Setting up windows xp wsus update. Configuring WSUS clients using group policies. Removing a service from autostart

Automatic updates are an important functional feature of any operating system. Thanks to them, the computer receives important updates on time, making the system more stable and secure. In Windows 7, the function is enabled by default. This means that if there is a connection to Microsoft servers, the update service checks for fresh packages, downloads them and installs them. Usually all of this goes virtually unnoticed by the user, but when constant offers to upgrade to Windows 10 appear, this is already overkill.

In principle, there is no need to disable automatic downloading of updates. It is useful because it closes security gaps, optimizes the operation of the OS, and adds new features to it (in the case of Windows 10). Still, there is a list of reasons why a user may want the auto-update service disabled:

  1. The user does not like that during the update the Internet speed drops and/or the PC cannot be turned off for a long time.
  2. The computer has expensive or limited wireless Internet.
  3. Problems after launching the updated OS.
  4. Failures during the installation of update packages.
  5. There is not enough space on the system volume to accommodate the increase in volume of Windows 7, which grows with each update.

Kinds

Still, before you disable the Windows 7 update, think about whether it is really necessary. In addition to deactivating the service, it can be switched to the following operating modes.

  1. Fully automatic - operations proceed without user intervention, only notifying the user that the installation of packages is complete.
  2. Searches and downloads the latest fixes on a schedule, and the installation of packages is carried out by the user.
  3. Automatic checking and notifying the user about the availability of updates.
  4. Self-update is disabled. Everything is done manually.

Options are selected in the Update Center component.

Disconnection methods

The settings of any Windows are stored in its registry. You can access the key responsible for the Update Center settings in several simple and a couple more complex ways. Let's look at them all.

Change Update Center settings

Let's start by setting up the service for ourselves. To access the configuration interface, you need to open the “Update Center” using one of the following methods.

System

  1. Through the context menu of My Computer, call up its “Properties”.
  2. In the left vertical menu, click on the corresponding link located at the bottom of the window.

  1. Go to the “Control Panel”.
  2. Open the “System and Security” section.
  3. Call the element of the same name.

If control panel items are rendered as icons rather than categories, a link to the item will appear in the main window.

  1. So, after getting into the desired window, click “Change settings”.
  2. Move to the “Important updates” section and select the appropriate option from the drop-down list.

The only way to completely disable receiving updates on a computer with Windows 7 is to stop the service.

Disabling the service

Services in Windows 7 are managed through:

  • direct editing of registry keys, which is very inconvenient;
  • third-party programs for configuring the OS (we’ll skip this option);
  • MMC console snap-in;
  • system configuration;
  • command line;
  • Group Policy Editor (present in Windows 7 Ultimate, Enterprise).

Removing a service from autostart

The fastest way to disable updates is through the system configurator.

  1. Execute “msconfig” in the “Run” dialog, which opens with the Win + R keys or the “Run” button in Start.
  2. Go to the “Services” tab.
  3. Find “Windows Update” and uncheck the box next to it.
  4. Save the new settings.

Until the end of the current session, the service will work, properly performing the tasks assigned to it. To apply the new configuration, Windows 7 must be rebooted.

Let's use the MMC console snap-in

The system console snap-in of the same name provides access to managing all services on the PC. It starts like this.

  1. Open the context menu of “My Computer”.
  2. Call the “Manage” command.
  3. In the left vertical menu, expand the “Services and Applications” item. Next, click on the “Services” link.

A simpler option for calling the same window would be to run the “services.msc” command through the “Run” dialog.

  1. Scroll to the very end of the list of services and open the “Properties” of the Windows Update service.
  2. In the “Startup type” drop-down list, select “Disabled” instead of “Automatic” in order to say goodbye to automatic updates forever. If you need to disable the service now, be sure to click “Stop”. Save the new settings with the “Apply” button and close all windows.

The PC does not need to be rebooted to apply the settings.

Group Policy Editor

Another MMC snap-in called the Local Group Policy Editor will help you configure any system parameter.

It is not available in the Home editions of Windows 7!

  1. The tool is launched by running the “gpedit.msc” command through the “Run” window.
  2. In the “Computer Configuration” subsection, expand the “Administrative Templates” branch.
  3. Open “Windows Components” and look for Windows Update.
  4. On the right side of the window, find the “Configure Automatic Updates” parameter.
  5. Call up its settings.
  6. Move the selector to the “Disabled” position and click “OK” to close the window and save the changes.

Let's use the command line

Through the command line, all the same operations are performed as using the graphical interface, and even more, but in text mode. The main thing is to know their syntax and parameters.

The “cmd” command is responsible for calling the command line.

  1. Open the command interpreter and execute it.


Published on February 18, 2009


If you missed the second part of this article, then please read

While both Windows Update and WSUS are generally fairly easy to configure, you can sometimes gain more control by making some changes to the Windows registry. In this article, I will show you some registry keys that are associated with Windows Update. I'll show you the different options that these registry keys can take.

To start

First, I'll make the lawyers happy and warn that making changes to the registry can be very dangerous. Entering incorrect registry settings can destroy Windows and/or any applications running on the machine. Before attempting to make changes to the registry, you must make a full backup of the system.

There is one more thing I need to tell you about. The fine-tuning that I want to tell you about only applies to computers running Windows XP. You can make changes to specific machines directly, or you can apply them as part of a login script. Also, some of the keys I'll talk about may not exist by default. If you want to use a key that doesn't exist, you must first create it. You should also know that Windows update behavior can be controlled using group policy. Group policies can sometimes modify registry keys so that they follow the behavior they specify.

Privilege escalation

One of the problems with getting updates from a WSUS server is that users cannot approve or deny updates unless they are members of the local administrators group. However, you can use the registry to elevate users' privileges so that they can install or refuse to install changes, regardless of whether they are members of the local administrator group or not. On the other hand, you can also prevent users from installing updates and leave this right to the administrator (Admin).

The registry key that is responsible for this is: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ElevateNonAdmins

The ElevateNonAdmins key has two possible values. The default value of 1 allows non-administrator users to install updates. If you change this value to 0, only administrators will be able to install updates.

Target Groups

One of the great things about WSUS is that it allows for client-side targeting. The idea with client-side targeting is that you can define different computer groups, and distribute rights to install updates depending on group membership. By default, client-side targeting is not used, but if you choose to use it, there are two registry keys that will help you do this. The first of these keys enables client-side targeting, and the other indicates the name of the group to which the computer belongs. Both of these keys must be created in: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\

The first key is a DWORD key called TargetGroupEnabled. You can set this key to 0, which disables client side targeting, or 1, which enables client side targeting.

The other key you should create should be called TargetGroup and have a string value. The value of this key must be the name of the group to which the computer should be assigned.

Installing a WSUS Server

If you've been involved with networking for a bit, then you probably know that network design tends to change over time. Things like company growth, new security requirements, and corporate restrictions often form the basis for network changes. How does this apply to Windows updates? WSUS is scalable and can be installed in a hierarchical manner. This means that an organization may have multiple WSUS servers installed. If a PC is moved to another part of the company, the WSUS server that was originally defined for that computer may no longer be appropriate for the new location. Fortunately, a few simple registry modifications can change the WSUS server from which the PC receives updates.

There are two keys that are used to identify the WSUS server. Each of them is located in: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\. The first key is called WUServer. This key must be set to a text value that describes the WSUS server URL (for example: http://servername).

Another key you should change is a key called WUStatusServer. The idea with this key is that the computer (PC) should report its status to the WSUS server so that the WSUS server can know what changes have been installed on the computer. The WUStatusServer key usually contains the exact same value as the WUServer key (for example: http://servername).

Automatic Update Agent

So, I've talked about how to connect a computer (PC) to a specific WSUS server or for a specific group (target group), but that's only half the process. Windows Update uses an update agent that actually installs updates. There are several registry keys located in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU that control the automatic update agent.

The first of these keys is the AUOptions key. This DWORD value can be set to 2, 3, 4, or 5. A value of 2 means that the agent should notify the user when updates are downloaded. A value of 3 means that the update will be downloaded automatically and the user will be notified about installation. A value of 4 means that the update should be automatically downloaded and installed as scheduled. In order for this option to work, you must also set the values for the ScheduledInstallDay and ScheduledInstallTime keys. I'll talk more about these keys later. Finally, a value of 5 means that automatic updating is required, but it can be configured by end users.

The next key I want to talk about is the AutoInstallMinorUpdates key. This key can have the value 0 or 1. If the key value is 0, then minor updates are processed the same as any other updates. If the key value is 1, then minor updates are installed silently in the background.

Another key related to the Automatic Update Agent is the DetectionFrequency key. This key allows you to set how often the agent should check for updates. The key value must be an integer from 1 to 22, which reflects the number of hours between attempts to request an update.

The registry key associated with it is the DetectionFrequencyEnabled key. As the name suggests, this key allows you to enable or disable the Detection Frequency function. If you set the value of this key to 0, then the value of the DetectionFrequency key will be ignored, and if you set the value of this key to 1, then the agent will have to use the value of the DetectionFrequency key.

The next key I want to talk about is the NoAutoUpdate key. If the value of this key is 0, then automatic updating is enabled. If the key value is 1, then automatic updating is disabled.

The last registry key I want to talk about is the NoAutoRebootWithLoggedOnUsers key. As you probably know, some updates may not take effect without rebooting the system. If the user is working at this time, then a reboot may be very undesirable. This is especially true if the user has walked away from their desk and has not saved their work. In this case, the NoAutoRebootWithLoggedOnUsers key will help. The value of this key can be 0 or 1. If the value of the key is 0, then users will receive a 5 minute warning before the system automatically reboots. If the key value is 1, then users will simply receive a message asking for permission to reboot, but users can choose to do so at their own discretion.

Conclusion

There are many more registry keys related to Windows Update. I will talk about the rest of them in the second part of this article.

www.windowsnetworking.com



Hello everyone. Today's note is more for myself: a list of Windows Update servers. Why might this be useful? For example, if you received the error “Update not found” when installing the WSUS role, or, vice versa, if for some reason you want to block them to save traffic when you don’t have WSUS, since not all Windows updates are good, especially in its modern versions. I think there is no point in reminding about the error, although this list can be continued for a very long time. The reason is not important; the main thing is to know that the list exists and that you can work with it. Below I will show you methods for blocking Microsoft update server addresses, both universal ones suitable for an individual computer and ones for centralized management within an enterprise.

Why Windows updates won't install?

Here is a screenshot of the error you get if the Microsoft update server address is not available. As you can see, the error is not very informative. I get it on a server that holds the WSUS role (for those who don’t remember, this is a local update center for enterprises, used to save traffic), and here Windows updates are not installed because the Microsoft servers are unreachable.

What to do if Windows updates are not installed

  • First of all, check whether you have Internet access, since it is required in most cases, unless of course you have an Active Directory domain and download updates from your WSUS.
  • Next, if there is Internet access, look at the error code, since that is what you need to search on to find a solution (from recent problems I can give the examples of how Error 0x80070422 or Error c1900101 is solved), but that list can also go on for a very long time.
  • Check on the proxy server whether any of the following Microsoft update server addresses is blocked.

The list of Microsoft update servers itself

  1. http://windowsupdate.microsoft.com
  2. http://*.windowsupdate.microsoft.com
  3. https://*.windowsupdate.microsoft.com
  4. http://crl.microsoft.com/pki/crl/products/MicProSecSerCA_2007-12-04.crl
  5. http://*.update.microsoft.com
  6. https://*.update.microsoft.com
  7. http://*.windowsupdate.com
  8. https://activation.sls.microsoft.com/
  9. http://download.windowsupdate.com
  10. http://download.microsoft.com
  11. http://*.download.windowsupdate.com
  12. http://wustat.windows.com
  13. http://ntservicepack.microsoft.com
  14. https://go.microsoft.com/
  15. http://go.microsoft.com/
  16. https://login.live.com
  17. https://validation.sls.microsoft.com/
  18. https://activation-v2.sls.microsoft.com/
  19. https://validation-v2.sls.microsoft.com/
  20. https://displaycatalog.mp.microsoft.com/
  21. https://licensing.mp.microsoft.com/
  22. https://purchase.mp.microsoft.com/
  23. https://displaycatalog.md.mp.microsoft.com/
  24. https://licensing.md.mp.microsoft.com/
  25. https://purchase.md.mp.microsoft.com/

In one of the previous articles we described the procedure in detail. After you have configured the server, you need to configure Windows clients (servers and workstations) to use the WSUS server to receive updates, so that the clients receive updates from the internal update server rather than from Microsoft Update servers over the Internet. In this article, we will walk through the procedure for configuring clients to use a WSUS server using Active Directory domain group policies.

AD Group Policies allow an administrator to automatically assign computers to different WSUS groups, eliminating the need to manually move computers between groups in the WSUS console and keep those groups up to date. Assignment of clients to different WSUS target groups is based on a registry label on the client (labels are set by Group Policy or by directly editing the registry). This type of assignment of clients to WSUS groups is called client-side targeting.

It is assumed that our network will use two different update policies: a separate update installation policy for servers (Servers) and for workstations (Workstations). These two groups need to be created in the WSUS console in the All Computers section.

Advice. The policy for how clients use the WSUS update server largely depends on the organizational structure of the OU in Active Directory and the organization's update installation rules. In this article, we will look at just a particular option that allows you to understand the basic principles of using AD policies to install Windows updates.

First of all, you need to specify the rule for grouping computers (targeting) in the WSUS console. By default, computers in the WSUS console are distributed into groups manually by the administrator (server-side targeting). We are not happy with this, so we will specify that computers are distributed into groups based on client-side targeting (by a specific key in the client registry). To do this, in the WSUS console, go to the Options section and open the Computers parameter. Change the value to “Use Group Policy or registry settings on computers”.

You can now create a GPO to configure WSUS clients. Open the domain Group Policy Management console and create two new group policies: ServerWSUSPolicy and WorkstationWSUSPolicy.

WSUS Group Policy for Windows Servers

Let's start with a description of the server policy ServerWSUSPolicy.

Group policy settings responsible for the operation of the Windows Update service are located in the GPO section: Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update.

In our organization, we expect to use this policy to install WSUS updates on Windows servers. It is expected that all computers covered by this policy will be assigned to the Servers group in the WSUS console. In addition, we want to prevent automatic installation of updates on servers when they are received. The WSUS client must simply download available updates to disk, display an alert for new updates in the system tray, and wait for an administrator to initiate installation (either manually or remotely using ). This means that production servers will not automatically install updates and reboot without administrator approval (usually this work is performed by the system administrator as part of monthly scheduled maintenance). To implement such a scheme, we will set the following policies:

  • Configure Automatic Updates: Enabled. 3 – Auto download and notify for install – the client automatically downloads new updates and notifies about their availability;
  • Specify intranet Microsoft update service location: Enabled. Set the intranet update service for detecting updates: http://srv-wsus.site:8530, Set the intranet statistics server: http://srv-wsus.site:8530 – here you need to specify the address of your WSUS server and statistics server (usually they are the same);
  • No auto-restart with logged on users for scheduled automatic updates installations: Enabled – prohibit automatic reboot when there is a user session;
  • Enable client-side targeting: Enabled. Target group name for this computer: Servers – in the WSUS console, assign clients to the Servers group.

Note. When setting up an update policy, we recommend that you carefully familiarize yourself with all the settings available in the Windows Update section of the GPO and set the parameters that suit your infrastructure and organization.

WSUS Update Installation Policy for Workstations

We assume that updates on client workstations, in contrast to the server policy, will be installed automatically at night immediately after receiving updates. After installing updates, computers should reboot automatically (warning the user 5 minutes in advance).

In this GPO (WorkstationWSUSPolicy) we specify:

  • Allow Automatic Updates immediate installation: Disabled – prohibition on immediate installation of updates when they are received;
  • Allow non-administrators to receive update notifications: Enabled – display a warning to non-administrators about new updates and allow their manual installation;
  • Configure Automatic Updates: Enabled. Configure automatic updating: 4 - Auto download and schedule the install. Scheduled install day: 0 - Everyday. Scheduled install time: 05:00 – when new updates are received, the client downloads them to the local cache and schedules their automatic installation at 5:00 am;
  • Target group name for this computer: Workstations – in the WSUS console, assign the client to the Workstations group;
  • No auto-restart with logged on users for scheduled automatic updates installations: Disabled – the system will automatically reboot 5 minutes after the update installation is completed;
  • Specify intranet Microsoft update service location: Enabled. Set the intranet update service for detecting updates: http://srv-wsus.site:8530, Set the intranet statistics server: http://srv-wsus.site:8530 – address of the corporate WSUS server.

On Windows 10 1607 and above, clients may still try to contact Windows Update servers on the Internet even though you have told them to get updates from the internal WSUS. This "feature" is called DualScan. To disable receiving updates from the Internet, you must additionally enable the policy “Do not allow update deferral policies to cause scans against Windows Update”.

Advice. To improve the “level of patching” of computers in an organization, both policies can be configured to force the start of the update service (wuauserv) on clients. To do this, in the section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> System Services, find the Windows Update service and set it to start automatically (Automatic).

Assigning WSUS policies to Active Directory OUs

The next step is to assign the created policies to the appropriate Active Directory containers (OUs). In our example, the OU structure in the AD domain is as simple as possible: there are two containers – Servers (it contains all the organization’s servers, in addition to domain controllers) and WKS (Workstations – user computers).

Advice. We are considering only one fairly simple option for binding WSUS policies to clients. In real organizations, it is possible to bind one WSUS policy to all computers in a domain (a GPO with WSUS settings is attached to the root of the domain), to distribute different types of clients across different OUs (as in our example - we created different WSUS policies for servers and workstations), in large distributed domains can be linked, or assigned GPOs based on, or a combination of the above methods.

To assign a policy to an OU, click on the desired OU in the Group Policy Management Console, select the menu item “Link an Existing GPO” and choose the appropriate policy.

Advice. Do not forget about a separate OU with domain controllers (Domain Controllers); in most cases, the WSUS “server” policy should be assigned to this container.

In exactly the same way, you need to assign the WorkstationWSUSPolicy policy to the AD WKS container in which Windows workstations are located.

All that remains is to update group policies on clients to bind the client to the WSUS server:

All Windows update system settings that we set using group policies should appear in the client registry in the branch HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.

This reg file can be used to transfer WSUS settings to other computers that cannot configure update settings using GPO (computers in a workgroup, isolated segments, DMZ, etc.)

Windows Registry Editor Version 5.00

; WSUS server location and client-side targeting
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://srv-wsus.site:8530"
"WUStatusServer"="http://srv-wsus.site:8530"
"UpdateServiceUrlAlternate"=""
"TargetGroupEnabled"=dword:00000001
"TargetGroup"="Servers"
"ElevateNonAdmins"=dword:00000000

; Automatic Update agent settings
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000003
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"ScheduledInstallEveryWeek"=dword:00000001
"UseWUServer"=dword:00000001
"NoAutoRebootWithLoggedOnUsers"=dword:00000001

It is also convenient to control the applied WSUS settings on clients using rsop.msc.
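A consistency check for the WindowsUpdate and WindowsUpdate\AU values described in the registry article and in the .reg file above. This is an added example, not code from the original articles: the function names Get-PolicyValues and Test-WsusPolicy are hypothetical, the sample values are constructed, and the rule that UseWUServer must be 1 for WUServer to take effect is Windows Update Agent behaviour that the text shows only through the .reg file.

```powershell
# Added example: audit Windows Update policy values against the rules in the text.
# Function names and finding messages are illustrative, not part of any product.

$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Read every value under a registry key into a hashtable (empty if the key is absent).
function Get-PolicyValues {
    param([string]$Path)
    $values = @{}
    if (Test-Path -Path $Path) {
        $key = Get-Item -Path $Path
        foreach ($name in $key.GetValueNames()) { $values[$name] = $key.GetValue($name) }
    }
    return $values
}

# Emit one string per inconsistency found; no output means the values agree.
function Test-WsusPolicy {
    param([hashtable]$WU = @{}, [hashtable]$AU = @{})

    # WSUS server: the two URLs normally match, and AU\UseWUServer must be 1.
    if ($WU.ContainsKey('WUServer')) {
        if ($WU['WUServer'] -ne $WU['WUStatusServer']) {
            'WUStatusServer differs from WUServer'
        }
        if ($AU['UseWUServer'] -ne 1) {
            'WUServer is set but AU\UseWUServer is not 1'
        }
    }

    # Client-side targeting: a group name has no effect unless targeting is enabled.
    if ($WU['TargetGroup'] -and ($WU['TargetGroupEnabled'] -ne 1)) {
        'TargetGroup is set but TargetGroupEnabled is not 1'
    }

    # Update installation rights for non-administrators.
    if ($WU['ElevateNonAdmins'] -eq 1) {
        'ElevateNonAdmins=1: non-administrators can install updates'
    }

    # Automatic Update agent.
    if ($AU['NoAutoUpdate'] -eq 1) {
        'NoAutoUpdate=1: automatic updating is disabled'
    }
    $opt = $AU['AUOptions']
    if ($null -ne $opt) {
        if (2..5 -notcontains $opt) {
            "AUOptions=$opt is outside the documented values 2-5"
        }
        elseif ($opt -eq 4) {
            # Scheduled install needs both schedule values.
            foreach ($name in 'ScheduledInstallDay', 'ScheduledInstallTime') {
                if (-not $AU.ContainsKey($name)) { "AUOptions=4 requires $name" }
            }
        }
    }
    if ($AU['DetectionFrequencyEnabled'] -eq 1) {
        $freq = $AU['DetectionFrequency']
        if (($null -eq $freq) -or ($freq -lt 1) -or ($freq -gt 22)) {
            "DetectionFrequency must be 1-22 hours (found '$freq')"
        }
    }
}

# Constructed sample: the page's .reg values with three deliberate mistakes.
$sampleWU = @{
    WUServer         = 'http://srv-wsus.site:8530'
    WUStatusServer   = 'http://srv-wsus-old.site:8530'   # constructed mismatch
    TargetGroup      = 'Servers'                         # TargetGroupEnabled missing
    ElevateNonAdmins = 0
}
$sampleAU = @{
    UseWUServer         = 1
    AUOptions           = 4                              # ScheduledInstallTime missing
    ScheduledInstallDay = 0
}
Test-WsusPolicy -WU $sampleWU -AU $sampleAU

# On a live client, audit the real policy keys instead:
# Test-WsusPolicy -WU (Get-PolicyValues $WuKey) -AU (Get-PolicyValues "$WuKey\AU")
```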

After some time (depending on the number of updates and the bandwidth of the channel to the WSUS server), check the tray for pop-up notifications about new updates. Clients should appear in the WSUS console in the appropriate groups (the table displays the client name, IP, OS, the percentage of updates installed and the date of the last status update). Because we have assigned computers and servers to different WSUS groups by policy, they will only receive updates approved for installation in the corresponding WSUS groups.

Note. If updates do not appear on the client, it is recommended to carefully examine the Windows Update Service log on the problematic client (C:\Windows\WindowsUpdate.log). Please note that Windows 10 (Windows Server 2016) uses . The client downloads updates to the local folder C:\Windows\SoftwareDistribution\Download. To start searching for new updates on the WSUS server, you need to run the command:

wuauclt /detectnow

Also, sometimes you have to forcefully re-register the client on the WSUS server:

wuauclt /detectnow /resetAuthorization

In particularly difficult cases, you can try to fix the wuauserv service. If this occurs, try changing the frequency of checking for updates on the WSUS server using the Automatic Update detection frequency policy.

In the next article we will describe the features. We also recommend that you read the article between groups on a WSUS server.

With the development of the Internet, constantly updating the operating system has become commonplace. Now developers can fix and improve the system throughout its entire support period. But frequent Windows 10 updates are not always convenient. That's why it would be good to be able to turn them off.

Reasons for turning off automatic updates

The reasons can be very different, and only you can decide how much you need to disable updates. It is worth considering that along with improvements to certain capabilities, important fixes for system vulnerabilities are supplied. And yet, situations when independent updates should be disabled arise quite often:

  • paid Internet - sometimes the update is quite large and downloading it can be expensive if you pay for traffic. In this case, it is better to postpone the download and download later under other conditions;
  • lack of time - after downloading, the update will begin to install while the computer is turned off. This can be inconvenient if you need to quickly shut down work, such as on a laptop. But what’s even worse is that sooner or later Windows 10 will require you to restart your computer, and if you don’t do this, then after some time the restart will be forced. All this distracts and interferes with work;
  • security - although the updates themselves often contain important system changes, no one can ever foresee everything. As a result, some updates may open your system to virus attack, while others will simply break it right after installation. A reasonable approach in this situation is to update some time after the release of the next version, having previously studied the reviews.

Disable automatic Windows 10 updates

There are many ways to turn off Windows 10 updates. Some of them are very simple for the user, others are more complex, and others require the installation of third-party programs.

Disabling via Update Center

Using the Windows Update settings to disable updates is not the best option, although Microsoft developers offer it as the official solution. You can actually turn off automatic downloading of updates through these settings. The problem is that this solution will be temporary one way or another: the release of a major Windows 10 update will change this setting and bring back system updates. But we will still study the shutdown process:

After these changes, minor updates will no longer be installed. But this solution will not help you get rid of downloading updates forever.