Configuring the Windows Update Agent - Overview

Configuring the Windows Update Agent - General Settings Part 1

 

In this third part of our five-part series, we're continuing our look at the general settings of the Windows Update Agent.

 

Allow Automatic Updates & immediate installation

An option that is quite often overlooked, and that was probably not very relevant until the introduction of Windows Defender in 2006, is the ability to allow immediate installation of updates that cannot trigger system or service restarts. Unfortunately, there’s no way to visually identify one of these updates in the WSUS console. Generally speaking, this group includes Definition Updates. An update listed with a Reboot Behavior of “Never restarts” may install with this option, but even updates that should have that option set typically do not. What’s important to note is that the Windows Update Agent knows how to identify these updates, and it will handle them automatically if you allow that.

 

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

| Registry Value | Valid Decimal Values | Valid Hex Values | Notes |
| --- | --- | --- | --- |
| AutoInstallMinorUpdates | 0-1 | 0x0 – 0x1 | If enabled, allows the WUAgent to immediately install any update with the Impact attribute set to “Minor” |


Allow non-administrators to receive update notifications

This is mostly a legacy option, beneficial primarily to non-administrative users on Windows XP systems, where interacting with the Windows Update Agent UI requires administrative permissions. This option lifts that requirement and allows the WUA to present the UI to a non-administrative user.

 

Here are a couple of additional pedantic notes:

  • It also applies to Windows Server 2003 systems, but inasmuch as the only non-admin users on a Windows Server 2003 system would be Terminal Services clients, it has no practical application.
  • Windows Vista and newer systems grant full access for the Control Panel WUApp to all users. This option has no practical application on Vista or newer systems.

 

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate

| Registry Value | Valid Decimal Values | Valid Hex Values | Notes |
| --- | --- | --- | --- |
| ElevateNonAdmins | 0-1 | 0x0 – 0x1 | If enabled, allows the WUAgent to interact with non-administrative users on a Windows XP system |


Remove links & access to Windows Update

In Windows XP/2003 and earlier systems, there was a Start Menu option, a Taskbar icon, and, in Internet Explorer 6 and earlier versions, a menu option to launch Windows Update. This setting removes those menu options (although it did not preclude a creative user from typing the URL into the browser address bar). These menu options have no relevance on Vista or newer systems. This option is a user option, not a computer option, and will be found in the UserTemplates\Start Menu and Taskbar node of the policy editor.

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

| Registry Value | Valid Decimal Values | Valid Hex Values | Notes |
| --- | --- | --- | --- |
| NoWindowsUpdate | 0-1 | 0x0 – 0x1 | If enabled, blocks access to the Start Menu and Internet Explorer menu options, and the Taskbar icon |

 

Remove access to use all Windows Update features

This setting is generally applicable to pre-Vista systems to block access to the Windows Update Agent functionality, including the notification boxes and the ability to install updates interactively. There is also an option to configure the type of notifications that are suppressed. The user can have all notifications blocked, or be provided with restart-required notifications. This is a user setting, and care should be taken when configuring it so as not to block access for all users. Typically a separate GPO filtering out Domain Admins is recommended for using this setting. The setting is found in the UserTemplates\Windows Components\Windows Update node of the policy editor.

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate

| Registry Value | Valid Decimal Values | Valid Hex Values | Notes |
| --- | --- | --- | --- |
| DisableWindowsUpdateAccess | 0-1 | 0x0 – 0x1 | If enabled, blocks access to all Windows Update Agent UI functionality |
| DisableWindowsUpdateAccessMode | 0-1 | 0x0 – 0x1 | If enabled, allows the display of restart required notifications |


 

Turn off access to all Windows Update features

This is the current incarnation of the option to block access to client-side update management functionality. The setting configures WSUS as the only update source and fully blocks access to AU, WU, and MU. It is a computer setting, and will override any user-based settings (e.g. if you enabled restart required notifications in the previous user setting, this one will shut them off). This setting is found in the ComputerTemplates\System\Internet Communication Management\Internet Communication Settings node of the policy editor.

 

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate

| Registry Value | Valid Decimal Values | Valid Hex Values | Notes |
| --- | --- | --- | --- |
| DisableWindowsUpdateAccess | 0-1 | 0x0 – 0x1 | If enabled, blocks access to all Windows Update Agent UI functionality |
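
The registry values covered in this part can be checked on a client in one pass. The following PowerShell is an added example, not part of the original article; the function name Get-WuaPolicyState and its State labels are this example's own, and the HKCU values reflect only the user who runs it.

```powershell
# Added example: report the Windows Update Agent policy values described in this article.
# Registry paths and value names come from the tables above; everything else is illustrative.
function Get-WuaPolicyState {
    $user = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
    $machine = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
    $settings = @(
        @{ Path = "$machine\AU";           Name = 'AutoInstallMinorUpdates' }
        @{ Path = $machine;                Name = 'ElevateNonAdmins' }
        @{ Path = "$user\Explorer";        Name = 'NoWindowsUpdate' }
        @{ Path = "$user\WindowsUpdate";   Name = 'DisableWindowsUpdateAccess' }
        @{ Path = "$user\WindowsUpdate";   Name = 'DisableWindowsUpdateAccessMode' }
        @{ Path = $machine;                Name = 'DisableWindowsUpdateAccess' }
    )
    foreach ($s in $settings) {
        $data = $null
        $state = 'NotConfigured'
        # A missing key or value returns nothing; that means the policy is not set.
        $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $data = $item.($s.Name)
            # The article lists 0-1 as the only valid data for every value.
            $state = switch ($data) {
                0       { 'Disabled' }
                1       { 'Enabled' }
                default { 'OutOfRange' }
            }
        }
        [pscustomobject]@{ Key = $s.Path; Value = $s.Name; Data = $data; State = $state }
    }
}

$report = @(Get-WuaPolicyState)
$report | Format-Table -AutoSize

# The computer setting overrides user-based settings, so flag the case where the
# user-level restart-notification exception is configured but cannot take effect.
$computerBlock = $report | Where-Object { $_.Key -like 'HKLM:*' -and $_.Value -eq 'DisableWindowsUpdateAccess' }
$userMode = $report | Where-Object { $_.Value -eq 'DisableWindowsUpdateAccessMode' }
if ($computerBlock.State -eq 'Enabled' -and $userMode.State -eq 'Enabled') {
    Write-Warning 'Computer-level DisableWindowsUpdateAccess is enabled and overrides the user-level restart notification setting.'
}
# Data outside 0-1 is not a documented setting and deserves a closer look.
$report | Where-Object { $_.State -eq 'OutOfRange' } | ForEach-Object {
    Write-Warning "Unexpected data '$($_.Data)' for $($_.Value) under $($_.Key)"
}
```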


 

Configuring the Windows Update Agent - WSUS Settings