Hi, this is Greg Shields and I am going to help demystify some of the complex settings that you can apply using Group Policy for your WSUS patch implementation. As you can see here I have got the Group Policy Management Editor brought up and I am taking a look at Administrative Templates, Windows Components, and then Windows Update down here on the bottom. Windows Update has a number of different settings that you can configure for how you will go about deploying patches to the computers on your network.
The most important of these settings is up here, called Configure Automatic Updates. This is sort of the master toggle switch for bringing automatic updates under Group Policy control. If you click Enabled here you can actually choose one of four different options for how you will configure the clients to download and ultimately install the updates you want.
Many people will choose to auto download and then schedule the installation for their patches. When you do so you can choose to schedule the install day, either one particular day of the week or any day of the week, and then what time you actually want those patches to be deployed. Once you have determined what that time frame is for deploying patches, the second most important setting here is specifying your intranet Microsoft update service location. When you do this, you want to enter it in the format http:// followed by whatever your WSUS server name is. Same thing down here for the intranet statistics server as well. These two settings will ensure that your clients are pointing to your WSUS server for their patches.
Once you have done that, there are a number of other settings here that you have to be conscious of, because what you configure here will determine what sort of behavior the Windows Update agent will have when it is interfacing with WSUS on the server side. Some of these are very obvious. If you don't want to display the "Install Updates and Shut Down" option in the Shut Down Windows dialog box under Start, you can adjust the first two of these. The third one here, Enabling Windows Update Power Management, allows the system to automatically wake up to install scheduled updates.
This setting is actually very powerful if you have Power Management enabled on your computers, because computers that may be shut down or in sleep or hibernate mode can be powered on so that they can be updated, and then powered off again a few minutes after the update is complete. If you are using the tools that Microsoft has available for controlling Power Management settings, this ensures that you can actually update computers in the middle of the evening.
One of the other important settings down here is Allow Automatic Updates immediate installation. There are some types of patches that do not require a reboot to complete their installation. When these patches do not require a reboot, it is generally a good idea to enable this setting, allowing them to install immediately without waiting for any kind of deadline or scheduled time frame to occur. Since they do not require a reboot, you can have them install themselves automatically and protect the machine sooner. The next four settings here deal with how the reboots are handled when deploying patches.
Generally many administrators will go ahead and allow the reboot to occur at three o'clock in the morning, which is the default setting here under automatic updates. Allowing that reboot to occur works great whenever the computers are turned on, but does not work so great when the computers are turned off or are not on the network when that reboot needs to occur. Because of that, the next time the user turns on the computer they may automatically get an installation request and have to postpone their installation, which is governed by these three settings.
One option is to prevent the reboot entirely with this setting here, "No auto-restart with logged on users for scheduled automatic updates installations". Really long title, but what it effectively means is: do not restart the computer when an update requires a restart while a user is logged on. If you do configure this setting, you will want to make sure you have some mechanism in place to reboot those computers, and that mechanism will need to occur outside of WSUS.
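The settings walked through above are written to the client as policy registry values, so a quick way to verify what a machine has actually received after Group Policy applies is to read them back. The following PowerShell audit is an added example (not from the video or from Microsoft) that reports the WSUS server, the install schedule and the reboot behaviour, and flags the cases discussed above; the expected server name is an assumed placeholder.

```powershell
# Added example: audit the Windows Update policy values set by the Group Policy
# settings discussed above and summarise the resulting patch/reboot behaviour.
# Run in an elevated PowerShell prompt on a client after 'gpupdate /force'.
$ExpectedWsus = 'http://wsus01.example.local'   # assumed placeholder; set to your WSUS server

$wuPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPath = "$wuPath\AU"

function Get-PolicyValue($Path, $Name) {
    # Returns $null when the policy is not configured (key or value absent)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$wu = [ordered]@{
    WUServer       = Get-PolicyValue $wuPath 'WUServer'        # intranet update service location
    WUStatusServer = Get-PolicyValue $wuPath 'WUStatusServer'  # intranet statistics server
}
$au = [ordered]@{
    UseWUServer                   = Get-PolicyValue $auPath 'UseWUServer'
    AUOptions                     = Get-PolicyValue $auPath 'AUOptions'             # 4 = auto download and schedule install
    ScheduledInstallDay           = Get-PolicyValue $auPath 'ScheduledInstallDay'   # 0 = every day, 1 = Sunday .. 7 = Saturday
    ScheduledInstallTime          = Get-PolicyValue $auPath 'ScheduledInstallTime'  # hour of day, 0..23
    AUPowerManagement             = Get-PolicyValue $auPath 'AUPowerManagement'
    AutoInstallMinorUpdates       = Get-PolicyValue $auPath 'AutoInstallMinorUpdates'
    NoAutoRebootWithLoggedOnUsers = Get-PolicyValue $auPath 'NoAutoRebootWithLoggedOnUsers'
}

$findings = @()
if (-not $wu.WUServer -or $au.UseWUServer -ne 1) {
    $findings += 'Client is NOT pointed at an intranet WSUS server; it will use Microsoft Update directly.'
} elseif ($wu.WUServer -ne $ExpectedWsus) {
    $findings += "WUServer is '$($wu.WUServer)', expected '$ExpectedWsus'."
}
if ($wu.WUStatusServer -and $wu.WUStatusServer -ne $wu.WUServer) {
    $findings += 'Statistics server differs from the update server; reporting may go elsewhere.'
}
if ($null -eq $au.AUOptions) { $findings += '"Configure Automatic Updates" is not enabled by policy.' }
elseif ($au.AUOptions -eq 4) {
    $days = @('every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday')
    $day  = if ($null -ne $au.ScheduledInstallDay) { $days[$au.ScheduledInstallDay] } else { 'every day' }
    $hour = if ($null -ne $au.ScheduledInstallTime) { $au.ScheduledInstallTime } else { 3 }  # 3 AM default
    $findings += "Scheduled install: $day at ${hour}:00."
}
if ($au.NoAutoRebootWithLoggedOnUsers -eq 1) {
    $findings += 'Auto-restart suppressed while users are logged on: a reboot mechanism outside WSUS is required.'
}
if ($au.AUPowerManagement -ne 1) { $findings += 'Power Management wake-up for scheduled installs is not enabled.' }

[pscustomobject]$wu | Format-List
[pscustomobject]$au | Format-List
$findings | ForEach-Object { Write-Output "- $_" }
```

Run it on a few representative clients after the policy has applied; a machine that reports no WSUS server or no scheduled install is one that will miss the patch window you configured.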
If you are looking for more information on how you can configure a reboot to occur outside of WSUS, check out my recent article on www.scriptlogic.com/smbIT.