
We're running a WSUS server for the simple purpose of caching updates. Since we are a very small network of all "power users", we've got the domain group policy for WSUS updates on the clients set to prompt for download/install. i.e. We don't want updates to install without our knowledge.

But there are a few cases where it would be nice to be able to set a certain update to auto-install. e.g. Windows Defender updates, Malicious Software Removal Tool, Outlook Junk Email Filter, etc. Basically all the silly little updates that you would always install anyway and don't require a restart.

Is there a way to set the general policy to prompt for download/install, but auto-install certain regular updates?

P.S. WSUS itself does have the facility to auto-approve certain updates. That part works.

Facts & Figures:

  • SBS 2003 domain
  • Windows 7 Pro clients
  • Windows XP Pro clients

Nicolas

2 Answers


Set group policy on Administrative Templates -> Windows Components -> Windows Update -> Allow Automatic Updates Immediate Installation

Description text: "Specifies whether Automatic Updates should automatically install certain updates that neither interrupt Windows services nor restart Windows.

If the status is set to Enabled, Automatic Updates will immediately install these updates once they are downloaded and ready to install.

If the status is set to Disabled, such updates will not be installed immediately.

Note: If the "Configure Automatic Updates" policy is disabled, this policy has no effect."

Rjcassara
  • Thanks for the suggestion - I was looking at it from the WSUS side, not the group policy side. But will this work since we have our updates set to prompt for download and for install (we're often on a VPN connection and don't want to find out too late that we've downloaded an entire service pack over 3G!). Will these still automatically download and install without user intervention? – Nicolas Apr 14 '11 at 08:15
  • Basically, I need to know how the "Configure Automatic Updates" setting interacts with the "Allow Automatic Updates Immediate Installation". – Nicolas Apr 14 '11 at 08:53
  • I haven't tested this specific combination, so I'm not certain. I would guess that if you are prompting for download, it will not automatically download. – Rjcassara Apr 20 '11 at 18:37
  • Confirmed. With WSUS set to prompt for download and install, the immediate installation setting seems to have no effect. – Nicolas Apr 26 '11 at 08:26
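
To check which of these settings a client actually received, the following added example (not part of the answer or comments above) reads the values the two policies write under the Windows Update policy registry key and reports whether immediate installation can take effect. The function names are hypothetical, the sample input is constructed, and the verdict for `AUOptions = 2` reflects the observation reported in this thread rather than documented behaviour.

```powershell
# Added example: evaluate the Windows Update policy values a client received.
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# AUOptions values written by the "Configure Automatic Updates" policy.
$AuOptionNames = @{
    2 = 'Notify for download and notify for install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

# Hypothetical helper: read the policy values that are present into a hashtable.
function Get-AuPolicy {
    $policy = @{}
    if (Test-Path $AuKey) {
        $item = Get-ItemProperty -Path $AuKey
        foreach ($name in 'NoAutoUpdate', 'AUOptions', 'AutoInstallMinorUpdates') {
            if ($null -ne $item.$name) { $policy[$name] = $item.$name }
        }
    }
    $policy
}

# Hypothetical helper: say whether immediate installation can take effect.
function Test-ImmediateInstall {
    param([hashtable]$Policy)
    if ($Policy['AutoInstallMinorUpdates'] -ne 1) {
        $verdict = 'Immediate installation is not enabled'
    } elseif ($Policy['NoAutoUpdate'] -eq 1) {
        # From the policy description: no effect when Configure Automatic Updates is disabled.
        $verdict = 'No effect: Configure Automatic Updates is disabled'
    } elseif ($null -eq $Policy['AUOptions']) {
        $verdict = 'Configure Automatic Updates is not set by policy; check the local setting'
    } elseif ($Policy['AUOptions'] -eq 2) {
        # Observation reported in this thread, not documented behaviour.
        $verdict = 'Likely no effect: client prompts before download'
    } else {
        $verdict = 'Minor updates should install once downloaded'
    }
    New-Object PSObject -Property @{
        ConfigureAutomaticUpdates = $AuOptionNames[[int]$Policy['AUOptions']]
        Verdict                   = $verdict
    }
}

# Constructed sample: the combination described in the question.
Test-ImmediateInstall @{ NoAutoUpdate = 0; AUOptions = 2; AutoInstallMinorUpdates = 1 }
# Live check on a client that receives the domain policy.
Test-ImmediateInstall (Get-AuPolicy)
```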

You should be able to set a deadline on the update (which can be in the past) to force computers to install the update the next time they check for available updates. Be aware that if an update requires a restart, it will do it there and then without much warning - however for the definition updates like you plan it ought to be fine.

Be aware though that if a user has installed an update which requires a reboot but has not rebooted, a deadline will trigger a reboot even if the update with the deadline does not require one.

Further Reading: Client Behavior with Update Deadlines (TechNet).

Ben Pilbrow
  • This doesn't sound like an ideal configuration... and will it work with a recurring update, such as the Windows Defender definitions? – Nicolas Apr 14 '11 at 08:16