Configuring Automatic Updates Through Group Policy

To configure the new Windows 2000 Service Pack 3 (SP3) Automatic Updates feature through Group Policy, you first need to add the Windows Update Administrative Template. Open the Microsoft Management Console (MMC) Group Policy snap-in, expand the Computer Configuration object, right-click Administrative Templates, then select Add/Remove Templates. This action displays a list of currently loaded templates. Click Add to display the native template files in %systemroot%\inf, click wuau.adm to add the Automatic Updates template, then close the Add/Remove Templates dialog box. Group Policy adds this template to the Windows Components object.

Next, expand the Windows Components object and click the Windows Update object to display the two configurable policies in the right-hand pane. The first policy, Configure Automatic Updates, controls Automatic Update's behavior; the second policy, Specify intranet Microsoft update service location, controls where the client obtains updates.

Double-click the Configure Automatic Updates policy to bring up the Configure Automatic Updates Properties dialog box, which Figure A shows. If you don’t modify the default setting of Not Configured, an administrator can configure update activity locally through the Control Panel Automatic Updates applet. When you select the Enabled or Disabled option, an administrator can display but not change the Automatic Updates settings you configure through Group Policy.

When you enable update activity, you must select an update mode in the Configure automatic updating drop-down list. The least automatic mode is 2 - Notify for download and notify for install. When you use this mode, the client waits for confirmation before it downloads crucial updates and waits again for confirmation before it installs the updates. When you select 3 - Auto download and notify for install, the client silently downloads updates but waits for confirmation before installing the updates. When you select either of these options, the client runs every 22 hours with a random offset; you can't change this schedule. When you choose silent mode (4- Auto download and schedule the install), the client downloads and installs updates on the day and time you specify (which can range from daily to weekly), without user intervention.

You can use the Specify intranet Microsoft update service location second policy to direct Automatic Updates to an internal Software Update Services (SUS) server. When you use this policy, Automatic Updates scans for and download updates from the internal server instead of from Windows Update. To use this feature, you must download and install the SUS server software on a Win2K system running Microsoft IIS.

Double-click the policy to bring up the Specify intranet Microsoft update service location Properties dialog box, which Figure B shows. In the Set the intranet update service for detecting updates text box, enter the URL that points to your SUS server. In the Set the intranet statistics server text box, enter the URL for the server to which the client reports downloaded and installed patches. The settings that Figure B shows direct Automatic Updates clients to poll the IIS server named Eagle for updates and to record updates that have been downloaded on the same machine. When you redirect the client to an internal server, you need to give some thought as to how you schedule update activity across your organization (5000 systems downloading code at the same time might overwhelm the SUS server or the available network bandwidth). You will most likely need multiple GPOs to effectively manage update activity inhouse.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.