
To configure Automatic Updates in Windows, open the Local Group Policy Editor with gpedit.msc, navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update, and enable the Configure Automatic Updates policy. This single panel lets a system administrator control when patches download, when they install, and whether updates are pulled from Microsoft directly or from an internal WSUS server.
Patch management is one of the highest-value tasks in system administration: unpatched machines are the number-one entry point for ransomware and worms. Centralizing update behavior through Group Policy turns a manual, easily-forgotten chore into a consistent, auditable policy that applies to every machine in the organizational unit (OU) at once.
The Problem: Inconsistent Patching Across Machines
Left on their defaults, individual computers download and install updates on their own schedules. That creates real headaches:
- Unexpected reboots interrupt users in the middle of work, especially when an installation reschedules itself.
- Bandwidth spikes occur when dozens of machines pull the same large cumulative update from Microsoft simultaneously.
- Compliance gaps appear when some machines lag weeks behind on security fixes with no central visibility.
- No change control means a faulty Patch Tuesday update can hit every machine before you have tested it.
The fix is to define Automatic Updates behavior centrally so every targeted machine downloads, schedules, and installs patches the same predictable way — and, in a managed environment, pulls those patches from your own approval server rather than directly from the internet.
The Solution: Configure Automatic Updates with Group Policy
There are two scopes for the same set of settings:
- Local Group Policy Editor (gpedit.msc) — configures a single machine. Useful for a standalone server, a test box, or a workgroup PC. Note that gpedit.msc ships only with Pro, Enterprise, and Education editions; Windows Home does not include it.
- Domain Group Policy (gpmc.msc, the Group Policy Management Console) — configures every machine in an OU from a domain controller. This is the real-world choice for fleets, because you edit one Group Policy Object (GPO) and link it to the OUs you want.
The policy paths and option names are identical in both editors. Everything below lives under Computer Configuration > Administrative Templates > Windows Components > Windows Update.
Step-by-Step: Enable Configure Automatic Updates
- Press Win + R, type gpedit.msc, and press Enter. (On a domain controller, run gpmc.msc instead, then create or edit a GPO and click Edit.)
- Expand Computer Configuration > Administrative Templates > Windows Components > Windows Update. On Windows 10/11 and Server 2019+, the per-policy settings sit in the child folder Manage end user experience.
- Double-click Configure Automatic Updates and set it to Enabled.
- Choose a value under Configure automatic updating. The most common production choice is 4 - Auto download and schedule the install, then set the install day and time (for example, every Sunday at 03:00).
- Click OK.
The four behavior options mean:
| Value | Behavior |
| --- | --- |
| 2 - Notify before download | User is told an update is available and must approve both download and install. |
| 3 - Auto download and notify for install | Updates download automatically; the user chooses when to install. |
| 4 - Auto download and schedule the install | Updates download and install on a defined day/time. Best for managed fleets. |
| 5 - Allow local admin to choose setting | Local administrators pick the option in the Windows Update UI. (Deprecated on Windows 10+.) |
Step-by-Step: Point Machines at an Internal WSUS Server
If you run Windows Server Update Services (WSUS), redirect clients so they pull approved updates from your server instead of Microsoft Update directly. This is the Specify intranet Microsoft update service location policy referenced in older runbooks.
- In the same Windows Update node, double-click Specify intranet Microsoft update service location and set it to Enabled.
- Set "Set the intranet update service for detecting updates" to your WSUS URL, including the port — for example http://wsus.contoso.com:8530 (or https://wsus.contoso.com:8531 if SSL is configured).
- Set "Set the intranet statistics server" to the same URL so reporting flows back to WSUS.
- Click OK.
Be careful with the port: WSUS defaults to 8530 (HTTP) and 8531 (HTTPS) on modern installations. A wrong or missing port is the most common reason clients silently fail to report in.
Step-by-Step: Control Reboots and Missed Schedules
Two more settings smooth out the user experience and catch machines that were powered off during the scheduled window:
- Double-click Reschedule Automatic Updates scheduled installations, set it to Enabled, and choose the wait time in minutes after startup (for example, 5 minutes). If a machine misses its install window because it was off, it will catch up shortly after the next boot rather than waiting a full cycle.
- Double-click Automatic Updates detection frequency, set it to Enabled, and specify the interval in hours (the default is 22 hours). This controls how often the client checks the update source for new approvals. The client also applies a random offset of up to 20% so thousands of machines do not all check in at the same instant.
- On Windows 10/11, also review No auto-restart with logged on users for scheduled automatic updates installations to prevent forced reboots while someone is signed in.
Note that the detection frequency value is measured in hours; it is not an on/off-only toggle. Enabling the policy without setting a sensible interval just applies the policy default, so set the number deliberately.
Apply and Force a Policy Refresh
Group Policy refreshes on its own roughly every 90 minutes (plus a random offset), but you should not wait. From an elevated command prompt:
- Force a Group Policy update: gpupdate /force
- Trigger an immediate update scan: usoclient StartScan (Windows 10/11) or the legacy wuauclt /detectnow on older systems.
- On a WSUS client, reset the client ID if a machine refuses to appear in the WSUS console: stop the service, clear the SusClientId, then re-register — net stop wuauserv, delete the relevant registry value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate, net start wuauserv, then wuauclt /resetauthorization /detectnow.
Common Pitfalls When You Configure Automatic Updates
- Editing the wrong scope. Changing local policy on a domain-joined machine is futile — the domain GPO wins on the next refresh. Make changes in the domain GPO via gpmc.msc.
- Mismatched WSUS URL or port. The intranet service URL must be exact, reachable, and use the correct port (8530/8531). Test from the client with a browser or Test-NetConnection wsus.contoso.com -Port 8530 in PowerShell.
- Conflicting Windows Update for Business settings. On Windows 10/11, mixing legacy WSUS policies with newer deferral and feature-update policies can produce a "dual scan" state where the client unexpectedly reaches out to Microsoft Update. Set Do not allow update deferral policies to cause scans against Windows Update when you want clients locked to WSUS only.
- Home edition. gpedit.msc is absent on Windows Home; configure the equivalent values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate in the registry, or manage the device with Intune/MDM instead.
- Forgetting maintenance-window reboots. Value 4 will reboot machines on schedule. Pair it with reboot-deferral and active-hours settings so you do not knock production servers offline mid-day.
Verification: Confirm the Policy Actually Applied
Never assume a GPO took effect. Verify it:
- Run gpresult /h C:\gpreport.html and open the report. Under Computer Settings, confirm Configure Automatic Updates and Specify intranet Microsoft update service location show your values and the correct winning GPO.
- Check the registry on the client: the applied values land under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and its \AU subkey (look for UseWUServer=1, WUServer, and NoAutoUpdate).
- Open Settings > Windows Update. A managed client shows "Some settings are managed by your organization."
- In the WSUS console, confirm the machine appears under Computers with a recent Last Status Report time after the next detection cycle.
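
The registry check above can be scripted so it runs the same way on every client. The following read-only PowerShell audit is an added example, not part of the original guide. It assumes the baseline this guide recommends (option 4 with clients pointed at WSUS on port 8530/8531) and reads the standard policy value names WUStatusServer, AUOptions, ScheduledInstallDay, and ScheduledInstallTime in addition to the three named above.

```powershell
# Added example: audit the Windows Update policy values that Group Policy writes on a client.
# Read-only. The "expected" baseline (AUOptions 4, WSUS on 8530/8531) is an assumption.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$report = [ordered]@{
    WUServer             = Get-PolicyValue $wuKey 'WUServer'
    WUStatusServer       = Get-PolicyValue $wuKey 'WUStatusServer'
    UseWUServer          = Get-PolicyValue $auKey 'UseWUServer'
    NoAutoUpdate         = Get-PolicyValue $auKey 'NoAutoUpdate'
    AUOptions            = Get-PolicyValue $auKey 'AUOptions'
    ScheduledInstallDay  = Get-PolicyValue $auKey 'ScheduledInstallDay'   # 0 = every day, 1 = Sunday
    ScheduledInstallTime = Get-PolicyValue $auKey 'ScheduledInstallTime'  # hour of day, 0-23
}
[pscustomobject]$report | Format-List

$findings = @()
if ($report.NoAutoUpdate -eq 1) { $findings += 'NoAutoUpdate=1: Automatic Updates is disabled by policy.' }
if ($report.AUOptions -ne 4)    { $findings += "AUOptions is '$($report.AUOptions)', expected 4." }
if ($report.UseWUServer -ne 1)  { $findings += 'UseWUServer is not 1: client is not directed to WSUS.' }

if ($report.WUServer) {
    if ($report.WUServer -ne $report.WUStatusServer) {
        $findings += 'WUServer and WUStatusServer differ: status reports may not reach WSUS.'
    }
    $uri = [uri]$report.WUServer
    # [uri] reports 80 or 443 when the URL carries no explicit port, which flags a missing port.
    if ($uri.Port -notin 8530, 8531) { $findings += "WUServer port $($uri.Port) is not 8530/8531." }
    $tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) { $findings += "Cannot reach $($uri.Host):$($uri.Port)." }
} else {
    $findings += 'WUServer is not set: no intranet update service configured.'
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'Windows Update policy matches the expected baseline.' }
```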
Modern Equivalent: Windows Update for Business and Intune
The Group Policy method above is fully supported and still widely used on Windows Server and on-premises domains. However, Microsoft has shifted strategic investment toward cloud management. WSUS was officially deprecated in September 2024 — it still works and ships in current Windows Server, but no major new features are planned.
For Windows 10 and Windows 11 fleets, the modern path is:
- Windows Update for Business — deferral, quality/feature-update rings, and active hours configured via GPO or MDM, with patches still served by Microsoft.
- Microsoft Intune with Update rings and Windows Autopatch for cloud-driven, policy-based patching of internet-connected devices without an on-premises server.
If you are building a new environment, evaluate Intune/Windows Update for Business first. If you maintain an existing domain or air-gapped network, the gpedit.msc/WSUS approach in this guide remains the right tool.
Key Takeaways
- Configure Automatic Updates lives under Computer Configuration > Administrative Templates > Windows Components > Windows Update; enable it and pick option 4 for managed scheduled installs.
- Use domain Group Policy (gpmc.msc) for fleets and gpedit.msc only for standalone machines — the domain GPO always wins on join.
- Point clients at WSUS with Specify intranet Microsoft update service location, using the exact URL and ports 8530/8531.
- Always verify with gpupdate /force, gpresult /h, and the registry under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.
- WSUS is deprecated as of 2024 — for new Windows 10/11 deployments, prefer Windows Update for Business or Intune/Windows Autopatch.
Frequently Asked Questions
How do I configure Automatic Updates if my PC has no gpedit.msc?
Windows Home editions do not include the Local Group Policy Editor. Set the same controls directly in the registry under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU (for example, NoAutoUpdate and AUOptions), or enroll the device in an MDM such as Microsoft Intune to push the policy from the cloud.
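
As an added example (not from the original guide), the registry route described in this answer can be applied idempotently from an elevated PowerShell session. The schedule mirrors the guide's "every Sunday at 03:00" example; ScheduledInstallDay and ScheduledInstallTime are the standard value names for that schedule and are assumed here because the guide names only NoAutoUpdate and AUOptions.

```powershell
#Requires -RunAsAdministrator
# Added example: write the "Configure Automatic Updates" policy values directly to the
# registry on a machine without gpedit.msc. Only values that differ are changed.
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Desired state: option 4 (auto download and schedule the install), Sunday at 03:00.
$desired = [ordered]@{
    NoAutoUpdate         = 0   # 0 = Automatic Updates enabled
    AUOptions            = 4   # 4 = auto download and schedule the install
    ScheduledInstallDay  = 1   # 0 = every day, 1 = Sunday ... 7 = Saturday
    ScheduledInstallTime = 3   # hour of day, 0-23
}

# The policy key does not exist until something creates it.
if (-not (Test-Path $auKey)) {
    New-Item -Path $auKey -Force | Out-Null
}

foreach ($name in $desired.Keys) {
    $current = (Get-ItemProperty -Path $auKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -ne $desired[$name]) {
        New-ItemProperty -Path $auKey -Name $name -Value $desired[$name] `
            -PropertyType DWord -Force | Out-Null
        '{0}: {1} -> {2}' -f $name, $(if ($null -eq $current) { '(unset)' } else { $current }), $desired[$name]
    } else {
        '{0}: already {1}' -f $name, $current
    }
}

# Show the final state so the change can be recorded.
Get-ItemProperty -Path $auKey | Select-Object ([string[]]$desired.Keys) | Format-List
```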
What is the difference between AUOptions 3 and 4?
Option 3 downloads updates automatically but lets the user decide when to install them. Option 4 both downloads and installs on a schedule you define, which is the standard choice for managed environments where you want guaranteed, unattended patching during a maintenance window.
Why is my machine not reporting to WSUS after I set the policy?
The usual causes are a wrong WSUS URL or port, a missing gpupdate /force, or a duplicate SusClientId from a cloned image. Verify the URL with Test-NetConnection, force a scan with usoclient StartScan, and if needed reset the client ID and run wuauclt /resetauthorization /detectnow.
Is WSUS still supported in 2026?
Yes — WSUS still ships and functions in current Windows Server, but Microsoft deprecated it in September 2024, meaning no new feature development. It remains supported for now, while Microsoft steers customers toward Windows Update for Business and Intune for cloud-managed patching.