For more information on Patch Manager, visit: http://www.solarwinds.com/patch-manager.aspx This presentation will review the following: Default behavior and general settings • General considerations when using Policy with WSUS • WUAgent default behavior • WUAgent general settings Policies • Policies related to scheduled installation • Policies new in Windows Vista® • Policies exclusive to WSUS

1. Author
Lawrence Garvin, WSUS MVP
Group Policy and WSUS
Best Practices

2. Group Policies & WSUS Best Practices
 Default behavior and general settings
» General considerations when using Policy with WSUS
» WUAgent default behavior
» WUAgent general settings
 Policies
» Policies related to scheduled installation
» Policies new in Windows Vista®
» Policies exclusive to WSUS

3. General Considerations
 Policy settings and registry values are documented in the
WSUS Deployment Guide
» Chapter: Update and Configure the Automatic Updates Client
» Section: Determine a Method to Configure Clients
» http://technet.microsoft.com/en-us/library/dd939821(WS.10).aspx

4. General Considerations, cont.
 All WUAgent computer policy settings are manifested in
these registry keys
» HKLMPoliciesMicrosoftWindowsWindowsUpdate
» HKLMPoliciesMicrosoftWindowsWindowsUpdateAU
 All WUAgent user policy settings are manifested in these
registry keys
» HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesEx
plorer
» HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesWi
ndowsUpdate
 If registry values are invalid, WUAgent reverts to internal
default settings

5. WUAgent Default Behavior
 Detection Interval: 22 hours
 Download automatically / scheduled installation at 3am
 Restart delay (warning) after scheduled installation is 5
minutes
 Re-prompt for reboot delay is 10 minutes
» Vista and later also offer option to delay 1 or 4 hours
 Installation delay at startup is 1 minute
 Windows XP® (and Win2003) requires admin access to
interact with WUAgent UI

6. WUAgent Default Behavior

7. WUAgent General Settings
 Configure Automatic Updates
 Automatic Updates detection frequency
 Allow Automatic Updates immediate installation
 Allow non-administrators to receive update notifications
 Turn off access to all Windows Update features
» Remove links and access to Windows Update
» Remove access to use all Windows Update features
 Do not display ‘Install Updates and Shutdown’ option
 Do not adjust default option to ‘Install Updates and
Shutdown’

8. WUAgent General Settings
 Configure Automatic Updates
» Options
• Option 1: Not Used
• Option 2: Notify before download / Notify before installation
• Option 3: Download automatically / Notify before installation
• Option 4: Download automatically / Schedule installation
• Option 5: Allow local admin to choose the configuration
» Registry Values (~WindowsUpdateAU)
• NoAutoUpdate dword:[0|1]
• AUOptions dword:[2-5]
• ScheduledInstallDay dword:[0-7]
• ScheduledInstallTime dword:[0-23]

9. WUAgent General Settings

10. WUAgent General Settings
 Automatic Updates detection frequency
» Default is 22 hours (- 0-20%)
• Actual detection will be 17.6 - 22.0 hours
» Should be set consistent with server synchronization scheudule
» One hour detections may interfere with targeting cookie
automatic expiration
» Registry values (~WindowsUpdateAU)
• DetectionFrequencyEnabled dword:[0|1]
• DetectionFrequency dword:[1-22]

11. WUAgent General Settings

12. WUAgent General Settings
 Allow Automatic Updates immediate installation
» Applies to updates that do not require system or service restart
» Are not directly identifiable by update metadata
» Updates with "Restart behavior: Never restarts" may install with
this option
» To be certain of behavior - requires actual testing
» Registry value (~WindowsUpdateAU)
• AutoInstallMinorUpdates dword:[0|1]

13. WUAgent General Settings

14. WUAgent General Settings
 Allow non-administrators to receive update notifications
» Allows non-admin users on Windows XP (and Win2003) to
• Receive notifications for download and installation
• Install updates interactively (on demand)
• Hide updates
• Access “Reboot Later” functionality
» Registry value (~WindowsUpdate)
• ElevateNonAdmins dword:[0|1]

15. WUAgent General Settings

16. WUAgent General Settings
 Turn off access to all Windows Update features
» Configures WSUS as the only update source
» Blocks access to AU/WU/MU
» Overrides user-based access settings
» Policy
• SystemInternet Communication ManagementInternet
Communication settings
» Registry value (~WindowsUpdate)
• DisableWindowsUpdateAccess dword:[0|1]

17. WUAgent General Settings

18. WUAgent General Settings
 Remove links and access to Windows Update
» Policy
• User ConfigurationAdministrative TemplatesStart Menu and
Taskbar
» Registry value
• HKCUSoftwareMicrosoftWindowsCurrentVersionPolicies
Explorer
» NoWindowsUpdate dword:[0|1]

19. WUAgent General Settings

20. WUAgent General Settings
 Remove access to use all Windows Update features
» Provides two options:
• [0] Do not show any notifications
• [1] Show restart required notifications
» Policy
• User ConfigurationAdministrative TemplatesWindows
ComponentsWindows Update
» Registry value
• HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesWindo
wsUpdate
» DisableWindowsUpdateAccess dword:[0|1]
» DisableWindowsUpdateAccessMode dword:[0|1]

21. WUAgent General Settings

22. WUAgent General Settings
 Do not display 'Install Updates and Shutdown' option in
Shut Down Windows dialog box
» Not available on XP SP1 and earlier systems
» The default behavior is to always present this feature when
applicable
» The intent of this option is to block access to this feature
» "Install Updates and Shutdown" is not a forced option; the user
can always change the option
» Can also be applied on a per-user basis via User
Configuration...Windows Update policy
» Registry value (~WindowsUpdateAU)
• NoAUShutdownOption dword:[0|1]

23. WUAgent General Settings

24. WUAgent General Settings
 Do not adjust default option to 'Install Updates and Shut
Down' in Shut Down Windows dialog box
» The intent of this option is to allow the user's last
selected option to be presented as the default
» Can also be applied on a per-user basis via User
Configuration...Windows Update policy
» Registry value (~WindowsUpdateAU)
• NoAUAsDefaultShutdownOption dword:[0|1]

25. WUAgent General Settings

26. Policies
 Policies related to scheduled
installation
 Policies new in Windows Vista
 Policies exclusive to WSUS

27. Scheduled Installations
 Delay Restart for scheduled installations
 No auto-restart with logged on users for scheduled
automatic updates installations
 Re-prompt for restart with scheduled installations
 Reschedule Automatic Updates scheduled installations

28. Scheduled Installations
 Delay Restart for scheduled installations
» The delay between the completion of the last
installation and the initiation of the restart
» The default wait (warning) time is 5 minutes
» This value is configurable from 1 to 30 minutes
» Registry values (~WindowsUpdateAU)
• RebootWarningTimeoutEnable dword:[0|1]
• RebootWarningTImeout dword:[1-30]

29. Scheduled Installations

30. Scheduled Installations
 No auto-restart with logged on users for
scheduled automatic updates installations
» Only useful for Windows XP (and Win2003) systems
» Option is Disabled/Not Configured non-admin users
are forced to restart in 5 minutes
» Option is Enabled non-admins users are presented a
dialog to initiate the restart
» Admin users always have the option to Restart Now
or Restart Later
» Registry value (~WindowsUpdateAU)
• NoAutoRebootWithLoggedOnUsers dword:[0|1]

31. Scheduled Installations

32. Scheduled Installations
 Re-prompt for restart with scheduled installations
» Only useful for Windows XP (and Win2003) systems
» Allow configuration of the "Restart Later" delay time
for Windows XP (and Win2003) systems
» The default delay is 10 minutes
» This value is configurable from 1 to 1440 minutes (24
hours)
» Registry values (~WindowsUpdateAU)
• RebootRelaunchTimeoutEnabled dword:[0|1]
• RebootRelaunchTimeout dword:[1-1440]

33. Scheduled Installations

34. Scheduled Installations
 Reschedule Automatic Updates scheduled installations
» Whether installation occurs at startup and how long is the delay
after startup
• Not Configured - installation starts one minute after startup
• Disabled - installation will not occur at startup
• Enabled - installation will occur the specified number of minutes
after startup
» This value is configurable from 1 to 60 minutes
» Registry values (~WindowsUpdateAU)
• RescheduleWaitTimeEnabled dword:[0|1]
• RescheduleWaitTime dword:[1-60]

35. Scheduled Installations

36. Vista / Win7 / Win2008
 Enable Windows Update Power Management to
automatically wake up the system to install scheduled
updates
 Turn on recommended updates via Automatic Updates
 Turn on Software Notifications

37. Vista / Win7 / Win2008
 Enable Windows Update Power Management to
automatically wake up the system to install scheduled
updates
» a system in hibernation at the scheduled installation event will
wake up to install updates
» a system in hibernation with expired deadlines will wake up to
install updates
» a system running on batteries will not install updates and will be
returned to hibernation
» Registry value (~WindowsUpdateAU)
• AUPowerManagement dword:[0|1]

38. Vista / Win7 / Win2008

39. Vista / Win7 / Win2008
 Turn on recommended updates via Automatic Updates
» AU Only -- the concept of “recommended” does not exist in
WSUS
» Registry value (~WindowsUpdateAU)
• IncludeRecommendedUpdates dword:[0|1]
 Turn on Software Notifications
» Provides enhanced notification messages to promote the
installation of optional software
» AU Only -- the concept of “optional” does not exist in WSUS
» Registry value (~WindowsUpdateAU)
• EnableFeaturedSoftware dword:[0|1]

40. Vista / Win7 / Win2008

41. Vista / Win7 / Win2008

42. WSUS Policy Settings
 Specify intranet Microsoft update service location
 Enable client-side targeting
 Allow signed update from an intranet Microsoft update
service location

43. WSUS Policy Settings
 Specify intranet Microsoft update service location
» Enables use of a WSUS server
» "Intranet update service" and "Intranet statistics server" must be
identical
» Registry values (~WindowsUpdateAU)
• UseWUServer dword:[0|1]
» Registry values (~WindowsUpdate)
• WUServer sz <http:// URL of WSUS server>
• WUStatusServer sz <http:// URL of WSUS server>

44. WSUS Policy Settings

45. WSUS Policy Settings
 Enable client-side targeting
» If using server-side targeting, this policy should be disabled
» The target groups specified in this setting must exist on the
WSUS server
» Multiple target groups are specified by using a semicolon
delimited list
» Do not specify "All Computers" or "Unassigned Computers" in
this list
» Registry values (~WindowsUpdate)
• TargetGroupEnabled dword:[0|1]
• TargetGroup sz <semicolon delimited string>

46. WSUS Policy Settings

47. WSUS Policy Settings
 Allow signed updates from an intranet Microsoft update
service location
» Enables the Windows Update Agent to install locally published
updates obtained from the WSUS server
» Registry values (~WindowsUpdate)
• AcceptTrustedPublisherCerts dword:[0|1]

48. WSUS Policy Settings

49. Helpful Resources
Get More Out of WSUS with
SolarWinds Patch Manager
Watch Video Test Drive Live Demo
Ask Our Community Download 30-day Free Trial
Click any of the links above
- Slide 49 -

50. Author: Lawrence Garvin, WSUS MVP
Thank You!
Feedback or questions
lawrence.garvin@solarwinds.com