Windows Server Hack [Electronic resources] (text version)

Mitch Tulloch

Hack 87 Use Group Policy to Configure Automatic Updates




Use Group Policy to simplify the configuration
of Automatic Updates in an Active Directory environment.


Configuring Automatic Updates [Hack #86] is a lot of work if you have
to do it separately on every machine on your network. Fortunately, in
an Active Directory environment, you can use Group Policy to simplify
the job.


First, open an existing Group Policy Object (GPO), such as the
Default Domain Policy, or create a new GPO and link it to the
appropriate domain, organizational unit (OU) or site. Then, add the
wuau.adm template to the GPO so that the Group
Policy settings for Automatic Updates will be added to your GPO. This
is done as follows (note that these steps are unnecessary if you have
Windows Server 2003). Begin by expanding Computer Configuration to
show Administrative Templates. Then, right-click on Administrative
Templates, select Add/Remove Template, click Add, select
wuau.adm from the list of templates in the
%Windir%\Inf folder, click Open, and then click
Close.


Now, configure the GPO settings for Automatic Updates by expanding
Computer Configuration → Administrative Templates → Windows Components
and selecting Windows Update in the pane on the left, as shown in
Figure 9-5.



Figure 9-5. Using Group Policy to configure Automatic Updates



Let's dig into what the various settings in Figure 9-5 mean. The first setting,
"Configure Automatic Updates," lets
you perform basic configuration of Automatic Updates for computers in
the domain, OU, or site to which the GPO is linked. The options here
are the same as the options available when you manually configure the
feature using Control Panel's Automatic Updates
utility (Windows 2000) or System utility (Windows Server 2003 and
Windows XP); refer to Figure 9-3 for details. The
next setting, "Specify intranet Microsoft update
service location," applies only if you plan on using
Software Update Services (SUS) to deploy updates.


The "Reschedule Automatic Updates schedule
installations" option determines the time that
Automatic Updates will wait after the computer restarts before
installing updates that have already been downloaded and are past the
scheduled time for installation. Values range from 1 to 60 minutes; the
default is 1 if the setting is not configured and 5 when the policy is
enabled. By
disabling this policy, the installation of
overdue updates is deferred until the next scheduled installation day
and time.


Finally, "No auto-restart for scheduled Automatic
Updates installations" determines whether the
logged-on user will be forcibly logged off in order to complete the
installation process when a reboot is required. Enabling the policy
means that machines will not be forcibly rebooted. While this would
seem like a good idea (so users won't lose their
work), it does have a downside: Automatic Updates
won't be able to check the Windows Update web site
for new updates until the machine is rebooted.


Enabling these policy settings will override any configuration of
Automatic Updates that was done locally using Control Panel and will
prevent you from making such changes locally, even as an
administrator (the options in the properties sheet of Figure 9-3 would be grayed out). However, changing these
policy settings back to Not Configured will
restore the manual settings previously configured for Automatic
Updates (though a reboot is required). And while changes made to
these policies are automatically applied to client computers every 90
minutes (plus a random offset of up to 30 minutes), you can test the
settings immediately by forcing a policy refresh with the command
secedit /refreshpolicy machine_policy on Windows
2000 or gpupdate /force on Windows Server 2003.
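The following script is an added example, not code from the book. It carries out the procedure above with the GroupPolicy PowerShell module instead of the Group Policy Object Editor: it creates a GPO, links it to an OU, and writes the four "Windows Update" policy settings as the registry-based policy values each setting controls. It assumes the GroupPolicy module (RSAT, Windows Server 2008 R2 and later), which the Windows 2000/2003 hosts the hack describes do not have, and that the value names under the policy key are the ones Microsoft documents for Automatic Updates (NoAutoUpdate, AUOptions, ScheduledInstallDay, ScheduledInstallTime, UseWUServer, WUServer, WUStatusServer, RescheduleWaitTimeEnabled, RescheduleWaitTime, NoAutoRebootWithLoggedOnUsers). The GPO name, OU distinguished name and SUS URL are constructed placeholders.

```powershell
# Added example, not code from the book. Creates (or reuses) a GPO, links it
# to an OU, and writes the four Windows Update policy settings from Hack #87.
# Requires the GroupPolicy module (RSAT / Windows Server 2008 R2 and later).
# $gpoName, $targetOu and $susServer are constructed placeholders.

Import-Module GroupPolicy

$gpoName  = 'Automatic Updates Policy'            # placeholder GPO name
$targetOu = 'OU=Workstations,DC=example,DC=com'   # placeholder OU to link to
$auKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$wuKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Create the GPO once and link it to the OU; a second run simply reuses it.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Hack #87: Automatic Updates via Group Policy'
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# 1. "Configure Automatic Updates": AUOptions 4 = download automatically and
#    install on a schedule; ScheduledInstallDay 0 = every day; hour 3 = 03:00.
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'NoAutoUpdate'         -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'AUOptions'            -Type DWord -Value 4 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'ScheduledInstallDay'  -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'ScheduledInstallTime' -Type DWord -Value 3 | Out-Null

# 2. "Specify intranet Microsoft update service location": only needed when
#    an internal SUS/WSUS server deploys the updates. Left Not Configured here.
$susServer = $null   # e.g. 'http://sus.example.com' (placeholder) when using SUS
if ($susServer) {
    Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'UseWUServer'    -Type DWord  -Value 1          | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $wuKey -ValueName 'WUServer'       -Type String -Value $susServer | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $wuKey -ValueName 'WUStatusServer' -Type String -Value $susServer | Out-Null
}

# 3. "Reschedule Automatic Updates scheduled installations": wait 5 minutes
#    after startup before installing overdue updates (the enabled default
#    described in the text; allowed range is 1 to 60 minutes).
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'RescheduleWaitTimeEnabled' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'RescheduleWaitTime'        -Type DWord -Value 5 | Out-Null

# 4. "No auto-restart for scheduled Automatic Updates installations": left
#    Not Configured (value absent) so scheduled reboots still happen. Setting
#    NoAutoRebootWithLoggedOnUsers to 1 would stop the forced reboot, but the
#    machine would then not detect new updates until someone reboots it.
Remove-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'NoAutoRebootWithLoggedOnUsers' -ErrorAction SilentlyContinue | Out-Null

# Show what the GPO now carries. Clients pick it up at the next refresh, or
# immediately after running gpupdate /force on the client.
Get-GPRegistryValue -Name $gpoName -Key $auKey | Format-Table ValueName, Type, Value -AutoSize
```

Because the values are written under HKLM\SOFTWARE\Policies, they land in Computer Configuration and override the local Control Panel settings exactly as the text describes; removing the GPO link (or the values) returns the machines to their locally configured settings after the next refresh and reboot.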



Some Recommendations




If you want to configure different Automatic Updates policies for
different users or computers, either create multiple GPOs, link each
to a different OU, and place users and computers into these OUs
accordingly, or filter the GPO settings to prevent their inheritance
by specific users, computers, or groups.


You can also check the Security log in Event Viewer if you want to
see whether the machine has been rebooted to install scheduled
updates. Look for the following Event IDs:



Event ID 21

"Restart Required: To complete the installation of
the following updates, the computer must be restarted. Until this
computer has been restarted, Windows cannot search for or download
new updates."

Event ID 22

"Restart Required: To complete the installation of
the following updates, the computer will be restarted within five
minutes. Until this computer has been restarted, Windows cannot
search for or download new updates."
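The check below is an added example, not code from the book. It searches the event logs for the two "Restart Required" events just listed and warns when a machine logged Event ID 21 but has not rebooted since, which is the situation the "No auto-restart" policy can leave a machine in. The text points at the Security log; the example also reads the System log, where later Windows versions record Windows Update Agent events. It assumes Windows PowerShell (Get-EventLog is not available in PowerShell 7) and that the event source name matches "Automatic Updates" or "Windows Update Agent".

```powershell
# Added example, not code from the book. Finds the "Restart Required" events
# (IDs 21 and 22) that Hack #87 says to look for and flags a machine that is
# still waiting for the reboot. Assumes Windows PowerShell (Get-EventLog).

function Get-AutomaticUpdatesRestartEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7
    )
    $since = (Get-Date).AddDays(-$Days)
    $meaning = @{
        21 = 'Updates installed; reboot required before new updates can be detected'
        22 = 'Updates installed; forced reboot within five minutes'
    }
    # The book names the Security log; later Windows versions log these
    # events in the System log, so both are searched.
    $found = foreach ($log in 'System', 'Security') {
        $entries = Get-EventLog -LogName $log -ComputerName $ComputerName -After $since -ErrorAction SilentlyContinue
        foreach ($e in $entries) {
            if (($e.EventID -eq 21 -or $e.EventID -eq 22) -and
                $e.Source -match 'Automatic Updates|Windows Update Agent') {
                [pscustomobject]@{
                    Log     = $log
                    Time    = $e.TimeGenerated
                    EventID = $e.EventID
                    Source  = $e.Source
                    Meaning = $meaning[[int]$e.EventID]
                }
            }
        }
    }
    return @($found | Sort-Object Time)
}

# Usage on the local machine: list the last 30 days, then warn if the most
# recent Event ID 21 is newer than the last boot, i.e. the reboot never came.
$events = Get-AutomaticUpdatesRestartEvents -Days 30
$events | Format-Table Time, Log, EventID, Meaning -AutoSize

$lastRestartRequired = $events | Where-Object { $_.EventID -eq 21 } | Select-Object -Last 1
if ($lastRestartRequired) {
    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    if ($lastBoot -lt $lastRestartRequired.Time) {
        Write-Warning ("Event 21 at {0} and no reboot since (last boot {1}): Automatic Updates " +
                       "cannot check for new updates until this machine restarts.") -f $lastRestartRequired.Time, $lastBoot
    }
}
```

Running this against the machines in an OU (pass -ComputerName) gives a quick list of hosts whose update detection is stalled behind a pending reboot, which is exactly the downside the text attributes to enabling "No auto-restart for scheduled Automatic Updates installations".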





Digging Deeper




There's another policy that controls how Automatic
Updates works, but it's not found under Computer
Configuration. Instead, it's found in User
Configuration → Administrative Templates → Windows Components →
Windows Update → "Remove access to use all Windows Update features."


This policy prevents the currently logged-on user from opening the
Windows Update web site in Internet Explorer in order to manually
download and install updates on his machine. Actually, when you try to
open the site, an "Access Denied" page appears,
explaining that a policy is preventing you from using it.
Enabling this policy also has the effect of preventing Automatic
Updates from notifying users when new updates are ready to install.
In other words, no notification icon will appear in the status area
to inform you that updates are ready to install. Finally, even local
administrators on the machine are affected by this policy! And domain
administrators are affected too!


So, why would you want to use this policy? While it prevents users
from visiting Windows Update or interacting with Windows Update, it
doesn't prevent Automatic
Updates from operating if the feature has been configured at the
computer level by using the policies discussed in the previous
section. This is because this setting is a per-user policy, not a
per-machine one, so it affects only users; it
doesn't affect configuration done at the machine
level.


Enabling this policy might be a good idea, because it prevents users
from trying to download and install updates on their own, even if
they have administrative privileges.




While this policy is present on Windows 2000, Microsoft says it works
only on Windows XP and Windows Server 2003. But my own experience is
that it also works on Windows 2000.



While this policy prevents users from using the Windows Update site,
it still leaves the Windows Update icon in the Start menu, tempting
users to explore and see what it does. You can remove this icon from
the Start menu by enabling another policy: User
Configuration → Administrative Templates → Start Menu & Taskbar →
"Disable and remove links to Windows Update."


This removes even users' temptation to try to keep
their machines up-to-date by themselves. Administrators would do well
to use such policies and to explore similar restrictions on user
activity provided by Group Policy.
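The report below is an added example, not code from the book. Run on a client as the user in question, it reads the registry values behind the two per-user policies from this section and the machine-level "Configure Automatic Updates" setting from the earlier section, and states in one line who is restricted and what still runs, which makes the per-user versus per-machine distinction above concrete. It assumes PowerShell is available and that the policies write the values Microsoft documents for them: DisableWindowsUpdateAccess under the per-user WindowsUpdate policy key for "Remove access to use all Windows Update features", NoWindowsUpdate under the per-user Explorer policy key for the Start menu link, and AUOptions/NoAutoUpdate under the machine AU policy key.

```powershell
# Added example, not code from the book. Reports the per-user Windows Update
# restrictions from "Digging Deeper" next to the machine-level Automatic
# Updates schedule, for the account running the script. Assumes the policies
# write the Microsoft-documented registry values named in the comments.

function Get-RegistryPolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the value is absent, i.e. the policy is Not Configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-WindowsUpdateAccessReport {
    $userWuKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'
    $explorerKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $machineAuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

    # User Configuration: "Remove access to use all Windows Update features"
    $siteBlocked = (Get-RegistryPolicyValue $userWuKey 'DisableWindowsUpdateAccess') -eq 1
    # User Configuration: "Disable and remove links to Windows Update"
    $linkRemoved = (Get-RegistryPolicyValue $explorerKey 'NoWindowsUpdate') -eq 1
    # Computer Configuration: "Configure Automatic Updates" (AUOptions 4 = scheduled install)
    $auOptions    = Get-RegistryPolicyValue $machineAuKey 'AUOptions'
    $noAutoUpdate = Get-RegistryPolicyValue $machineAuKey 'NoAutoUpdate'
    $scheduled    = ($auOptions -eq 4) -and ($noAutoUpdate -ne 1)

    # The per-user policy applies to whoever is logged on; being a local or
    # domain administrator does not exempt the account, as the text notes.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $summary = if ($siteBlocked -and $scheduled) {
        'User cannot visit Windows Update or see update notifications; the machine still downloads and installs on its schedule'
    } elseif ($siteBlocked) {
        'User is blocked from Windows Update and no machine-level schedule is set; updates will not be installed until Computer Configuration sets one'
    } elseif ($scheduled) {
        'User may use Windows Update manually; the machine also installs on its schedule'
    } else {
        'No Group Policy restriction or schedule in effect; local Control Panel settings apply'
    }

    [pscustomobject]@{
        User                      = "$env:USERDOMAIN\$env:USERNAME"
        UserIsAdministrator       = $isAdmin
        WindowsUpdateSiteBlocked  = $siteBlocked
        StartMenuLinkRemoved      = $linkRemoved
        UpdateNotificationsShown  = -not $siteBlocked
        MachineInstallsOnSchedule = $scheduled
        Summary                   = $summary
    }
}

Get-WindowsUpdateAccessReport | Format-List
```

The second branch of the summary is the case to watch for: the per-user policy alone removes the user's ability to patch the machine, so it should only be rolled out together with a machine-level schedule, otherwise nothing installs updates at all.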


