Show
In an Active Directory environment, you can use Group Policy to define how computers and users can interact with Windows Update to obtain automatic updates from Windows Server Update Services (WSUS). This article refers to these computers and users as WSUS clients. This article contains two main sections: This section provides information about the following three extensions of Group Policy. In these extensions, you'll find the settings that you can use to configure how WSUS clients interact with Windows Update to receive automatic updates.
Note This article assumes that you already use and are familiar with Group Policy. If you're not familiar with Group Policy, we advise that you review the information in the Supplemental information section of this article before you try to configure policy settings for WSUS. This section provides details about the following computer-based policy settings: In the Group Policy Management Editor, Windows Update policies for computer-based configuration are located in the path PolicyName > Computer Configuration > Policies > Administrative Templates > Windows components > Windows Update.
Note By default, these settings are not configured. Specifies whether Automatic Updates will automatically install updates that don't interrupt Windows services or restart Windows.
Note If the Configure Automatic Updates policy setting is set to Disabled, this policy has no effect.
Options: There are no options for this setting. Specifies whether non-administrative users will receive update notifications based on the Configure Automatic Updates policy setting.
Note If the Configure Automatic Updates policy setting is disabled or is not configured, this policy setting has no effect.
Important Starting in Windows 8 and Windows RT, this policy setting is enabled by default. In all prior versions of Windows, it's disabled by default.
Options: There are no options for this setting. Specifies whether Automatic Updates accepts updates that are signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
Note Updates from a service other than an intranet Microsoft update service must always be signed by Microsoft. This policy setting doesn't affect them.
Note This policy is not supported on Windows RT. Enabling this policy won't have any effect on computers running Windows RT. Options: There are no options for this setting.
Options: There are no options for this setting. Always automatically restart at the scheduled timeSpecifies whether a restart timer will always begin immediately after Windows Update installs important updates, instead of first notifying users on the sign-in screen for at least two days.
Note If the No auto-restart with logged on users for scheduled automatic updates installations policy setting is enabled, this policy has no effect.
Options: If this setting is enabled, you can specify the amount of time that will elapse after updates are installed before a forced computer restart occurs. Specifies the hours that Windows will use to determine how long to wait before checking for available updates. The exact wait time is determined by using the hours specified here minus 0 to 20 percent of the hours specified. For example, if this policy is used to specify a 20-hour detection frequency, all clients to which this policy is applied will check for updates anywhere between 16 and 20 hours.
Note The Specify intranet Microsoft update service location setting must be enabled for this policy to have effect. If the Configure Automatic Updates policy setting is disabled, this policy has no effect.
Note This policy is not supported on Windows RT. Enabling this policy won't have any effect on computers running Windows RT.
Options: If this setting is enabled, you can specify the time interval (in hours) that Windows Update waits before checking for updates. Specifies whether automatic updates are enabled on this computer. If this Group Policy setting is enabled, you must select one of the four options that the setting provides. To use this setting, select Enabled. Then in Options under Configure automatic updating, select one of the options (2, 3, 4, or 5).
Delay restart for scheduled installationsSpecifies the amount of time Automatic Updates will wait before proceeding with a scheduled restart.
Note This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the Configure Automatic Updates policy setting is disabled, this policy has no effect.
Options: If this setting is enabled, you can specify the amount of time (in minutes) Automatic Updates waits before proceeding with a scheduled restart. This policy setting enables you to specify whether the Install Updates and Shut Down option is permitted as the default choice in the Shut Down Windows dialog.
Note This policy setting has no impact if the PolicyName > computer Configuration > Policies > Administrative Templates > Windows components > Windows Update > Do not display Install Updates and Shut Down option in Shut Down Windows dialog policy setting is enabled.
Options: There are no options for this setting. Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service. This information will enable future connections to Windows Update and other services, such as Microsoft Update or Microsoft Store.
Note This policy applies only when the computer is configured to connect to an intranet update service by using the Specify intranet Microsoft update service location policy setting.
Options: There are no options for this setting. Specifies whether the Install Updates and Shut Down option is displayed in the Shut Down Windows dialog.
Options: There are no options for this setting. Specifies the target group name or names that are configured in the WSUS console that will receive updates from WSUS.
Note This policy applies only when this computer is configured to support the specified target group names in WSUS. If the target group name doesn't exist in WSUS, it will be ignored until it's created. If the Specify intranet Microsoft update service location policy setting is disabled or not configured, this policy has no effect.
Note This policy is not supported on Windows RT. Enabling this policy won't have any effect on computers running Windows RT.
Options: Use this space to specify one or more target group names. Specifies whether Windows Update will use the Windows Power Management or Power Options features to automatically wake up the computer from hibernation if updates are scheduled for installation. The computer will automatically wake only if Windows Update is configured to install updates automatically. If the computer is in hibernation when the scheduled installation time occurs and there are updates to be applied, Windows Update will use the Windows Power Management or Power Options features to automatically wake the computer to install the updates. Windows Update will also wake the computer and install an update if an installation deadline occurs. The computer won't wake unless there are updates to be installed. If the computer is on battery power, when Windows Update wakes it, it won't install updates. The computer will automatically return to hibernation in two minutes.
Options: There are no options for this setting. Specifies that to complete a scheduled installation, Automatic Updates will wait for the computer to be restarted by any user who is signed in, instead of causing the computer to restart automatically.
Note This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the Configure Automatic Updates policy setting is disabled, this policy has no effect.
Options: There are no options for this setting. Re-prompt for restart with scheduled installationsSpecifies the amount of time for Automatic Updates to wait before prompting again with a scheduled restart.
Important This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the Configure Automatic Updates policy setting is disabled, this policy has no effect.
Note This policy has no effect on computers running Windows RT.
Options: When this setting is enabled, you can specify the amount of time (in minutes) that will elapse before users are prompted again about a scheduled restart. Specifies the amount of time for Automatic Updates to wait after a computer startup, before proceeding with a scheduled installation that was previously missed. If the status is set to Not Configured, a missed scheduled installation will occur one minute after the computer is next started.
Note This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the Configure Automatic Updates policy setting is disabled, this policy has no effect.
Options: When this policy setting is enabled, you can specify a number of minutes after the computer is next started that a scheduled installation that did not happen earlier will occur. Specifies an intranet server to host updates from Microsoft Update. You can then use WSUS to automatically update computers on your network. This setting enables you to specify a WSUS server on your network that will function as an internal update service. Instead of using the public Windows Update and Microsoft Update services on the internet, WSUS clients will search this service for updates that apply. Enabling this setting means that users in your organization don't have to go through a firewall to get updates. It also gives you the opportunity to test updates before deploying them. To use this setting, you must set two server name values: the server from which the client detects and downloads updates, and the server to which updated workstations upload statistics. The values don't need to be different if both services are configured on the same server.
Note This policy is not supported on Windows RT. Enabling this policy won't have any effect on computers running Windows RT.
Options: When this policy setting is enabled, you must specify the intranet update service that WSUS clients will use when detecting updates, and the internet statistics server to which updated WSUS clients will upload statistics. Example values:
Specifies whether Automatic Updates will deliver important and recommended updates from WSUS.
Options: There are no options for this setting. Turn on Software NotificationsThis policy setting enables you to control whether users see detailed enhanced notification messages about featured software from the Microsoft Update service. Enhanced notification messages convey the value and promote the installation and use of optional software. This policy setting is intended for loosely managed environments in which you allow the user access to the Microsoft Update service. If you're not using the Microsoft Update service, the Software Notifications policy setting has no effect. If the Configure Automatic Updates policy setting is disabled or is not configured, the Software Notifications policy setting has no effect.
Note By default, this policy setting is disabled.
Options: There are no options for this setting. Computer Configuration > Maintenance Scheduler policy settingsIn the Configure Automatic Updates setting, if you selected the option 4 - Auto download and schedule the install, you can specify Maintenance Scheduler settings in the Group Policy Management Console (GPMC) for computers running Windows 8 and Windows RT. If you did not select option 4 in the Configure Automatic Updates setting, you don't need to configure these settings for the purpose of automatic updates. Maintenance Scheduler settings are located in the path PolicyName > computer Configuration > Policies > Administrative Templates > Windows components > Maintenance Scheduler. The Maintenance Scheduler extension of Group Policy contains the following settings: Automatic Maintenance Activation BoundaryThis policy enables you to configure the Automatic Maintenance activation boundary. The activation boundary is the daily scheduled time at which Automatic Maintenance starts.
Note This setting is related to option 4 in Configure Automatic Updates. If you did not select option 4 in Configure Automatic Updates, you don't need to configure this setting.
Automatic Maintenance Random delayThis policy setting allows you to configure the random delay for Automatic Maintenance activation. The maintenance random delay is the amount of time up to which Automatic Maintenance will delay starting from its activation boundary. This setting is useful for virtual machines where random maintenance might be a performance requirement.
Note This setting is related to option 4 in Configure Automatic Updates. If you did not select option 4 in Configure Automatic Updates, you don't need to configure this setting. By default, when this setting is enabled, the regular maintenance random delay is PT4H.
Automatic WakeUp PolicyThis policy setting allows you to configure the wake-up policy for Automatic Maintenance. The wake-up policy specifies whether Automatic Maintenance should make a wake-up request to the operating computer for daily scheduled maintenance.
Note If the operating computer's power-wake policy is explicitly disabled, this setting has no effect.
Note This setting is related to option 4 in Configure Automatic Updates. If you did not select option 4 in Configure Automatic Updates, you don't need to configure this setting.
This section provides details about the following user-based policy settings: In GPMC, the user settings for automatic computer updates are located in the path PolicyName > User Configuration > Policies > Administrative Templates > Windows components > Windows Update. The settings are listed in the same order as they appear in the Computer Configuration and User Configuration extensions in Group Policy, when the Settings tab of the Windows Update policy is selected to sort the settings alphabetically.
Note By default, unless otherwise noted, these settings are not configured. For each of these settings, you can use the following steps to enable, disable, or move between settings. Specifies whether the Install Updates and Shut Down option is displayed in the Shut Down Windows dialog.
Options: There are no options for this setting. Specifies whether the Install Updates and Shut Down option is allowed as the default choice in the Shut Down Windows dialog.
Note This policy setting has no impact if the PolicyName > User Configuration > Policies > Administrative Templates > Windows components > Windows Update > Do not display Install Updates and Shut Down option in Shut Down Windows dialog is enabled.
Options: There are no options for this setting. This setting enables you to remove WSUS client access to Windows Update.
Options: See Enabled in the table for this setting. This section provides more information about using, opening, and saving WSUS settings in Group Policy, and definitions for terms used in this article. For administrators who are familiar with past versions of WSUS (WSUS 3.2 and previous versions), a table summarizes differences between WSUS versions. The following procedures describe how to work with Group Policy objects (GPOs) and other Group Policy settings.
Note To perform these procedures, you must be a member of the Domain Admins group or its equivalent. To open a Group Policy object
To open the Windows Update or Maintenance Scheduler extensions of Group PolicyIn the Group Policy Management Editor, do one of the following:
For more information about Group Policy, see Group Policy Overview. To configure Group Policy settingsAfter you've opened the extension of Group Policy that you want, you can use the following steps to enable, disable, or move between settings:
Changes to WSUSThe following table summarizes key differences between the current and past versions of WSUS that are relevant to this article.
Terms and definitionsThis article used the following terms:
|