MIT Windows Automatic Update Service: Windows 2000 Domain Machines

Administrator Control via Policies

Automatic Updates can be enabled by configuring Group Policy settings in an Active Directory environment. Administrator-defined configuration options driven by Group Policy always take precedence over user-defined options. In addition, Automatic Updates Control Panel options are disabled on the target computer when administrative policies have been set. By using this service, you agree to have your patch installation statistics recorded by the server. These statistics are extremely useful to IS&T to determine what percent of the Windows user community is protected when high-profile vulnerabilities arise.

Configuring Automatic Updates Setting
This Group Policy setting (located in Computer Configuration\Administrative Templates\Windows Components\Windows Update) specifies whether this computer receives security updates and other important downloads through Automatic Updates. When enabled, it also specifies the download and installation behavior, just like the user options in Control Panel. See Figure 5.


Figure 5. Group Policy setting to configure Automatic Updates service

If the Automatic Updates service is enabled via this Group Policy setting, one of the following three options must be set (in the drop-down menu below Configure Automatic Updating):

  • Notify for download and notify for install. This option notifies a logged-on administrative user prior to the download and prior to the installation of the updates.

  • Auto download and notify for install. This option automatically begins downloading updates and then notifies a logged-on administrative user prior to installing the updates.

  • Auto download and schedule the install. Typically, if Automatic Updates is configured to perform a scheduled installation, the recurring scheduled installation day and time is also set.

Possible options for scheduled installation days and times are:

  • Day: Every day or Every Sunday to Every Saturday
  • Time: 12 A.M. to 11 P.M. in 24-hour format (00:00 to 23:00)

Note: Setting the policy to perform scheduled installations disables the Remind Me Later button in the Ready to Install Update dialog box. If this policy is disabled, Automatic Updates does not perform system updating, and available updates must be downloaded and installed manually or by going to Microsoft's Windows Update site.

Important: If the Remove access to use all Windows Update features Group Policy setting (located in User Configuration\Administrative Templates\Windows Components\Windows Update) is enabled, Automatic Updates is disabled for that logged-on user. Because this is a user-based value, it makes a local administrator appear as a non-administrator, so that user cannot install updates. With this policy enabled, Automatic Updates still runs and, if configured as such, a scheduled installation can still occur.

Configuring your container to run Software Update Services
Administrators can use Group Policy in an Active Directory environment or can configure registry keys to specify a server running Software Update Services. Computers running Automatic Updates then use this specified server to get updates. Administrators can also use a Web server to log statistical information from Automatic Updates about updates that have been downloaded and their installation status. These statistics are sent using the HTTP protocol, so the Web server can collect this information in its logs. The statistics server must be a computer running IIS 5.0 or greater with logging enabled.

For the MIT service, set both of these values (the update server and the statistics server) to http://sus.mit.edu.

Figure 6. Group Policy setting to specify your server running Software Update Services

If you specify a server running Software Update Services, computers running Automatic Updates use that server for updates. If you do not specify a server running Software Update Services, Automatic Updates gets updates from the public Windows Update service.
 
If you specify a server running Software Update Services and specify a Web server for collecting statistics, computers running Automatic Updates send success or failure information about the download and installation status to the log files of the Web server.

Note: Both the server running Software Update Services and the statistics server can be the same computer.
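Because these settings can also be applied through registry keys, a machine's effective policy can be checked from an exported copy of the policy key. The following is an added example, not part of the original page or of MIT's tooling: it audits `reg export` text against the options described above. The registry value names are those written by Microsoft's Windows Update policy and are not listed on this page, and the sample export is constructed.

```python
import re
# Policy registry keys written by the Windows Update template (Wuau.adm).
WU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE"
AU_KEY = WU_KEY + r"\AU"
EXPECTED_SERVER = "http://sus.mit.edu"  # value this page gives for both settings
VALUE_RE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Parse .reg export text into {UPPERCASED_KEY: {value_name: int | str}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name, dword, string = m.groups()
            current[name] = int(dword, 16) if dword else string
    return keys

def audit(text):
    """Return a list of findings; an empty list means the policy matches."""
    keys = parse_reg(text)
    wu, au = keys.get(WU_KEY, {}), keys.get(AU_KEY, {})
    findings = []
    for name in ("WUServer", "WUStatusServer"):
        if str(wu.get(name, "")).rstrip("/").lower() != EXPECTED_SERVER:
            findings.append(f"{name}: expected {EXPECTED_SERVER}, got {wu.get(name)!r}")
    if au.get("UseWUServer") != 1:
        findings.append("UseWUServer: not 1, so WUServer is ignored")
    if au.get("NoAutoUpdate", 0) != 0:
        findings.append("NoAutoUpdate: Automatic Updates is turned off")
    option = au.get("AUOptions")
    if option not in (2, 3, 4):  # the three drop-down choices, in page order
        findings.append(f"AUOptions: expected 2, 3 or 4, got {option!r}")
    elif option == 4:  # scheduled install: day 0 = every day, 1-7 = Sun-Sat; hour 0-23
        for name, limit in (("ScheduledInstallDay", 8), ("ScheduledInstallTime", 24)):
            if au.get(name) not in range(limit):
                findings.append(f"{name}: missing or outside 0-{limit - 1}")
    return findings

# Constructed sample export (not from a real machine): bad hour, UseWUServer absent.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus.mit.edu"
"WUStatusServer"="http://sus.mit.edu"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000019
'''
print("\n".join(audit(SAMPLE)))
```

A real `reg export` file is normally UTF-16 encoded, so decode it with that encoding before passing the text to `audit`.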

Policy Templates
The Software Update Services installation package includes a policy template file, Wuau.adm, which contains the Group Policy settings. These settings can be loaded into Group Policy Editor for deployment. These policies are also included in the System.adm file in Windows 2000 Service Pack 3, Windows Server 2003, and Windows XP Service Pack 1.
