Recipe 2.2. Configuring Automatic Updates

Problem

You want to configure how updates are applied using the Automatic Updates feature.

Solution

Using a graphical user interface

To configure Automatic Updates locally on a system, do the following:

  1. Open the System applet in the Control Panel.

  2. Select the Automatic Updates tab.

  3. Check the box beside Keep my computer up to date to enable Automatic Updates.

  4. Once you have done that, the radio buttons under Settings will become active. Select how you want to be notified about new updates and whether you want to automatically install them.

  5. Click OK when you are done.

To configure Automatic Updates using Group Policy, do the following:

  1. Open the Group Policy Management Console.

  2. In the left pane, navigate to the group policy object (GPO) you want to modify.

  3. Right-click the target GPO and select Edit.

  4. In the left pane of the Group Policy Object Editor, expand Computer Configuration

  5. In the right pane, double-click the setting you want to configure.

Using a command-line interface

The following commands enable Automatic Updates to automatically download new updates and notify when installation is ready to proceed:

> reg add HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /t REG_DWORD /v NoAutoUpdate /d 0
> reg add HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /t REG_DWORD /v AUOptions /d 3
> net stop wuauserv
> net start wuauserv

You must restart the Automatic Updates service before the changes take effect. See the Discussion for the complete list of Automatic Updates-related registry values.

The following commands, placed in a batch file, will enable Automatic Updates to automatically download new updates from a Software Update Services (SUS) v1.1 Server and notify when installation is ready to proceed:

rem Replace <SUSServerName> with the name of your SUS server.
set SUSSERVER=<SUSServerName>
net stop wuauserv
if exist temp.reg del temp.reg

rem Build a temporary .reg file holding the policy and client-state values.
echo Windows Registry Editor Version 5.00>>temp.reg
echo.>>temp.reg
rem Point the client at the SUS server.
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]>>temp.reg
echo "WUServer"="http://%SUSSERVER%">>temp.reg
echo "WUStatusServer"="http://%SUSSERVER%">>temp.reg
echo.>>temp.reg
rem Use the SUS server, download automatically and notify before installing.
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]>>temp.reg
echo "NoAutoUpdate"=dword:00000000>>temp.reg
echo "AUOptions"=dword:00000003>>temp.reg
echo "UseWUServer"=dword:00000001>>temp.reg
echo "ScheduledInstallDay"=dword:00000001>>temp.reg
echo "ScheduledInstallTime"=dword:00000003>>temp.reg
echo.>>temp.reg
rem Reset the client state so the service starts a full update cycle (see the Discussion).
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]>>temp.reg
echo "AUState"=dword:00000002>>temp.reg
echo "LastWaitTimeOut"="2000.01.01 00:00:01">>temp.reg
echo "SusServerVersion"=dword:00000001>>temp.reg
echo "ConfigVer"=dword:00000001>>temp.reg

rem Import the file silently, remove it, and restart the service.
regedit /s temp.reg
del temp.reg
net start wuauserv

Thanks to Michael B. Smith for providing this code.
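
A read-back check for the two command-line solutions above, added here as an example and not part of the original recipe: it confirms that NoAutoUpdate and AUOptions hold the values the recipe writes, that WUServer and WUStatusServer are set and agree when UseWUServer is 1, and that the wuauserv service is running again. The output wording, the exit code convention, and the use of sc query are assumptions of this example.

```batch
@echo off
rem Added example (not from the original recipe): verify the Automatic Updates policy.
setlocal
set AUKEY=HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
set WUKEY=HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
set RC=0

rem Values written by the first command-line solution (reg query shows DWORDs as 0xN).
call :expect %AUKEY% NoAutoUpdate 0x0
call :expect %AUKEY% AUOptions 0x3

rem The server values only matter when the client is told to use an internal server.
call :read %AUKEY% UseWUServer
if /i "%VAL%"=="0x1" call :server

rem The recipe restarts the service so that the changes take effect.
sc query wuauserv | findstr /c:"RUNNING" >nul
if errorlevel 1 (
    echo FAIL  wuauserv is not running
    set RC=1
)
exit /b %RC%

:read
rem Sets VAL to the data of value %2 under key %1, or leaves it empty if absent.
set VAL=
for /f "tokens=3" %%A in ('reg query %1 /v %2 2^>nul ^| findstr /i /c:"%2"') do set VAL=%%A
goto :eof

:expect
rem Compares value %2 under key %1 with the expected data %3.
call :read %1 %2
if /i "%VAL%"=="%3" (echo OK    %2=%VAL%) else (echo FAIL  %2=%VAL% expected %3& set RC=1)
goto :eof

:server
rem WUServer and WUStatusServer must both be present and point at the same host.
call :read %WUKEY% WUServer
set WU=%VAL%
call :read %WUKEY% WUStatusServer
if "%WU%"=="" (echo FAIL  UseWUServer=1 but WUServer is not set& set RC=1& goto :eof)
if /i "%WU%"=="%VAL%" (echo OK    WUServer=%WU%) else (echo FAIL  WUServer and WUStatusServer differ& set RC=1)
goto :eof
```

The script exits with 0 when every check passes and 1 otherwise, so it can be run remotely and its result collected per machine.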


Discussion

Patching systems is a critical issue system administrators face today. Many of the viruses and worms that spread like wildfire throughout the Internet could have been prevented if administrators had been more diligent in applying security updates. With Windows 2000 SP2, Microsoft introduced Automatic Updates, which lets your computers automatically download and install these updates from Microsoft.

In the late 1990s, you couldn't blindly trust new patches from Microsoft, so you had to test them thoroughly before deploying them. Now, patches are much more reliable. You also don't have as much time to test them to ensure they won't introduce new problems. These factors make Automatic Updates a good solution. You can have updates download automatically and decide whether they should be installed automatically, periodically, or manually.

If you have many computers, you should consider using Software Update Services (SUS; http://www.microsoft.com/windowsserversystem/sus/default.mspx) or Windows Update Services (WUS). These tools let you download updates to a central server from which internal computers can install the updates. There are two distinct advantages to this approach. First, you can optimize network utilization for the updates by downloading them only once. Second, you can selectively choose which updates clients will install. This gives you more control over how and where updates are installed in your environment.

The command-line batch file presented in the command-line solution is suitable, with modifications for your environment, to use for deploying SUS via registry control. While not as elegant as a group policy-based solution, it has the advantage of allowing you to easily customize SUS options for differing groups of computers (for example, you may wish for workstation computers to automatically reboot after patch application, but you almost certainly do not wish that to occur for server computers). This is a feature that will be built into WUS.

The command-line batch file also illustrates a mechanism for forcing the Automatic Updates service to restart a full update cycle. The last four echo commands cause the service to basically behave as if it had never been executed before. This corrects what I see as a bug in SUS: if additional patches are approved after a computer has already downloaded patches, but before it has installed them (and rebooted if necessary), then the Automatic Updates service will not process them until all of the prior patches have been installed.

There are desired scenarios that cannot feasibly be automated with SUS. Most of these limitations are expected to be overcome in WUS when it is released some time in 2005.

Using this batch file in combination with psexec and the shutdown tool can allow you to fully manage your patch application needs for small- to medium-sized environments. For an example of a well-developed and full-featured script utilizing this concept, see http://googleit.aptonline.net/pages/cmdscripts.html#SUSUR. Large environments will likely be utilizing Microsoft's SMS or another centralized deployment application.

The SUS whitepaper (Patch Management Using Software Update Services 1.0 SP1 available at http://www.microsoft.com/downloads/details.aspx?FamilyId=38D7E99B-E780-43E5-AA84-CDF6450D8F99&displaylang=en) contains detailed information about all of the Automatic Updates service registry keys and their impact on SUS. MS KB 328010 contains a much more concise set of material suitable for most needs.

See Also

MS KB 294871 (Description of the Automatic Updates feature in Windows), MS KB 327850 (How to configure and use Automatic Updates in Windows 2000), MS KB 327838 (HOW TO: Schedule Automatic Updates in Windows XP, Windows 2000, or Windows Server 2003), and MS KB 328010 (How to configure automatic updates by using Group Policy or registry settings)



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
EAN: 2147483647
Year: 2006
Pages: 380
Authors: Robbie Allen
