2019年4月3日 星期三

Configure Clients Using Group Policy

Configure Clients Using Group Policy

轉載至 https://docs.microsoft.com/zh-tw/security-updates/WindowsUpdateServices/21741019

When you configure the Group Policy settings for WSUS, you should use a Group Policy object (GPO) linked to an Active Directory container appropriate for your environment. Microsoft does not recommend editing the Default Domain or Default Domain Controller GPOs to add WSUS settings.
In a simple environment, you link the GPO with the WSUS settings to the domain. In more complex environments, you might have multiple GPOs linked to several organizational units (OUs), so that you can set different WSUS policy settings on different types of computer.
After you set up a client computer, it will take a few minutes before it appears on the Computers page in the WSUS console. For client computers configured with an Active Directory-based GPO, it will take about 20 minutes after Group Policy refreshes (that is, applies any new settings to the client computer). By default, Group Policy refreshes in the background every 90 minutes, with a random offset of 0–30 minutes.
 注意
If you want to refresh Group Policy sooner, you can go to a command prompt on the client computer and type: gpupdate /force.

Load the WSUS Administrative Template

Before you can set any Group Policy options for WSUS, you must ensure that the latest administrative template has been loaded on the computer used to administer Group Policy. The administrative template with WSUS settings is named wuau.adm. Although there are additional Group Policy settings related to the Windows Update Web site, all the new Group Policy settings for WSUS are contained within the wuau.adm file.
If the computer you are using to configure Group Policy has the latest version of wuau.adm, you do not need to load the file to configure settings. The new version of wuau.adm is available on Windows XP with Service Pack 2. Administrative template files are stored by default in the %windir%\Inf directory.
 重要
You can find the correct version of wuau.adm on any computer that has the WSUS-compatible Automatic Updates installed. You can use the old version of wuau.adm to point Automatic Updates to the WSUS server in order to self-update for the first time. After Automatic Updates self-updates, the new wuau.adm file appears in the %windir%\Inf folder.
If the computer you are using to configure Group Policy does not have the latest version of wuau.adm, you must first load it by using the following procedure.
 注意
You can start the Group Policy editor by clicking Start, then Run, then typing gpedit.msc.
To add the WSUS Administrative Template
  1. In the Group Policy Object Editor, click either of the Administrative Templates nodes.
  2. On the Action menu, click Add/Remove Templates.
  3. Click Add.
  4. In the Policy Templates dialog box, select wuau.adm, and then click Open.
  5. In the Add/Remove Templates dialog box, click Close.

Configure Automatic Updates

The settings for this policy enable you to configure how Automatic Updates works. You must specify that Automatic Updates download updates from the WSUS server rather than from Windows Update.
To configure the behavior of Automatic Updates
  1. In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
  2. In the details pane, click Configure Automatic Updates.
  3. Click Enabled and select one of the following options:
    • Notify for download and notify for install. This option notifies a logged-on administrative user before the download and before the installation of the updates.
    • Auto download and notify for install. This option automatically begins downloading updates and then notifies a logged-on administrative user before installing the updates.
    • Auto download and schedule the install. If Automatic Updates is configured to perform a scheduled installation, you must also set the day and time for the recurring scheduled installation.
    • Allow local admin to choose setting. With this option, the local administrators are allowed to use Automatic Updates in Control Panel to select a configuration option of their choice. For example, they can choose their own scheduled installation time. Local administrators are not allowed to disable Automatic Updates.
  4. Click OK.

Specify intranet Microsoft Update service location

The settings for this policy enable you to specify a WSUS server that Automatic Updates will contact for updates. You must enable this policy in order for Automatic Updates to download updates from the WSUS server.
Enter the WSUS server HTTP(S) URL twice, so that the server specified for updates is also used for reporting client events. For example, type http(s)://servername in both boxes, where servername is the name of the server. Both URLs are required.
To redirect Automatic Updates to a WSUS server
  1. In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
  2. In the details pane, click Specify Intranet Microsoft update service location.
  3. Click Enabled and type the HTTP(S) URL of the same WSUS server in the Set the intranet update service for detecting updates box and in the Set the intranet statistics serverbox. For example, type http(s)://servername in both boxes, where servername is the name of the server. If the port is not 80 for HTTP or 443 for HTTPS, you should add the port number: https://servername:portnumber.
  4. Click OK.

Enable client-side targeting

This policy enables client computers to add themselves to target computer groups on the WSUS server, when Automatic Updates is redirected to a WSUS server.
If the status is set to Enabled, this computer will identify itself as a member of a particular computer group when it sends information to the WSUS server, which uses it to determine which updates should be deployed to this computer. This setting indicates to the WSUS server which group the client computer should use. You must actually create the group on the WSUS server.
If the status is set to Disabled or Not Configured, no computer group information will be sent to WSUS.
To enable client-side targeting
  1. In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
  2. In the details pane, click Enable client-side targeting.
  3. Click Enabled, and then type the name of the computer group to which you want to add this computer in the Target group name for this computer box.
  4. Click OK.
 注意
If you want to assign a client to more than one computer group, you should separate the computer group names with a semicolon plus a space: Group1; Group2.

Reschedule Automatic Updates scheduled installations

This policy specifies the amount of time that Automatic Updates should wait after system startup before proceeding with a scheduled installation that did not take place earlier.
If the status is set to Enabled, a missed installation will occur the specified number of minutes after the computer is next started.
If the status is set to Disabled, a missed installation will occur with the next scheduled installation.
If the status is set to Not Configured, a missed installation will occur one minute after the next time the computer is started.
This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the Configure Automatic Updates policy is disabled, this policy has no effect.
To reschedule Automatic Update scheduled installation
  1. In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
  2. In the details pane, click Reschedule Automatic Update scheduled installations, click Enabled, and type the number of minutes to wait.
  3. Click OK.

No auto-restart for scheduled Automatic Update installation options

This policy specifies that, to complete a scheduled installation, Automatic Updates will wait for the computer to be restarted instead of causing the computer to restart automatically.
If the status is set to Enabled, Automatic Updates will not restart a computer automatically during a scheduled installation if a user is logged on to the computer. Instead, Automatic Updates will notify the user to restart the computer in order to complete the installation. Be aware that Automatic Updates will not be able to detect future updates until the restart occurs.
If the status is set to Disabled or Not Configured, Automatic Updates will notify the user that the computer will automatically restart in five minutes to complete the installation. This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the Configure Automatic Updates policy is disabled, this policy has no effect.
 注意
This policy setting does not allow non-administrative Terminal Services users to restart the remote computer where they are logged on. This is because, by default, non-administrative Terminal Services users do not have computer restart privileges.
To prevent auto-restart for scheduled Automatic Update installation options
  1. In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
  2. In the details pane, click No auto-restart for scheduled Automatic Update installation options, and click Enabled.
  3. Click OK.

Automatic Update detection frequency

This policy specifies the number of hours that Windows will wait before checking for available updates. The exact wait time is determined by using the number of hours specified minus a random value between 0 and 20 percent of that number. For example, if this policy is used to specify a 20-hour detection frequency, then all computers to which this policy is applied will check for updates anywhere between 16 and 20 hours.
If the status is set to Enabled, Automatic Updates will check for available updates at the specified interval.
If the status is set to Disabled or Not Configured, Automatic Updates will check for available updates at the default interval of 22 hours.
To set Automatic Update detection frequency
  1. In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
  2. In the details pane, click Automatic Update detection frequency, click Enabled, and type the number of hours for the detection interval.
  3. Click OK.

Allow Automatic Update immediate installation

This policy specifies whether Automatic Updates should automatically install certain updates that neither interrupt Windows services nor restart Windows.
If the status is set to Enabled, Automatic Updates will immediately install these updates after they have been downloaded and are ready to install.
If the status is set to Disabled, such updates will not be installed immediately.
To allow Automatic Update immediate installation
  1. In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
  2. In the details pane, click Allow Automatic Update immediate installation, and click Enabled.
  3. Click OK.

Delay restart for scheduled installations

This policy specifies the amount of time that Automatic Updates should wait before proceeding with a scheduled restart.
If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the installation is finished.
If the status is set to Disabled or Not Configured, the default wait time is five minutes.
To delay restart for scheduled installations
  1. In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
  2. In the details pane, click Delay restart for scheduled installations, click Enabled, and type the number of minutes to wait.
  3. Click OK.

Reprompt for restart with scheduled installations

This policy setting specifies the amount of time that Automatic Updates should wait before prompting the user again for a scheduled restart.
If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the prompt for restart was dismissed.
If the status is set to Disabled or Not Configured, the default interval is 10 minutes.
To reprompt for restart with scheduled installations
  1. In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
  2. In the details pane, click Re-prompt for restart with scheduled installations, click Enabled, and type the number of minutes to wait before restarting.
  3. Click OK.

Allow non-administrators to receive update notifications

This policy specifies whether logged-on non-administrative users will receive update notifications. If Automatic Updates is configured (by policy or locally) to notify the user either before downloading and installation or only before installation, these notifications will be offered to any user, administrator, or non-administrator who is logged on to the computer.
If the status is set to Enabled, Automatic Updates will include non-administrators when determining which logged-on user should receive notification.
If the status is set to Disabled or Not Configured, Automatic Updates will notify only logged-on administrators.
To allow non-administrators to receive update notifications
  1. In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
  2. In the details pane, click Allow non-administrators to receive update notifications, and click Enabled.
  3. Click OK.
 注意
This policy setting does not allow non-administrative Terminal Services users to restart the remote computer where they are logged in. This is because, by default, non-administrative Terminal Services users do not have computer restart privileges.

Allow signed content from the intranet Microsoft update service location

If this policy setting is enabled, Automatic Updates receives signed third-party updates from the Windows Server Update Services server. If this policy is not enabled, users will be able to get updates only from Microsoft.
To allow signed content from the intranet Microsoft Update service location
  1. In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
  2. In the details pane, click Allow signed content from intranet Microsoft update service location, and click Enabled.
  3. Click OK.
If this policy setting is enabled, Automatic Updates receives updates from the WSUS server. Users who have this policy setting enabled cannot get updates from a Windows Update Web site that you have not approved. If this policy setting is not enabled, the Windows Updateicon remains on the Start menu; local administrators will be able to visit the Windows Update Web site, from which they could install unapproved software. This happens even if you have specified that Automatic Updates must get approved updates from your WSUS server. In Windows Vista, this setting will gray out the Check for updates option in the Windows Update application.
To remove links and access to Windows Update
  1. In the Group Policy Object Editor, expand User Configuration, expand Administrative Templates, and then click Start Menu and Taskbar.
  2. In the details pane, click Remove links and access to Windows Update, and click Enabled.
  3. Click OK.

Disable access to Windows Update

If this policy setting is enabled, all Windows Update features are removed. It blocks access to the Microsoft Update and Windows Update Web sites, and in Windows Vista will gray out the Check for updates option in the Windows Update application. The machine will not get automatic updates directly from Windows Update or Microsoft Update, but it can still get updates from a WSUS server. This setting overrides the user settings Remove links and access to Windows Update and Remove access to use all Windows Update features.
To disable access to Windows Update
  1. In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand System, expand Internet Communication Management, and then click Internet Communication settings.
  2. In the details pane, click Turn off access to all Windows Update features, and click Enabled.
  3. Click OK.


沒有留言:

張貼留言