Friday, April 4, 2008

How to Configure Automatic Updates

Configuring Automatic Updates by using Group Policy

The easiest way to configure automatic updates is through the group policy, in environments where this is possible. If group policies (AD) are not available, you can use the registry file which has to be deployed to every machine. This registry file, or group policy template if you're using Active Directory, enables advanced features available with the new WSUS client.

In order to configure client machines using group policy it is necessary to load the latest version of the wuau.adm administrative template. This template is available on Windows 2003 servers or Windows XP machines with Service Pack 2 installed. By default it is stored in C:\WINDOWS\Inf directory.


Configuring automatic updates in a non-AD environment

There are three ways of configuring automatic updates in non-Active Directory environments:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]

; Define WSUS update server and the status server
"WUServer"="http://msupdate.auckland.ac.nz/"
"WUStatusServer"="http://msupdate.auckland.ac.nz"

; Users in the Users security group are not allowed to approve or
; disapprove changes (change this to 00000001 if you want them to be
; able to approve changes)
"ElevateNonAdmins"=dword:00000000

; Define client target group – important for reports
"TargetGroup"="ITSS"
; This option has to be 1 if client-side targeting is enabled.
"TargetGroupEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]

"UseWUServer"=dword:00000001

; Logged users can choose if they want to restart the computer
"NoAutoRebootWithLoggedOnUsers"=dword:00000001

; Enable automatic updates (1 for disable)
"NoAutoUpdate"=dword:00000000

; Following options are available:
; 2 – notify before download
; 3 – automatic download and notify of installation
; 4 – automatic download and scheduled installation
; 5 – automatic updates required, but end users can configure them
"AUOptions"=dword:00000004

; Every day is scheduled (0, otherwise days defined from Sunday – 1, to
; Saturday – 7)
"ScheduledInstallDay"=dword:00000000

; Time of day to install updates – 10 AM (0a in hexadecimal)
"ScheduledInstallTime"=dword:0000000a

; Silently install minor updates
"AutoInstallMinorUpdates"=dword:00000001

; Detection frequency in hours – every 20 hours (14 in hexadecimal)
"DetectionFrequency"=dword:00000014
"DetectionFrequencyEnabled"=dword:00000001

; Time between prompting again for a scheduled restart – 30 minutes (1e
; in hexadecimal)
"RebootRelaunchTimeout"=dword:0000001e
"RebootRelaunchTimeoutEnabled"=dword:00000001

; Warning time after installing updates with a deadline or scheduled
; updates – 15 minutes
"RebootWarningTimeout"=dword:0000000f
"RebootWarningTimeoutEnabled"=dword:00000001

; Time that the WSUS client will wait at startup before applying
; updates from a missed scheduled installation time. This applies only
; to scheduled installations.
"RescheduleWaitTime"=dword:0000001e
"RescheduleWaitTimeEnabled"=dword:00000001

No comments: