Use Group Policy to simplify the configuration of Automatic Updates in an Active Directory environment.
Configuring Automatic Updates is a lot of work if you have to do it separately on every machine on your network. Fortunately, in an Active Directory environment, you can use Group Policy to simplify the job.
First, open an existing Group Policy Object (GPO), such as the Default Domain Policy, or create a new GPO and link it to the appropriate domain, organizational unit (OU), or site. Then, add the wuau.adm template to the GPO so that the Group Policy settings for Automatic Updates will be added to your GPO. This is done as follows.
These steps are unnecessary if you have Windows Server 2003.
Begin by expanding Computer Configuration to show Administrative Templates. Next, right-click on Administrative Templates, select Add/Remove Template, click Add, select wuau.adm from the list of templates in the %Windir%\Inf folder, click Open, and then click Close.
Now, configure the GPO settings for Automatic Updates by expanding Computer Configuration→Administrative Templates→Windows Components and selecting Windows Update in the pane on the left, as shown in Figure 2-1.
Let’s dig into what the various settings in Figure 2-1 mean. The first setting, “Configure Automatic Updates,” lets you perform basic configuration of Automatic Updates for computers in the domain, OU, or site to which the GPO is linked. The options here are the same as the options available when you manually configure the feature using the Control Panel’s Automatic Updates utility (Windows 2000) or System utility (Windows Server 2003 and Windows XP). The next setting, “Specify intranet Microsoft update service location,” applies only if you plan on using Software Update Services (SUS) to deploy updates.
The “Reschedule Automatic Updates scheduled installations” option determines how long Automatic Updates will wait after the computer restarts before installing updates that have already been downloaded and are past the scheduled time for installation. The value ranges from 1 to 60 (minutes); the default is 1 if the setting is not configured and 5 when the policy is enabled. Disabling this policy defers the installation of overdue updates until the next scheduled installation day and time.
Finally, “No auto-restart for scheduled Automatic Updates installations” determines whether the logged-on user will be forcibly logged off in order to complete the installation process when a reboot is required. Enabling this policy means that machines will not be forcibly rebooted. While this might seem like a good idea (so users won’t lose their work), it does have a downside: Automatic Updates won’t be able to check the Windows Update web site for new updates until the machine is rebooted.
Enabling these policy settings will override any configuration of Automatic Updates that was done locally using the Control Panel and will prevent you from making such changes locally, even as an administrator. However, changing these policy settings back to Not Configured will restore the manual settings previously configured for Automatic Updates (though a reboot is required). And while changes made to these policies are automatically applied to client computers every 90 minutes (plus a random offset of up to 30 minutes), you can test the settings immediately by forcing a policy refresh with the command secedit /refreshpolicy machine_policy on Windows 2000 or gpupdate /force on Windows Server 2003.
If you want to configure different Automatic Updates policies for different users or computers, you have two options: (1) create multiple GPOs, link each to a different OU, and place users and computers into these OUs accordingly; or (2) filter the GPO settings to prevent their inheritance by specific users, computers, or groups.
You can also check the Security log in the Event Viewer if you want to see whether the machine has been rebooted to install scheduled updates. Look for events with the following descriptions:
“Restart Required: To complete the installation of the following updates, the computer must be restarted. Until this computer has been restarted, Windows cannot search for or download new updates.”
“Restart Required: To complete the installation of the following updates, the computer will be restarted within five minutes. Until this computer has been restarted, Windows cannot search for or download new updates.”
There’s another policy that controls how Automatic Updates works, but it’s not found under Computer Configuration. Instead, it’s found at User Configuration→Administrative Templates→Windows Components→Windows Update→“Remove access to use all Windows Update features.”
This policy prevents the currently logged-on user from opening the Windows Update web site in Internet Explorer, in order to manually download and install updates on his machine. When the user attempts to access the URL http://windowsupdate.microsoft.com, an “Access Denied” page appears, explaining that a policy is preventing him from using the site. Enabling this policy also has the effect of preventing Automatic Updates from notifying users when new updates are ready to install. In other words, no notification icon will appear in the status area to inform the logged-on user that updates are ready to install. Even local administrators on the machine are affected by this policy, as are domain administrators.
So, why would you want to use this policy? While it prevents users from visiting or interacting with the Windows Update site, it doesn’t prevent Automatic Updates from operating if the feature has been configured at the computer level using the policies discussed in the previous section. This is because this setting is a per-user policy, not a per-machine one. In other words, it affects only users; it doesn’t affect configuration done at the machine level.
Enabling this policy might be a good idea, because it prevents users from trying to download and install updates on their own, even if they have administrative privileges.
Microsoft says that this policy works only on Windows XP and Windows Server 2003, but in my experience it also works on Windows 2000.
While this policy prevents users from using the Windows Update site, it still leaves the Windows Update icon in the Start menu, tempting users to explore and see what it does. You can remove this icon from the Start menu by enabling another policy: User Configuration→Administrative Templates→Start Menu & Taskbar→“Disable and remove links to Windows Update.”
This removes all temptation for users to try to keep their machines up-to-date by themselves. Administrators would do well to use such policies and to explore similar restrictions on user activity provided by Group Policy.
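Group Policy applies the computer-level settings above by writing values under the HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate key (and its AU subkey), and the per-user “Remove access” policy under HKCU. The following audit script is an added example, not part of the original text; after a policy refresh it reads those values on a client and reports the effective Automatic Updates configuration, so you can confirm the GPO actually applied. It assumes PowerShell is available on the client (a newer Windows version than those named above) and that the value names follow Microsoft's documented policy-to-registry mappings.

```powershell
# Added example: audit the Automatic Updates policy state that Group Policy
# writes to the registry. Run after "gpupdate /force" to confirm the GPO applied.
# Assumes PowerShell is available; value names follow Microsoft's documented
# Windows Update policy registry mappings.

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'
$userWuKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value is absent (policy "Not Configured").
    if (-not (Test-Path $Key)) { return $null }
    return (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-AutomaticUpdatesPolicy {
    $auOptions = Get-PolicyValue $auKey 'AUOptions'
    # AUOptions values set by the "Configure Automatic Updates" policy.
    $modes = @{ 2 = 'Notify before download'; 3 = 'Download, notify before install';
                4 = 'Download and schedule install'; 5 = 'Let local admin choose' }
    $result = [ordered]@{
        PolicyConfigured       = [bool]$auOptions
        Mode                   = $(if ($auOptions) { $modes[[int]$auOptions] }
                                   else { 'Not configured (local Control Panel settings apply)' })
        DisabledByPolicy       = ((Get-PolicyValue $auKey 'NoAutoUpdate') -eq 1)
        ScheduledInstallDay    = Get-PolicyValue $auKey 'ScheduledInstallDay'   # 0 = daily, 1-7 = Sun-Sat
        ScheduledInstallTime   = Get-PolicyValue $auKey 'ScheduledInstallTime'  # hour, 0-23
        RescheduleWaitMinutes  = Get-PolicyValue $auKey 'RescheduleWaitTime'    # 1-60; absent = not configured
        NoAutoRestartWithUsers = ((Get-PolicyValue $auKey 'NoAutoRebootWithLoggedOnUsers') -eq 1)
        UseIntranetServer      = ((Get-PolicyValue $auKey 'UseWUServer') -eq 1)
        IntranetServer         = Get-PolicyValue $wuKey 'WUServer'
        # Per-user "Remove access to use all Windows Update features" (current user only).
        UserWUAccessRemoved    = ((Get-PolicyValue $userWuKey 'DisableWindowsUpdateAccess') -eq 1)
    }
    return [pscustomobject]$result
}

$policy = Get-AutomaticUpdatesPolicy
$policy | Format-List

# Surface the trade-offs the text describes so they are not overlooked.
if ($policy.NoAutoRestartWithUsers) {
    Write-Warning 'No auto-restart is enabled: a pending reboot blocks new update checks until someone restarts.'
}
if ($policy.UseIntranetServer -and -not $policy.IntranetServer) {
    Write-Warning 'UseWUServer is set but no WUServer URL is configured; clients will not reach the SUS server.'
}
```

Run it under an account in the OU the GPO targets; PolicyConfigured reporting $false after gpupdate means the template settings never reached this machine, which is the first thing to check before suspecting the Automatic Updates service itself.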
Mitch Tulloch