A guide for configuring the Automatic Update client via a Group Policy.
Step 1: What you need
You will need the policy template and the deployment guide.
Click here for the administrative template file. This holds the settings available for control.
Click here for SUS 1.0 SP1 Deployment White Paper.
Step 2: Creating the Group Policy
In an Active Directory environment, Group Policies are configured using the “Active Directory Users and Computer” administrative tool.
Select or create the OU for the Group Policy.
Right-click on the OU, select ‘Properties’ on the context menu.
Change to the “Group Policy” tab.
Click ‘New’ and give the Group Policy a meaningful name. Press “enter” to complete.
Click on the ‘Properties’ button, add a tick for the box labelled “Disable User Configuration settings, click ‘Yes’ in the “Confirm Disable” dialog box, click ‘OK’ to complete.
Step 3: Adding the Policy Template
Administrative policy template files allow you to add functionality to Group Policies.
Select your Group Policy and click ‘Edit’.
In the tree, navigate through “Computer Components”, then select “Administrative Templates”.
Right-click on “Administrative Templates”, select “Add/Remove Templates…” from the context menu.
Click ‘Add…’ and navigate to the administrative template file downloaded earlier, select the template file, click ‘Open’, click ‘close’ to complete. Care needs to be taken to select the correct template file, for the Automatic Update client there are old files which do not provide all the new settings.
In the tree, navigate through “Administrative Templates”, then “Windows Components”, then select “Windows Updates”. In the right-hand panel, you will see 4 policy areas.
Step 4: The Policy Settings
The policy settings control the behaviour of the Automatic Update client.
When modifying the policy settings, you can click on the “Explain” tab for further information about the settings.
Policy: Configure Automatic Updates. Select it, right-click and select properties. Click the “Enabled” radio button, modify the settings and click ‘OK’ to complete. Example: “4 – Auto download and schedule the install”, “0 – Every day” and “23:00”.
Policy: Specify intranet Microsoft update service location. Select it, right-click and select properties. Click the “Enabled” radio button, modify the settings and click ‘OK’ to complete. Example: “http://your-sus-server.your-domain.com”. Note: In this policy, both settings should be the same with ‘http://’ at the beginning then your SUS Server name and no forward slash at the end.
Policy: Reschedule Automatic Updates scheduled installation. Select it, right-click and select properties. Click the “Enabled” radio button, if you wish the computer to reschedule the installation if it is shutdown at the scheduled installation time, enter the number of minutes to wait after the restart occurs, between 1 and 60 and click ‘OK’ to complete. Click “Disabled” if you wish to specify the automatic installation will only occur at the time you specified and click ‘OK’ to complete. Example: “Disabled” provides more control in an environment.
Policy: No auto-restart for scheduled Automatic Updates installations. Select it, right-click and select properties. Click the “Enabled” radio button, if you wish the computer to wait for user input if logged on and click ‘OK’ to complete. Click “Disabled” if you wish the computer to reboot at the scheduled time without user input and click ‘OK’ to complete. Example: “Disabled” provides more control in an environment. Note: Unsaved data will be lost if an unattended restart occurs.
Click on the “X” in the control box to close the “Group Policy” window, click “Close” on the OU properties box to complete.
Step 8: Where to now
As the policy is applied to the computers via the domain, they will begin to check-in to the SUS Server for their Microsoft updates.