Over the next few five weeks (I'm still sorting out exactly how many posts this will actually take), I'm going to take us on a tour of the configuration options for the Windows Update Agent. Some of these capabilities are documented in the WSUS Deployment Guide (with some errata that complicates it a bit), but some are not discussed at all. In addition, there are certain considerations that you just don't get from the cut-and-dried technical specifications found in that document. This content was originally presented as a webcast in the Summer, 2010, and has been derived from that original outline. The sections are numbered in this series of posts as they're also being aggregated for publication as a comprehensive white paper.


1. What is the Windows Update Agent (WUA)

The Windows Update Agent is the native software in a Windows operating system that communicates with Automatic Updates, Windows Update, Microsoft Update, or a WSUS server to determine what updates are available for installation, initiates the download of those updates, initiates the installation of those updates, and, in the case of WSUS, reports the status of those events back to the WSUS server.

The WUA has functionally existed since Windows 98, although prior to the introduction of WSUS in 2005, it was actually known as the “Automatic Updates Client”. Regardless of its name, the behavior of the WUA has always been configurable via the registry, and starting with the introduction of Active Directory and Group Policy in Windows 2000, via Group Policy or Local Policy.

It wasn’t really until the introduction of WSUS, however, that configuring the WUA really became of interest; otherwise, clients of Automatic Updates just did their thing at 3am on the day (or two) after patches were released by Microsoft, or whenever a logged-in user browsed to Windows Update via Internet Explorer.


2. Methodologies: Policy vs. Registry

As noted, originally the AU Client could only be configured via registry settings, but since they didn’t actually exist in the registry unless manually created, and nobody had documented them, nobody actually knew they existed. Our first real awareness of the ability to configure the AU Client came with the release of WSUS in 2005, and the availability of a Group Policy template that contained those settings.

Today you can configure the WUA using either Group Policy, Local Policy, or directly editing the registry. In an Active Directory environment, Group Policy is the best choice; but for non-Active Directory environments it’s a bit more complicated. The preferred methodology is to use Local Policy to configure a reference machine, and then export the WUA registry key to be imported into other systems.

You can also obtain pre-made registry files online, or build your own, but the biggest risk with importing directly to the registry, or editing the registry directly, is the risk of making errors in the process. If the registry values are incorrectly named, the wrong data type, or have invalid values, the WUA will ignore the registry value and revert to its built-in default settings.

One of the most common errors resulting in invalid registry values is entering decimal values instead of hexadecimal values. In the registry charts in the coming posts I will highlight the cells where common mistakes are made, typically from confusing decimal and hex values when entering them into the registry.


3. General Considerations

There are three general points I’d like to call attention to before we look at individual settings in the coming posts:
  • The Policy settings and registry values that we will discuss in this article are documented in the WSUS Deployment Guide. Except where expressly noted, all policy settings are found in the Computer Configuration\Administrative Templates\Windows Components\Windows Update node of the policy editor. In the interests of brevity, all future policy setting references will be identified as one of the following:
    • ComputerTemplates- \Computer Configuration\Administrative Templates
    • UserTemplates- \User Configuration\Administrative Templates
  • All WUA computer policy settings are manifested in one of these two registry keys:
    • HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
    • HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
  • All WUA user policy settings are manifested in one of these two registry keys:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate


4. WUA default behavior

  • Checks for updates from Automatic Updates every 17.6-22.0 hours.
  • Downloads updates automatically upon detection of availability and schedules the installation to occur at 3am the next day.
  • Restarts the system five minutes after the completion of the installation.
  • If the system is powered off at 3am, the downloaded updates are automatically installed the next time the system is powered on.
  • On Windows XP and Windows Server 2003 systems, if the logged-on user has administrative privileges, that user can
    • Select which updates to install.
    • Initiate the installation of updates before the scheduled installation time.
    • Choose whether to reboot the system after the installation is completed, or reboot the system later. If later is chosen, the user is re-prompted every 10 minutes until the user chooses to reboot the system, or the user logs off. If the user logs off, the reboot occurs within 10 minutes.
  • On Windows Vista and all newer systems, all users have privileges to select which updates to install, when they are installed, and whether the system is restarted after installation.
Starting next week... we'll look at how to change the behaviors of the Windows Update Agent.