Despite my best efforts to educate users about the need to keep their systems patched with the latest security updates for Windows, they cancel Windows Update when it tries to load patches or even turn it off completely. Is there any way I can force users to keep systems patched?
Yes, there is. As you can with so many other features in Windows, you can control patching locally, computer by computer, or if your computers belong to an Active Directory (AD) domain, through Group Policy. Regardless of the way you choose, the process is actually much the same because you configure the automatic update settings in either the computer's local Group Policy Object (GPO) or in a GPO stored in AD.
To configure an individual computer, open its GPO by running gpedit.msc and navigate to Computer Configuration\Administrative Templates\Windows Components\Windows Update. Then open the Configure Automatic Updates policy, which Web Figure 1 (http://www.windowsitpro.com/windowssecurity, InstantDoc ID 46197) shows. The best setting in this policy is "4 - Automatically download updates and install them on the schedule specified below" because it forces Windows to download and install updates without any action by the user.
However, this setting causes the computer to download all updates from Microsoft. You might want more control over which updates are installed. Or, if you have many computers all set to download all updates, you might run into bandwidth problems when they all try to download the same updates from Microsoft at the same time. To get control of the update process and conserve bandwidth, consider using Windows Server Update Services (WSUS), formerly known as Software Update Services (SUS) and Windows Update Services (WUS). Go to http://www.microsoft.com/windowsserversystem/updateservices/evaluation/faqs.mspx for more information about WSUS.
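To confirm that the policy actually reached a machine, you can audit the registry values that the Configure Automatic Updates policy writes. The following PowerShell function is an added example, not part of the original article; the function name Test-AutoUpdatePolicy is hypothetical, and it assumes the standard Windows Update policy key under HKLM.

```powershell
# Added example: audit the values written by the Configure Automatic Updates policy.
function Test-AutoUpdatePolicy {
    [CmdletBinding()]
    param(
        # Key populated by the Windows Update administrative template (local GPO or AD GPO)
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    )

    # Missing keys return $null instead of throwing, so unmanaged machines are reported too
    $wu = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path (Join-Path $PolicyPath 'AU') -ErrorAction SilentlyContinue

    $findings = @()
    if (-not $au) {
        $findings += 'Configure Automatic Updates is not set by policy; local user settings apply.'
    }
    else {
        if ($au.NoAutoUpdate -eq 1) {
            $findings += 'Automatic updates are disabled by policy (NoAutoUpdate = 1).'
        }
        if ($au.AUOptions -ne 4) {
            $findings += "AUOptions is '$($au.AUOptions)'; expected 4 (download and install on schedule)."
        }
        if ($au.UseWUServer -eq 1 -and -not $wu.WUServer) {
            $findings += 'UseWUServer = 1 but no WSUS server URL (WUServer) is configured.'
        }
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        AUOptions            = $au.AUOptions
        ScheduledInstallDay  = $au.ScheduledInstallDay    # 0 = every day, 1-7 = Sunday-Saturday
        ScheduledInstallTime = $au.ScheduledInstallTime   # hour of the day, 0-23
        WsusServer           = $wu.WUServer               # empty when updates come from Microsoft
        Compliant            = ($findings.Count -eq 0)
        Findings             = $findings
    }
}

Test-AutoUpdatePolicy | Format-List
```

A machine that reports Compliant as False with AUOptions empty has not received the policy at all, which is the case to chase first when users have been turning updates off.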