Windows Small Business Server 2011 : Configuring the Windows Update Client Using Group Policy

The Windows SBS Console contains controls that enable you to configure only the most basic properties of the Windows Update client on your network computers, such as the time that installations should occur. To exercise more complete control over the client, you must modify the GPOs that contain the configuration settings for Windows Update.

Windows SBS 2011 creates three separate GPOs to configure Windows Update clients, as follows:

  • Update Services Common Settings Policy: Applies to all computers on the network
  • Update Services Client Computers Policy: Applies only to computers that are members of the Update Services Client Computers group
  • Update Services Server Computers Policy: Applies only to computers that are members of the Update Services Server Computers group

As part of its startup procedure, every computer on the network downloads and applies the Update Services Common Settings Policy GPO. This GPO contains most of the Windows Update policy settings that computers on the Windows SBS 2011 network need. The settings and default values for the Update Services Common Settings Policy GPO are listed in Table 1.

Table 1. Default Settings in the Update Services Common Settings Policy GPO

| Group Policy Setting | Default Values | Function |
| --- | --- | --- |
| Configure Automatic Updates | Notify for download and notify for install; 0—Every day; 03:00 | Enables the Windows Update client, specifies whether the client should download and install updates with or without user intervention, and specifies the installation interval and time of day. |
| Specify intranet Microsoft update service location | http://SERVER:####, where SERVER is the name of your server and #### is the port number assigned to the WSUS web application | Specifies the URL that Windows Update clients use to access the WSUS server on the local network. |
| Automatic Updates detection frequency | 1 hour | Specifies the interval at which Windows Update clients check the server for new updates. |
| Allow non-administrators to receive update notifications | Enabled | Enables users without administrative privileges to receive notifications of impending update downloads or installations from the Windows Update client. |
| Allow Automatic Updates immediate installation | Enabled | Specifies whether the Windows Update client should install updates that do not require a service interruption or system restart immediately. |
| No auto-restart with logged on users for scheduled automatic updates installations | Disabled | Specifies whether the Windows Update client can trigger a system restart when a user is logged on to the system. When set to Disabled, the computer can restart automatically while a user is logged on to the computer. |
| Re-prompt for restart with scheduled installations | 10 minutes | Specifies the time interval the Windows Update client should wait before restarting the computer after a user postponed a previous restart request. |
| Delay Restart for scheduled installations | 5 minutes | Specifies the time interval the Windows Update client should wait before restarting the computer after an update installation. |
| Reschedule Automatic Updates scheduled installations | 1 minute | Specifies the time interval the Windows Update client should wait after system startup before initiating an update installation that did not occur because the computer was offline. |

After applying the Update Services Common Settings Policy GPO, each computer then applies either the Update Services Client Computers Policy or the Update Services Server Computers Policy GPO, depending on its group membership. These GPOs contain only one policy setting each, as listed in Tables 2 and 3, with each having a different default value. Because the computers apply these GPOs after the Update Services Common Settings Policy GPO, the client- or server-specific value for the Configure Automatic Updates policy setting overwrites the existing value from the first GPO.

Table 2. Default Settings in the Update Services Client Computers Policy GPO

| Group Policy Setting | Default Values | Function |
| --- | --- | --- |
| Configure Automatic Updates | Auto download and schedule the install; 0—Every day; 03:00 | Enables the Automatic Updates client, specifies whether the client should download and install updates with or without user intervention, and specifies the installation interval and time of day. |

Table 3. Default Settings in the Update Services Server Computers Policy GPO

| Group Policy Setting | Default Values | Function |
| --- | --- | --- |
| Configure Automatic Updates | Auto download and notify for install; 0—Every day; 03:00 | Enables the Automatic Updates client, specifies whether the client should download and install updates with or without user intervention, and specifies the installation interval and time of day. |
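
One way to confirm which values a computer ended up with after the common and role-specific GPOs are applied, as an added example that is not part of the original article. The function names are hypothetical, the registry value names are the ones the Windows Update policy settings write under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, and the sample data is constructed.

```powershell
# Added example: compare Windows Update policy values with the defaults in
# Tables 1-3. Function names are hypothetical.
function Get-WUPolicyValues {
    # Collect the values Group Policy wrote to this computer's registry.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $values = @{}
    foreach ($key in @($base, "$base\AU")) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            # Skip provider metadata (PSPath, PSParentPath, ...) and empty keys.
            if ($p -and $p.Name -notlike 'PS*') { $values[$p.Name] = $p.Value }
        }
    }
    $values
}

function Test-WUPolicy {
    param([hashtable]$Actual, [ValidateSet('Client','Server')][string]$Role, [string]$WsusUrl)
    # Table 1 defaults. AUOptions comes from Table 2 (clients) or Table 3
    # (servers), because the role-specific GPO overwrites the common value.
    $auOptions = 3                                # Auto download and notify for install
    if ($Role -eq 'Client') { $auOptions = 4 }    # Auto download and schedule the install
    $expected = @{
        UseWUServer = 1; WUServer = $WsusUrl
        AUOptions = $auOptions; ScheduledInstallDay = 0; ScheduledInstallTime = 3
        DetectionFrequencyEnabled = 1; DetectionFrequency = 1
        ElevateNonAdmins = 1; AutoInstallMinorUpdates = 1
        NoAutoRebootWithLoggedOnUsers = 0
        RebootRelaunchTimeout = 10; RebootWarningTimeout = 5; RescheduleWaitTime = 1
    }
    # Emit one object per setting that is missing or differs from the default.
    foreach ($name in ($expected.Keys | Sort-Object)) {
        $found = $null
        if ($Actual.ContainsKey($name)) { $found = $Actual[$name] }
        if ("$found" -ne "$($expected[$name])") {
            New-Object PSObject -Property @{ Setting = $name; Expected = $expected[$name]; Found = $found }
        }
    }
}

# Constructed sample: a client holding only the common GPO's values (AUOptions = 2).
$sample = @{
    UseWUServer = 1; WUServer = 'http://SERVER:####'; AUOptions = 2
    ScheduledInstallDay = 0; ScheduledInstallTime = 3; DetectionFrequencyEnabled = 1
    DetectionFrequency = 1; ElevateNonAdmins = 1; AutoInstallMinorUpdates = 1
    NoAutoRebootWithLoggedOnUsers = 0; RebootRelaunchTimeout = 10
    RebootWarningTimeout = 5; RescheduleWaitTime = 1
}
Test-WUPolicy -Actual $sample -Role Client -WsusUrl 'http://SERVER:####'
# On a live computer, pass (Get-WUPolicyValues) as -Actual instead of $sample.
```

A computer that still reports the common GPO's Configure Automatic Updates value did not apply its role-specific GPO, so check its membership in the Update Services Client Computers or Update Services Server Computers group.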

To modify the default settings for the Update Services Common Settings Policy GPO, use the following procedure:

  1. Log on to your Windows SBS 2011 server, using an account with network Administrator privileges.
  2. Click Start. Then click Administrative Tools > Group Policy Management. The Group Policy Management Console appears.
  3. In the Scope (left) pane, expand the Forest node and browse to the node representing your domain. The Detail (right) pane lists the Group Policy objects linked to your domain object, including the three Update Services GPOs.

    Note

    When a domain has multiple GPOs linked to it, the computers on the network apply the GPOs in order, beginning with the last GPO in the list and ending with the first. If the same policy settings appear in more than one GPO, the settings that the system applies last take precedence. Therefore, the GPO that is number one on the list has the highest priority.

  4. Right-click the Update Services Common Settings Policy GPO and, from the context menu, select Edit. The Group Policy Management Editor Console appears, displaying the contents of the GPO.
  5. In the Scope (left) pane, browse to the Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update folder.
  6. In the Detail pane, double-click one of the policy settings listed in Table 1. The dialog box for the policy setting appears.
  7. Modify the values for the policy setting as desired and click OK to close the dialog box.
  8. Repeat steps 6 and 7 to modify additional policy settings.
  9. Close the Group Policy Management Editor Console.
  10. Close the Group Policy Management Console.

To modify the Configure Automatic Updates policy settings that your computers actually use, you must repeat the procedure and edit the Update Services Client Computers Policy and Update Services Server Computers Policy GPOs.

The most common modifications that administrators are likely to make to these GPOs are to change the installation time and frequency in the Configure Automatic Updates policy setting, or to disable the automatic installation process for clients. Some of the other modifications you might consider are the following:

  • Enabling the No auto-restart with logged on users for scheduled automatic updates installations policy setting prevents users from being interrupted by an update installation if they are logged on when it is scheduled to occur. The potential drawback of this is that installations do not occur if a user leaves the computer logged on at the end of the day.
  • The only situation in which you would want to modify the Specify intranet Microsoft update service location policy setting is if you deploy another WSUS server on your network and want your users to obtain their updates from that server.
  • If you want to insulate your users from the update process, you can disable the Allow non-administrators to receive update notifications policy setting. When you do this, most Windows Update activities occur invisibly.
  • Setting the Reschedule Automatic Updates scheduled installations policy setting to Disabled prevents missed update installations from occurring the next time the computer starts. Instead, the installation occurs at the next scheduled time. This modification can prevent users from facing what might be a lengthy and unexpected installation procedure during business hours.

When you modify the settings in these GPOs, the new values do not take effect until the next time the computer restarts.