Policy selection for ADMX packs

Policy overview

Key metadata and intent for this policy.

ClassComputer

CategoryWindows Components > Windows Update > Manage updates offered from Windows Server Update Service

Supported onAt least Windows XP Professional Service Pack 1 or Windows 2000 Service Pack 3, excluding Windows RT

Supported OS tags: Windows2000, Windows7, Windows8, WindowsServer2003, WindowsServer2008, WindowsServer2012, WindowsVista, WindowsXP

Specifies an intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update Agent to download updates from an alternate download server instead of the intranet update service. If the status is set to Enabled, the Automatic Updates client connects to the specified intranet Microsoft update service (or alternate download server), instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don't have to go through a firewall to get updates, and it gives you the opportunity to test updates before deploying them. If the status is set to Disabled or Not Configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. The alternate download server configures the Windows Update Agent to download files from an alternative download server instead of the intranet update service. The option to download files with missing Urls allows content to be downloaded from the Alternate Download Server when there are no download Urls for files in the update metadata. This option should only be used when the intranet update service does not provide download Urls in the update metadata for files which are present on the alternate download server. Note: If the "Configure Automatic Updates" policy is disabled, then this policy has no effect. Note: If the "Alternate Download Server" is not set, it will use the intranet update service by default to download updates. Note: The option to "Download files with no Url..." is only used if the "Alternate Download Server" is set. Note: This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. To ensure the highest level of security, Microsoft recommends securing WSUS with TLS/SSL protocol, thereby using HTTPS based intranet servers to keep systems secure. If a proxy is required, we recommend configuring system proxy. To ensure highest levels of security, additionally leverage WSUS TLS certificate pinning on all devices. In order to keep clients inherently secure, we are no longer allowing intranet servers to leverage user proxy by default for detecting updates. If you need to leverage user proxy for detecting updates while using an intranet server despite the vulnerabilities it presents, you must configure the proxy behavior to "Allow user proxy to be used as a fallback if detection using system proxy fails". Detection for updates against intranet servers will fail when user proxy is needed as a fallback and the alternate proxy behavior is not configured.

Internal name

CorpWuURL

Policy ID

0cbdca31b38f

Elements

Registry values

How enabled and disabled states update the registry.

Registry location	Type	Enabled value	Disabled value
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer	REG_DWORD	1	0

Policy elements

Inputs and configuration options exposed by this policy.

Element	Type	Registry mapping	Constraints & behavior
Set the intranet update service for detecting updates: ID CorpWUURL_Name	text	HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer Type REG_SZ	None
Set the intranet statistics server: ID CorpWUStatusURL_Name	text	HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer Type REG_SZ	None
Set the alternate download server: ID CorpWUContentHost_Name	text	HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\UpdateServiceUrlAlternate Type REG_SZ	None
Select the proxy behavior for Windows Update client for detecting updates: ID SetProxyBehaviorForUpdateDetection	enum	HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\SetProxyBehaviorForUpdateDetection Type REG_DWORD	Options: Only use system proxy for detecting updates (default) (0), Allow user proxy to be used as a fallback if detection using system proxy fails (1)
Download files with no Url in the metadata if alternate download server is set. ID CorpWUFillEmptyContentUrls	boolean	HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\FillEmptyContentUrls Type REG_DWORD	Options: true (), false () True: None · False: None
Do not enforce TLS certificate pinning for Windows Update client for detecting updates. ID CorpWUDoNotEnforceEnterpriseTLSCertPinningForUpdateDetection	boolean	HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection Type REG_DWORD	Options: true (), false () True: None · False: None

Other policies in this category

Explore related policies at the same level.