
Group Policy and WSUS Best Practices

For more information on Patch Manager, visit: http://www.solarwinds.com/patch-manager.aspx

This presentation will review the following:

Default behavior and general settings
• General considerations when using Policy with WSUS
• WUAgent default behavior
• WUAgent general settings

Policies
• Policies related to scheduled installation
• Policies new in Windows Vista®
• Policies exclusive to WSUS

Comments
  • Using the registry is a valid alternative, although you'll still need to use a semicolon delimited list if the client belongs to more than one group.

    You'll need to be careful, however, that the 'Enable client-side targeting' policy setting remains 'Not Configured', else it will overwrite the 'TargetGroups' registry value.

    Another option is to use Local Policy. The advantage here is that you still configure group memberships on a per-computer basis, but there's a second 'copy' of that configuration in the event the registry does get affected. While the Local Policy wouldn't have any effect if a GPO overwrote the settings, there would, at least, be a record of what it should be.

    Finally, depending on the number of clients you have, and particularly with the effort involved in making connections to use local policy or edit the registry values, you may find it simply more effective to use server-side targeting and assign group memberships from the WSUS console.

    If you do choose to use server-side targeting, be sure to set the 'Enable client-side targeting' policy to DISABLED so that the clients will know to query the WSUS server for groups rather than read the registry value.
  • Thank you very much! I found a lot of necessary information.
    I have a question though; I hope you can help me.
    I have computers which are in the domain, and computers in a workgroup. In the WSUS console, I have 20 groups, and all of them have 5 sub-groups. I enabled client-side targeting, and defined the computers with the necessary target group. I have not created those groups in the GPO of AD, and I don't use semicolons,
    just the registry. Can that be a problem?

Transcript

  • 1. Group Policy and WSUS Best Practices
    Author: Lawrence Garvin, WSUS MVP
  • 2. Group Policies & WSUS Best Practices
    Default behavior and general settings
    » General considerations when using Policy with WSUS
    » WUAgent default behavior
    » WUAgent general settings
    Policies
    » Policies related to scheduled installation
    » Policies new in Windows Vista®
    » Policies exclusive to WSUS
  • 3. General Considerations
    Policy settings and registry values are documented in the WSUS Deployment Guide
    » Chapter: Update and Configure the Automatic Updates Client
    » Section: Determine a Method to Configure Clients
    » http://technet.microsoft.com/en-us/library/dd939821(WS.10).aspx
  • 4. General Considerations, cont.
    All WUAgent computer policy settings are manifested in these registry keys
    » HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (abbreviated ~WindowsUpdate on later slides)
    » HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU (abbreviated ~WindowsUpdate\AU)
    All WUAgent user policy settings are manifested in these registry keys
    » HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    » HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate
    If registry values are invalid, WUAgent reverts to its internal default settings
  • 5. WUAgent Default Behavior
    Detection interval: 22 hours
    Download automatically / scheduled installation at 3am
    Restart delay (warning) after scheduled installation is 5 minutes
    Re-prompt for reboot delay is 10 minutes
    » Vista and later also offer the option to delay 1 or 4 hours
    Installation delay at startup is 1 minute
    Windows XP® (and Win2003) require admin access to interact with the WUAgent UI
  • 6. WUAgent Default Behavior
  • 7. WUAgent General Settings
    Configure Automatic Updates
    Automatic Updates detection frequency
    Allow Automatic Updates immediate installation
    Allow non-administrators to receive update notifications
    Turn off access to all Windows Update features
    » Remove links and access to Windows Update
    » Remove access to use all Windows Update features
    Do not display 'Install Updates and Shutdown' option
    Do not adjust default option to 'Install Updates and Shutdown'
  • 8. WUAgent General Settings
    Configure Automatic Updates
    » Options
      • Option 1: Not Used
      • Option 2: Notify before download / Notify before installation
      • Option 3: Download automatically / Notify before installation
      • Option 4: Download automatically / Schedule installation
      • Option 5: Allow local admin to choose the configuration
    » Registry values (~WindowsUpdate\AU)
      • NoAutoUpdate dword:[0|1]
      • AUOptions dword:[2-5]
      • ScheduledInstallDay dword:[0-7]
      • ScheduledInstallTime dword:[0-23]
  • 9. WUAgent General Settings
  • 10. WUAgent General Settings
    Automatic Updates detection frequency
    » Default is 22 hours minus a random 0-20%
      • Actual detection will be 17.6 - 22.0 hours
    » Should be set consistent with the server synchronization schedule
    » One-hour detections may interfere with targeting cookie automatic expiration
    » Registry values (~WindowsUpdate\AU)
      • DetectionFrequencyEnabled dword:[0|1]
      • DetectionFrequency dword:[1-22]
  • 11. WUAgent General Settings
  • 12. WUAgent General Settings
    Allow Automatic Updates immediate installation
    » Applies to updates that do not require a system or service restart
    » Such updates are not directly identifiable from update metadata
    » Updates with "Restart behavior: Never restarts" may install with this option
    » To be certain of behavior, actual testing is required
    » Registry value (~WindowsUpdate\AU)
      • AutoInstallMinorUpdates dword:[0|1]
  • 13. WUAgent General Settings
  • 14. WUAgent General Settings
    Allow non-administrators to receive update notifications
    » Allows non-admin users on Windows XP (and Win2003) to
      • Receive notifications for download and installation
      • Install updates interactively (on demand)
      • Hide updates
      • Access "Reboot Later" functionality
    » Registry value (~WindowsUpdate)
      • ElevateNonAdmins dword:[0|1]
  • 15. WUAgent General Settings
  • 16. WUAgent General Settings
    Turn off access to all Windows Update features
    » Configures WSUS as the only update source
    » Blocks access to AU/WU/MU
    » Overrides user-based access settings
    » Policy
      • Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
    » Registry value (~WindowsUpdate)
      • DisableWindowsUpdateAccess dword:[0|1]
  • 17. WUAgent General Settings
  • 18. WUAgent General Settings
    Remove links and access to Windows Update
    » Policy
      • User Configuration\Administrative Templates\Start Menu and Taskbar
    » Registry value
      • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
      • NoWindowsUpdate dword:[0|1]
  • 19. WUAgent General Settings
  • 20. WUAgent General Settings
    Remove access to use all Windows Update features
    » Provides two options:
      • [0] Do not show any notifications
      • [1] Show restart required notifications
    » Policy
      • User Configuration\Administrative Templates\Windows Components\Windows Update
    » Registry values
      • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate
      • DisableWindowsUpdateAccess dword:[0|1]
      • DisableWindowsUpdateAccessMode dword:[0|1]
  • 21. WUAgent General Settings
  • 22. WUAgent General Settings
    Do not display 'Install Updates and Shutdown' option in Shut Down Windows dialog box
    » Not available on XP SP1 and earlier systems
    » The default behavior is to always present this feature when applicable
    » The intent of this option is to block access to this feature
    » "Install Updates and Shutdown" is not a forced option; the user can always change the selection
    » Can also be applied on a per-user basis via the User Configuration...Windows Update policy
    » Registry value (~WindowsUpdate\AU)
      • NoAUShutdownOption dword:[0|1]
  • 23. WUAgent General Settings
  • 24. WUAgent General Settings
    Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box
    » The intent of this option is to present the user's last selected option as the default
    » Can also be applied on a per-user basis via the User Configuration...Windows Update policy
    » Registry value (~WindowsUpdate\AU)
      • NoAUAsDefaultShutdownOption dword:[0|1]
  • 25. WUAgent General Settings
  • 26. Policies
    » Policies related to scheduled installation
    » Policies new in Windows Vista
    » Policies exclusive to WSUS
  • 27. Scheduled Installations
    » Delay Restart for scheduled installations
    » No auto-restart with logged on users for scheduled automatic updates installations
    » Re-prompt for restart with scheduled installations
    » Reschedule Automatic Updates scheduled installations
  • 28. Scheduled Installations
    Delay Restart for scheduled installations
    » The delay between the completion of the last installation and the initiation of the restart
    » The default wait (warning) time is 5 minutes
    » This value is configurable from 1 to 30 minutes
    » Registry values (~WindowsUpdate\AU)
      • RebootWarningTimeoutEnabled dword:[0|1]
      • RebootWarningTimeout dword:[1-30]
  • 29. Scheduled Installations
  • 30. Scheduled Installations
    No auto-restart with logged on users for scheduled automatic updates installations
    » Only useful for Windows XP (and Win2003) systems
    » Option is Disabled/Not Configured: non-admin users are forced to restart in 5 minutes
    » Option is Enabled: non-admin users are presented a dialog to initiate the restart
    » Admin users always have the option to Restart Now or Restart Later
    » Registry value (~WindowsUpdate\AU)
      • NoAutoRebootWithLoggedOnUsers dword:[0|1]
  • 31. Scheduled Installations
  • 32. Scheduled Installations
    Re-prompt for restart with scheduled installations
    » Only useful for Windows XP (and Win2003) systems
    » Allows configuration of the "Restart Later" delay time
    » The default delay is 10 minutes
    » This value is configurable from 1 to 1440 minutes (24 hours)
    » Registry values (~WindowsUpdate\AU)
      • RebootRelaunchTimeoutEnabled dword:[0|1]
      • RebootRelaunchTimeout dword:[1-1440]
  • 33. Scheduled Installations
  • 34. Scheduled Installations
    Reschedule Automatic Updates scheduled installations
    » Whether installation occurs at startup, and how long the delay after startup is
      • Not Configured: installation starts one minute after startup
      • Disabled: installation will not occur at startup
      • Enabled: installation will occur the specified number of minutes after startup
    » This value is configurable from 1 to 60 minutes
    » Registry values (~WindowsUpdate\AU)
      • RescheduleWaitTimeEnabled dword:[0|1]
      • RescheduleWaitTime dword:[1-60]
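The following is an added PowerShell example, not code from the presentation or from SolarWinds. It takes the Automatic Updates policy values and ranges listed on slides 4, 8, 10, 12, 28, 30, 32 and 34, decodes them into what the agent will actually do (the option text from slide 8, the 17.6-22 hour detection window from slide 10, the restart timers), and flags any DWORD outside its documented range, since slide 4 says the agent silently reverts to its internal default in that case and a GP report will not show you that. The function names `Read-AUPolicy` and `Resolve-AUPolicy`, the default-value table and the sample hashtable are assumptions constructed for the example; the sample is not taken from a real host.

```powershell
# Added example (not from the slides): decode Automatic Updates policy values and
# flag out-of-range DWORDs that make the agent fall back to its built-in defaults.
$AUPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Value name, documented range (slides 8-34) and the agent default (slide 5) that
# applies when the value is absent or invalid.
$AUPolicySpec = @(
    @{ Name = 'NoAutoUpdate';                  Min = 0; Max = 1;    Default = 0  }
    @{ Name = 'AUOptions';                     Min = 2; Max = 5;    Default = 4  }
    @{ Name = 'ScheduledInstallDay';           Min = 0; Max = 7;    Default = 0  }
    @{ Name = 'ScheduledInstallTime';          Min = 0; Max = 23;   Default = 3  }
    @{ Name = 'DetectionFrequencyEnabled';     Min = 0; Max = 1;    Default = 0  }
    @{ Name = 'DetectionFrequency';            Min = 1; Max = 22;   Default = 22 }
    @{ Name = 'AutoInstallMinorUpdates';       Min = 0; Max = 1;    Default = 0  }
    @{ Name = 'NoAutoRebootWithLoggedOnUsers'; Min = 0; Max = 1;    Default = 0  }
    @{ Name = 'RebootWarningTimeoutEnabled';   Min = 0; Max = 1;    Default = 0  }
    @{ Name = 'RebootWarningTimeout';          Min = 1; Max = 30;   Default = 5  }
    @{ Name = 'RebootRelaunchTimeoutEnabled';  Min = 0; Max = 1;    Default = 0  }
    @{ Name = 'RebootRelaunchTimeout';         Min = 1; Max = 1440; Default = 10 }
    @{ Name = 'RescheduleWaitTimeEnabled';     Min = 0; Max = 1;    Default = 0  }
    @{ Name = 'RescheduleWaitTime';            Min = 1; Max = 60;   Default = 1  }
)
$AUOptionText = @{
    2 = 'Notify before download / notify before installation'
    3 = 'Download automatically / notify before installation'
    4 = 'Download automatically / scheduled installation'
    5 = 'Local administrator chooses the configuration'
}
$DayText = @('every day', 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday')

function Read-AUPolicy {
    # Reads the live policy key into a Name -> DWORD hashtable (present values only).
    $values = @{}
    if (Test-Path -Path $AUPolicyKey) {
        $item = Get-ItemProperty -Path $AUPolicyKey
        foreach ($spec in $AUPolicySpec) {
            $prop = $item.PSObject.Properties[$spec.Name]
            if ($null -ne $prop) { $values[$spec.Name] = [int]$prop.Value }
        }
    }
    return $values
}

function Resolve-AUPolicy {
    param([hashtable]$Values)   # Name -> DWORD, from Read-AUPolicy or constructed
    $effective = @{}
    $findings  = @()
    foreach ($spec in $AUPolicySpec) {
        $name = $spec.Name
        if (-not $Values.ContainsKey($name)) { $effective[$name] = $spec.Default; continue }
        $v = [int]$Values[$name]
        if ($v -lt $spec.Min -or $v -gt $spec.Max) {
            # Slide 4: an invalid value is ignored and the internal default applies.
            $findings += "$name=$v is outside [$($spec.Min)-$($spec.Max)]; agent falls back to default $($spec.Default)"
            $effective[$name] = $spec.Default
        } else {
            $effective[$name] = $v
        }
    }
    # "Configure Automatic Updates" (slide 8): NoAutoUpdate=1 wins, then AUOptions.
    if ($effective.NoAutoUpdate -eq 1) {
        $mode = 'Automatic Updates disabled'
    } else {
        $mode = $AUOptionText[$effective.AUOptions]
        if ($effective.AUOptions -eq 4) {
            $mode += (' {0} at {1:D2}:00' -f $DayText[$effective.ScheduledInstallDay], $effective.ScheduledInstallTime)
        }
    }
    # Detection window (slide 10): configured interval minus a random 0-20%; the
    # policy interval only applies when DetectionFrequencyEnabled is 1.
    $hours  = if ($effective.DetectionFrequencyEnabled -eq 1) { $effective.DetectionFrequency } else { 22 }
    $window = '{0:N1}-{1:N1} hours' -f ($hours * 0.8), $hours
    # Restart timers (slides 28, 32, 34) apply only when their Enabled flag is 1.
    $warn   = if ($effective.RebootWarningTimeoutEnabled  -eq 1) { $effective.RebootWarningTimeout }  else { 5 }
    $prompt = if ($effective.RebootRelaunchTimeoutEnabled -eq 1) { $effective.RebootRelaunchTimeout } else { 10 }
    $boot   = if ($effective.RescheduleWaitTimeEnabled    -eq 1) { $effective.RescheduleWaitTime }    else { 1 }
    [pscustomobject]@{
        Mode = $mode; DetectionWindow = $window; RestartWarningMin = $warn
        RepromptMin = $prompt; StartupInstallDelayMin = $boot; Findings = $findings
    }
}

# Constructed sample (not a real host): nightly 03:00 installs, plus a 25-hour
# detection interval and a 45-minute restart warning that are both out of range.
$sample = @{
    AUOptions = 4; ScheduledInstallDay = 0; ScheduledInstallTime = 3
    DetectionFrequencyEnabled = 1; DetectionFrequency = 25
    RebootWarningTimeoutEnabled = 1; RebootWarningTimeout = 45
}
Resolve-AUPolicy -Values $sample | Format-List
# On a managed host, use the live values instead:
#   Resolve-AUPolicy -Values (Read-AUPolicy) | Format-List
```

With the constructed sample the report shows "Download automatically / scheduled installation every day at 03:00", a detection window of 17.6-22.0 hours (the invalid 25 has been replaced by the default 22), a 5-minute restart warning (the invalid 45 likewise), and two findings naming the values that were ignored. Run against `Read-AUPolicy` on a domain member the same table tells you which GPO settings the agent is actually honoring.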
  • 35. Scheduled Installations
  • 36. Vista / Win7 / Win2008
    » Enable Windows Update Power Management to automatically wake up the system to install scheduled updates
    » Turn on recommended updates via Automatic Updates
    » Turn on Software Notifications
  • 37. Vista / Win7 / Win2008
    Enable Windows Update Power Management to automatically wake up the system to install scheduled updates
    » A system in hibernation at the scheduled installation event will wake up to install updates
    » A system in hibernation with expired deadlines will wake up to install updates
    » A system running on batteries will not install updates and will be returned to hibernation
    » Registry value (~WindowsUpdate\AU)
      • AUPowerManagement dword:[0|1]
  • 38. Vista / Win7 / Win2008
  • 39. Vista / Win7 / Win2008
    Turn on recommended updates via Automatic Updates
    » AU only: the concept of "recommended" does not exist in WSUS
    » Registry value (~WindowsUpdate\AU)
      • IncludeRecommendedUpdates dword:[0|1]
    Turn on Software Notifications
    » Provides enhanced notification messages to promote the installation of optional software
    » AU only: the concept of "optional" does not exist in WSUS
    » Registry value (~WindowsUpdate\AU)
      • EnableFeaturedSoftware dword:[0|1]
  • 40. Vista / Win7 / Win2008
  • 41. Vista / Win7 / Win2008
  • 42. WSUS Policy Settings
    » Specify intranet Microsoft update service location
    » Enable client-side targeting
    » Allow signed updates from an intranet Microsoft update service location
  • 43. WSUS Policy Settings
    Specify intranet Microsoft update service location
    » Enables use of a WSUS server
    » "Intranet update service" and "Intranet statistics server" must be identical
    » Registry value (~WindowsUpdate\AU)
      • UseWUServer dword:[0|1]
    » Registry values (~WindowsUpdate)
      • WUServer sz <http:// URL of WSUS server>
      • WUStatusServer sz <http:// URL of WSUS server>
  • 44. WSUS Policy Settings
  • 45. WSUS Policy Settings
    Enable client-side targeting
    » If using server-side targeting, this policy should be Disabled
    » The target groups specified in this setting must exist on the WSUS server
    » Multiple target groups are specified using a semicolon-delimited list
    » Do not specify "All Computers" or "Unassigned Computers" in this list
    » Registry values (~WindowsUpdate)
      • TargetGroupEnabled dword:[0|1]
      • TargetGroup sz <semicolon-delimited string>
  • 46. WSUS Policy Settings
  • 47. WSUS Policy Settings
    Allow signed updates from an intranet Microsoft update service location
    » Enables the Windows Update Agent to install locally published updates obtained from the WSUS server
    » Registry value (~WindowsUpdate)
      • AcceptTrustedPublisherCerts dword:[0|1]
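The following is an added PowerShell example, not code from the presentation or from SolarWinds. It audits the WSUS-specific values from slides 43, 45 and 47, and the targeting advice repeated in the comments above, against the rules those slides state: UseWUServer must be 1, the update and statistics URLs must be identical, the TargetGroup list is semicolon-delimited and must not name "All Computers" or "Unassigned Computers", and client-side targeting should be Disabled when groups are assigned in the console. The check that flags an `http://` WUServer is an added practitioner caveat rather than something the slides say: without TLS the agent has no way to authenticate the server it downloads from. The function names `Read-WSUSPolicy` and `Test-WSUSPolicy`, the `-ServerSideTargeting` switch and the sample values (including the host name `wsus.corp.example`) are assumptions constructed for the example.

```powershell
# Added example (not from the slides): audit the WSUS client policy values for the
# consistency rules on slides 43, 45 and 47.
$WUPolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$WUAUKey       = "$WUPolicyKey\AU"
$BuiltInGroups = @('All Computers', 'Unassigned Computers')   # slide 45: never list these

function Read-WSUSPolicy {
    # Collects the live values into a Name -> value hashtable (present values only).
    $values = @{}
    if (Test-Path -Path $WUPolicyKey) {
        $p = Get-ItemProperty -Path $WUPolicyKey
        foreach ($n in 'WUServer', 'WUStatusServer', 'TargetGroupEnabled', 'TargetGroup', 'AcceptTrustedPublisherCerts') {
            if ($null -ne $p.$n) { $values[$n] = $p.$n }
        }
    }
    if (Test-Path -Path $WUAUKey) {
        $p = Get-ItemProperty -Path $WUAUKey
        if ($null -ne $p.UseWUServer) { $values['UseWUServer'] = $p.UseWUServer }
    }
    return $values
}

function Test-WSUSPolicy {
    param(
        [hashtable]$Values,
        # Set this when group membership is assigned in the WSUS console (server-side targeting).
        [switch]$ServerSideTargeting
    )
    $findings = @()
    $groups   = @()

    # Slide 43: UseWUServer=1 and matching WUServer / WUStatusServer.
    if ([int]$Values['UseWUServer'] -ne 1) {
        $findings += 'UseWUServer is not 1: the agent ignores WUServer and uses Windows Update'
    }
    $server = [string]$Values['WUServer']
    $status = [string]$Values['WUStatusServer']
    if (-not $server) {
        $findings += 'WUServer is not set'
    } else {
        if ($server.TrimEnd('/') -ne $status.TrimEnd('/')) {
            $findings += "WUServer ($server) and WUStatusServer ($status) differ; they must be identical"
        }
        $uri = $null
        if (-not [uri]::TryCreate($server, [System.UriKind]::Absolute, [ref]$uri)) {
            $findings += "WUServer '$server' is not an absolute URL"
        } elseif ($uri.Scheme -ne 'https') {
            # Added caveat: over http:// the client cannot authenticate the WSUS server.
            $findings += "WUServer uses $($uri.Scheme)://; update and status traffic is unauthenticated, prefer https"
        }
    }

    # Slide 45: targeting mode and the semicolon-delimited TargetGroup list.
    $clientSide = ([int]$Values['TargetGroupEnabled'] -eq 1)
    if ($ServerSideTargeting -and $clientSide) {
        $findings += 'Server-side targeting is in use but TargetGroupEnabled=1; set the policy to Disabled'
    }
    if ($clientSide) {
        $raw    = [string]$Values['TargetGroup']
        $groups = @($raw -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($groups.Count -eq 0) { $findings += 'TargetGroupEnabled=1 but TargetGroup is empty' }
        foreach ($g in $groups) {
            if ($BuiltInGroups -contains $g) { $findings += "TargetGroup names built-in group '$g'; remove it" }
        }
    }

    # Slide 47: locally published (non-Microsoft) updates from this server will install.
    if ([int]$Values['AcceptTrustedPublisherCerts'] -eq 1) {
        $findings += 'AcceptTrustedPublisherCerts=1: locally published updates will install; confirm the publishing certificate is the intended one'
    }

    [pscustomobject]@{ Server = $server; TargetGroups = $groups; Findings = $findings }
}

# Constructed sample (not a real host): mismatched status URL, plain http, and a
# group list that includes "All Computers".
$sample = @{
    UseWUServer                 = 1
    WUServer                    = 'http://wsus.corp.example:8530'
    WUStatusServer              = 'http://wsus.corp.example:8531'
    TargetGroupEnabled          = 1
    TargetGroup                 = 'Workstations; Finance;All Computers'
    AcceptTrustedPublisherCerts = 1
}
Test-WSUSPolicy -Values $sample | Format-List
# Live host using console-assigned groups:
#   Test-WSUSPolicy -Values (Read-WSUSPolicy) -ServerSideTargeting | Format-List
```

With the constructed sample the output lists the three parsed groups (Workstations, Finance, All Computers) and four findings: the URL mismatch, the http:// scheme, the built-in "All Computers" entry, and the informational note on AcceptTrustedPublisherCerts. Whitespace around the semicolons is trimmed because the WSUS console matches group names exactly, so " Finance" would not resolve to "Finance".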
  • 48. WSUS Policy Settings
  • 49. Helpful Resources
    Get More Out of WSUS with SolarWinds Patch Manager
    » Watch Video
    » Test Drive Live Demo
    » Ask Our Community
    » Download 30-day Free Trial
  • 50. Thank You!
    Author: Lawrence Garvin, WSUS MVP
    Feedback or questions: lawrence.garvin@solarwinds.com