Windows Patch Management, Options in Windows Update Page 2
This creates the following entries in the Computer Configuration->Administrative Templates->Windows Components->Windows Update folder.
- Configure Automatic Updates is equivalent to the options available via the Control Panel updates previously described. If this setting is enabled, you can choose from one of three options (i.e., notification for both download and installation; auto download and notification for installation; and auto download and scheduled installation). If you select the third option, you can also specify an installation schedule.
- Specify Intranet Microsoft Update Service Location is relevant when using Software Update Services.
- Reschedule Automatic Updates Scheduled Installations determines when scheduled updates not applied according to the schedule should be re-applied. This can happen at either the next scheduled interval or after a specific number of minutes following next computer startup.
- No Auto-restart for Scheduled Automatic Updates Installations blocks automatic startup after installing patches that require a restart to complete. Obviously, in such cases you will need to provide an alternate way to reboot the computer.
In addition, the User Configuration portion of the Windows Update settings (located in the User Configuration->Administrative Templates->Windows Components->Windows Update folder) contains a single entry "Remove access to use all Windows Update features." Once enabled, it prevents logged-on users from obtaining Windows Updates via any user-initiated methods (such as manual downloads from the Windows Update Web site, manual installations of already downloaded updates, or driver updates via Device Manager if they originate from the Windows Update Web site).
This will, however, still allow you to use the scheduled automatic Windows Update (corresponding to the third option in the group policy). Similar results are achieved when the "Remove links and access to Windows Update from User Configuration->Administrative Templates->Start Menu and Taskbar folder are enabled. We will explain the distinction between these two settings when we discuss Software Update Services in greater detail.
In addition to the Windows Update configuration settings described above (regardless of the way they are applied), update behavior depends on the rights of logged-on user (or whether any user is logged on at all). If you decide to use notifications and leave it up to users to decide which updates should be downloaded and installed, this right will be limited to members of the local administrators group. If users do not have administrative privileges (typically the case in a business environment), you should schedule automatic download and installation. This way, both actions can be completed even when nonadministrative users are logged-on.
With scheduled updates, administrators will be given a five-minute interval to decide whether to postpone installation, once the update files are downloaded (which will delay it until the next restart or scheduled interval -- depending on registry settings). If the installation requires a reboot (which is frequently the case) a user will be presented with a modal (i.e., positioned in front of the other windows) dialog box reminding her of the need to reboot (by default, the reboot will not be forced, although this can be changed by modifying the registry entry).
With scheduled updates, even if no one is logged on to a system, the update will complete fully unattended (followed by automatic restart, if required).