To configure Windows Updates in a Network Agent policy:
In the console tree, select Managed devices.
In the workspace, select the Policies tab.
Select a Network Agent policy.
In the context menu of the policy, select Properties.
The properties window for the Network Agent policy opens.
In the Sections pane, select Software updates and vulnerabilities.
Select the Use Administration Server as a WSUS server option to download Windows updates to the Administration Server and then distribute them to client devices through Network Agent.
If this option is not selected, Windows updates are not downloaded to the Administration Server. In this case, client devices receive Windows updates directly from Microsoft servers.
Select the set of updates that the users can install on their devices manually by using Windows Update.
On devices running Windows 10, if Windows Update has already found updates for the device, the new option that you select under Allow users to manage installation of Windows Update updates will be applied only after the updates found are installed.
Users can install all of the Microsoft Windows Update updates that are applicable to their devices.
Select this option if you do not want to interfere in the installation of updates.
When the user installs Microsoft Windows Update updates manually, the updates may be downloaded from Microsoft servers rather than from Administration Server. This is possible if Administration Server has not yet downloaded these updates. Downloading updates from Microsoft servers results in extra traffic.
Users can install all of the Microsoft Windows Update updates that are applicable to their devices and that are approved by you.
For example, you may want to first check the installation of updates in a test environment and make sure that they do not interfere with the operation of devices, and only then allow the installation of these approved updates on client devices.
When the user installs Microsoft Windows Update updates manually, the updates may be downloaded from Microsoft servers rather than from Administration Server. This is possible if Administration Server has not yet downloaded these updates. Downloading updates from Microsoft servers results in extra traffic.
Users cannot install Microsoft Windows Update updates on their devices manually. All of the applicable updates are installed as configured by you.
Select this option if you want to manage the installation of updates centrally.
For example, you may want to optimize the update schedule so that the network does not become overloaded. You can schedule after-hours updates, so that they do not interfere with user productivity.
If this option is selected, Administration Server with support from Network Agent initiates a request from Windows Update Agent on the client device to the update source: Windows Update Servers or WSUS. Next, Network Agent passes information received from Windows Update Agent to Administration Server.
The option takes effect only if Connect to the update server to update data option of the Find vulnerabilities and required updates task is selected.
If you select this option, Network Agent periodically passes Administration Server information about updates retrieved at the last synchronization of Windows Update Agent with the update source. If no synchronization of Windows Update Agent with an update source is performed, information about updates on Administration Server becomes out-of-date.
Select this option if you want to get updates from the memory cache of the update source.
If this option is selected, Administration Server does not request any information about updates.
Select this option if, for example, you want to test the updates on your local device first.
Select the Scan executable files for vulnerabilities when running them option if you want to scan executable files for vulnerabilities while the files are being run.
Make sure that editing is locked for all the settings that you have changed. Otherwise, the changes do not apply.