Windows Patch Management, Options in Windows Update
The previous article in this series presented a number of solutions using scripting and third-party freeware utilities to enable remote query registry and patch deployment. We continue our coverage of free patching methodologies with a focus on Microsoft's operating system enhancements and products.
The most basic patch-related technology available in Windows ME, 2000, XP, and 2003 is Windows Update. Its mechanism relies on cooperation between client and server components. The client operates as the Automatic Updates service running in the security context of the Local System account (with the exception of Windows ME, where it is implemented as an executable loaded at the time of a user's logon). The service starts at operating system startup (although you can disable it or use various customization options to alter this default behavior).
Clients are configured to connect to Windows Update servers automatically and receive a list of missing updates, based on a comparison of the client configuration data (such as operating system and Internet Explorer versions, hardware plug-and-play information, regional and language settings, and patch-level status) against the Windows Update Catalog (located at http://windowsupdate.microsoft.com).
Updates for the legacy operating systems (not supporting Windows Update functionality) are available through the Microsoft Download Center at the following locations:
- http://www.microsoft.com/windows95/downloads/ for Windows 95
- http://www.microsoft.com/windowsnt/downloads/ for Windows NT 4.0
Windows Update evolved from the Critical Update Notification utility available for Windows 98 and pre-SP3 Windows 2000. The first version was released around the same time as Windows 2000 SP3; however, it also works on Windows 2000 SP2 computers. The most significant improvement over its predecessor was the Automatic Updates feature, which allows custom scheduling that can be configured in several ways:
- In a graphical interface via a Control Panel applet (i.e., the Automatic Updates tab in the Properties dialog box of the System applet in Windows XP and 2003, or the Automatic Updates applet in Windows 2000 and ME). The interface presents the option as a checkbox, whose state (checked vs. unchecked) determines whether you want to use automatic updates. This also determines whether the remaining options on the same page are relevant. Assuming the checkbox is enabled, you will need to choose from three options that control the degree to which download and installation are automated.
- Manual Download and Installation -- The user is notified (via an icon appearing in the notification area, in the right corner of the Windows taskbar) when updates are ready for download, and again when they are downloaded and ready for installation.
- Automatic Download and Manual Installation -- The user is notified when a (automatically initiated) download is completed, and at that point he or she can select updates to be installed.
- Automatic Download and Installation -- Both download and installation are transparent to a logged-on user (although, to be exact, the level of this transparency depends on the user's security privileges). Both actions are performed according to a customizable schedule (daily at a specified time or weekly on a given day of the week and at a specific time).
- In Windows 2000, XP, and 2003, local group policy is another option. To manage Windows Update with group policies, WUAU.ADM must be among the Administrative Templates. The most up-to-date version of this template (including features required for Software Update Services SP1) is available for download from the Microsoft Web site at http://www.microsoft.com/downloads/details.aspx?FamilyId=D26A0AEA-D274-42E6-8025-8C667B4C94E9&displaylang=en.
After downloading the template, copy it to the inf subfolder in the Windows installation directory (typically C:\WINDOWS\inf). Next, launch the local Group Policy Editor (gpedit.msc), expand the Computer Configuration node, right-click on Administrative Templates, and select Add/Remove Templates. If WUAU is not already listed there, add the one copied to the WINDOWS\inf subfolder.
This creates the following entries in the Computer Configuration->Administrative Templates->Windows Components->Windows Update folder.
- Configure Automatic Updates is equivalent to the Control Panel options described previously. If this setting is enabled, you can choose from one of three options (i.e., notification for both download and installation; auto download and notification for installation; and auto download and scheduled installation). If you select the third option, you can also specify an installation schedule.
- Specify Intranet Microsoft Update Service Location is relevant when using Software Update Services.
- Reschedule Automatic Updates Scheduled Installations determines when scheduled updates not applied according to the schedule should be re-applied. This can happen at either the next scheduled interval or after a specific number of minutes following next computer startup.
- No Auto-restart for Scheduled Automatic Updates Installations blocks the automatic restart after installing patches that require a reboot to complete. Obviously, in such cases you will need to provide an alternate way to reboot the computer.
In addition, the User Configuration portion of the Windows Update settings (located in the User Configuration->Administrative Templates->Windows Components->Windows Update folder) contains a single entry "Remove access to use all Windows Update features." Once enabled, it prevents logged-on users from obtaining Windows Updates via any user-initiated methods (such as manual downloads from the Windows Update Web site, manual installations of already downloaded updates, or driver updates via Device Manager if they originate from the Windows Update Web site).
This will, however, still allow you to use scheduled automatic Windows Update (corresponding to the third option in the group policy). Similar results are achieved when the "Remove links and access to Windows Update" setting in the User Configuration->Administrative Templates->Start Menu and Taskbar folder is enabled. We will explain the distinction between these two settings when we discuss Software Update Services in greater detail.
- Active Directory group policy settings are identical to the ones discussed previously. The WUAU.ADM template is also required to implement them (and it must reside in the WINDOWS\inf subfolder on the domain controllers and on the systems where Group Policy Editor is launched). Obviously, in this case, the impact of policy settings is much larger. Settings are controlled via a number of methods (such as applying policy on an Organizational Unit or a site level, or using security or WMI filtering).
- Windows Update can also be managed with registry modifications. Active Directory group policy based methods cannot be applied if the client computers reside in a workgroup or a Windows NT 4.0 domain (which is still frequently the case). In such situations, the choice is between the already-described local group policy and applying changes directly to the registry. If you decide on the second approach, the relevant registry entries are located in three areas of the registry:
For the complete listing, refer to the Windows Knowledge Base Article Q328010.
- In a Windows NT 4.0 domain, a considerably more convenient alternative to direct registry edits (in terms of deployment) is to use system policies. To accomplish this, combine Windows Update registry settings (listed in the previous section) into a template file and make it part of the domain system policy.
In addition to the Windows Update configuration settings described above (regardless of the way they are applied), update behavior depends on the rights of the logged-on user (or whether any user is logged on at all). If you decide to use notifications and leave it up to users to decide which updates should be downloaded and installed, this right will be limited to members of the local Administrators group. If users do not have administrative privileges (typically the case in a business environment), you should schedule automatic download and installation. This way, both actions can be completed even when nonadministrative users are logged on.
With scheduled updates, once the update files are downloaded, administrators are given a five-minute interval to decide whether to postpone installation (which delays it until the next restart or the next scheduled interval, depending on registry settings). If the installation requires a reboot (which is frequently the case), the user is presented with a modal dialog box (i.e., one positioned in front of the other windows) reminding her of the need to reboot (by default, the reboot is not forced, although this can be changed by modifying the registry entry).
With scheduled updates, even if no one is logged on to a system, the update will complete fully unattended (followed by automatic restart, if required).
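As an added PowerShell example (not code from the original article or from Microsoft), the script below audits the Automatic Updates policy values behind the three Configure Automatic Updates modes and the no-auto-restart option described above, and applies the scheduled-installation mode directly in the registry for the workgroup / Windows NT 4.0 domain case. It assumes the policy key HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU and the value names AUOptions, NoAutoUpdate, ScheduledInstallDay, ScheduledInstallTime and NoAutoRebootWithLoggedOnUsers as documented for the WUAU.ADM template and KB328010; the article itself does not list them.

```powershell
# Added example, not from the original article. Assumption: the policy key and
# value names below are those documented for WUAU.ADM / KB328010; AUOptions
# 2, 3 and 4 correspond to the three modes the article describes.
$AuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

$AuModes = @{
    2 = 'Notify before download and before installation'
    3 = 'Automatic download, notify before installation'
    4 = 'Automatic download and scheduled installation'
}
# ScheduledInstallDay: 0 = every day, 1..7 = Sunday..Saturday
$DayNames = 'Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'

function Get-AuPolicyReport {
    # Reads the AU policy values and reports the effective mode plus weak points
    if (-not (Test-Path $AuPolicyKey)) {
        return [pscustomobject]@{ Mode = 'No policy (Control Panel setting applies)'; Findings = @() }
    }
    $au = Get-ItemProperty -Path $AuPolicyKey
    $findings = @()
    if ([int]$au.NoAutoUpdate -eq 1) { $findings += 'Automatic Updates disabled by policy' }
    $mode = [int]$au.AUOptions
    $modeText = if ($AuModes.ContainsKey($mode)) { $AuModes[$mode] } else { "Unknown AUOptions value $mode" }
    if ($mode -ne 4) {
        # Modes 2 and 3 rely on a logged-on local administrator acting on the notification
        $findings += 'Installation requires an administrator to act on notifications'
    } else {
        $modeText += ' ({0} at {1:00}:00)' -f $DayNames[[int]$au.ScheduledInstallDay], [int]$au.ScheduledInstallTime
    }
    if ([int]$au.NoAutoRebootWithLoggedOnUsers -eq 1) {
        $findings += 'Auto-restart suppressed: pending reboots need an alternate restart method'
    }
    [pscustomobject]@{ Mode = $modeText; Findings = $findings }
}

function Set-AuScheduledInstall {
    # Applies "auto download and scheduled installation" directly in the registry
    # (the workgroup / NT 4.0 domain case). Run from an elevated session; -WhatIf previews.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateRange(0,7)][int]$Day = 0, [ValidateRange(0,23)][int]$Hour = 3)
    if ($PSCmdlet.ShouldProcess($AuPolicyKey, "Set AUOptions=4, day=$Day, hour=$Hour")) {
        if (-not (Test-Path $AuPolicyKey)) { New-Item -Path $AuPolicyKey -Force | Out-Null }
        Set-ItemProperty -Path $AuPolicyKey -Name NoAutoUpdate -Value 0 -Type DWord
        Set-ItemProperty -Path $AuPolicyKey -Name AUOptions -Value 4 -Type DWord
        Set-ItemProperty -Path $AuPolicyKey -Name ScheduledInstallDay -Value $Day -Type DWord
        Set-ItemProperty -Path $AuPolicyKey -Name ScheduledInstallTime -Value $Hour -Type DWord
    }
}

Get-AuPolicyReport | Format-List
```

Run the report first; call Set-AuScheduledInstall -Day 0 -Hour 3 -WhatIf to preview the change before applying it to machines where nonadministrative users are normally logged on.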
Article courtesy of ServerWatch