July
26th,
2012
These are the possible Group Policy settings when configuring Automatic Updates as described in the “Group Policy Management” application. I needed them all in one place in order to discuss the settings with people in my organization.
Policy | Description |
Do not display ‘Install Updates and Shut Down’ option in Shut Down Windows dialog box | This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is displayed in the Shut Down Windows dialog box. If you enable this policy setting, 'Install Updates and Shut Down' will not appear as a choice in the Shut Down Windows dialog box, even if updates are available for installation when the user selects the Shut Down option in the Start menu. If you disable or do not configure this policy setting, the 'Install Updates and Shut Down' option will be available in the Shut Down Windows dialog box if updates are available when the user selects the Shut Down option in the Start menu. |
Do not adjust default option to ‘Install Updates and Shut Down’ in Shut Down Windows dialog box | This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is allowed to be the default choice in the Shut Down Windows dialog. If you enable this policy setting, the user's last shut down choice (Hibernate, Restart, etc.) is the default option in the Shut Down Windows dialog box, regardless of whether the 'Install Updates and Shut Down' option is available in the 'What do you want the computer to do?' list. If you disable or do not configure this policy setting, the 'Install Updates and Shut Down' option will be the default option in the Shut Down Windows dialog box if updates are available for installation at the time the user selects the Shut Down option in the Start menu. Note that this policy setting has no impact if the Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box policy setting is enabled. |
Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates | Specifies whether the Windows Update will use the Windows Power Management features to automatically wake up the system from hibernation, if there are updates scheduled for installation. Windows Update will only automatically wake up the system if Windows Update is configured to install updates automatically. If the system is in hibernation when the scheduled install time occurs and there are updates to be applied, then Windows Update will use the Windows Power management features to automatically wake the system up to install the updates. Windows update will also wake the system up and install an update if an install deadline occurs. The system will not wake unless there are updates to be installed. If the system is on battery power, when Windows Update wakes it up, it will not install updates and the system will automatically return to hibernation in 2 minutes. |
Configure Automatic Updates | Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service. This setting lets you specify if automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting: 2 = Notify before downloading any updates and notify again before installing them. When Windows finds updates that apply to this computer, an icon appears in the status area with a message that updates are ready to be downloaded. Clicking the icon or message provides the option to select the specific updates to download. Windows then downloads the selected updates in the background. When the download is complete, the icon appears in the status area again, with notification that the updates are ready to be installed. Clicking the icon or message provides the option to select which updates to install. 3 = (Default setting) Download the updates automatically and notify when they are ready to be installed Windows finds updates that apply to your computer and downloads these updates in the background (the user is not notified or interrupted during this process). When the download is complete, the icon appears in the status area, with notification that the updates are ready to be installed. Clicking the icon or message provides the option to select which updates to install. 4 = Automatically download updates and install them on the schedule specified below Specify the schedule using the options in the Group Policy Setting. If no schedule is specified, the default schedule for all installations will be everyday at 3:00 AM. If any of the updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is logged on to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart.) 5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates With this option, the local administrators will be allowed to use the Automatic Updates control panel to select a configuration option of their choice. For example they can choose their own scheduled installation time. Local administrators will not be allowed to disable Automatic Updates' configuration. To use this setting, click Enabled, and then select one of the options (2, 3, 4 or 5). If you select 4, you can set a recurring schedule (if no schedule is specified, all installations will occur everyday at 3:00 AM). If the status is set to Enabled, Windows recognizes when this computer is online and uses its Internet connection to search Windows Update for updates that apply to this computer. If the status is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, go to http://windowsupdate.microsoft.com or click Start, click Programs (or click All Programs), and then click Windows Update. If the status is set to Not Configured, use of Automatic Updates is not specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel. |
Specify intranet Microsoft Updates service location | Specifies an intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. To use this setting, you must set two servername values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. If the status is set to Enabled, the Automatic Updates client connects to the specified intranet Microsoft update service, instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don't have to go through a firewall to get updates, and it gives you the opportunity to test updates before deploying them. If the status is set to Disabled or Not Configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. Note: If the "Configure Automatic Updates" policy is disabled, then this policy has no effect. |
Automatic Updates detection frequency | Specifies the hours that Windows will use to determine how long to wait before checking for available updates. The exact wait time is determined by using the hours specified here minus zero to twenty percent of the hours specified. For example, if this policy is used to specify a 20 hour detection frequency, then all clients to which this policy is applied will check for updates anywhere between 16 and 20 hours. If the status is set to Enabled, Windows will check for available updates at the specified interval. If the status is set to Disabled or Not Configured, Windows will check for available updates at the default interval of 22 hours. Note: The "Specify intranet Microsoft update service location" setting must be enabled for this policy to have effect. Note: If the "Configure Automatic Updates" policy is disabled, this policy has no effect. |
Allow non-administrators to receive update notifications | This policy setting allows you to control whether non-administrative users will receive update notifications based on the "Configure Automatic Updates" policy setting. If you enable this policy setting, Windows Automatic Update and Microsoft Update will include non-administrators when determining which logged-on user should receive update notifications. Non-administrative users will be able to install all optional, recommended, and important content for which they received a notification. Users will not see a User Account Control window and do not need elevated permissions to install these updates, except in the case of updates that contain User Interface , End User License Agreement , or Windows Update setting changes. There are two situations where the effect of this setting depends on the operating system: Hide/Restore updates, and Cancel an install. On XP: If you enable this policy setting, users will not see a User Account Control window and do not need elevated permissions to do either of these update-related tasks. On Vista: If you enable this policy setting, users will not see a User Account Control window and do not need elevated permissions to do either of these tasks. If you do not enable this policy setting, then users will always see an Account Control window and require elevated permissions to do either of these tasks. On Windows 7: This policy setting has no effect. Users will always see an Account Control window and require elevated permissions to do either of these tasks. If you disable or do not configure this policy setting, then only administrative users will receive update notifications. By default, this policy setting is disabled. If the "Configure Automatic Updates" policy setting is disabled or is not configured, then the Elevate Non-Admin policy setting has no effect. |
Turn on Software Notifications | This policy setting allows you to control whether users see detailed enhanced notification messages about featured software from the Microsoft Update service. Enhanced notification messages convey the value and promote the installation and use of optional software. This policy setting is intended for use in loosely managed environments in which you allow the end user access to the Microsoft Update service. If you enable this policy setting, a notification message will appear on the user's computer when featured software is available. The user can click the notification to open the Windows Update Application and get more information about the software or install it. The user can also click "Close this message" or "Show me later" to defer the notification as appropriate. In Windows 7, this policy setting will only control detailed notifications for optional applications. In Windows Vista, this policy setting controls detailed notifications for optional applications and updates. If you disable or do not configure this policy setting, Windows 7 users will not be offered detailed notification messages for optional applications, and Windows Vista users will not be offered detailed notification messages for optional applications or updates. By default, this policy setting is disabled. If you are not using the Microsoft Update service, then the Software Notifications policy setting has no effect. If the "Configure Automatic Updates" policy setting is disabled or is not configured, then the Software Notifications policy setting has no effect. |
Allow Automatic Updates immediate installation | Specifies whether Automatic Updates should automatically install certain updates that neither interrupt Windows services nor restart Windows. If the status is set to Enabled, Automatic Updates will immediately install these updates once they are downloaded and ready to install. If the status is set to Disabled, such updates will not be installed immediately. Note: If the "Configure Automatic Updates" policy is disabled, this policy has no effect. |
Turn on recommended updates via Automatic Updates | Specifies whether Automatic Updates will deliver both important as well as recommended updates from the Windows Update update service. When this policy is enabled, Automatic Updates will install recommended updates as well as important updates from Windows Update update service. When disabled or not configured Automatic Updates will continue to deliver important updates if it is already configured to do so. |
No auto-restart with logged on users for scheduled automations installations | Specifies that to complete a scheduled installation, Automatic Updates will wait for the computer to be restarted by any user who is logged on, instead of causing the computer to restart automatically. If the status is set to Enabled, Automatic Updates will not restart a computer automatically during a scheduled installation if a user is logged in to the computer. Instead, Automatic Updates will notify the user to restart the computer. Be aware that the computer needs to be restarted for the updates to take effect. If the status is set to Disabled or Not Configured, Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation. Note: This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the "Configure Automatic Updates" policy is disabled, this policy has no effect. |
Re-prompt for restart with scheduled installations | Specifies the amount of time for Automatic Updates to wait before prompting again with a scheduled restart. If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the previous prompt for restart was postponed. If the status is set to Disabled or Not Configured, the default interval is 10 minutes. Note: This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the "Configure Automatic Updates" policy is disabled, this policy has no effect. |
Delay Restart for scheduled installations | Specifies the amount of time for Automatic Updates to wait before proceeding with a scheduled restart. If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the installation is finished. If the status is set to Disabled or Not Configured, the default wait time is 15 minutes. Note: This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the "Configure Automatic Updates" policy is disabled, this policy has no effect. |
Reschedule Automatic Updates scheduled installations | Specifies the amount of time for Automatic Updates to wait, following system startup, before proceeding with a scheduled installation that was missed previously. If the status is set to Enabled, a scheduled installation that did not take place earlier will occur the specified number of minutes after the computer is next started. If the status is set to Disabled, a missed scheduled installation will occur with the next scheduled installation. If the status is set to Not Configured, a missed scheduled installation will occur one minute after the computer is next started. Note: This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the "Configure Automatic Updates" policy is disabled, this policy has no effect. |
Enable client-side targeting | Specifies the target group name or names that should be used to receive updates from an intranet Microsoft update service. If the status is set to Enabled, the specified target group information is sent to the intranet Microsoft update service which uses it to determine which updates should be deployed to this computer. If the intranet Microsoft update service supports multiple target groups this policy can specify multiple group names separated by semicolons. Otherwise, a single group must be specified. If the status is set to Disabled or Not Configured, no target group information will be sent to the intranet Microsoft update service. Note: This policy applies only when the intranet Microsoft update service this computer is directed to is configured to support client-side targeting. If the "Specify intranet Microsoft update service location" policy is disabled or not configured, this policy has no effect. |
Allow signed updates from an intranet Microsoft update service location | This policy setting allows you to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. If you enable this policy setting, Automatic Updates accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. If you disable or do not configure this policy setting, updates from an intranet Microsoft update service location must be signed by Microsoft. Note: Updates from a service other than an intranet Microsoft update service must always be signed by Microsoft and are not affected by this policy setting. |