During my task sequence I disable 'Specify intranet Microsoft Update service location' in local group policy because I want to get updates from MS. Once the OS deployment is done, I see that it is disabled, which is what I want. However, a couple of hours later the setting is changed to 'Enabled' and it has our WSUS information in it. I thought it was pushed through GP but I cannot find it. I am in a domain environment; the workstation is domain joined during the TS.
Do you have any idea why the setting is getting updated to 'Enabled'? If it is coming from GP, where do I look? If not, how is it updated automatically? This is making me nuts.
Specifies an intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update Agent to download updates from an alternate download server instead of the intranet update service.
If the status is set to Enabled, the Automatic Updates client connects to the specified intranet Microsoft update service [or alternate download server], instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don't have to go through a firewall to get updates, and it gives you the opportunity to test updates before deploying them.
If the status is set to Disabled or Not Configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
The alternate download server configures the Windows Update Agent to download files from an alternative download server instead of the intranet update service.
The option to download files with missing URLs allows content to be downloaded from the Alternate Download Server when there are no download URLs for files in the update metadata. This option should only be used when the intranet update service does not provide download URLs in the update metadata for files which are present on the alternate download server.
Note: If the "Configure Automatic Updates" policy is disabled, then this policy has no effect.
Note: If the "Alternate Download Server" is not set, it will use the intranet update service by default to download updates.
Note: The option to "Download files with no Url..." is only used if the "Alternate Download Server" is set.
Note: This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
To ensure the highest level of security, Microsoft recommends securing WSUS with TLS/SSL, that is, using HTTPS-based intranet servers to keep systems secure. If a proxy is required, we recommend configuring the system proxy. To ensure the highest level of security, additionally leverage WSUS TLS certificate pinning on all devices.
In order to keep clients inherently secure, we are no longer allowing intranet servers to leverage user proxy by default for detecting updates. If you need to leverage user proxy for detecting updates while using an intranet server despite the vulnerabilities it presents, you must configure the proxy behavior to "Allow user proxy to be used as a fallback if detection using system proxy fails".
Detection for updates against intranet servers will fail when user proxy is needed as a fallback and the alternate proxy behavior is not configured.
Supported on: At least Windows XP Professional Service Pack 1 or Windows 2000 Service Pack 3, excluding Windows RT
Enable policy:
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | Software\Policies\Microsoft\Windows\WindowsUpdate\AU |
Value Name | UseWUServer |
Value Type | REG_DWORD |
Value | 1 |
Disable Policy:
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | Software\Policies\Microsoft\Windows\WindowsUpdate\AU |
Value Name | UseWUServer |
Value Type | REG_DWORD |
Value | 0 |
Set the intranet update service for detecting updates:
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | Software\Policies\Microsoft\Windows\WindowsUpdate |
Value Name | WUServer |
Value Type | REG_SZ |
Default Value |
Set the intranet statistics server:
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | Software\Policies\Microsoft\Windows\WindowsUpdate |
Value Name | WUStatusServer |
Value Type | REG_SZ |
Default Value |
Set the alternate download server:
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | Software\Policies\Microsoft\Windows\WindowsUpdate |
Value Name | UpdateServiceUrlAlternate |
Value Type | REG_SZ |
Default Value |
[example: //IntranetUpd01]
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | Software\Policies\Microsoft\Windows\WindowsUpdate\AU |
Value Name | UseWUServer |
Value Type | REG_DWORD |
Default Value | 0 |
True Value | 1 |
False Value | 0 |
Select the proxy behavior for Windows Update client for detecting updates:
- Only use system proxy for detecting updates [default]
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | Software\Policies\Microsoft\Windows\WindowsUpdate |
Value Name | SetProxyBehaviorForUpdateDetection |
Value Type | REG_DWORD |
Value | 0 |
- Allow user proxy to be used as a fallback if detection using system proxy fails
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | Software\Policies\Microsoft\Windows\WindowsUpdate |
Value Name | SetProxyBehaviorForUpdateDetection |
Value Type | REG_DWORD |
Value | 1 |
windowsupdate.admx
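Every value documented above lives under HKLM\Software\Policies, the hive that Group Policy processing rewrites on each refresh, so whatever reapplies that hive (a domain GPO, Local Group Policy or a management agent) decides the state the question describes. As an added example that is not part of the original post, this PowerShell reads those values, reports the effective update source and flags a WSUS location that is not HTTPS per the TLS guidance above (the variable names and the report path are my own):

```powershell
# Added example, not from the original post. Run from an elevated prompt on the
# workstation whose setting keeps flipping back to 'Enabled'.
$wu = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null when the key or value is absent, which Group Policy shows as 'Not Configured'
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$useWU  = Get-PolicyValue $au 'UseWUServer'
$server = Get-PolicyValue $wu 'WUServer'
$stats  = Get-PolicyValue $wu 'WUStatusServer'
$altDl  = Get-PolicyValue $wu 'UpdateServiceUrlAlternate'
$proxy  = Get-PolicyValue $wu 'SetProxyBehaviorForUpdateDetection'

# UseWUServer maps directly to the policy state in the tables above: 1 = Enabled, 0 = Disabled.
$state = switch ($useWU) { 1 { 'Enabled' } 0 { 'Disabled' } default { 'Not Configured' } }

# Per the policy text, the client only talks to WUServer when the policy is Enabled;
# otherwise it goes straight to Windows Update on the Internet.
$source = if ($state -eq 'Enabled' -and $server) { "intranet update service: $server" }
          else { 'Windows Update (Internet)' }
$proxyText = if ($proxy -eq 1) { 'user proxy allowed as fallback' } else { 'system proxy only (default)' }

[pscustomobject]@{
    PolicyState               = $state
    WUServer                  = $server
    WUStatusServer            = $stats
    UpdateServiceUrlAlternate = $altDl
    ProxyBehavior             = $proxyText
    EffectiveUpdateSource     = $source
} | Format-List

# Microsoft's guidance above is WSUS over TLS; warn when the configured location is plain HTTP.
if ($state -eq 'Enabled' -and $server -and $server -notmatch '^https://') {
    Write-Warning "WSUS location '$server' is not HTTPS; the policy text recommends TLS for intranet update servers."
}

# To find which domain GPO (if any) delivers these values, build a Resultant Set of Policy
# report and search it for 'Specify intranet Microsoft Update service location'.
$report = Join-Path $env:TEMP 'rsop.html'   # assumed path, change as needed
gpresult /h $report /f
Write-Host "RSoP report written to $report"
# If no GPO lists the setting there, the values come from Local Group Policy or from
# software that writes the Policies hive directly.
```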