Hack 86 Use Automatic Updates Effectively


Automatic Updates is an easy way to ensure that your Windows servers are properly patched against critical vulnerabilities, but there are some nuances to using it effectively.

The other day, a power blackout temporarily knocked out my company's servers. I should have tested the UPS more often, but you know how it is. Anyway, when the power came back on, the servers rebooted. I was sitting at the console of one of them, about to log on, when the server suddenly rebooted itself again. Virus? Disk problem? I stared at the screen, worried for a moment, and then suddenly realized: Automatic Updates! Whew!

Automatic Updates is a patch-management feature that replaces the earlier Critical Update Notification utility, which you used to download from Microsoft's web site for Windows 98 or later. Microsoft first made Automatic Updates available for download for Windows 2000 systems running Service Pack 2. Later, when Service Pack 3 was released, Automatic Updates was included as a component of that service pack. Automatic Updates is also included on both the Windows Server 2003 and Windows XP platforms. Automatic Updates lets administrators schedule the automatic downloading and installation of critical security updates from Microsoft's Windows Update web site, so administrators no longer need to use Windows Update to keep their systems patched manually.

Using Automatic Updates

The way you configure Automatic Updates depends on your platform. On Windows Server 2003 and Windows XP Service Pack 1, use Control Panel → System and select the Automatic Updates tab. On Windows 2000 Service Pack 3 or later, use Control Panel → Automatic Updates.

Whichever platform you use, the configuration options are the same. Figure 9-3 shows the configuration options for Windows Server 2003.

Figure 9-3. Automatic Updates feature in Windows Server 2003

The checkbox lets you enable or disable Automatic Updates on the machine. By default, Automatic Updates is enabled and the second option under Settings is selected. The three Settings options represent different levels of automation.

The first option, "Notify me before downloading any updates and notify me again before installing them on my computer", is the least automated solution. Windows automatically checks the Windows Update web site for new updates shortly after system startup and every 22 hours thereafter (minus a random offset of up to 5 hours). If new updates are available for download, a notification message appears above the status area at the bottom right of the logged-on user's desktop. However, only administrators can download and install these updates.

If the second option, "Download the updates automatically and notify me when they are ready to be installed", is selected, Windows automatically checks for new updates according to the schedule described previously. But this time, if updates are found, they are automatically downloaded in the background. Once downloading is complete, a notification message asks if you want to install them.

The third option, "Automatically download the updates, and install them on the schedule that I specify", is the most automated solution for keeping your system up-to-date with critical security patches. Windows still checks for new updates according to the previously described schedule, but it then allows you to schedule when downloaded updates should be automatically installed. You can schedule installation of updates every day or once a week at a time of your choosing (the default time, 3:00 a.m., is a good choice, because system and user activity is usually low then).

What actually happens when the scheduled time arrives depends on who, if anyone, is logged on. If a user is logged on at the scheduled installation time, a notification message gives the user five minutes to log off before installation starts. By default, the machine reboots when these five minutes are up, but this behavior can be changed by editing the Registry (we'll see how in a moment). On the other hand, if the user is an administrator, he has the option of declining installation until the next scheduled day and time. If no one is logged on to the machine, the updates are installed automatically and, if necessary, the machine reboots (this is usually the case). Finally, if the machine is down when the scheduled time occurs, installation of updates commences approximately one minute after the machine finishes booting (this time interval can also be changed only by editing the Registry).

If you choose one of the first two methods, a list of available updates is displayed and you can download and/or install only the updates you choose by deselecting the updates you want to decline. If you choose the third option, everything is automatic. Which approach is best? While keeping your systems up-to-date with the latest patches is important, there have been occasions when a patch has broken one feature while fixing another, resulting in systems freezing up or becoming unstable. On critical servers, it's probably best to download updates automatically but not install them until you've had a chance to install them on a test machine to ensure that no system problems or application incompatibilities result. We'll talk about how you can do this in a moment.

There's another reason for not using the fully automated option on critical servers: Microsoft sometimes releases multiple patches at a time, and if you install all of them and the machine becomes unstable, it's hard to trace which patch caused the problem. I suggest that when multiple patches become available and you've tested them, use the following hack to safely install them on your critical servers.

First, click the Automatic Updates notification icon in the status area and click Details to display a list of available updates, as shown in Figure 9-4. Deselect all the patches in the list except the one you want to install first. This will download and/or install only the selected patch (if you're installing updates that have already been downloaded, it will delete all other downloaded updates from your system). Note that the declined patches will not be displayed in future lists generated by Automatic Updates, but by clicking the Declined Updates button (see Figure 9-3 again) you can choose to have Windows notify you again about the updates you declined so you can download/install them later. Once you've installed the first update on your production system and verified it hasn't caused any negative effect, repeat the process to install the second update, third update, and so on.

Figure 9-4. List of downloaded updates ready to be installed

The main downside of this hack is that your system might require extra reboots. The advantage is that it's safer and helps you pinpoint the source of any problems that arise. For more details on how to keep Windows systems patched and up-to-date, see [Hack #79].

To remove an installed update that's causing problems, go to Control Panel → Add or Remove Programs → Change or Remove Programs and uninstall the offending update.

Hacking Automatic Updates

While basic configuration of Automatic Updates is done through the GUI, you can tweak it further by hacking the Registry. This approach is useful mainly in a workgroup environment; to learn how to configure Automatic Updates in an Active Directory environment, see [Hack #87].

To configure Automatic Updates by hacking the Registry, run regedit.exe and find the following key:

HKLM\Software\Policies\Microsoft\Windows

Under this key, add a subkey named WindowsUpdate, and under that key add a subkey named AU:

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Then, populate this key with the following values and assign them data values as desired (all of them are of type REG_DWORD). First, the NoAutoUpdate value determines whether Automatic Updates is enabled (0) or disabled (1) on your system. The AUOptions value then determines which of the three scheduling options is used: a value of 2 causes Windows to notify you before downloading updates, a value of 3 automatically downloads updates but notifies you before installing them, and a value of 4 automatically downloads and installs updates without user intervention.

The ScheduledInstallDay value determines the day on which downloaded updates are installed when AUOptions has a data value of 4. A value of 0 for ScheduledInstallDay means that downloaded updates are installed every day, while values 1 through 7 mean that updates are installed once a week on Sunday (1) through Saturday (7), respectively. The ScheduledInstallTime value determines the time at which downloaded updates are installed when AUOptions has a data value of 4. ScheduledInstallTime can have any integral data value from 0 through 23, representing the hours of midnight through 11 p.m., respectively.

The offset time, in minutes, that Automatic Updates waits after the computer restarts before it tries installing overdue updates is determined by RescheduleWaitTime and can range from 1 to 60 (1 is the default). The NoAutoRebootWithLoggedOnUsers value determines whether Automatic Updates is allowed to reboot (0) or prevented from rebooting (1) the machine to complete the installation of updates when a user is currently logged on to the machine. Note that if you set the value of NoAutoRebootWithLoggedOnUsers to 1, Automatic Updates won't be able to check the Windows Update site for new updates until the system is rebooted.

Finally, if UseWUServer is set to 1, the computer will obtain updates from an internal SUS server instead of from the Windows Update web site. Note that this value applies only when Software Update Services (SUS) is being used to deploy critical updates across your network.

Once you've made these Registry modifications, they won't take effect until you reboot your machine. After rebooting, if you try to configure Automatic Updates using the GUI, you'll see that all the options are grayed out, even if you're an administrator. Don't worry, though; just delete the HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate key and its contents, reboot, and you'll again be able to configure Automatic Updates by using the GUI!
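As an added example (not from the book), the PowerShell script below writes the policy values described above and then reads them back and decodes them, so you can audit what a machine is actually configured to do before relying on it. It assumes PowerShell with the HKLM: drive and an elevated prompt; the key path, value names and meanings are the ones given in the text.

```powershell
# Added example (not from the book): write and audit the Automatic Updates policy
# values described in the text. Assumes PowerShell, run from an elevated prompt,
# because the key lives under HKLM\Software\Policies. Changes take effect after a reboot.
$AUKey = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Meanings of the REG_DWORD values, as given in the text.
$AUOptionNames = @{ 2 = 'Notify before download'
                    3 = 'Auto-download, notify before install'
                    4 = 'Auto-download and install on schedule' }
$DayNames = @{ 0 = 'Every day'; 1 = 'Sunday'; 2 = 'Monday'; 3 = 'Tuesday'
               4 = 'Wednesday'; 5 = 'Thursday'; 6 = 'Friday'; 7 = 'Saturday' }

function Set-AUPolicy {
    # Defaults: auto-download, install Sundays at 3 a.m., never reboot with a user logged on.
    param(
        [int]$AUOptions = 4,
        [int]$ScheduledInstallDay = 1,
        [int]$ScheduledInstallTime = 3,
        [int]$NoAutoRebootWithLoggedOnUsers = 1,
        [int]$RescheduleWaitTime = 1
    )
    if (-not (Test-Path $AUKey)) { New-Item -Path $AUKey -Force | Out-Null }
    $values = @{
        NoAutoUpdate                  = 0
        AUOptions                     = $AUOptions
        ScheduledInstallDay           = $ScheduledInstallDay
        ScheduledInstallTime          = $ScheduledInstallTime
        NoAutoRebootWithLoggedOnUsers = $NoAutoRebootWithLoggedOnUsers
        RescheduleWaitTime            = $RescheduleWaitTime
    }
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $AUKey -Name $name -Value $values[$name] -Type DWord
    }
}

function Get-AUPolicy {
    # Decode the stored values; an unknown AUOptions number is reported rather than guessed.
    if (-not (Test-Path $AUKey)) { return 'No policy key present: GUI settings apply.' }
    $p = Get-ItemProperty -Path $AUKey
    $mode = if ($AUOptionNames.ContainsKey([int]$p.AUOptions)) { $AUOptionNames[[int]$p.AUOptions] }
            else { "Unknown AUOptions value $($p.AUOptions)" }
    [pscustomobject]@{
        Enabled            = ($p.NoAutoUpdate -ne 1)
        Mode               = $mode
        InstallDay         = $DayNames[[int]$p.ScheduledInstallDay]
        InstallHour        = $p.ScheduledInstallTime
        RebootWithUserOn   = ($p.NoAutoRebootWithLoggedOnUsers -ne 1)
        RescheduleWaitMins = $p.RescheduleWaitTime
        UsesSUSServer      = ($p.UseWUServer -eq 1)
    }
}

Set-AUPolicy
Get-AUPolicy | Format-List
```

Running only Get-AUPolicy on a machine is a quick way to confirm that the policy values are what you intended before the grayed-out GUI stops you from checking them the usual way.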