| Automatic Updates help you keep the Windows Server 2003 operating system up to date. It compares the programs, operating system components , and drivers installed on a system to a master list of items available at the Microsoft Web site and determines whether there are updates that should be installed. An Overview of Automatic Updates You configure Automatic Updates using the System utility. When Automatic Updates are enabled, an update icon appears in the system tray when there are updates to download or install. The background process running the update process is the Automatic Updates service. This service is responsible for periodically checking for compatible updates for a system. When an automatic update is available, you'll see a bubble over the update icon announcing the update's availability. Automatic Updates appear in the Install/Uninstall tab of the Add/Remove Programs dialog box just like any other program you install. You can remove an automatic update from there the same way that you uninstall any other program. For details, see the section entitled "Removing Automatic Updates to Recover from Problems" in this chapter. You can use Automatic Updates in several ways. You can configure systems to -
Keep My Computer Up To Date Controls whether automatic updates are used. If you clear this check box, automatic updates are disabled and you aren't notified about updates. You can, however, download updates manually from the Windows Update Web site (http://windowsupdate.microsoft.com/). -
Notify Me Before Downloading Any Updates And Notify Me Again Before Installing Them On My Computer With this option, the operating system notifies you before retrieving any updates. If you elect to download the update, you still have the opportunity to accept or reject it. Accepted updates are installed. Rejected updates aren't installed but remain on the system, where you can install them later. -
Download The Updates Automatically And Notify Me When They Are Ready To Be Installed With this option, the operating system retrieves all updates as they become available and then prompts you when they're ready to be installed. You can then accept or reject the update. Accepted updates are installed. Rejected updates aren't installed but remain on the system, where they could be installed later. -
Automatically Download The Updates, And Install Them On The Schedule That I Specify With this option, updates are automatically downloaded and installed according to a schedule that you specify. When updates have been downloaded, the operating system notifies you so you can review the updates that are scheduled to be installed. You can install the updates then or wait for the scheduled installation time. Configuring Automatic Updates If you want to use Automatic Updates on a system, complete the following steps: -
From the Control Panel, double-click System, then select the Automatic Updates tab as shown in Figure 5-3. Figure 5-3. Configure Automatic Updates differently for different needs. Choose the option that makes the best sense for your environment.  -
To disable automatic updates, clear Keep My Computer Up To Date. This option turns off Automatic Updates completely, requiring manual installation of updates. Security Alert To ensure the integrity of production systems, you might want to disable automatic updates. Before applying updates to operational servers, you should test the updates on nonproduction (development or test) servers. The test period should last one to two weeks, or longer, in most cases to ensure that problems don't crop up when you least expect them. After you finish testing the updates, you can manually apply them to your production systems.
-
To enable automatic updates, ensure that Keep My Computer Up To Date is selected and then choose one of the following update options: -
Notify Me Before Downloading Any Updates And Notify Me Again Before Installing Them On My Computer This option allows you to control whether downloads occur at all. Use this option when you need more control over the application of updates. -
Download The Updates Automatically And Notify Me When They Are Ready To Be Installed This is the best option to use when you want to be sure updates are downloaded, but it doesn't ensure that updates will be installed. -
Automatically Download The Updates, And Install Them On The Schedule That I Specify This option is good when you don't want the installation of updates to interfere with business operations. The update schedule is either Every Day at a specific hour, such as 3:00 a.m. or on a specific day of the week and hour , such as Every Sunday at 5:00 a.m. If you're logged on to the system as an administrator, you'll be notified of pending installations and have the opportunity to postpone the installation. If a restart is required as a result of an update and you're logged on as an administrator, you'll have the opportunity to postpone the restart. Other users don't have this option. Local users and terminal services users will be notified, however, of a pending restart. Other users, such as those accessing an application or file on the system, won't be notified. Caution Sometimes installing updates might make a system less responsive and might require a system restart. Because of this, you might want to manually install updates or schedule installation of updates for nonbusiness or nonpeak usage hours. In this way, there should be less impact on users and business operations. It won't prevent data loss, however, if active users are working with resources on the system.
-
If you decide to schedule installation of updates, click OK. Another way to configure Automatic Updates is to do so through Group Policy. The most useful policies for Automatic Updates are: -
Windows Automatic Updates Whenever a user connects to the Internet, Windows searches for updates that are available for the computer. If you don't want the operating system to search for updates, enable this policy. This policy is located in User Configuration\Administrative Templates\System. -
Turn Off Automatic Update Of ADM Files Group Policy can be modified by the automatic updates process. Typically, this means that new policies are installed and made available the next time you open the Group Policy Object Editor. If you don't want Group Policy to be updated through the automatic updates process, enable this policy. This policy is located in User Configuration\Administrative Templates\System\Group Policy, and its settings are ignored if the policy Always Use Local ADM Files For The Group Policy Object Editor is enabled. -
Remove Access To Use All Windows Update Features Prohibits access to all Windows Update features. If enabled, all Automatic Updates features are removed and can't be configured. This includes the Automatic Updates tab in the System utility, the Windows Update link on the Start Menu and on the Tools menu in Internet Explorer, and driver updates from the Windows Update Web site in the Device Manager. This policy is located in User Configuration\Administrative Templates\Windows Components\Windows Update. -
Configure Automatic Updates Configures automatic updates settings for a domain, site, organizational unit, or local computer through Group Policy. If enabled, you set the options to use much as you do in the Automatic Updates tab of the System utility. If disabled, automatic updates must be manually installed. This policy is located in Computer Configuration\Administrative Templates\ Windows Components\Windows Update. -
Specify Intranet Microsoft Update Service Location Designates an internal Web server rather than the Windows Update Web site as the location to check for and download updates from. This policy is located in Computer Configuration\Administrative Templates\Windows Components\Windows Update and is discussed in the next section. Configuring Update Servers On networks with hundreds or thousands of computers, the automatic updates process could use a considerable amount of network bandwidth, and having all the computers check for updates and install them over the Internet won't make sense. Instead, you'll want to consider enabling this policy, which tells individual computers to check a designated internal server for updates. The designated update server must be configured as a Web server running Microsoft Internet Information Services (IIS) and must be able to handle the additional workload, which might be considerable on a large network during peak usage times. Additionally, the update server must have access to the external network on port 80. The use of a firewall or proxy server on this port shouldn't present any issues. The update process also tracks configuration and statistics information for each computer. This information is necessary for the update process to work properly and can be stored on a separate statistics server (an internal server running IIS) or on the update server itself. To specify an internal update server, follow these steps: -
Configure the necessary server(s) as previously discussed. -
In Group Policy for the appropriate domain, site, or organizational unit Group Policy Object, access Computer Configuration\Administrative Templates\ Windows Components\Windows Update, and then double-click Specify Intranet Microsoft Update Service Location. -
Select Enabled. -
Type the Uniform Resource Locator (URL) of the update server in the Set The Intranet Update Service For Detecting Updates fields. In most cases, this is http:// servername , such as http://CorpUpdateServer01 . -
Type the URL of the statistics server in the Set The Intranet Statistics Server text box. This doesn't have to be a separate server; you can specify the update server in this text box. -
Click OK. Once the applicable Group Policy Object is refreshed, systems running Windows 2000 Service Pack 3 or later, Windows XP Service Pack 1 or later, and Windows Server 2003 will look to the update server for updates. You'll want to monitor the update and statistics server(s) closely for several days or weeks to ensure that everything is working properly. Directories and files will be created on the update and statistics server(s). Downloading and Installing Automatic Updates When Automatic Updates are enabled and an automatic update is available, you'll see a bubble over the update icon announcing the update's availability. Click the AutoUpdate icon to open the Updates window. From that window, click Install/Download if you've chosen to autodownload or if you've chosen to be notified before the download. This starts the Automatic Updates process. You can also click Remind Me Later to postpone the update. If you want to see more information about the update or be able to selectively enable or disable update components, click the Details button. You then see descriptive information on each update. To disable an update for a specific component, clear the related check box. When you're ready to proceed, click Install. Caution Some updates require you to reboot the computer. Rather than bring down a production server, you might want to schedule the install and reboot for a specific date and time.
Removing Automatic Updates to Recover from Problems If an automatic update caused a problem on a system, don't worry. You can remove the automatic update in the same way that you uninstall any other program. Simply follow these steps: -
In the Control Panel, double-click Add/Remove Programs. The Add Or Remove Programs dialog box is displayed with the Change Or Remove Programs button selected. -
Select the automatic update that you want to remove and then click Change/Remove. Repeat this step to remove other updates as desired. -
Click Close. If the system needs to be restarted, you'll see a restart prompt.  |
![Microsoft Windows Server 2003 Administrator[ap]s Pocket Consultant](/icons/blank_book.jpg "Microsoft Windows Server 2003 Administrator[ap]s Pocket Consultant"){kind=icon}