Windows Update Policies

Although you can configure some settings, such as when the computer will check for updates and how the computer will deal with updates using the Windows Update Control Panel, you configure most Windows Update settings by configuring Group Policy. The Computer Configuration\Administrative Templates\Windows Components\Windows Update Group Policy node contains 16 policies.

You can configure Windows Update using these policies as follows:

• Do Not Display "Install Updates And Shut Down" Option In Shut Down Windows Dialog Box This policy allows you to configure whether the Shut Down menu displays the Install Updates And Shut Down option. The default setting has this option available.
• Do Not Adjust Default Option To "Install Updates And Shut Down" in Shut Down Windows Dialog Box When this policy setting is enabled, the user's last shutdown choice is the default shutdown option. When this policy setting is disabled or is not configured, Install Updates and Shut Down is the default option if updates are available for installation. This policy is deprecated when the Do Not Display "Install Updates And Shut Down" Option In Shut Down Windows Dialog Box policy is enabled.
• Enabling Windows Update Power Management To Automatically Wake The System To Install Scheduled Updates This policy allows Windows Update to wake a hibernating computer to install updates. Updates does not install if the computer is hibernating on battery power.
• Configure Automatic Updates This policy, allows you to configure update detection, download, and installation settings. Several of these settings are similar to the ones that you can configure through the Windows Update control panel. You can configure the following settings using this policy:
  • Notify For Download And Notify For Install Windows Update does not download updates. Windows Update notifies the user that updates are available for download and installation.
  • Auto Download And Notify For Install Windows Update downloads updates and notifies the user that updates are available for installation.
  • Auto Download And Schedule The Install Windows Update downloads and installs updates without user intervention.
  • Allow Local Admin To Choose Setting This setting configured using Windows Update control panel is used for update download and notification.
  • Install Day and Install Time Use these settings to configure the day and time that Windows Update will install updates.
  • Specify Intranet Microsoft Update Service Location This policy allows you to specify the location of an internal update server, such as one running WSUS. This policy is the only way that you can configure Windows Update to use an alternate update server. Using this policy, you can specify the update server and the statistics server. In most cases, these are the same servers. The updates server is where the updates are downloaded from, and the statistics server is the server where clients report update installation information.
  • Automatic Updates Detection Frequency Configure this policy to specify how often Windows Update checks the local intranet update server for updates. This policy does not work if you configure a client to retrieve updates from the Windows Update servers.
  • Allow Non-Administrators To Receive Update Notifications This policy specifies whether users who are not members of the local Administrators group are able to install updates.
  • Turn On Software Notification When you enable this policy, Windows Update presents users with information about optional updates.
  • Allow Automatic Updates Immediate Installation When you enable this policy, updates that do not require a restart install automatically. Updates that do require a restart are not installed until the conditions set in the Configure Automatic Updates policy are met.
  • Turn On Recommended Updates Via Automatic Updates Use this policy to configure Windows Update to install recommended updates as well as important updates.
  • No Auto-Restart With Logged On Users For Scheduled Automatic Updates Installation When you enable this policy, Windows Update waits until the currently logged on user logs off if Windows Update installs updates that requiring a restart. If you disable or do not configure this policy and the Configure Automatic Updates policy is set to install updates at a specific time, Windows Update gives the logged-on user a 5-minute warning prior to restarting to complete the installation.
  • Re-prompt For Restart With Scheduled Installations Use this policy to set the amount of time that a user can postpone a scheduled restart when the Configure Automatic Updates policy is set to install updates at a specific time.
  • Delay Restart For Scheduled Installations Through this policy, you can specify the amount of time that Windows waits before automatically restarting after a scheduled installation. This policy applies only if the Configure Automatic Updates policy is set to install updates at a specific time.
  • Reschedule Automatic Updates Scheduled Installations You can use this policy to configure a computer that has missed a scheduled update to perform the update a specific number of minutes after startup. For example, use this policy to ensure that a computer that was switched off at the scheduled update time installs updates 1 minute after starting up. Disabling this policy means that updates install at the next scheduled time.
  • Enable Client-Side Targeting This policy allows you to place computers into different software update groups. Different software update groups allow the software update administrator to target the deployment of updates, allowing updates to be deployed to specific groups of computers in the organization rather than all computers in the organization.
  • Allow Signed Updates From An intranet Microsoft Update Service Location This policy allows updates from third-party vendors to be distributed from the Automatic Updates location so long as those updates are digitally signed by a trusted publisher.