Configure Automatic Updates
The settings for this policy enable you to configure how Automatic Updates works. You must specify that Automatic Updates download updates from the WSUS server rather than from Windows Update.
To configure the behavior of Automatic Updates
- In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
- In the details pane, click Configure Automatic Updates.
- Click Enabled and select one of the following options:
  - Notify for download and notify for install. This option notifies a logged-on administrative user prior to the download and prior to the installation of the updates.
  - Auto download and notify for install. This option automatically begins downloading updates and then notifies a logged-on administrative user prior to installing the updates.
  - Auto download and schedule the install. If Automatic Updates is configured to perform a scheduled installation, you must also set the day and time for the recurring scheduled installation.
  - Allow local admin to choose setting. With this option, the local administrators are allowed to use Automatic Updates in Control Panel to select a configuration option of their choice. For example, they can choose their own scheduled installation time. Local administrators are not allowed to disable Automatic Updates.
- Click OK.
Specify Intranet Microsoft Update Service Location
The settings for this policy enable you to configure a WSUS server that Automatic Updates will contact for updates. You must enable this policy in order for Automatic Updates to download updates from the WSUS server.
Enter the WSUS server HTTP(S) URL twice, so that the server specified for updates is also used for reporting client events. For example, type http(s)://servername in both boxes. Both URLs are required.
To redirect Automatic Updates to a WSUS server
- In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
- In the details pane, click Specify Intranet Microsoft update service location.
- Click Enabled and type the HTTP(S) URL of the same WSUS server in the Set the intranet update service for detecting updates box and in the Set the intranet statistics server box. For example, type http(s)://servername in both boxes.
- Click OK.
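The two policies above can be checked on a client after Group Policy has applied. The following PowerShell is an added example, not part of the original page; it assumes the standard Windows Update policy registry values (WUServer, WUStatusServer, UseWUServer, NoAutoUpdate, AUOptions, ScheduledInstallDay, ScheduledInstallTime), and the function names and sample host names are hypothetical.

```powershell
# Added example: audit the WSUS client policy values written by Group Policy.
# Registry value names are the standard Windows Update policy values (assumed; not listed on this page).
function Get-PolicyValues([string]$Path) {
    # Read a policy key into a hashtable; a missing key yields an empty table.
    $h = @{}
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) {
        $item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $h[$_.Name] = $_.Value }
    }
    $h
}

function Test-WsusClientPolicy {
    param([hashtable]$WindowsUpdate, [hashtable]$AU)
    $findings = New-Object 'System.Collections.Generic.List[string]'
    $server = [string]$WindowsUpdate['WUServer']
    $status = [string]$WindowsUpdate['WUStatusServer']

    # The intranet location is only honoured when UseWUServer is 1.
    if ($AU['UseWUServer'] -ne 1) { $findings.Add('UseWUServer is not 1: client still uses Windows Update') }
    # Both URLs are required and should name the same WSUS server.
    if (-not $server -or -not $status) {
        $findings.Add('WUServer and WUStatusServer must both be set')
    } elseif ($server.TrimEnd('/') -ne $status.TrimEnd('/')) {
        $findings.Add("Update and statistics URLs differ: $server vs $status")
    }
    foreach ($u in (@($server, $status) | Where-Object { $_ } | Select-Object -Unique)) {
        if ($u -notmatch '^https://') { $findings.Add("$u is not HTTPS: update traffic is unprotected in transit") }
    }
    # Configure Automatic Updates: disabled policy, or option 4 without a schedule.
    if ($AU['NoAutoUpdate'] -eq 1) { $findings.Add('Automatic Updates is disabled (NoAutoUpdate = 1)') }
    if ($AU['AUOptions'] -eq 4) {
        foreach ($name in 'ScheduledInstallDay', 'ScheduledInstallTime') {
            if (-not $AU.ContainsKey($name)) { $findings.Add("AUOptions = 4 but $name is not set") }
        }
    }
    $findings
}

# Constructed sample values (not taken from a real host).
$sampleWU = @{ WUServer = 'http://wsus01.example.test:8530'; WUStatusServer = 'http://wsus02.example.test:8530' }
$sampleAU = @{ UseWUServer = 1; AUOptions = 4; ScheduledInstallDay = 0 }
Test-WsusClientPolicy -WindowsUpdate $sampleWU -AU $sampleAU

# On a live client, read the real policy keys instead:
# $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
# Test-WsusClientPolicy -WindowsUpdate (Get-PolicyValues $base) -AU (Get-PolicyValues "$base\AU")
```

For the constructed sample, the function reports the mismatched URLs, both non-HTTPS URLs, and the missing ScheduledInstallTime.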
Enable Client-side Targeting
This policy enables client computers to self-populate computer groups that exist on the WSUS server.
If the status is set to Enabled, the specified computer group information is sent to WSUS, which uses it to determine which updates should be deployed to this computer. This setting is only capable of indicating to the WSUS server which group the client computer should use. You must actually create the group on the WSUS server.
If the status is set to Disabled or Not Configured, no computer group information will be sent to WSUS.
To enable client-side targeting
- In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
- In the details pane, click Enable client-side targeting.
- Click Enabled and type the name of the computer group in the box.
- Click OK.
Reschedule Automatic Update Scheduled Installations
This policy specifies the amount of time for Automatic Updates to wait, following system startup, before proceeding with a scheduled installation that was missed previously.
If the status is set to Enabled, a scheduled installation that did not take place earlier will occur the specified number of minutes after the computer is next started.
If the status is set to Disabled, a missed scheduled installation will occur with the next scheduled installation.
If the status is set to Not Configured, a missed scheduled installation will occur one minute after the computer is next started.
This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the Configure Automatic Updates policy is disabled, this policy has no effect.
To reschedule Automatic Update scheduled installation
- In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
- In the details pane, click Reschedule Automatic Update scheduled installations, click Enable, and type a value in minutes.
- Click OK.
No Auto-restart for Scheduled Automatic Update Installation Options
This policy specifies that to complete a scheduled installation, Automatic Updates will wait for the computer to be restarted by any user who is logged on, instead of causing the computer to restart automatically.
If the status is set to Enabled, Automatic Updates will not restart a computer automatically during a scheduled installation if a user is logged on to the computer. Instead, Automatic Updates will notify the user to restart the computer in order to complete the installation.
Be aware that Automatic Updates will not be able to detect future updates until the restart occurs.
If the status is set to Disabled or Not Configured, Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation.
This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the Configure Automatic Updates policy is disabled, this policy has no effect.
To inhibit auto-restart for scheduled Automatic Update installation options
- In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
- In the details pane, click No auto-restart for scheduled Automatic Update installation options, and set the option.
- Click OK.
Automatic Update Detection Frequency
This policy specifies the hours that Windows will use to determine how long to wait before checking for available updates. The exact wait time is determined by using the hours specified here, minus 0 to 20 percent of the hours specified. For example, if this policy is used to specify a 20-hour detection frequency, then all WSUS clients to which this policy is applied will check for updates anywhere between 16 and 20 hours.
If the status is set to Enabled, Automatic Updates will check for available updates at the specified interval.
If the status is set to Disabled or Not Configured, Automatic Updates will check for available updates at the default interval of 22 hours.
To set Automatic Update detection frequency
- In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
- In the details pane, click Automatic Update detection frequency, and set the option.
- Click OK.
Allow Automatic Update Immediate Installation
This policy specifies whether Automatic Updates should automatically install certain updates that neither interrupt Windows services nor restart Windows.
If the status is set to Enabled, Automatic Updates will immediately install these updates after they have been downloaded and are ready to install.
If the status is set to Disabled, such updates will not be installed immediately.
To allow Automatic Update immediate installation
- In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
- In the details pane, click Allow Automatic Update immediate installation, and set the option.
- Click OK.
Delay Restart for Scheduled Installations
This policy specifies the amount of time for Automatic Updates to wait before proceeding with a scheduled restart.
If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the installation is finished.
If the status is set to Disabled or Not Configured, the default wait time is five minutes.
To delay restart for scheduled installations
- In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
- In the details pane, click Delay restart for scheduled installations, and set the option.
- Click OK.
Re-prompt for Restart with Scheduled Installations
This policy specifies the amount of time for Automatic Updates to wait before prompting the user again for a scheduled restart.
If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the previous prompt for restart was postponed.
If the status is set to Disabled or Not Configured, the default interval is 10 minutes.
To re-prompt for restart with scheduled installations
- In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
- In the details pane, click Re-prompt for restart with scheduled installations, and set the option.
- Click OK.
Allow Non-administrators to Receive Update Notifications
This policy specifies whether logged-on non-administrative users will receive update notifications based on the configuration settings for Automatic Updates. If Automatic Updates is configured, by policy or locally, to notify the user either before downloading or only before installation, these notifications will be offered to any non-administrator who logs onto the computer.
If the status is set to Enabled, Automatic Updates will include non-administrators when determining which logged-on user should receive notification.
If the status is set to Disabled or Not Configured, Automatic Updates will notify only logged-on administrators.
To allow non-administrators to receive update notifications
- In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
- In the details pane, click Allow non-administrators to receive update notifications, and set the option.
- Click OK.
Note: This policy setting does not allow non-administrative Terminal Services users to restart the remote computer where they are logged in. This is because, by default, non-administrative Terminal Services users do not have computer restart privileges.
Remove Links and Access to Windows Update
If this setting is enabled, Automatic Updates receives updates from the WSUS server. Users who have this policy set cannot get updates from a Windows Update Web site that you have not approved. If this policy is not enabled, the Windows Update icon remains on the Start menu for local administrators to visit the Windows Update Web site. Local administrative users can use it to install unapproved software from the public Windows Update Web site. This happens even if you have specified that Automatic Updates must get approved updates from your WSUS server.
To remove links and access to Windows Update
- In Group Policy Object Editor, expand User Configuration, expand Administrative Templates, and then click Start Menu and Taskbar.
- In the details pane, click Remove links and access to Windows Update, and set the option.
- Click OK.
Source:
Configure Automatic Updates by Using Group Policy
How to configure automatic updates by using Group Policy or registry settings