Windows Patch Management, Options in Windows Update - Page 2

By Marcin Policht | Posted Mar 12, 2004
Page 2 of 2   |  Back to Page 1
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn
Continued From Page 1

This creates the following entries in the Computer Configuration->Administrative Templates->Windows Components->Windows Update folder.

  • Configure Automatic Updates is equivalent to the options available via the Control Panel updates previously described. If this setting is enabled, you can choose from one of three options (i.e., notification for both download and installation; auto download and notification for installation; and auto download and scheduled installation). If you select the third option, you can also specify an installation schedule.
  • Specify Intranet Microsoft Update Service Location is relevant when using Software Update Services.
  • Reschedule Automatic Updates Scheduled Installations determines when scheduled updates not applied according to the schedule should be re-applied. This can happen at either the next scheduled interval or after a specific number of minutes following next computer startup.
  • No Auto-restart for Scheduled Automatic Updates Installations blocks automatic startup after installing patches that require a restart to complete. Obviously, in such cases you will need to provide an alternate way to reboot the computer.

In addition, the User Configuration portion of the Windows Update settings (located in the User Configuration->Administrative Templates->Windows Components->Windows Update folder) contains a single entry "Remove access to use all Windows Update features." Once enabled, it prevents logged-on users from obtaining Windows Updates via any user-initiated methods (such as manual downloads from the Windows Update Web site, manual installations of already downloaded updates, or driver updates via Device Manager if they originate from the Windows Update Web site).

This will, however, still allow you to use the scheduled automatic Windows Update (corresponding to the third option in the group policy). Similar results are achieved when the "Remove links and access to Windows Update from User Configuration->Administrative Templates->Start Menu and Taskbar folder are enabled. We will explain the distinction between these two settings when we discuss Software Update Services in greater detail.

  • Active Directory group policy settings are identical to the ones discussed previously. The WUAU.ADM template is also required to implement them (and it must reside in the WINDOWS\inf subfolder on the domain controllers and on the systems where Group Policy Editor is launched). Obviously, in this case, the impact of policy settings is much larger. Settings are controlled via a number of methods (such as applying policy on an Organizational Unit or a site level, or using security or WMI filtering).

  • Windows Update can also be managed with registry modifications. Registry modifications are Active Directory group policy based methods that cannot be applied if the client computers reside in a workgroup or a Windows NT 4.0 domain (which is still frequently the case). In such situations, the choice is the already-described local group policy or to apply changes directly to the registry. If you decide to use the second approach, the relevant registry entries are located in three areas of the registry:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    For the complete listing, refer to the Windows Knowledge Base Article Q328010.

  • In a Windows NT 4.0 domain, a considerably more convenient alternative to direct registry edits (in terms of deployment) is to use system policies. To accomplish this, combine Windows Update registry settings (listed in the previous section) into a template file and make it part of the domain system policy.

    In addition to the Windows Update configuration settings described above (regardless of the way they are applied), update behavior depends on the rights of logged-on user (or whether any user is logged on at all). If you decide to use notifications and leave it up to users to decide which updates should be downloaded and installed, this right will be limited to members of the local administrators group. If users do not have administrative privileges (typically the case in a business environment), you should schedule automatic download and installation. This way, both actions can be completed even when nonadministrative users are logged-on.

    With scheduled updates, administrators will be given a five-minute interval to decide whether to postpone installation, once the update files are downloaded (which will delay it until the next restart or scheduled interval -- depending on registry settings). If the installation requires a reboot (which is frequently the case) a user will be presented with a modal (i.e., positioned in front of the other windows) dialog box reminding her of the need to reboot (by default, the reboot will not be forced, although this can be changed by modifying the registry entry).

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoRebootWithLoggedOnUsers

    With scheduled updates, even if no one is logged on to a system, the update will complete fully unattended (followed by automatic restart, if required).

    Article courtesy of ServerWatch

  • Comment and Contribute
    (Maximum characters: 1200). You have
    characters left.
    Get the Latest Scoop with Enterprise Networking Planet Newsletter