Managing the WSUS Automatic Updates Client Download, Install, and Reboot Behavior with Group Policy
By Bobbie Harder, Program Manager, Windows Server Update Services, Microsoft Corporation
Windows Server Update Services (WSUS) clients can be configured to provide update installation and reboot behavior best suited to your environment and your business needs. You can use Group Policy or Local Group Policy to modify Automatic Update configuration on your WSUS clients to determine what notification, download, install, and reboot behavior your WSUS managed clients will experience in updating from WSUS. Although there are policy settings for WSUS that control additional configuration, this article focuses on configuration options that define update notification, download, installation, and post-install reboot behavior.
Automatic Updates (AU) is the component of the WSUS client that checks for, downloads, and triggers the installation (and any required reboot) of approved updates from WSUS or Microsoft Update (MU). Before discussing AU configuration options, a few key points should be clarified. The first is that it is important to distinguish between downloading and installing. After a WSUS administrator approves an update for installation for a client or a group of clients, the update must be downloaded from its mapped source (either the local WSUS server or MU). Before downloading can happen, the client must check in with the WSUS server to determine which updates have been approved for it and to report its current update status. By default, a client checks in with the WSUS server every 22 hours; the check-in can be configured to occur as frequently as every hour.
If an update is approved for installation when the client checks in, by default the client starts downloading that update in the background. The AU client can be configured to notify the user before the download begins, but in most cases background download is set to happen without user notification because it has no user impact: the download uses only bandwidth not already being consumed by the client. For instance, if the user is doing a foreground download, browsing, or sending e-mail, downloading an update in the background will have no effect on those activities. Downloading is simply getting the bits from the source to the client; installing is the separate action of actually applying those bits to the system. Once the update is on the client, the installation occurs as a separate and distinct action, depending on how the AU options are configured and with the appropriate administrative user logged on. By default the AU option is set to automatically download updates and then notify when the update is received and ready to be installed. The AU options and policy settings discussed in this article allow WSUS administrators to customize the download notification, installation, and reboot notification experience of their WSUS-managed clients.
The second important point is that even though download and installation are distinct activities, installation and reboot should be considered one and the same. The two actions are interdependent for updates that require a reboot to complete installation. A security update that requires a reboot is not installed, and does not protect against the intended vulnerability, until the system has been rebooted. Often a system or application file can only be replaced when it is not in use or locked, so the replacement is deferred until the restart. A system with a pending reboot is therefore in neither the updated state nor the prior-to-update state. In other words, for updates that require a reboot, the update is not installed until the system is rebooted. Further, the system remains vulnerable or unpatched while a reboot is pending, and the client cannot detect the need for further updates until the reboot has occurred.
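An added example, not code from the original article: a PowerShell check for the pending-reboot state described above, so that a client that has installed a reboot-required update but is still unpatched can be reported rather than assumed compliant. It assumes that Automatic Updates records a required restart by creating the RebootRequired key under the Windows Update client key, and that file replacements deferred to the next restart are listed in the Session Manager's PendingFileRenameOperations value; both locations are this example's assumptions, not something the article states.

```powershell
# Added example (not from the original article): report whether a client is in the
# "pending reboot" state, where an installed update does not yet protect the system
# and Automatic Updates will not detect further updates until the restart happens.
# Assumptions: AU creates the RebootRequired key below when a restart is outstanding,
# and locked files awaiting replacement appear in PendingFileRenameOperations.
function Test-WsusRebootPending {
    [CmdletBinding()]
    param()

    $auRebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sessionMgr  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

    # The key's mere existence is the signal; it normally holds no values.
    $auPending = Test-Path -LiteralPath $auRebootKey

    # REG_MULTI_SZ list of source/destination pairs to be renamed at next boot.
    $renames = (Get-ItemProperty -LiteralPath $sessionMgr -Name PendingFileRenameOperations `
                    -ErrorAction SilentlyContinue).PendingFileRenameOperations
    $filesPending = ($null -ne $renames) -and ($renames.Count -gt 0)

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        AutomaticUpdatesPending = $auPending
        FileRenamesPending      = $filesPending
        RebootPending           = ($auPending -or $filesPending)
        LastBootTime            = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    }
}

Test-WsusRebootPending | Format-List
```

Run from an elevated prompt; a RebootPending value of True combined with an old LastBootTime identifies exactly the window the article warns about, in which the update is downloaded and "installed" but the system is still exposed and has stopped detecting new approvals.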
The third and final point is that the act of installation, whether of an update, a driver, or a full software application, in most environments requires local administrative rights on that system. Because Automatic Updates controls the installation of updates, the installation and reboot experience differs between users without local administrative rights, for whom it is more opaque and controlled, and local administrators, for whom it is more transparent and flexible. When applying these policies it is important to consider the impact on, and the experience of, both user types.
The method for configuring AU options in a WSUS environment depends on whether you have an Active Directory environment. In a non-Active Directory environment you can use Local Group Policy or edit the registry directly. In an Active Directory environment you would use Group Policy. It is important to note that administrator-set policy settings (whether set locally, in the registry, or with Group Policy) always override any machine-set or user-defined options on the client.
This article focuses on the download, install, and reboot behavior of the WSUS AU client and assumes that client mapping to WSUS servers has already been done. Whether you use Group Policy or Local Group Policy, the WSUS Administrative Template file must be loaded on the system used to administer Group Policy. This template file is named Wuau.adm and is installed by default on Windows XP Service Pack 2 clients. Additionally, any client machine that is WSUS compatible (meaning it has self-updated to the latest client version) will also have the latest Wuau.adm file in the %windir%\Inf directory.
To modify AU configuration via Local Group Policy, add the Group Policy Object Editor snap-in by following these steps:
On the taskbar, click Start, click Run, type MMC, and then click OK.
In Console 1, on the File menu, click Add/Remove Snap-in, and then click Add.
In the Add Standalone Snap-in dialog box, click Group Policy Object Editor, and then click Add.
Figure 1. Add Standalone Snap-in dialog box
In the Group Policy Wizard, accept Local Computer, and then click Finish.
From Start => Run, type gpedit.msc. In Group Policy, under User Configuration, right-click Administrative Templates, click Add/Remove Templates, click wuau, click Add, click wuau.adm in the Policy Templates dialog box, and then click Open.
To view all the AU configuration policy options in the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update. View the console pane and the description for each associated policy as highlighted in Figure 2.
Figure 2. Group Policy Object Editor for Local Group Policy
You can see that the Group Policy options for WSUS also include policies that specify which WSUS server clients should point to (Specify intranet Microsoft Update service location), that automatically join a client to a preexisting target group on the WSUS server so that approvals for that target group also apply to the client, and that configure how often a client checks in with the WSUS server (Automatic Update detection frequency).
Configuring AU download and install overall behavior
Configure Automatic Updates is the overall policy that drives the fundamental download and install behavior of AU. Other policies can be applied on top of it to add further granularity, but this is the base policy, and the option selected in it determines how AU downloads and installs. See Figure 3.
Figure 3: Overall Automatic Update Configuration options
The options here are:
2 - Notify for download and notify for install
This option gives administrative users on WSUS clients the most control, letting them decide when to start both the download and the installation of updates. It is useful in environments where maintenance windows vary and critical business demands on clients (servers or desktops) are difficult to predict, or where compliance requirements dictate full control over transferred, installed, or removed software. It also lets the client's administrative user select all or a subset of the approved updates to be downloaded and/or installed on the client system. With this option an icon appears in the notification area, at the far right of the taskbar, both when updates are ready to download and when downloads are complete and ready to be installed. By clicking the icon, administrative users control both which approved updates to download and which to install.
3 - Auto download and notify for install - Default option
This AU option is particularly useful to ensure that an update installation happens at a time most convenient for the local administrative end user in relation to work imperatives, maintenance windows, and planned or end of the day shutdowns. This option permits the automatic download to occur in the background, but gives the client administrative end user the ability to select which downloaded updates to install and when to install them. After automatic downloads are completed, an icon appears in the notification area. When users click the icon they can see which updates were downloaded and select all or some of them to install.
4 - Auto download and schedule the install
This policy option works very well in environments where business hours and maintenance windows are stable and predictable. Downloading in the background and scheduling installation for specific hours after core business hours suits static systems that are left on or in energy-saving modes. If this policy is enabled, the default time for the scheduled install is 3:00 A.M. once a day. If an update requires a reboot in order to complete installation, the client will automatically reboot. If an administrative user happens to be logged on at that time, they will see a restart notification and have the option to delay the reboot. Non-administrative users will see the notification (enabling them to save their work); they cannot delay the restart, but they can initiate it.
It is important to note that this policy works in combination with five other policies that may be applied to further specify the restart behavior of clients when updates have been installed on a set schedule. These additional policies are:
a. No auto-restart for scheduled Automatic Update installations
b. Delay Restart for scheduled installations
c. Re-prompt for restart with scheduled installations
d. Reschedule Automatic Updates scheduled installations
e. Allow non-administrators to receive update notifications
The matrix below explains the behavior, options, and resulting experience when these policies are enabled in combination with option 4 of the Configure Automatic Updates setting, for both the administrative user and the non-administrative user.
5 - Allow local admin to choose setting
With this final AU configuration option, local administrative users are allowed to use Automatic Updates in Control Panel to select an AU configuration option of their choice. For example, they can choose their own scheduled installation time. Local administrators are not allowed to disable Automatic Updates, only to use Automatic Updates in Control Panel to set their own notification, install, and restart behavior. This policy does not apply to the non-administrative user.
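The article notes that in a non-Active Directory environment the same settings can be written to the registry directly. As an added example (not the article's own procedure), the PowerShell function below sets the Configure Automatic Updates option and, for option 4, the install day and hour, by writing the local policy key. It assumes that the value names NoAutoUpdate, AUOptions, ScheduledInstallDay and ScheduledInstallTime under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU are the registry equivalents of the policy settings described above (the article itself names only the Group Policy settings).

```powershell
# Added example (not from the original article): apply the "Configure Automatic Updates"
# option by writing the local policy registry values, the non-Active Directory method.
# Assumption: the value names below are the registry equivalents of the policy settings
# (policy values override anything set in the Automatic Updates Control Panel applet).
function Set-WsusAuPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 2 = notify for download and install, 3 = auto download and notify for install
        # (default), 4 = auto download and schedule the install, 5 = local admin chooses
        [Parameter(Mandatory = $true)]
        [ValidateSet(2, 3, 4, 5)]
        [int]$AUOptions,

        # 0 = every day, 1..7 = Sunday..Saturday; only used with option 4
        [ValidateRange(0, 7)]
        [int]$ScheduledInstallDay = 0,

        # Hour of the day (0..23); the article's default for option 4 is 3:00 A.M.
        [ValidateRange(0, 23)]
        [int]$ScheduledInstallTime = 3
    )

    $auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

    if ($PSCmdlet.ShouldProcess($auKey, "Set AUOptions=$AUOptions")) {
        if (-not (Test-Path -LiteralPath $auKey)) {
            New-Item -Path $auKey -Force | Out-Null
        }

        # NoAutoUpdate=0 keeps Automatic Updates enabled; AUOptions selects the behavior.
        Set-ItemProperty -LiteralPath $auKey -Name NoAutoUpdate -Value 0 -Type DWord
        Set-ItemProperty -LiteralPath $auKey -Name AUOptions -Value $AUOptions -Type DWord

        if ($AUOptions -eq 4) {
            Set-ItemProperty -LiteralPath $auKey -Name ScheduledInstallDay -Value $ScheduledInstallDay -Type DWord
            Set-ItemProperty -LiteralPath $auKey -Name ScheduledInstallTime -Value $ScheduledInstallTime -Type DWord
        }
        else {
            # The schedule is meaningless for options 2, 3 and 5; drop stale values so an
            # audit of the key is not misleading.
            Remove-ItemProperty -LiteralPath $auKey -Name ScheduledInstallDay, ScheduledInstallTime `
                -ErrorAction SilentlyContinue
        }
    }

    Get-ItemProperty -LiteralPath $auKey -ErrorAction SilentlyContinue
}

# Option 4: auto download, install every day at 03:00, reboot automatically if required.
# -WhatIf previews the change; remove it to apply from an elevated prompt.
Set-WsusAuPolicy -AUOptions 4 -ScheduledInstallDay 0 -ScheduledInstallTime 3 -WhatIf
```

Because these are policy values, the Automatic Updates applet on the client becomes read-only for the affected settings, which matches the article's point that administrator-set policy always overrides user-defined options. After a change, the client picks up the new behavior at its next detection cycle.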
Other AU update policies that affect detection, download, installation, or reboot behavior
Allow Automatic Updates immediate installation
This policy is only applicable when AU configuration option 3 or 4 is applied and this policy is enabled. It allows only the immediate installation of minor updates, that is, updates that neither interrupt Windows services nor restart Windows. If this policy is enabled, AU installs these updates immediately once they are downloaded and ready to install, overriding the notify-for-install or scheduled-installation configuration for these types of updates. If this policy is not configured and the AU configuration option is set to 4, minor updates will still install immediately. However, if you disable this policy after having enabled it while AU options are set to 4, minor updates will no longer install immediately.
Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box
This policy setting allows administrators to manage whether the Install Updates and Shut Down option is allowed to be the default choice in the Shut Down Windows dialog box.
If you enable this policy setting, the user's last shutdown choice (Hibernate, Restart, etc.) is the default option in the Shut Down Windows dialog box, regardless of whether the Install Updates and Shut Down option is available in the What do you want the computer to do? list.
If you disable or do not configure this policy setting, the Install Updates and Shut Down option will be the default option in the Shut Down Windows dialog box if updates are available for installation at the time the user clicks Shut Down on the Start menu.
Note that this policy setting has no impact if the Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and Shut Down' in Shut Down Windows dialog box policy setting is enabled. The administrative user and the non-administrative user would have the same experience if non-administrators have shutdown rights.
Do not display 'Install Updates and Shut Down' in Shut Down Windows dialog box
This policy setting allows administrators to manage whether the Install Updates and Shut Down option is displayed in the Shut Down Windows dialog box.
If you enable this policy setting, the Install Updates and Shut Down option will not appear as a choice in the Shut Down Windows dialog box, even if updates are available for installation when the user clicks Shut Down on the Start menu.
If you disable or do not configure this policy setting, the Install Updates and Shut Down option will be available in the Shut Down Windows dialog box if updates are available when the user clicks Shut Down on the Start menu. The administrative user and the non-administrative user would have the same experience.
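The policies described in this article each map to a value under the Windows Update policy key, so the effective download, install and restart behavior of a client can be audited without opening the Group Policy Object Editor. The following is an added example, not the article's own code: a PowerShell function that reads those values and translates them into the behavior described above, flagging configurations under which a reboot-required update can remain pending, and therefore unpatched, for an extended period. It assumes that the registry value names used (AUOptions, ScheduledInstallDay, ScheduledInstallTime, AutoInstallMinorUpdates, NoAutoRebootWithLoggedOnUsers, RebootWarningTimeout, RebootRelaunchTimeout, RescheduleWaitTime, NoAUShutdownOption, NoAUAsDefaultShutdownOption, DetectionFrequency, ElevateNonAdmins, WUServer, TargetGroup) are the registry equivalents of the policies named in the article; an absent value is treated as Not Configured.

```powershell
# Added example (not from the original article): audit the local Automatic Updates policy
# and describe the resulting download/install/restart behavior in the article's terms.
# Assumption: the value names below are the registry equivalents of the Group Policy
# settings discussed; a missing value means the policy is Not Configured.
function Get-WsusAuPolicy {
    [CmdletBinding()]
    param()

    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = Join-Path $wuKey 'AU'

    $wu = Get-ItemProperty -LiteralPath $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -LiteralPath $auKey -ErrorAction SilentlyContinue

    # The four Configure Automatic Updates options, as the article numbers them.
    $optionText = @{
        2 = 'Notify for download and notify for install'
        3 = 'Auto download and notify for install (default)'
        4 = 'Auto download and schedule the install'
        5 = 'Allow local admin to choose setting'
    }

    $findings = New-Object System.Collections.Generic.List[string]

    if ($au.NoAutoUpdate -eq 1) {
        $findings.Add('Automatic Updates is disabled by policy; approved updates will not be installed.')
    }
    if ($au.AUOptions -in 2, 3) {
        $findings.Add('Installation waits for a local administrator to act on the notification; reboot-required updates stay pending until then.')
    }
    if ($au.AUOptions -eq 4 -and $au.NoAutoRebootWithLoggedOnUsers -eq 1) {
        $findings.Add('No auto-restart while a user is logged on; a console session that is never logged off keeps the system unpatched after a scheduled install.')
    }
    if ($au.NoAUShutdownOption -eq 1) {
        $findings.Add("'Install Updates and Shut Down' is hidden, so users cannot finish pending installs at shutdown.")
    }

    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        WsusServer                    = $wu.WUServer
        TargetGroup                   = if ($wu.TargetGroupEnabled -eq 1) { $wu.TargetGroup } else { $null }
        DetectionIntervalHours        = if ($au.DetectionFrequencyEnabled -eq 1) { $au.DetectionFrequency } else { 22 }
        AUOptions                     = $au.AUOptions
        Behavior                      = if ($null -ne $au.AUOptions) { $optionText[[int]$au.AUOptions] }
                                        else { 'Not configured (client default is option 3)' }
        ScheduledInstallDay           = $au.ScheduledInstallDay      # 0 = every day, 1..7 = Sunday..Saturday
        ScheduledInstallHour          = $au.ScheduledInstallTime     # article default for option 4 is 3 (3:00 A.M.)
        ImmediateMinorInstall         = ($au.AutoInstallMinorUpdates -eq 1)
        NoAutoRebootWithLoggedOnUsers = ($au.NoAutoRebootWithLoggedOnUsers -eq 1)
        RestartWarningMinutes         = if ($au.RebootWarningTimeoutEnabled -eq 1) { $au.RebootWarningTimeout } else { $null }
        RestartRepromptMinutes        = if ($au.RebootRelaunchTimeoutEnabled -eq 1) { $au.RebootRelaunchTimeout } else { $null }
        RescheduleWaitMinutes         = if ($au.RescheduleWaitTimeEnabled -eq 1) { $au.RescheduleWaitTime } else { $null }
        HideInstallAndShutDown        = ($au.NoAUShutdownOption -eq 1)
        KeepLastShutdownAsDefault     = ($au.NoAUAsDefaultShutdownOption -eq 1)
        NonAdminNotifications         = ($wu.ElevateNonAdmins -eq 1)
        Findings                      = $findings
    }
}

Get-WsusAuPolicy | Format-List
```

Collected across a fleet (for example with Invoke-Command), the Findings field gives a quick view of which clients are configured so that installation or restart depends on a person acting, which is where the article's warning about the pending-reboot window applies.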
Look for upcoming tips and tricks on WSUS in future articles.