do not specify "All Computers" or "Unassigned Computers" in this list » Registry values (~WindowsUpdate) • TargetGroupEnabled dword:[0|1] • TargetGroup sz <semicolon delimited string>

WSUS Policy Settings Allow signed updates from an intranet Microsoft update service location » Enables the Windows Update Agent to install locally published updates obtained from the WSUS server » Registry values (~WindowsUpdate) • AcceptTrustedPublisherCerts dword:[0|1]

Helpful Resources Get More Out of WSUS with SolarWinds Patch Manager Watch Video Test Drive Live Demo Ask Our Community Download 30-day Free Trial Click any of the links above - Slide 49 -

Author: Lawrence Garvin, WSUS MVP Thank You! Feedback or questionslawrence.garvin@solarwinds.com

Group Policy and WSUS Best Practices

by SolarWinds on May 31, 2012

Accessibility

Categories

Upload Details

Usage Rights

Statistics

Group Policy and WSUS Best Practices Presentation Transcript