What role does the Microsoft Windows Update service play in enterprise-level security patch management, and how can I automate the use of Windows Update on users' desktops?
The Windows Update service lets Windows Server 2003, Windows XP, Windows 2000, Windows Me, and Windows 98 users easily download and install the latest Microsoft security patches. Users can manually run Windows Update by selecting Windows Update from the Windows Start Menu, by accessing the Windows Update Web site at http://windowsupdate.microsoft.com, or by running wupdmgr.exe from the command line. After the user takes one of these steps, Windows Update establishes a connection with the Microsoft Windows Update Web site, which Figure 1 shows. From this Web site, users must initiate a scan (by clicking Scan for updates), select the updates to install, and review and install the updates to update their systems. Windows Update prioritizes the available patches, and at a minimum, users should always install the critical patches. Because Windows Update is a Web-based tool, it can work only if the following conditions are met:
- Microsoft Internet Explorer (IE) must support cookies. To configure IE's cookie-related behavior, open the Tools menu, click Internet Options, then select the Privacy tab.
- IE must allow ActiveX controls. To configure IE's ActiveX-related behavior, open the Tools menu, click Internet Options, then select the Security tab to access the properties for IE's Internet security zone.
- The user initiating a Windows Update sequence must be a member of the local Administrators group.
You can also configure Windows Update to run automatically at predefined intervals. This feature is referred to as automatic patch updating and is available only on Windows 2003, XP, and Win2K Service Pack 3 (SP3) and later systems. You can configure automatic patch updating in different ways:
- from the properties of the My Computer object in Windows 2003, XP, and Win2K; these properties are also accessible from the Control Panel System applet
- from the Control Panel Automatic Updates applet in Win2K SP3 and later
- from the system registry
- from the Group Policy Object (GPO) settings, as Figure 2 shows, in Windows 2003 and Win2K Server
In all three cases, you have the option to enable or disable automatic patch updating. If you enable it, Windows Update can notify users before it downloads and installs patches, notify users only before it installs patches, or automatically perform both the patch download and install. To configure automatic updates from the registry-for example, in non-Active Directory (AD) environments-use the registry subkeys that Table 1 lists. These subkeys are in the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate registry container. If you configure automatic patch updating to notify the user only when the system is ready to install a patch (AUOptions value 3), the system will display to the user a dialog box similar to the one that Figure 3 shows. Enterprises that want even more centralized control and staging capabilities for security patch distribution can augment the Windows Update service with other Microsoft security patch management solutions such as Software Updates Services (SUS) and the SUS Feature Pack for Microsoft Systems Management Server (SMS).