Windows 7, Windows Server 2008 R2, Windows Vista, Windows XP SP2

Windows 7, Windows Server 2008 R2, Windows Vista, Windows Server 2003, Windows XP SP2, Windows XP SP1, Windows 2000 SP4, Windows 2000 SP3

At least Windows XP Professional Service Pack 1 or Windows 2000 Service Pack 3, excluding Windows RT

At least Windows Server 2003 operating systems or Windows XP Professional with SP1, excluding Windows RT

Windows 7 SP1, Windows 8.1 Update

This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is displayed in the Shut Down Windows dialog box.

If you enable this policy setting, 'Install Updates and Shut Down' will not appear as a choice in the Shut Down Windows dialog box, even if updates are available for installation when the user selects the Shut Down option in the Start menu.

If you disable or do not configure this policy setting, the 'Install Updates and Shut Down' option will be available in the Shut Down Windows dialog box if updates are available when the user selects the Shut Down option in the Start menu.

Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box

This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is allowed to be the default choice in the Shut Down Windows dialog.

If you enable this policy setting, the user's last shut down choice (Hibernate, Restart, etc.) is the default option in the Shut Down Windows dialog box, regardless of whether the 'Install Updates and Shut Down' option is available in the 'What do you want the computer to do?' list.

If you disable or do not configure this policy setting, the 'Install Updates and Shut Down' option will be the default option in the Shut Down Windows dialog box if updates are available for installation at the time the user selects the Shut Down option in the Start menu.
Note that this policy setting has no impact if the Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box policy setting is enabled.

This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is allowed to be the default choice in the Shut Down Windows dialog.

If you enable this policy setting, the user's last shut down choice (Hibernate, Restart, etc.) is the default option in the Shut Down Windows dialog box, regardless of whether the 'Install Updates and Shut Down' option is available in the 'What do you want the computer to do?' list.

If you disable or do not configure this policy setting, the 'Install Updates and Shut Down' option will be the default option in the Shut Down Windows dialog box if updates are available for installation at the time the user selects the Shut Down option in the Start menu.

Note that this policy setting has no impact if the User Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box policy setting is enabled.

Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box

Remove access to use all Windows Update features

This setting allows you to remove access to Windows Update.

If you enable this setting, all Windows Update features are removed. This includes blocking access to the Windows Update Web site at http://windowsupdate.microsoft.com, from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update. This setting also prevents Device Manager from automatically installing driver updates from the Windows Update Web site.
If enabled you can configure one of the following notification options:

0 = Do not show any notifications
This setting will remove all access to Windows Update features and no notifications will be shown.

1 = Show restart required notifications
This setting will show notifications about restarts that are required to complete an installation.

On Windows 8 and Windows RT, if this policy is Enabled, then only notifications related to restarts and the inability to detect updates will be shown. The notification options are not supported. Notifications on the login screen will always show up.

0 - Do not show any notifications
1 - Show restart required notifications

Configure Automatic Updates

Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.

Note: This policy does not apply to Windows RT.

This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:

2 = Notify before downloading and installing any updates.
When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.

3 = (Default setting) Download the updates automatically and notify when they are ready to be installed
Windows finds updates that apply to the computer and downloads them in the background (the user is not notified or interrupted during this process). When the downloads are complete, users will be notified that they are ready to install. After going to Windows Update, users can install them.

4 = Automatically download updates and install them on the schedule specified below.
Specify the schedule using the options in the Group Policy Setting. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM.
If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart.)

On Windows 8 and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer is not in use, and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.

Automatic maintenance can be further configured by using Group Policy settings here: Computer Configuration->Administrative Templates->Windows Components->Maintenance Scheduler

5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates.
With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators will not be allowed to disable the configuration for Automatic Updates.

If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.

If the status is set to Not Configured, use of Automatic Updates is not specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
2 - Notify for download and notify for install
3 - Auto download and notify for install
4 - Auto download and schedule the install
5 - Allow local admin to choose setting

0 - Every day
1 - Every Sunday
2 - Every Monday
3 - Every Tuesday
4 - Every Wednesday
5 - Every Thursday
6 - Every Friday
7 - Every Saturday

00:00 01:00 02:00 03:00 04:00 05:00 06:00 07:00 08:00 09:00 10:00 11:00 12:00 13:00 14:00 15:00 16:00 17:00 18:00 19:00 20:00 21:00 22:00 23:00

Specify intranet Microsoft update service location

Specifies an intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.

This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.

To use this setting, you must set two servername values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server.

If the status is set to Enabled, the Automatic Updates client connects to the specified intranet Microsoft update service, instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don't have to go through a firewall to get updates, and it gives you the opportunity to test updates before deploying them.

If the status is set to Disabled or Not Configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.

Note: If the "Configure Automatic Updates" policy is disabled, then this policy has no effect.

Note: This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
To ensure the highest level of security, Microsoft recommends securing WSUS with TLS/SSL protocol, thereby using HTTPS based intranet servers to keep systems secure. If a proxy is required, we recommend configuring system proxy. To ensure highest levels of security, additionally leverage WSUS TLS certificate pinning on all devices.

In order to keep clients inherently secure, we are no longer allowing intranet servers to leverage user proxy by default for detecting updates. If you need to leverage user proxy for detecting updates while using an intranet server despite the vulnerabilities it presents, you must configure the proxy behavior to "Allow user proxy to be used as a fallback if detection using system proxy fails". Detection for updates against intranet servers will fail when user proxy is needed as a fallback and the alternate proxy behavior is not configured.

Only use system proxy for detecting updates (default)
Allow user proxy to be used as a fallback if detection using system proxy fails

Specifies the hours that Windows will use to determine how long to wait before checking for available updates. The exact wait time is determined by using the hours specified here minus zero to twenty percent of the hours specified. For example, if this policy is used to specify a 20 hour detection frequency, then all clients to which this policy is applied will check for updates anywhere between 16 and 20 hours.

If the status is set to Enabled, Windows will check for available updates at the specified interval.

If the status is set to Disabled or Not Configured, Windows will check for available updates at the default interval of 22 hours.

Note: The "Specify intranet Microsoft update service location" setting must be enabled for this policy to have effect.

Note: If the "Configure Automatic Updates" policy is disabled, this policy has no effect.

Note: This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
Automatic Updates detection frequency

This policy setting allows you to control whether non-administrative users will receive update notifications based on the "Configure Automatic Updates" policy setting.

If you enable this policy setting, Windows Automatic Update and Microsoft Update will include non-administrators when determining which logged-on user should receive update notifications. Non-administrative users will be able to install all optional, recommended, and important content for which they received a notification. Users will not see a User Account Control window and do not need elevated permissions to install these updates, except in the case of updates that contain User Interface, End User License Agreement, or Windows Update setting changes.

There are two situations where the effect of this setting depends on the operating system: Hide/Restore updates, and Cancel an install.

On XP: If you enable this policy setting, users will not see a User Account Control window and do not need elevated permissions to do either of these update-related tasks.

On Vista: If you enable this policy setting, users will not see a User Account Control window and do not need elevated permissions to do either of these tasks. If you do not enable this policy setting, then users will always see an Account Control window and require elevated permissions to do either of these tasks.

On Windows 7: This policy setting has no effect. Users will always see an Account Control window and require elevated permissions to do either of these tasks.

On Windows 8 and Windows RT: This policy setting has no effect. Users will always see an Account Control window and require elevated permissions to do either of these tasks.

If you disable this policy setting, then only administrative users will receive update notifications.

Note: On Windows 8 and Windows RT this policy setting is enabled by default. In all prior versions of Windows, it is disabled by default.
If the "Configure Automatic Updates" policy setting is disabled or is not configured, then the Elevate Non-Admin policy setting has no effect.

Allow non-administrators to receive update notifications

Specifies whether Automatic Updates should automatically install certain updates that neither interrupt Windows services nor restart Windows.

If the status is set to Enabled, Automatic Updates will immediately install these updates once they are downloaded and ready to install.

If the status is set to Disabled, such updates will not be installed immediately.

Note: If the "Configure Automatic Updates" policy is disabled, this policy has no effect.

Allow Automatic Updates immediate installation

Specifies whether Automatic Updates will deliver both important as well as recommended updates from the Windows Update update service.

When this policy is enabled, Automatic Updates will install recommended updates as well as important updates from Windows Update update service.

When disabled or not configured Automatic Updates will continue to deliver important updates if it is already configured to do so.

Turn on recommended updates via Automatic Updates

This policy setting allows you to control whether users see detailed enhanced notification messages about featured software from the Microsoft Update service. Enhanced notification messages convey the value and promote the installation and use of optional software. This policy setting is intended for use in loosely managed environments in which you allow the end user access to the Microsoft Update service.

If you enable this policy setting, a notification message will appear on the user's computer when featured software is available. The user can click the notification to open the Windows Update Application and get more information about the software or install it. The user can also click "Close this message" or "Show me later" to defer the notification as appropriate.
In Windows 7, this policy setting will only control detailed notifications for optional applications. In Windows Vista, this policy setting controls detailed notifications for optional applications and updates.

If you disable or do not configure this policy setting, Windows 7 users will not be offered detailed notification messages for optional applications, and Windows Vista users will not be offered detailed notification messages for optional applications or updates.

By default, this policy setting is disabled.

If you are not using the Microsoft Update service, then the Software Notifications policy setting has no effect.

If the "Configure Automatic Updates" policy setting is disabled or is not configured, then the Software Notifications policy setting has no effect.

Turn on Software Notifications

Specifies whether the Windows Update will use the Windows Power Management features to automatically wake up the system from hibernation, if there are updates scheduled for installation.

Windows Update will only automatically wake up the system if Windows Update is configured to install updates automatically. If the system is in hibernation when the scheduled install time occurs and there are updates to be applied, then Windows Update will use the Windows Power Management features to automatically wake the system up to install the updates.

Windows Update will also wake the system up and install an update if an install deadline occurs.

The system will not wake unless there are updates to be installed. If the system is on battery power, when Windows Update wakes it up, it will not install updates and the system will automatically return to hibernation in 2 minutes.

Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates

Specifies that to complete a scheduled installation, Automatic Updates will wait for the computer to be restarted by any user who is logged on, instead of causing the computer to restart automatically.
If the status is set to Enabled, Automatic Updates will not restart a computer automatically during a scheduled installation if a user is logged in to the computer. Instead, Automatic Updates will notify the user to restart the computer.

Be aware that the computer needs to be restarted for the updates to take effect.

If the status is set to Disabled or Not Configured, Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation.

Note: This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the "Configure Automatic Updates" policy is disabled, this policy has no effect.

No auto-restart with logged on users for scheduled automatic updates installations

Always automatically restart at the scheduled time

If you enable this policy, a restart timer will always begin immediately after Windows Update installs important updates, instead of first notifying users on the login screen for at least two days.

The restart timer can be configured to start with any value from 15 to 180 minutes. When the timer runs out, the restart will proceed even if the PC has signed-in users.

If you disable or do not configure this policy, Windows Update will not alter its restart behavior.

If the "No auto-restart with logged on users for scheduled automatic updates installations" policy is enabled, then this policy has no effect.

Windows Automatic Updates

This setting controls automatic updates to a user's computer.

Whenever a user connects to the Internet, Windows searches for updates available for the software and hardware on their computer and automatically downloads them. This happens in the background, and the user is prompted when downloaded components are ready to be installed, or prior to downloading, depending on their configuration.

If you enable this setting, it prohibits Windows from searching for updates.
If you disable or do not configure it, Windows searches for updates and automatically downloads them.

Note: Windows Update is an online catalog customized for your computer that consists of items such as drivers, critical updates, Help files, and Internet products that you can download to keep your computer up to date.

Also, see the "Remove links and access to Windows Update" setting. If the "Remove links and access to Windows Update" setting is enabled, the links to Windows Update on the Start menu are also removed.

Note: If you have installed Windows XP Service Pack 1 or the update to Automatic Updates that was released after Windows XP was originally shipped, then you should use the new Automatic Updates settings located at: 'Computer Configuration / Administrative Templates / Windows Update'

Specifies the amount of time for Automatic Updates to wait before prompting again with a scheduled restart.

If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the previous prompt for restart was postponed.

If the status is set to Disabled or Not Configured, the default interval is 10 minutes.

Note: This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the "Configure Automatic Updates" policy is disabled, this policy has no effect. This policy has no effect on Windows RT.

Re-prompt for restart with scheduled installations

Specifies the amount of time for Automatic Updates to wait before proceeding with a scheduled restart.

If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the installation is finished.

If the status is set to Disabled or Not Configured, the default wait time is 15 minutes.

Note: This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the "Configure Automatic Updates" policy is disabled, this policy has no effect.
Delay Restart for scheduled installations

Specifies the amount of time for Automatic Updates to wait, following system startup, before proceeding with a scheduled installation that was missed previously.

If the status is set to Enabled, a scheduled installation that did not take place earlier will occur the specified number of minutes after the computer is next started.

If the status is set to Disabled, a missed scheduled installation will occur with the next scheduled installation.

If the status is set to Not Configured, a missed scheduled installation will occur one minute after the computer is next started.

Note: This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the "Configure Automatic Updates" policy is disabled, this policy has no effect.

Reschedule Automatic Updates scheduled installations

Specifies the target group name or names that should be used to receive updates from an intranet Microsoft update service.

If the status is set to Enabled, the specified target group information is sent to the intranet Microsoft update service which uses it to determine which updates should be deployed to this computer.

If the intranet Microsoft update service supports multiple target groups this policy can specify multiple group names separated by semicolons. Otherwise, a single group must be specified.

If the status is set to Disabled or Not Configured, no target group information will be sent to the intranet Microsoft update service.

Note: This policy applies only when the intranet Microsoft update service this computer is directed to is configured to support client-side targeting. If the "Specify intranet Microsoft update service location" policy is disabled or not configured, this policy has no effect.

Note: This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
Enable client-side targeting

Windows Update

Allow signed updates from an intranet Microsoft update service location

This policy setting allows you to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.

If you enable this policy setting, Automatic Updates accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.

If you disable or do not configure this policy setting, updates from an intranet Microsoft update service location must be signed by Microsoft.

Note: Updates from a service other than an intranet Microsoft update service must always be signed by Microsoft and are not affected by this policy setting.

Note: This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.

Do not connect to any Windows Update Internet locations

Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Windows Store.

Enabling this policy will disable that functionality, and may cause connection to public services such as the Windows Store to stop working.

Note: This policy applies only when this PC is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.

Turn off the upgrade to the latest version of Windows through Windows Update

Enables or disables the upgrade to the latest version of Windows through Windows Update.

If you enable this setting, Windows Update will not offer you an upgrade to the latest version of Windows.
If you disable or do not configure this setting, Windows Update might offer an upgrade to the latest version of Windows.

Configure notifications:
Configure automatic updating:
The following settings are only required and applicable if 4 is selected.
Install during automatic maintenance
Scheduled install day:
Scheduled install time:
(example: https://IntranetUpd01)
Do not enforce TLS certificate pinning for Windows Update client for detecting updates.
Select the proxy behavior for Windows Update client for detecting updates:
Check for updates at the following interval (hours):
Wait the following period before prompting again with a scheduled restart (minutes):
Wait the following period before proceeding with a scheduled restart (minutes):
Wait after system startup (minutes):
Wait the following period before shutting down the service when idle (minutes):
The restart timer will give users this much time to save their work (minutes):