Here are the relevant sections from the policy that I use: Policy Setting Allow Automatic Updates immediate installation Enabled Automatic Updates detection frequency Enabled Check for updates at the following interval (hours): 4
Policy Setting Configure Automatic Updates Enabled Configure automatic updating: 4 - Auto download and schedule the install The following settings are only required and applicable if 4 is selected. Scheduled install day: 0 - Every day Scheduled install time: 02:00 Not sure why unapproved updates would fire though. -Jeff Steward On Fri, Oct 15, 2010 at 4:45 PM, Kurt Buff <kurt.b...@gmail.com> wrote: > Because I'm a complete idio^H^H^H^newb at GPO stuff, and didn't know? > I even googled, and didn't find that, but it's completely obvious once > you said it. > > Sigh. > > Setting State > Do not display 'Install Updates and Shut Down' option in Shut Down > Windows dialog box Enabled > Do not adjust default option to 'Install Updates and Shut Down' in > Shut Down Windows dialog box Disabled > Configure Automatic Updates Enabled > Specify intranet Microsoft update service location Enabled > Enable client-side targeting Not configured > Reschedule Automatic Updates scheduled installations Not configured > No auto-restart with logged on users for scheduled automatic updates > installations Enabled > Automatic Updates detection frequency Enabled > Allow Automatic Updates immediate installation Enabled > Delay Restart for scheduled installations Enabled > Re-prompt for restart with scheduled installations Enabled > Allow non-administrators to receive update notifications Not > configured > Enable recommended updates via Automatic Updates Not configured > Enabling Windows Update Power Management to automatically wake up the > system to install scheduled updates Enabled > Allow signed content from intranet Microsoft update service location > Enabled > > > On Fri, Oct 15, 2010 at 13:18, Andrew S. Baker <asbz...@gmail.com> wrote: > > Why can't you export the GPO settings from the GPMC? > > > > ASB (My XeeSM Profile) > > Exploiting Technology for Business Advantage... > > > > > > > > On Fri, Oct 15, 2010 at 3:54 PM, Kurt Buff <kurt.b...@gmail.com> wrote: > >> > >> All, > >> > >> Early last week, I set up a GPO to setup WSUS entries for > >> workstations. I've probably fubar'ed something, but I can't figure it > >> out. > >> > >> The issue today is that I've got some random updates (starting last > >> night and continuing on through today) installing and rebooting > >> machines - I haven't yet figured out how many machines. > >> > >> When I look into the WSUS administrative interface, I see that some of > >> the updates were approved on Monday evening with a deadline of 4am > >> Tuesday, and some of the updates were not approved at all, yet > >> installed anyway starting last night. In particular we don't use WSUS > >> to distribute the Junk email filters. > >> > >> By looking at c:\Windows\WindowsUpdate.log, I see that all of the > >> updates are being downloaded from the WSUS server, however. > >> > >> The 4 updates that seem to be in common so far are: > >> > >> - Update for Root Certificates [August 2010] (KB931125) > >> - Update for Internet Explorer 8 Compatibility View List for > >> Windows XP (KB2362765) > >> - Update for Microsoft Office Outlook 2003 Junk Email Filter > >> (KB2291595) > >> - Security Update for Microsoft Office Outlook 2003 (KB2293428) > >> > >> The above are what installed on my machine, but others have gotten > >> them, plus others. > >> > >> I tried to find a way to export the GPO settings directly, but had to > >> resort to going into my workstation's registry and exporting the > >> HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate subtree. > >> > >> The Group Policy settings that have been applied to the workstations > >> are below - can anyone see what I might have done wrong? > >> > >> Thanks, > >> > >> Kurt > >> > >> Key Name: > >> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate > >> Class Name: <NO CLASS> > >> Last Write Time: 2010-10-09 - 17:55 > >> Value 0 > >> Name: WUServer > >> Type: REG_SZ > >> Data: http://wsus > >> > >> Value 1 > >> Name: WUStatusServer > >> Type: REG_SZ > >> Data: http://wsus > >> > >> Value 2 > >> Name: AcceptTrustedPublisherCerts > >> Type: REG_DWORD > >> Data: 0x1 > >> > >> > >> Key Name: > >> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU > >> Class Name: <NO CLASS> > >> Last Write Time: 2010-10-09 - 17:55 > >> Value 0 > >> Name: NoAutoRebootWithLoggedOnUsers > >> Type: REG_DWORD > >> Data: 0x1 > >> > >> Value 1 > >> Name: RescheduleWaitTime > >> Type: REG_DWORD > >> Data: 0x1 > >> > >> Value 2 > >> Name: UseWUServer > >> Type: REG_DWORD > >> Data: 0x1 > >> > >> Value 3 > >> Name: DetectionFrequencyEnabled > >> Type: REG_DWORD > >> Data: 0x1 > >> > >> Value 4 > >> Name: DetectionFrequency > >> Type: REG_DWORD > >> Data: 0x8 > >> > >> Value 5 > >> Name: AutoInstallMinorUpdates > >> Type: REG_DWORD > >> Data: 0x1 > >> > >> Value 6 > >> Name: RebootWarningTimeoutEnabled > >> Type: REG_DWORD > >> Data: 0x1 > >> > >> Value 7 > >> Name: RebootWarningTimeout > >> Type: REG_DWORD > >> Data: 0x5 > >> > >> Value 8 > >> Name: RebootRelaunchTimeoutEnabled > >> Type: REG_DWORD > >> Data: 0x1 > >> > >> Value 9 > >> Name: RebootRelaunchTimeout > >> Type: REG_DWORD > >> Data: 0xa > >> > >> Value 10 > >> Name: AUPowerManagement > >> Type: REG_DWORD > >> Data: 0x1 > >> > >> Value 11 > >> Name: NoAutoUpdate > >> Type: REG_DWORD > >> Data: 0x0 > >> > >> Value 12 > >> Name: AUOptions > >> Type: REG_DWORD > >> Data: 0x4 > >> > >> Value 13 > >> Name: ScheduledInstallDay > >> Type: REG_DWORD > >> Data: 0x0 > >> > >> Value 14 > >> Name: ScheduledInstallTime > >> Type: REG_DWORD > >> Data: 0x3 > >> > >> Value 15 > >> Name: NoAUShutdownOption > >> Type: REG_DWORD > >> Data: 0x1 > >> > >> Value 16 > >> Name: NoAUAsDefaultShutdownOption > >> Type: REG_DWORD > >> Data: 0x0 > >> > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > > > --- > > To manage subscriptions click here: > > http://lyris.sunbelt-software.com/read/my_forums/ > > or send an email to listmana...@lyris.sunbeltsoftware.com > > with the body: unsubscribe ntsysadmin > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to listmana...@lyris.sunbeltsoftware.com > with the body: unsubscribe ntsysadmin > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
