Configuring SUS Policies on a Run-Time Image

5/10/2007

There are several ways you can control the SUS policies on a run-time image:

  • Update the group policies on each individual system using the Group Policy editor in the Microsoft Management Console (MMC).

  • Update the group policies directly in the registry of your run-time image by using Registry Editor.

  • In an Active Directory environment, update the global policies for all of the devices in your domain.

    Note

    Group policies set by Active Directory supersede any custom group policy settings on the client.

    For more information about how to configure the group policy settings using Active Directory, see the Deploying Microsoft Software Update Services white paper.

    Warning

    OEMs should not configure SUS to download updates directly from the public Microsoft Update site. Administrators of the device should be instructed to create their own internal SUS server to deliver updates to the client devices. Administrators should examine and approve any and all updates before they are applied. If client devices automatically download updates directly from the Microsoft Windows update, the updates may damage the run-time image.

If your run-time image includes the Group Policy Core Administration MMC Snap-In component, you can update the Group Policy settings directly on your run-time image.

To configure SUS policies on your run-time image using the Group Policy edit

  1. From your run-time image, run the Group Policy editor by opening a command prompt and typing gpedit.msc.

  2. Expand Local Computer Policy, then Computer Configuration, then Administrative Templates, and then Windows Components.

  3. Select Windows Update. The Windows Update settings appear in the details pane. Specifically, you will enable the following two configuration options:

    • Configure Automatic Updates, which configures the day and time that updates are installed and specifies the type of user notification.
    • Specify intranet Microsoft update service location, which specifies the host name or IP address of the intranet update server.
  4. Enable Automatic Updates and configure the update schedule:

    1. Right-click the Configure Automatic Updates policy and choose Properties. The Configure Automatic Updates Properties window opens.
    2. Select the Enable radio button.
    3. Select the type of user notification in the Configure Automatic Updating list.
    4. Select the automatic update schedule. Choose OK when you are finished.
  5. Set the host name or IP address of your intranet update server.

    1. Right-click the Specify intranet Microsoft update service location policy and choose Properties. The Configure Automatic Updates Properties window opens.
    2. Select the Enable radio button and type in the host name or IP address of your intranet Microsoft update server. Choose OK when you are finished.
  6. Review the additional group policy settings for Windows Update. Update the policies as necessary for your environment. Click an option to view its description.

If you are not in an active directory environment, or you run-time image does not include the Group Policy Core Administration MMC Snap-In component, you can edit the registry to configure SUS.

You can use the Registry Editor directly on the run-time image, or load the hive offline.

  1. From your run-time image, run the Group Policy editor by opening a command prompt and typing gpedit.msc.

  2. Expand Local Computer Policy, then Computer Configuration, then Administrative Templates, and then Windows Components.

  3. Select Windows Update. The Windows Update settings appear in the details pane. Specifically, you will enable the following two configuration options:

    • Configure Automatic Updates, which configures the day and time that updates are installed and specifies the type of user notification.
    • Specify intranet Microsoft update service location, which specifies the host name or IP address of the intranet update server.
  4. Enable Automatic Updates and configure the update schedule:

    1. Right-click the Configure Automatic Updates policy and choose Properties. The Configure Automatic Updates Properties window opens.
    2. Select the Enable radio button.
    3. Select the type of user notification in the Configure Automatic Updating list.
    4. Select the automatic update schedule. Choose OK when you are finished.
  5. Set the host name or IP address of your intranet update server.

    1. Right-click the Specify intranet Microsoft update service location policy and choose Properties. The Configure Automatic Updates Properties window opens.
    2. Select the Enable radio button and type in the host name or IP address of your intranet Microsoft update server. Choose OK when you are finished.
  6. Review the additional group policy settings for Windows Update. Update the policies as necessary for your environment. Click an option to view its description.

If you are not in an active directory environment, or you run-time image does not include the Group Policy Core Administration MMC Snap-In component, you can edit the registry to configure SUS.

You can use the Registry Editor directly on the run-time image, or load the hive offline.

To configure SUS policies on your run-time image by editing the registry

  1. Edit or add the following registry keys:

    Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate

    Name: WUServer

    Type: REG_SZ

    Value: <Host name or IP address of the intranet SUS server>

    Example: http://intranetSUS, or 192.168.100.100

    Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate

    Name: WUStatusServer

    Type: REG_SZ

    Value: <Host name or IP address of the intranet SUS statistics server>

    Example: http://intranetSUS, or 192.168.100.100

  2. Open the following registry key and update the values to support SUS: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

    The following table shows the different registry entries for this key:

    Key Description

    NoAutoUpdate

    0: Automatic Updates enabled.

    1: Automatic Updates disabled.

    AUOptions

    2: Notify of download and installation.

    3: Auto-download and notify of installation.

    4: Auto-download and scheduled installation.

    ScheduledInstallDay

    1-7: Indicates the days of the week, starting at 1 for Monday.

    ScheduledInstallTime

    0-23: Time of day in 24-hour format

    UseWUServer

    1:Use the Windows Update server specified in the key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer.

  1. Edit or add the following registry keys:

    Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate

    Name: WUServer

    Type: REG_SZ

    Value: <Host name or IP address of the intranet SUS server>

    Example: http://intranetSUS, or 192.168.100.100

    Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate

    Name: WUStatusServer

    Type: REG_SZ

    Value: <Host name or IP address of the intranet SUS statistics server>

    Example: http://intranetSUS, or 192.168.100.100

  2. Open the following registry key and update the values to support SUS: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

    The following table shows the different registry entries for this key:

    Key Description

    NoAutoUpdate

    0: Automatic Updates enabled.

    1: Automatic Updates disabled.

    AUOptions

    2: Notify of download and installation.

    3: Auto-download and notify of installation.

    4: Auto-download and scheduled installation.

    ScheduledInstallDay

    1-7: Indicates the days of the week, starting at 1 for Monday.

    ScheduledInstallTime

    0-23: Time of day in 24-hour format

    UseWUServer

    1:Use the Windows Update server specified in the key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer.

See Also

Tasks

Approving Updates From Your SUS Server

Other Resources

Software Update Services (SUS)