I don't have enough systems to warrant setting up a Windows Server Update Services (WSUS) server to manage security updates; I just want all my computers to download updates from Microsoft's site as they're released. I'm comfortable with not having the option to skip certain updates; I just want our systems to stay fully patched and the process to be as automatic as possible. How can I configure this?
If your systems are part of an Active Directory (AD) environment, you can configure all of them with a Group Policy Object (GPO). If not, you can configure the settings manually.
If you have AD, edit the Default Domain Policy GPO, which is linked to the root of your domain in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. Navigate to Computer Configuration\Administrative Templates\Windows Components\Windows Update. Enable the Configure Automatic Updates policy and set it to option 4, "Auto download and schedule the install." This policy activates the Automatic Updates client and configures it to download and install updates without any user interaction. It also lets you configure the day and time at which installations (and any necessary reboots) occur. Disable the Specify intranet Microsoft update service location policy to ensure that Automatic Updates obtains updates directly from the Microsoft site.
If you don't have AD, you can find the same settings in the local policy of each computer, or you can configure the following settings in the registry as REG_DWORD values under the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU subkey. Set AUOptions to 4. Set ScheduledInstallDay to 0 to install every day or, to limit installs to once a week, to a value from 1 through 7, where Sunday is 1. Set ScheduledInstallTime to the desired hour of day (use the 24-hour format, in which hours range from 0 to 23) for the installation.
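For the non-AD case, the registry settings above can be applied and then re-checked with a short script. This PowerShell is an added example, not part of the original answer: the function names and the 03:00 install hour are illustrative choices, and the UseWUServer check is an assumption based on the registry value that the intranet update service policy writes. Run it from an elevated prompt.

```powershell
# Added example: value names and data follow the answer above.
$AuKey = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'

$Desired = [ordered]@{
    AUOptions            = 4   # auto download and schedule the install
    ScheduledInstallDay  = 0   # 0 = every day; 1-7 = Sunday through Saturday
    ScheduledInstallTime = 3   # hour of day, 0-23 (sample choice: 03:00)
}

function Test-AuRange {
    # Reject values outside the ranges the answer gives before touching the registry.
    if ($Desired.ScheduledInstallDay -lt 0 -or $Desired.ScheduledInstallDay -gt 7) {
        throw 'ScheduledInstallDay must be 0 (every day) or 1-7 (Sunday = 1).'
    }
    if ($Desired.ScheduledInstallTime -lt 0 -or $Desired.ScheduledInstallTime -gt 23) {
        throw 'ScheduledInstallTime must be an hour from 0 to 23.'
    }
}

function Get-AuDrift {
    # Emit one object per value that is missing or differs from the desired data.
    $current = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue
    foreach ($name in $Desired.Keys) {
        $actual = if ($current -and $current.PSObject.Properties[$name]) { $current.$name } else { $null }
        if ($actual -ne $Desired[$name]) {
            [pscustomobject]@{ Name = $name; Actual = $actual; Desired = $Desired[$name] }
        }
    }
    # Assumption (not from the answer): UseWUServer = 1 points the client at an
    # intranet update server instead of Microsoft's site, so report it as drift.
    if ($current -and $current.PSObject.Properties['UseWUServer'] -and $current.UseWUServer -eq 1) {
        [pscustomobject]@{ Name = 'UseWUServer'; Actual = 1; Desired = '0 or absent' }
    }
}

function Set-AuPolicy {
    Test-AuRange
    if (-not (Test-Path $AuKey)) { New-Item -Path $AuKey -Force | Out-Null }
    foreach ($name in $Desired.Keys) {
        New-ItemProperty -Path $AuKey -Name $name -Value $Desired[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

Set-AuPolicy
$drift = @(Get-AuDrift)
if ($drift.Count -gt 0) { $drift | Format-Table -AutoSize } else { 'Automatic Updates policy values match.' }
```

Running only `Get-AuDrift` on a schedule gives a read-only check that a machine has not fallen out of the intended patching configuration.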