Hack 87 Use Group Policy to Configure Automatic Updates


Use Group Policy to simplify the configuration of Automatic Updates in an Active Directory environment.

Configuring Automatic Updates [Hack #86] is a lot of work if you have to do it separately on every machine on your network. Fortunately, in an Active Directory environment, you can use Group Policy to simplify the job.

First, open an existing Group Policy Object (GPO), such as the Default Domain Policy, or create a new GPO and link it to the appropriate domain, organizational unit (OU) or site. Then, add the wuau.adm template to the GPO so that the Group Policy settings for Automatic Updates will be added to your GPO. This is done as follows (note that these steps are unnecessary if you have Windows Server 2003). Begin by expanding Computer Configuration to show Administrative Templates. Then, right-click on Administrative Templates, select Add/Remove Template, click Add, select wuau.adm from the list of templates in the %Windir%\Inf folder, click Open, and then click Close.

Now, configure the GPO settings for Automatic Updates by expanding Computer Configuration → Administrative Templates → Windows Components and selecting Windows Update in the pane on the left, as shown in Figure 9-5.

Figure 9-5. Using Group Policy to configure Automatic Updates

Let's dig into what the various settings in Figure 9-5 mean. The first setting, "Configure Automatic Updates," lets you perform basic configuration of Automatic Updates for computers in the domain, OU, or site to which the GPO is linked. The options here are the same as the options available when you manually configure the feature using Control Panel's Automatic Updates utility (Windows 2000) or System utility (Windows Server 2003 and Windows XP); refer to Figure 9-3 for details. The next setting, "Specify intranet Microsoft update service location," applies only if you plan on using Software Update Services (SUS) to deploy updates.

The "Reschedule Automatic Updates scheduled installations" option determines how long Automatic Updates waits after the computer restarts before installing updates that have already been downloaded and are past their scheduled installation time. The value is in minutes and ranges from 1 to 60; the default is 1 if the setting is not configured and 5 when the policy is enabled. If you disable this policy, the installation of overdue updates is deferred until the next scheduled installation day and time.

Finally, "No auto-restart for scheduled Automatic Updates installations" determines whether the logged-on user will be forcibly logged off in order to complete the installation process when a reboot is required. Enabling the policy means that machines will not be forcibly rebooted. While this would seem like a good idea (so users won't lose their work), it does have a downside: Automatic Updates won't be able to check the Windows Update web site for new updates until the machine is rebooted.

Enabling these policy settings will override any configuration of Automatic Updates that was done locally using Control Panel and will prevent you from making such changes locally, even as an administrator (the options in the properties sheet of Figure 9-3 would be grayed out). However, changing these policy settings back to Not Configured will restore the manual settings previously configured for Automatic Updates (though a reboot is required). And while changes made to these policies are automatically applied to client computers every 90 minutes (plus a random offset of up to 30 minutes), you can test the settings immediately by forcing a policy refresh with the command secedit /refreshpolicy machine_policy on Windows 2000 or gpupdate /force on Windows Server 2003.
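Once a GPO with these settings has been applied, you can confirm on a client what actually arrived rather than trusting the console. The following PowerShell script is an added example, not code from the book: it reads the machine-level policy values that the Windows Update template writes and reports each of the settings discussed above in plain language. The registry paths and value names (AU key, AUOptions, RescheduleWaitTime, NoAutoRebootWithLoggedOnUsers, WUServer) are my assumptions from the wuau.adm template; the hack itself gives only the GPO names.

```powershell
# Added example: audit the machine-level Automatic Updates policy on a client.
# Registry locations and value names are assumed from the wuau.adm template.
param([switch]$Refresh)   # -Refresh runs gpupdate /force before auditing

$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the policy is Not Configured (the value is absent).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

if ($Refresh) { gpupdate /force | Out-Null }   # don't wait for the 90-minute cycle

# AUOptions values, matching the choices in "Configure Automatic Updates"
$auOptionText = @{
    2 = 'Notify before download'
    3 = 'Auto download, notify before install'
    4 = 'Auto download and schedule install'
}

$noAutoUpdate = Get-PolicyValue $auKey 'NoAutoUpdate'
$auOptions    = Get-PolicyValue $auKey 'AUOptions'
$installDay   = Get-PolicyValue $auKey 'ScheduledInstallDay'   # 0 = every day, 1..7 = Sun..Sat
$installTime  = Get-PolicyValue $auKey 'ScheduledInstallTime'  # hour of day, 0..23
$reschedule   = Get-PolicyValue $auKey 'RescheduleWaitTime'    # minutes, 1..60
$noReboot     = Get-PolicyValue $auKey 'NoAutoRebootWithLoggedOnUsers'
$wuServer     = Get-PolicyValue $wuKey 'WUServer'

if ($null -eq $auOptions -and $null -eq $noAutoUpdate) {
    Write-Output 'Configure Automatic Updates: Not Configured (local Control Panel settings apply)'
} elseif ($noAutoUpdate -eq 1) {
    Write-Output 'Configure Automatic Updates: Disabled by policy'
} else {
    $text = $auOptionText[[int]$auOptions]
    Write-Output "Configure Automatic Updates: Enabled, option $auOptions ($text)"
    if ($auOptions -eq 4) { Write-Output "  Scheduled install: day=$installDay hour=$installTime" }
}

$susText = if ($wuServer) { $wuServer } else { 'not set (updates come from Windows Update)' }
Write-Output "Intranet update service location (SUS): $susText"

# Reschedule wait: the policy accepts 1..60 minutes; flag anything else
if ($null -eq $reschedule) {
    Write-Output 'Reschedule wait: Not Configured (overdue installs run 1 minute after startup)'
} elseif ($reschedule -ge 1 -and $reschedule -le 60) {
    Write-Output "Reschedule wait: $reschedule minute(s) after startup"
} else {
    Write-Warning "RescheduleWaitTime=$reschedule is outside the 1..60 range the policy allows"
}

$rebootText = if ($noReboot -eq 1) { 'Enabled (no forced reboot; no new update checks until rebooted)' }
              else { 'Disabled or Not Configured (forced reboot after install)' }
Write-Output "No auto-restart for scheduled installations: $rebootText"
```

Run it on a client as an administrator after linking the GPO; if every line reports "Not Configured" the template either was not added to the GPO or the policy has not refreshed yet, which the -Refresh switch rules out.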

Some Recommendations

If you want to configure different Automatic Updates policies for different users or computers, either create multiple GPOs, link each to a different OU, and place users and computers into these OUs accordingly, or filter the GPO settings to prevent their inheritance by specific users, computers, or groups.

You can also check the Security log in Event Viewer if you want to see whether the machine has been rebooted to install scheduled updates. Look for the following Event IDs:

Event ID 21

"Restart Required: To complete the installation of the following updates, the computer must be restarted. Until this computer has been restarted, Windows cannot search for or download new updates."

Event ID 22

"Restart Required: To complete the installation of the following updates, the computer will be restarted within five minutes. Until this computer has been restarted, Windows cannot search for or download new updates."

Digging Deeper

There's another policy that controls how Automatic Updates works, but it's not found under Computer Configuration. Instead, it's found in User Configuration → Administrative Templates → Windows Components → Windows Update → "Remove access to use all Windows Update features."

This policy prevents the currently logged-on user from opening the Windows Update web site in Internet Explorer, in order to manually download and install updates on his machine. Actually, when you open windowsupdate.microsoft.com, an "Access Denied" page appears, explaining that a policy is preventing you from using the site. Enabling this policy also has the effect of preventing Automatic Updates from notifying users when new updates are ready to install. In other words, no notification icon will appear in the status area to inform you that updates are ready to install. Finally, even local administrators on the machine are affected by this policy! And domain administrators are affected too!

So, why would you want to use this policy? While it prevents users from visiting Windows Update or interacting with Windows Update, it doesn't prevent Automatic Updates from operating if the feature has been configured at the computer level by using the policies discussed in the previous section. This is because this setting is a per-user policy, not a per-machine one, so it affects only users; it doesn't affect configuration done at the machine level.

Enabling this policy might be a good idea, because it prevents users from trying to download and install updates on their own, even if they have administrative privileges.

While this policy is present on Windows 2000, Microsoft says it works only on Windows XP and Windows Server 2003. But my own experience is that it also works on Windows 2000.

While this policy prevents users from using the Windows Update site, it still leaves the Windows Update icon in the Start menu, tempting users to explore and see what it does. You can remove this icon from the Start menu by enabling another policy: User Configuration → Administrative Templates → Start Menu & Taskbar → "Disable and remove links to Windows Update."
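Because these two settings live in User Configuration, the place to verify them is the logged-on user's hive, and the useful check is the one this section keeps coming back to: the user (administrator or not) is blocked, while the machine-level Automatic Updates policy keeps running. The following PowerShell script is an added example, not from the book; the per-user registry locations (DisableWindowsUpdateAccess under the user's WindowsUpdate policy key and NoWindowsUpdate under the Explorer policy key) and the machine-level AU key are my assumptions from the policy templates.

```powershell
# Added example: show the per-user Windows Update restrictions for the current
# user next to the machine-level Automatic Updates policy. Registry locations
# are assumed from the policy templates, not taken from the hack text.
param([switch]$Refresh)   # -Refresh pulls the latest user policy first

$wuUserKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$auKey       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the policy is Not Configured for this user/machine
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

if ($Refresh) { gpupdate /target:user /force | Out-Null }

$noAccess  = Get-PolicyValue $wuUserKey   'DisableWindowsUpdateAccess'  # "Remove access to use all Windows Update features"
$noLinks   = Get-PolicyValue $explorerKey 'NoWindowsUpdate'             # "Disable and remove links to Windows Update"
$auOptions = Get-PolicyValue $auKey       'AUOptions'                   # machine-level "Configure Automatic Updates"

$user    = "$env:USERDOMAIN\$env:USERNAME"
$isAdmin = ([Security.Principal.WindowsPrincipal] `
            [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
            [Security.Principal.WindowsBuiltInRole]::Administrator)

Write-Output "User: $user (local administrator: $isAdmin)"

if ($noAccess -eq 1) {
    Write-Output '  Windows Update site: blocked ("Access Denied" page); no update-ready notification icon'
    if ($isAdmin) { Write-Output '  Note: the block applies even though this user is an administrator' }
} else {
    Write-Output '  Windows Update site: allowed (policy Not Configured or Disabled)'
}

if ($noLinks -eq 1) { Write-Output '  Start menu Windows Update link: removed' }
else                { Write-Output '  Start menu Windows Update link: present' }

# The per-user policies do not touch the machine-level engine
if ($null -ne $auOptions) {
    Write-Output "  Machine-level Automatic Updates: still enabled (AUOptions=$auOptions); updates continue to install"
} else {
    Write-Output '  Machine-level Automatic Updates: Not Configured by policy'
}
```

Running this as a member of Domain Admins on a machine where the user policy is enabled shows the point of the section at a glance: the site block and the missing Start menu link are reported for the administrator, and the AUOptions line confirms that scheduled installs are unaffected.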

This removes even users' temptation to try to keep their machines up-to-date by themselves. Administrators would do well to use such policies and to explore similar restrictions on user activity provided by Group Policy.