2.3.2 How to Configure Windows Update Using Group Policy Settings
You can configure Windows Update client settings using
local or domain Group Policy settings. This is useful for the
following tasks:
- Configuring computers to use a local WSUS server
- Configuring automatic installation of updates at a specific time of day
- Configuring how often to check for updates
- Configuring update notifications, including whether non-administrators receive update notifications
- Configuring client computers as part of a WSUS target group, which you can use to deploy different updates to different groups of computers
Windows Update settings are located at Computer Configuration\Administrative
Templates\Windows Components\Windows Update. The most useful
Windows Update Group Policy settings are as follows:
- Configure Automatic Updates: Specifies whether client computers will receive security updates and other important downloads through the Windows Update service. You also use this setting to configure whether the updates are installed automatically and what time of day the installation occurs.
- Specify Intranet Microsoft Update Service Location: Specifies the location of your WSUS server.
- Automatic Updates Detection Frequency: Specifies how frequently the Windows Update client checks for new updates. By default, this is a random time between 17 and 22 hours.
- Allow Non-Administrators To Receive Update Notifications: Determines whether all users or only administrators will receive update notifications, as shown in Figure 2. Non-administrators can install updates using the Windows Update client.
- Allow Automatic Updates Immediate Installation: Specifies whether Windows Update will immediately install updates that don't require the computer to be restarted.
- Turn On Recommended Updates Via Automatic Updates: Determines whether client computers install both critical and recommended updates, which might include updated drivers.
- No Auto-Restart With Logged On Users For Scheduled Automatic Updates Installations: Specifies that to complete a scheduled installation, Windows Update will wait for the computer to be restarted by any user who is logged on instead of causing the computer to restart automatically.
- Re-Prompt For Restart With Scheduled Installations: Specifies how often the Windows Update client prompts the user to restart. Depending on other configuration settings, users might have the option of delaying a scheduled restart. However, the Windows Update client will remind them automatically to restart based on the frequency configured in this setting.
- Delay Restart For Scheduled Installations: Specifies how long the Windows Update client waits before automatically restarting.
- Reschedule Automatic Updates Scheduled Installations: Specifies the amount of time for Windows Update to wait, following system startup, before continuing with a scheduled installation that was missed previously. If you don't specify this amount of time, a missed scheduled installation will occur one minute after the computer is next started.
- Enable Client-Side Targeting: Specifies which group the computer is a member of.
- Enabling Windows Update Power Management To Automatically Wake Up The System To Install Scheduled Updates: If people in your organization tend to shut down their computers when they leave the office, enable this setting to configure computers with supported hardware to start up automatically and install an update at the scheduled time. Computers will not wake up unless there is an update to be installed. If the computer is on battery power, the computer will return to Sleep automatically after two minutes.
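To confirm which of these settings a client has actually received, you can read the policy values back from the registry. The following PowerShell script is an added example, not part of the original text; the registry key and value names it reads are the standard storage locations for these policies and are not stated on this page.

```powershell
# Added example: report the Windows Update policy values applied to this computer.
# Assumption: these registry locations back the Group Policy settings; the page
# itself names only the Group Policy path.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # An absent key or value means the setting is Not Configured.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$settings = @(
    @{ Policy = 'Specify Intranet Microsoft Update Service Location'; Key = $wuKey; Name = 'WUServer' },
    @{ Policy = 'Specify Intranet Microsoft Update Service Location'; Key = $auKey; Name = 'UseWUServer' },
    @{ Policy = 'Enable Client-Side Targeting';                       Key = $wuKey; Name = 'TargetGroup' },
    @{ Policy = 'Configure Automatic Updates';                        Key = $auKey; Name = 'AUOptions' },
    @{ Policy = 'Configure Automatic Updates';                        Key = $auKey; Name = 'ScheduledInstallTime' },
    @{ Policy = 'Automatic Updates Detection Frequency';              Key = $auKey; Name = 'DetectionFrequency' },
    @{ Policy = 'No Auto-Restart With Logged On Users';               Key = $auKey; Name = 'NoAutoRebootWithLoggedOnUsers' }
)

$report = foreach ($s in $settings) {
    $data = Get-PolicyValue -Key $s.Key -Name $s.Name
    if ($null -eq $data) { $data = '(not configured)' }
    New-Object PSObject -Property @{ Policy = $s.Policy; Value = $s.Name; Data = $data }
}
$report | Select-Object Policy, Value, Data | Format-Table -AutoSize

# Consistency checks an administrator would want flagged.
$server  = Get-PolicyValue -Key $wuKey -Name 'WUServer'
$useWsus = Get-PolicyValue -Key $auKey -Name 'UseWUServer'
if ($server -and $useWsus -ne 1) {
    Write-Warning 'WUServer is set but UseWUServer is not 1; the WSUS location is ignored.'
}
if ($server -like 'http://*') {
    Write-Warning "WSUS location $server uses HTTP; client-server traffic is not protected by TLS."
}
if ((Get-PolicyValue -Key $auKey -Name 'NoAutoUpdate') -eq 1) {
    Write-Warning 'Configure Automatic Updates is Disabled (NoAutoUpdate = 1).'
}
```

The script avoids PowerShell 3.0 syntax so that it runs on the PowerShell 2.0 included with Windows 7.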
The following two settings are also available at the same
location under User Configuration (which you can use to specify
per-user settings) as well as under Computer Configuration:
- Do Not Display 'Install Updates And Shut Down' Option In Shut Down Windows Dialog Box: Specifies whether Windows shows the Install Updates And Shut Down option.
- Do Not Adjust Default Option To 'Install Updates And Shut Down' In Shut Down Windows Dialog Box: Specifies whether Windows automatically changes the default shutdown option to Install Updates And Shut Down when Windows Update is waiting to install an update.
Finally, one user setting is available only at User
Configuration\Administrative Templates\Windows
Components\Windows Update:
Windows 7 opens MSU files with the Windows Update Standalone Installer (Wusa.exe). To
install an update from a script, run the script with administrative
privileges, call Wusa and provide the path to the MSU file. For
example, you can install an update named Windows6.0-KB929761-x86.msu
in the current directory by running the following command:
wusa Windows6.0-KB929761-x86.msu
In addition, Wusa supports the following standard command-line
options:
- /?, /h, or /help: Displays the command-line options.
- /uninstall: Removes the specified package. Add the /kb option to specify the package to be removed using the Knowledge Base (KB) number.
- /quiet: Quiet mode. This is the same as unattended mode, but no status or error messages are displayed. Use quiet mode when installing an update as part of a script.
- /norestart: When combined with /quiet, does not restart when installation has completed. Use this parameter when installing multiple updates simultaneously. All but the last update installed should have the /norestart parameter.
- /warnrestart: When combined with /quiet, the installer warns the user before restarting the computer.
- /promptrestart: When combined with /quiet, the installer prompts the user to confirm that the computer can be restarted.
- /forcerestart: When combined with /quiet, the installer closes all applications and restarts the computer.
Scripting is not usually the best way to install
updates on an ongoing basis. Instead, you should use Windows Update,
WSUS, or Systems Management Server (SMS). However, you might create
a script to install updates on new computers or to install updates
on computers that cannot participate in your standard update
distribution method.
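For such a provisioning script, the following PowerShell sketch installs every MSU file in a staging folder with /quiet and /norestart and reports whether a restart is needed. It is an added example, not part of the original text: the C:\Updates folder is hypothetical, and the signature check and exit-code handling go beyond what this page describes.

```powershell
# Added example: install every .msu in a staging folder with Wusa, deferring restarts.
# Assumptions: C:\Updates is a hypothetical folder; the session is elevated.
$updateDir = 'C:\Updates'
$wusa = Join-Path $env:SystemRoot 'System32\wusa.exe'
$restartNeeded = $false
$problems = @()

foreach ($msu in (Get-ChildItem -Path $updateDir -Filter *.msu | Sort-Object Name)) {
    # Skip any package whose Authenticode signature does not validate, because
    # the script runs with administrative privileges.
    $sig = Get-AuthenticodeSignature -FilePath $msu.FullName
    if ($sig.Status -ne 'Valid') {
        $problems += "$($msu.Name): signature status $($sig.Status)"
        continue
    }

    # /quiet suppresses all UI; /norestart holds the restart until every package is in.
    $wusaArgs = "`"$($msu.FullName)`" /quiet /norestart"
    $proc = Start-Process -FilePath $wusa -ArgumentList $wusaArgs -Wait -PassThru

    # Exit codes are standard Windows and Windows Update result codes (not listed
    # on this page): 3010 = restart required, 2359302 (0x00240006) = already
    # installed, -2145124329 (0x80240017) = not applicable.
    switch ($proc.ExitCode) {
        0           { Write-Output "$($msu.Name): installed" }
        3010        { Write-Output "$($msu.Name): installed, restart required"; $restartNeeded = $true }
        2359302     { Write-Output "$($msu.Name): already installed" }
        -2145124329 { Write-Output "$($msu.Name): not applicable to this computer" }
        default     { $problems += "$($msu.Name): wusa exit code $($proc.ExitCode)" }
    }
}

$problems | ForEach-Object { Write-Warning $_ }
if ($restartNeeded) { Write-Output 'Restart the computer to finish installing the updates.' }
```

The script leaves the restart to the operator rather than passing /forcerestart on the last package, so a failed or skipped package can be reviewed before the computer goes down.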