Windows Patch Management, Options in Windows Update
The previous article in this series presented a number of solutions using scripting and third-party freeware utilities to enable remote registry queries and patch deployment. We continue our coverage of free patching methodologies with a focus on Microsoft's operating system enhancements and products. The most basic patch-related technology available in Windows 2000 and above is Windows Update. Its functionality relies on cooperation between client and server components, but gives administrators a host of options for configuring the tool. This installment of the patching series focuses on these choices.
The most basic patch-related technology available in Windows ME, 2000, XP, and 2003 is Windows Update. Its mechanism is based on cooperation between client and server components. The client operates as the Automatic Updates service running in the security context of the Local System account (with the exception of Windows ME, where it is implemented as an executable loaded at the time of a user's logon). The service starts at operating system startup (although you can disable it or use various customization options to alter this default behavior).
Clients are configured to connect to Windows Update servers automatically and receive a list of missing updates, based on a comparison of the client configuration data (such as operating system and Internet Explorer versions, hardware plug-and-play information, regional and language settings, and patch-level status) against the Windows Update Catalog (located at http://windowsupdate.microsoft.com).
Updates for the legacy operating systems (not supporting Windows Update functionality) are available through the Microsoft Download Center at the following locations:
- http://www.microsoft.com/windows95/downloads/ for Windows 95
- http://www.microsoft.com/windowsnt/downloads/ for Windows NT 4.0
Windows Update evolved from the Critical Update Notification utility available for Windows 98 and pre-SP3 Windows 2000. The first version was released around the same time as Windows 2000 SP3; however, it also works on Windows 2000 SP2 computers. The most significant improvement between the two was the Automatic Update feature, which allows custom scheduling that can be configured in several ways:
- In a graphical interface via a Control Panel applet (i.e., the Automatic Updates tab in the Properties dialog box of the System applet in Windows XP and 2003, or the Automatic Updates applet in Windows 2000 and ME). The interface presents the option as a checkbox. Its state (checked vs. unchecked) determines whether automatic updates are used, and therefore whether the remaining options on the same page are relevant. Assuming the checkbox is checked, you will need to choose from three options that control the level of automation for download and installation:
  - Manual Download and Installation -- The user is notified (via an icon appearing in the notification area, in the right corner of the Windows taskbar) when updates are ready for download, and again when they are downloaded and ready for installation.
  - Automatic Download and Manual Installation -- The user is notified when an (automatically initiated) download is completed, and at that point he or she can select updates to be installed.
  - Automatic Download and Installation -- Both download and installation are transparent to a logged-on user (although, to be exact, the level of this transparency depends on the user's security privileges). Both actions are performed according to a customizable schedule (daily at a specified time or weekly on a given day of the week and at a specific time).
- In Windows 2000, XP, and 2003, local group policy is another option. To manage Windows Update with group policies, WUAU.ADM must be added to the Administrative Templates. The most up-to-date version of this template (including features required for Software Update Services SP1) is available for download from the Microsoft Web site at http://www.microsoft.com/downloads/details.aspx?FamilyId=D26A0AEA-D274-42E6-8025-8C667B4C94E9&displaylang=en.
After downloading the template, copy it to the inf subfolder in the Windows installation directory (typically C:\WINDOWS\inf). Next, launch the local Group Policy Editor (gpedit.msc), expand the Computer Configuration node, right-click on Administrative Templates, and select Add/Remove Templates. If WUAU is not already listed there, add the one copied to the WINDOWS\inf subfolder.
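Once the WUAU template's settings are applied, they can be read back from the registry to confirm which of the three options above is in force. The following PowerShell function is an added example, not part of the original article; the name Get-AUPolicySummary is hypothetical, and the example assumes the policy is stored under the standard HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU key.

```powershell
# Added example: report the Automatic Updates policy applied to this computer.
# Get-AUPolicySummary is a hypothetical name; the key and value names are the
# ones the Windows Update policy template writes.
function Get-AUPolicySummary {
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    )

    # AUOptions values mapped to the three levels described in the article.
    $levels = @{
        2 = 'Manual download and installation (notify before each step)'
        3 = 'Automatic download, manual installation'
        4 = 'Automatic download and installation on a schedule'
    }
    # ScheduledInstallDay: 0 = every day, 1..7 = Sunday..Saturday.
    $days = 'Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'

    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $p) {
        return 'No Automatic Updates policy set; the Control Panel setting applies.'
    }
    if ($p.NoAutoUpdate -eq 1) { return 'Automatic Updates disabled by policy.' }
    if ($null -eq $p.AUOptions) { return 'Policy key present, but AUOptions is not set.' }

    $opt = [int]$p.AUOptions
    if (-not $levels.ContainsKey($opt)) { return "Unrecognized AUOptions value: $opt" }

    $summary = $levels[$opt]
    if ($opt -eq 4) {
        # Schedule values only matter for fully automatic installation.
        if ($null -eq $p.ScheduledInstallDay -or $null -eq $p.ScheduledInstallTime) {
            return "$summary, but no schedule values are set."
        }
        $day  = [int]$p.ScheduledInstallDay
        $hour = [int]$p.ScheduledInstallTime
        if ($day -lt 0 -or $day -gt 7 -or $hour -lt 0 -or $hour -gt 23) {
            return "$summary, but the schedule values are out of range."
        }
        $summary += ' ({0} at {1:00}:00)' -f $days[$day], $hour
    }
    return $summary
}

Get-AUPolicySummary
```

A result of "disabled by policy" or "No Automatic Updates policy set" on a machine that is expected to patch itself is the case worth following up.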