Windows Update source via the registry. Configuring WSUS clients using Group Policy. WSUS update installation policy for workstations

Hello everyone. Today's post is a note mostly for myself, namely the list of Windows Update servers. Why can this be useful? For example, if you received an "update not found" error when installing the WSUS role, or, conversely, if for some reason you want to block these addresses to save traffic when you do not have WSUS, since not all Windows updates are good, especially in its modern versions; I think there is no need to remind you of the errors, although that list could go on for a very long time. The reason is not important; the main thing is to know what these servers are so that you can work with them. Below I will show methods of blocking the Microsoft update server addresses, both universal ones suitable for an individual computer and ones for centralized management within an enterprise.

Why Windows Updates are not installed

Here is a screenshot of the error that appears when the Microsoft update server address is not available. As you can see, the error is not very informative. I get it on the server carrying the WSUS role; for those who do not remember what that is, it is a local update center for enterprises that saves traffic, and this is where Windows updates are not installed because the Microsoft servers are unreachable.

What to do if Windows updates are not installed

  • First of all, check that you have Internet access, since it is mandatory for most people, unless of course you have an Active Directory domain and download updates from your own WSUS.
  • Next, if the Internet is available, look at the error code, since that is what you need to search for to find a solution to the problem (from recent problems I can give the examples of how Error 0x80070422 or Error c1900101 is solved), but this list could also go on for a very long time.
  • Check on your proxy server whether these Microsoft update server addresses are blocked.

The list of Microsoft update servers itself

  1. http://windowsupdate.microsoft.com
  2. http://*.windowsupdate.microsoft.com
  3. https://*.windowsupdate.microsoft.com
  4. http://crl.microsoft.com/pki/crl/products/MicProSecSerCA_2007-12-04.crl
  5. http://*.update.microsoft.com
  6. https://*.update.microsoft.com
  7. http://*.windowsupdate.com
  8. https://activation.sls.microsoft.com/
  9. http://download.windowsupdate.com
  10. http://download.microsoft.com
  11. http://*.download.windowsupdate.com
  12. http://wustat.windows.com
  13. http://ntservicepack.microsoft.com
  14. https://go.microsoft.com/
  15. http://go.microsoft.com/
  16. https://login.live.com
  17. https://validation.sls.microsoft.com/
  18. https://activation-v2.sls.microsoft.com/
  19. https://validation-v2.sls.microsoft.com/
  20. https://displaycatalog.mp.microsoft.com/
  21. https://licensing.mp.microsoft.com/
  22. https://purchase.mp.microsoft.com/
  23. https://displaycatalog.md.mp.microsoft.com/
  24. https://licensing.md.mp.microsoft.com/
  25. https://purchase.md.mp.microsoft.com/
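To script the checks from the section above (Internet reachability and proxy blocking) against this list, here is an added PowerShell example that is not part of the original post: it derives the host names from the URLs, skips the wildcard entries, and reports DNS and TCP reachability for each next to the WinHTTP proxy that the update service uses.

```powershell
# Added example (not from the original article): derive host names from the
# Windows Update URL list above and test whether each is reachable from this
# machine, to narrow down the "update not found" error the article describes.
# Wildcard entries such as http://*.windowsupdate.microsoft.com cannot be
# resolved, so they are skipped; the concrete hosts on the list cover them.

$updateUrls = @(
    'http://windowsupdate.microsoft.com',
    'http://*.windowsupdate.microsoft.com',
    'http://crl.microsoft.com/pki/crl/products/MicProSecSerCA_2007-12-04.crl',
    'http://*.update.microsoft.com',
    'https://activation.sls.microsoft.com/',
    'http://download.windowsupdate.com',
    'http://download.microsoft.com',
    'http://wustat.windows.com',
    'http://ntservicepack.microsoft.com',
    'https://go.microsoft.com/',
    'https://login.live.com',
    'https://displaycatalog.mp.microsoft.com/',
    'https://licensing.mp.microsoft.com/'
)

function Get-UpdateHostTargets {
    param([string[]]$Urls)
    foreach ($u in $Urls) {
        if ($u -match '\*') { continue }   # wildcard host, see note above
        $uri = [System.Uri]$u
        [pscustomobject]@{
            Host = $uri.Host
            Port = $uri.Port               # 80 for http, 443 for https
        }
    }
}

function Test-UpdateEndpoints {
    param([string[]]$Urls)
    $targets = Get-UpdateHostTargets -Urls $Urls | Sort-Object Host, Port -Unique
    foreach ($t in $targets) {
        $dns = $null
        try { $dns = [System.Net.Dns]::GetHostAddresses($t.Host) } catch { }
        $tcp = $false
        if ($dns) {
            # Plain TCP handshake: "DNS ok, TCP failed" on a proxy-only network
            # points at the proxy or firewall rules rather than at Windows Update.
            $tcp = (Test-NetConnection -ComputerName $t.Host -Port $t.Port `
                        -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        [pscustomobject]@{
            Host        = $t.Host
            Port        = $t.Port
            DnsResolved = [bool]$dns
            TcpOpen     = $tcp
        }
    }
}

# The update service uses the WinHTTP proxy, not the per-user browser proxy,
# so show it next to the results.
netsh winhttp show proxy
Test-UpdateEndpoints -Urls $updateUrls | Format-Table -AutoSize
```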

With the development of the internet, constantly updating the operating system has become commonplace. Now developers can fix and modify the system throughout the entire period of its support. But frequent updates to Windows 10 are not always convenient. That is why it would be nice to be able to turn them off.

Reasons for disabling automatic updates

The reasons can be very different, and only you can decide whether you need to disable updates. Bear in mind that along with improvements to certain features, important fixes for system vulnerabilities are delivered. Nevertheless, situations in which automatic updates should be disabled occur quite often:

  • paid Internet: sometimes an update is quite large, and downloading it can be expensive if you pay for traffic. In this case it is better to postpone the download and fetch it later under different conditions;
  • lack of time: after downloading, the update starts installing when the computer shuts down. This can be inconvenient if you need to finish work quickly, for example on a laptop. Even worse, sooner or later Windows 10 will require you to restart the computer, and if you do not, the restart will eventually be forced. All of this distracts from and interferes with work;
  • security: although the updates themselves often contain important changes to the system, no one can foresee everything. As a result, some updates can open your system to malware attacks, while others simply disrupt its operation immediately after installation. A reasonable approach is to update some time after the release of the next version, having first studied the reviews.

Disable automatic updates for Windows 10

There are many ways to turn off Windows 10 updates. Some of them are quite simple for the user, others are more difficult, and still others require installing third-party programs.

Disabling via Update Center

Disabling updates through Update Center is not the best way, although Microsoft's developers offer it as the official solution. You can indeed turn off the automatic download of updates through its settings. The problem is that this solution is temporary in one way or another: a major Windows 10 update release will change this setting and bring system updates back. We will study the process anyway:

After these changes, minor updates will no longer be installed. But this solution will not help you permanently get rid of downloading updates.

When addressing the security of a computing system, one has to take into account a whole range of problems, one of which is the timely updating of operating systems and software.

Introduction

To keep the operating systems and software of a company's information system up to date, they should be updated regularly. This can be done from the Microsoft Update site by each client computer individually, or by using one or more Windows Server Update Services (WSUS) servers. In a corporate network, the recommended option is a WSUS server: it significantly reduces Internet traffic and provides centralized management of the deployment of system and software patches obtained from Microsoft.

I would like to additionally note that on March 23, 2011, Microsoft announced the release of a new product, Windows Intune, one of whose functions will be to perform the tasks for which WSUS was previously responsible.

To be able to update client computers, you must:

1. Design the solution;

2. Deploy the WSUS server or servers;

3. Ensure regular synchronization of the WSUS server with the Microsoft Update resource;

4. Configure the parameters of the WSUS server or servers;

5. Create target groups and place client computers into target groups on the WSUS server;

6. Configure clients to use the WSUS servers;

7. Ensure the security of the WSUS server or servers.

In this article, we will not cover the design and deployment stages or synchronization; we will focus on configuring clients and securing the WSUS server.

Configuring update server clients without using group policies

There are three ways to configure clients to use a WSUS server:

  1. Using Group Policy;
  2. Using local computer policy;
  3. Directly modifying the registry of client stations.

The best way is to use GPOs (see fig. 1) linked to the desired AD container (for Windows 2003) or AD DS container (for Windows 2008), but this option is only available if your organization has Active Directory deployed. The Group Policy capabilities for configuring interaction with the update server and for managing client update procedures fully meet the administrator's needs, as fig. 1 shows: the list of available settings is quite wide.

Fig. 1. Settings for the WSUS client.

If a directory service is not deployed in your organization, you can configure the client to interact with WSUS either through local policy or by changing the system registry of the workstation or server whose up-to-date state we want to ensure. In essence, a policy is nothing more than an interface to the registry.

Circumstances in which workstations and servers are not AD clients can arise in a variety of situations, for example:

· A third-party directory service is used, but solutions based on Microsoft operating systems serve as application servers, file servers and client workstations;

· A "guest" zone needs to be built to provide "external" users with access to the Internet;

· Insufficient "maturity" of the company, because of which a centralized directory service is not deployed, or no need for such a service.

1. It is necessary to specify the intranet update service and statistics server, and also to distribute clients into groups.

In the registry key shown below, you will need to specify the address or name of the update server to which the client will connect, and the port number chosen for working with the WSUS server (the default is port 80):

"WUStatusServer"="http://192.168.1.100"

Since client computers must be placed in target groups, we must indicate which target group the computer belongs to:

"TargetGroupEnabled"=dword:00000001

In our example, the target group is called "WSUS-Test-WKS". For clients with a different target group name, this field is given a different value. The TargetGroupEnabled parameter here enables client-side grouping control.

To do this, import the following .reg file on the client. Its values go into two keys: the WindowsUpdate policy key and its AU (Automatic Updates) subkey:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"TargetGroup"="WSUS-Test-WKS"
"TargetGroupEnabled"=dword:00000001
"WUServer"="http://192.168.1.100"
"WUStatusServer"="http://192.168.1.100"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000009
"UseWUServer"=dword:00000001
"RescheduleWaitTime"=dword:00000001
"NoAutoRebootWithLoggedOnUsers"=dword:00000000

By delivering this file to the clients and importing it there, we can configure the WSUS clients without resorting to Group Policy. For a description of all registry values that can be used to work with the update server and their possible settings, see the Windows Server Update Services 3.0 SP2 Deployment Guide.

To ensure the security of the update server itself, it makes sense to follow a number of simple recommendations:

1. If secure information exchange is required between clients and servers and/or between WSUS servers, consider using SSL; see the "Securing WSUS with the Secure Sockets Layer" section in the Windows Server Update Services Deployment Guide. If there is no network connection between servers, data is transferred on external media. An alternative protection, if SSL is not possible, is IPsec; see "Overview of IPsec Deployment" at http://go.microsoft.com/fwlink/?LinkId=45154.

2. The WSUS server that synchronizes with Microsoft Update should be placed behind a firewall and made available only to the hosts that really need it. See "Configure the Firewall" in the Windows Server Update Services Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=79983).

3. As for file access, do not grant excessive permissions to resources; see the "Before You Begin" section in the Windows Server Update Services Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=79983) for a description of the access rights requirements.

4. If the update server has Internet access (in some cases it may not, for example when it synchronizes with another WSUS server that does), it is recommended to place its database on another computer that cannot be reached from outside. See "Appendix B: Configure Remote SQL" in the Windows Server Update Services Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=79983).

5. To manage the WSUS server, it is wise to use the built-in WSUS Administrators group that is created during deployment.

Leonid Shapiro.

Bibliography.

Anita Taylor. Windows Server Update Services 3.0 SP2 Deployment Guide.

Anita Taylor. Windows Server Update Services 3.0 SP2 Operations Guide.

[i] DMZ - demilitarized zone.

Not all settings are covered here, only the basic ones for the WSUS client.

You can specify the path to the required servers either by address, as was done in the example above, or by server name, provided that the server name can be resolved to its IP address.

This is an arbitrary name for the test group.

In a previous article, we described the procedure in detail. After you have configured the server, you need to configure Windows clients (servers and workstations) to use the WSUS server to receive updates so that clients receive updates from the internal update server and not from Microsoft Update servers over the Internet. In this article, we'll walk through the procedure for configuring clients to use a WSUS server using Active Directory Domain Group Policy.

AD Group Policy allows an administrator to assign computers to different WSUS groups automatically, eliminating the need to move computers between groups manually in the WSUS console and keeping those groups up to date. The assignment of clients to WSUS target groups is based on a label in the client's registry (labels are set by Group Policy or by editing the registry directly). This type of assignment of clients to WSUS groups is called client-side targeting.

It is assumed that our network will use two different update policies: a separate update installation policy for servers (Servers) and for workstations (Workstations). These two groups need to be created in the WSUS console in the All Computers section.

Advice. The policy for clients' use of the WSUS update server depends largely on the OU structure in Active Directory and on the organization's update installation rules. In this article, we consider only one particular option that allows you to understand the basic principles of using AD policies to install Windows updates.

First of all, you need to specify the rule for grouping computers in the WSUS console (targeting). By default, the administrator assigns computers to groups manually in the WSUS console (server-side targeting). This does not suit us, so we will indicate that computers are distributed into groups based on client-side targeting (according to a specific key in the client's registry). To do this, in the WSUS console go to the Options section and open the Computers item. Change the value to Use Group Policy or registry settings on computers.

Now you can create a GPO for configuring WSUS clients. Open the domain-based Group Policy Management console and create two new group policies: ServerWSUSPolicy and WorkstationWSUSPolicy.

WSUS Group Policy for Windows Servers

Let's start with a description of the server policy ServerWSUSPolicy.

The Group Policy settings responsible for the operation of the Windows update service are located in the GPO section Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update.

In our organization, we intend to use this policy to install WSUS updates on Windows servers. All computers falling under this policy are to be assigned to the Servers group in the WSUS console. In addition, we want to prohibit the automatic installation of updates on servers as soon as they are received. The WSUS client should simply download the available updates to disk, display a notification about new updates in the system tray, and wait for the administrator to start the installation (manually or remotely). This means that production servers will not install updates and reboot automatically without administrator confirmation (usually this work is performed by the system administrator as part of monthly scheduled maintenance). To implement such a scheme, we set the following policies:

  • Configure Automatic Updates: Enabled. 3 - Auto download and notify for install (Automatically download updates and notify when they are ready to install): the client automatically downloads new updates and notifies about their arrival;
  • Specify intranet Microsoft update service location: Enabled. Set the intranet update service for detecting updates: http://srv-wsus.site:8530, Set the intranet statistics server: http://srv-wsus.site:8530. Here you specify the address of your WSUS server and the statistics server (they usually coincide);
  • No auto-restart with logged on users for scheduled automatic updates installations: Enabled. Disables automatic reboot if there is a user session;
  • Enable client-side targeting: Enabled. Target group name for this computer: Servers. In the WSUS console, clients are assigned to the Servers group.

Note. When configuring the update policy, we advise you to read carefully all the settings available in each of the options in the Windows Update GPO section and set the parameters appropriate for your infrastructure and organization.

WSUS Update Installation Policy for Workstations

We assume that updates to client workstations, in contrast to the server policy, will be installed automatically at night immediately after the updates are received. After installing updates, computers should restart automatically (warning the user 5 minutes in advance).

In this GPO (WorkstationWSUSPolicy) we specify:

  • Allow Automatic Updates immediate installation: Disabled. Prohibits the immediate installation of updates when they are received;
  • Allow non-administrators to receive update notifications: Enabled. Shows a warning about new updates to non-administrators and allows them to install the updates manually;
  • Configure Automatic Updates: Enabled. Configure automatic updating: 4 - Auto download and schedule the install. Scheduled install day: 0 - Every day. Scheduled install time: 05:00. On receipt of new updates, the client downloads them to the local cache and schedules their automatic installation at 5:00 am;
  • Target group name for this computer: Workstations. In the WSUS console, the client is assigned to the Workstations group;
  • No auto-restart with logged on users for scheduled automatic updates installations: Disabled. The system will reboot automatically 5 minutes after the installation of updates is completed;
  • Specify intranet Microsoft update service location: Enabled. Set the intranet update service for detecting updates: http://srv-wsus.site:8530, Set the intranet statistics server: http://srv-wsus.site:8530. The address of the corporate WSUS server.

On Windows 10 1607 and later, even though you have instructed clients to get updates from the internal WSUS, they may still try to reach the Windows Update servers on the Internet. This "feature" is called Dual Scan. To stop updates being received from the Internet, you must additionally enable the policy Do not allow update deferral policies to cause scans against Windows Update.
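The two policies above can also be created without the GPO editor. The following PowerShell is an added example, not from the original article; it uses the RSAT GroupPolicy module and the srv-wsus.site:8530 address from the article, and assumes the OU distinguished names and the DisableDualScan value name (which backs the Dual Scan policy in the Windows Update ADMX).

```powershell
# Added example (not from the original article): create ServerWSUSPolicy and
# WorkstationWSUSPolicy with the GroupPolicy module and write the registry-backed
# settings directly. Assumptions: WSUS at http://srv-wsus.site:8530 (from the
# article); OU distinguished names are placeholders for your domain.
Import-Module GroupPolicy

$WsusUrl = 'http://srv-wsus.site:8530'
$WuKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey   = "$WuKey\AU"

function New-WsusClientGpo {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$TargetGroup,
        # 3 = auto download and notify for install (servers)
        # 4 = auto download and schedule the install (workstations)
        [Parameter(Mandatory)][ValidateSet(3, 4)][int]$AUOptions,
        [int]$ScheduledInstallTime = 3,          # hour of day, 0-23
        [bool]$NoAutoRebootWithLoggedOnUsers = $true
    )
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }

    # "Specify intranet Microsoft update service location" and client-side targeting
    Set-GPRegistryValue -Name $Name -Key $WuKey -ValueName 'WUServer'           -Type String -Value $WsusUrl     | Out-Null
    Set-GPRegistryValue -Name $Name -Key $WuKey -ValueName 'WUStatusServer'     -Type String -Value $WsusUrl     | Out-Null
    Set-GPRegistryValue -Name $Name -Key $WuKey -ValueName 'TargetGroupEnabled' -Type DWord  -Value 1            | Out-Null
    Set-GPRegistryValue -Name $Name -Key $WuKey -ValueName 'TargetGroup'        -Type String -Value $TargetGroup | Out-Null
    # "Do not allow update deferral policies to cause scans against Windows Update"
    # (Dual Scan); value name assumed from the ADMX, it is not quoted in the article.
    Set-GPRegistryValue -Name $Name -Key $WuKey -ValueName 'DisableDualScan'    -Type DWord  -Value 1            | Out-Null

    # "Configure Automatic Updates" and reboot behaviour live under the AU subkey
    Set-GPRegistryValue -Name $Name -Key $AuKey -ValueName 'NoAutoUpdate'         -Type DWord -Value 0                     | Out-Null
    Set-GPRegistryValue -Name $Name -Key $AuKey -ValueName 'UseWUServer'          -Type DWord -Value 1                     | Out-Null
    Set-GPRegistryValue -Name $Name -Key $AuKey -ValueName 'AUOptions'            -Type DWord -Value $AUOptions            | Out-Null
    Set-GPRegistryValue -Name $Name -Key $AuKey -ValueName 'ScheduledInstallDay'  -Type DWord -Value 0                     | Out-Null  # 0 = every day
    Set-GPRegistryValue -Name $Name -Key $AuKey -ValueName 'ScheduledInstallTime' -Type DWord -Value $ScheduledInstallTime | Out-Null
    Set-GPRegistryValue -Name $Name -Key $AuKey -ValueName 'NoAutoRebootWithLoggedOnUsers' `
                        -Type DWord -Value ([int]$NoAutoRebootWithLoggedOnUsers) | Out-Null
    $gpo
}

# Servers: download and notify only, never reboot while a user is logged on.
New-WsusClientGpo -Name 'ServerWSUSPolicy' -TargetGroup 'Servers' -AUOptions 3 `
                  -NoAutoRebootWithLoggedOnUsers $true
# Workstations: install every day at 05:00 and reboot afterwards.
New-WsusClientGpo -Name 'WorkstationWSUSPolicy' -TargetGroup 'Workstations' -AUOptions 4 `
                  -ScheduledInstallTime 5 -NoAutoRebootWithLoggedOnUsers $false

# Link each policy to its OU (placeholder DNs; adjust for your domain).
New-GPLink -Name 'ServerWSUSPolicy'      -Target 'OU=Servers,DC=example,DC=local' -LinkEnabled Yes
New-GPLink -Name 'WorkstationWSUSPolicy' -Target 'OU=WKS,DC=example,DC=local'     -LinkEnabled Yes
```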

Advice. To improve the "patch rate" of computers in the organization, both policies can be configured to force the update service (wuauserv) to start on clients. To do this, in the section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> System Services, find the Windows Update service and set its startup type to Automatic.

Assigning WSUS policies to the Active Directory OU

The next step is to assign the created policies to the appropriate containers (OUs) in Active Directory. In our example, the structure of the OU in the AD domain is as simple as possible: there are two containers - Servers (it contains all the servers in the organization, except for the domain controllers) and WKS (Workstations - user computers).

Advice. We are looking at just one fairly simple option for binding WSUS policies to clients. In real organizations you can bind one WSUS policy to all computers in the domain (a GPO with WSUS settings linked at the domain root), spread different kinds of clients across different OUs (as in our example, where we created different WSUS policies for servers and workstations), bind or assign GPOs in other ways in large distributed domains, or combine the above methods.

To assign a policy to an OU, right-click the required OU in the Group Policy Management Console, select the menu item Link an Existing GPO, and select the appropriate policy.

Advice. Do not forget about the separate Domain Controllers OU; in most cases you should bind the "server" WSUS policy to this container.

In the same way, you must assign the WorkstationWSUSPolicy policy to the AD WKS container that contains the Windows workstations.

It remains to update the group policies on the clients so that they bind to the WSUS server.

All the Windows Update settings that we set with group policies should appear in the client's registry under the branch HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.

This .reg file can be used to transfer the WSUS settings to other computers on which update settings cannot be configured using a GPO (computers in a workgroup, isolated segments, DMZ, etc.). The first key holds the server and targeting settings, its AU subkey the Automatic Updates settings:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://srv-wsus.site:8530"
"WUStatusServer"="http://srv-wsus.site:8530"
"UpdateServiceUrlAlternate"=""
"TargetGroupEnabled"=dword:00000001
"TargetGroup"="Servers"
"ElevateNonAdmins"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000003
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"ScheduledInstallEveryWeek"=dword:00000001
"UseWUServer"=dword:00000001
"NoAutoRebootWithLoggedOnUsers"=dword:00000001

It is also convenient to control the applied WSUS settings on clients using rsop.msc.
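To check these settings on many clients without opening rsop.msc on each, here is an added PowerShell audit (not from the original article) that reads the WindowsUpdate and AU policy keys, compares them with the server .reg file above, and warns about a plain-HTTP WUServer (the article recommends SSL) and a missing DisableDualScan; the DisableDualScan value name is an assumption from the ADMX, not quoted in the article.

```powershell
# Added example (not from the original article): audit a client's effective WSUS
# settings in the policy registry branch and report drift from a baseline taken
# from the server .reg file above.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = Join-Path $WuKey 'AU'

# Expected baseline (values from the ServerWSUSPolicy .reg file).
$Expected = @{
    "$WuKey|WUServer"                      = 'http://srv-wsus.site:8530'
    "$WuKey|WUStatusServer"                = 'http://srv-wsus.site:8530'
    "$WuKey|TargetGroupEnabled"            = 1
    "$WuKey|TargetGroup"                   = 'Servers'
    "$AuKey|NoAutoUpdate"                  = 0
    "$AuKey|AUOptions"                     = 3
    "$AuKey|UseWUServer"                   = 1
    "$AuKey|NoAutoRebootWithLoggedOnUsers" = 1
}

function Get-RegValueOrNull {
    param([string]$Key, [string]$Name)
    # Missing key or missing value both come back as $null.
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-WsusClientConfig {
    param([hashtable]$Baseline)
    $findings = foreach ($entry in $Baseline.GetEnumerator()) {
        $key, $name = $entry.Key -split '\|', 2
        $actual = Get-RegValueOrNull -Key $key -Name $name
        [pscustomobject]@{
            Key      = $key.Replace('HKLM:\SOFTWARE\Policies\Microsoft\Windows\', '')
            Value    = $name
            Expected = $entry.Value
            Actual   = $actual
            Ok       = ($null -ne $actual) -and ("$actual" -eq "$($entry.Value)")
        }
    }

    # Checks beyond plain equality that a practitioner wants to see:
    $wuServer = Get-RegValueOrNull -Key $WuKey -Name 'WUServer'
    if ($wuServer -and $wuServer -notmatch '^https://') {
        Write-Warning "WUServer '$wuServer' uses plain HTTP; the article recommends SSL (or IPsec) between clients and WSUS."
    }
    # DisableDualScan = 1 backs "Do not allow update deferral policies to cause scans
    # against Windows Update" (value name assumed from the ADMX, not in the article).
    if ((Get-RegValueOrNull -Key $WuKey -Name 'DisableDualScan') -ne 1) {
        Write-Warning 'DisableDualScan is not set; Windows 10 1607+ clients may still scan Windows Update on the Internet.'
    }
    $findings
}

$result = Test-WsusClientConfig -Baseline $Expected
$result | Format-Table Key, Value, Expected, Actual, Ok -AutoSize
if ($result | Where-Object { -not $_.Ok }) { Write-Warning 'WSUS client configuration drifts from the baseline.' }
```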

After a while (depending on the number of updates and the bandwidth of the channel to the WSUS server), pop-up notifications about new updates should appear in the system tray. Clients should appear in the WSUS console in the corresponding groups (with the client name, IP, OS, percentage "patched" and the date of the latest status report). Because we have linked workstations and servers to different WSUS groups by policy, they will receive only the updates approved for installation on the corresponding WSUS groups.

Note. If updates do not appear on the client, it is recommended to study carefully the Windows update service log on the problem client (C:\Windows\WindowsUpdate.log). Please note that Windows 10 (Windows Server 2016) uses a different logging mechanism. The client downloads updates to the local folder C:\Windows\SoftwareDistribution\Download. To start searching for new updates on the WSUS server, run the command:

wuauclt /detectnow

Also, sometimes you have to re-register the client on the WSUS server forcibly:

wuauclt /detectnow /resetAuthorization

In especially difficult cases, you can try repairing the wuauserv service. You can also change how often clients check the WSUS server for updates using the Automatic Update detection frequency policy.

In the next article, we will describe the features. We also recommend that you read the article between groups on the WSUS server.
