Configuring the Windows Update Agent - Overview

Configuring the Windows Update Agent - General Settings Part 1

Configuring the Windows Update Agent - General Settings Part 2

 

6. Policies exclusive to WSUS environments

In this section, we’ll look at the three configuration settings that are exclusive to the WSUS environment.

 

Specify Intranet Microsoft update service location

This setting defines a client as a WSUS client. If this option is Disabled or has never been configured, the client system will use AU/WU/MU for detection. When this option is Enabled, the URL specifies the WSUS server to be used. Only the WUServer value needs to be specified in the setting; the v7.x Windows Update Agents ignore the WUStatusServer value. The WUServer value must be a URL of the form http://nameOfWSUSServer.

 

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

| Registry Value | Valid Decimal Values | Valid Hex Values | Notes |
| --- | --- | --- | --- |
| UseWUServer | 0-1 | 0x0 – 0x1 | If enabled, defines the system as a WSUS client and uses the WUServer value as the assigned WSUS server |

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate

| Registry Value | Valid String Value | Notes |
| --- | --- | --- |
| WUServer | http://nameofWSUSServer | Identifies the URL of the assigned WSUS server. Must be defined as an http:// or https:// URL |


Enable client-side targeting

WSUS uses groups to provide approvals to client systems for the installation of updates. Groups must be created in the WSUS console, but membership in those groups can be assigned from the console or by using policy settings. In addition to this policy setting, the Options|Computers dialog in the WSUS console must be set to the correct value.

The default configuration is “server-side targeting”, in which group memberships are managed from the WSUS console. When using server-side targeting, this policy setting should be set to Disabled to ensure clients do not attempt to exert authority over their group memberships.

If this policy setting is Enabled, the group(s) that a client is assigned to are defined in the policy setting using a semicolon-delimited list. The client becomes authoritative for these group memberships as configured in the policy setting. Do not specify “All Computers” or “Unassigned Computers” in this setting. The Options|Computers setting must also be set to “Use Group Policy…” so that the WSUS server knows the client is authoritative. This setting also disables the ability to change group memberships from the console.

 

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate

| Registry Value | Valid Decimal Values | Valid Hex Values | Notes |
| --- | --- | --- | --- |
| TargetGroupEnabled | 0-1 | 0x0 – 0x1 | If enabled, identifies the assigned WSUS group(s) that the client belongs to. If disabled, the WSUS console is used to assign group memberships |
| TargetGroup | Semicolon delimited string | | |


Allow signed updates from an intranet Microsoft update service location

When a WSUS server is used to distribute locally published updates to client systems, this setting must be Enabled to permit the WUAgent to validate the packages using an alternate code-signing certificate (one not issued by the Microsoft WU infrastructure).

 

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate

| Registry Value | Valid Decimal Values | Valid Hex Values | Notes |
| --- | --- | --- | --- |
| AcceptTrustedPublisherCerts | 0-1 | 0x0 – 0x1 | If enabled, allows the WUAgent to install locally published updates validated by an alternate code-signing certificate |
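
One way to audit the three WSUS-only settings on a client, as an added example that is not part of the original article. The function names are hypothetical, the sample values are constructed, and the checks encode only the rules stated in this section.

```powershell
# Added example: function names are hypothetical, not part of any Microsoft module.
$WU = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusClientPolicy {
    # Read the values from the two policy keys; an absent value comes back as $null.
    $wu = Get-ItemProperty -Path $WU -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$WU\AU" -ErrorAction SilentlyContinue
    @{
        UseWUServer                 = $au.UseWUServer
        WUServer                    = $wu.WUServer
        TargetGroupEnabled          = $wu.TargetGroupEnabled
        TargetGroup                 = $wu.TargetGroup
        AcceptTrustedPublisherCerts = $wu.AcceptTrustedPublisherCerts
    }
}

function Test-WsusClientPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)
    # Emits one string per finding; no output means the values follow the rules above.
    if ($Policy.UseWUServer -ne 1) {
        'UseWUServer is not 1: the client detects against AU/WU/MU, not WSUS'
    }
    elseif ($Policy.WUServer -notmatch '^https?://[^/\s]+') {
        "WUServer '$($Policy.WUServer)' is not an http:// or https:// URL"
    }
    if ($Policy.TargetGroupEnabled -eq 1) {
        # Split the semicolon-delimited list and drop empty entries.
        $groups = @("$($Policy.TargetGroup)" -split ';' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($groups.Count -eq 0) {
            'TargetGroupEnabled is 1 but TargetGroup names no group'
        }
        foreach ($g in $groups) {
            if ($g -in 'All Computers', 'Unassigned Computers') {
                "TargetGroup lists '$g', which must not be specified"
            }
        }
    }
    if ($Policy.AcceptTrustedPublisherCerts -eq 1) {
        'Info: AcceptTrustedPublisherCerts is 1; confirm locally published updates are in use'
    }
}

# Constructed sample values, not taken from a real host.
$sample = @{ UseWUServer = 1; WUServer = 'wsus01'; TargetGroupEnabled = 1
             TargetGroup = 'Servers; All Computers'; AcceptTrustedPublisherCerts = 1 }
Test-WsusClientPolicy -Policy $sample
# On a live client: Test-WsusClientPolicy -Policy (Get-WsusClientPolicy)
```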


Configuring the Windows Update Agent - Scheduled Installations