■ Notify For Download And Notify For Install: The operating system notifies the user before retrieving any updates. If a user elects to download the updates, the user still has the opportunity to accept or reject them. Accepted updates are installed. Rejected updates aren’t installed but remain on the system, where they can be installed at a later date.
■ Allow Local Admin To Choose Setting: Allows the local administrator to configure Automatic Updates on a per-computer basis. Note that if you use any other setting, local users and administrators are unable to change settings for Automatic Updates.
You can configure Automatic Updates in Group Policy by following these steps:
1. In the GPMC, press and hold or right-click the GPO with which you want to work, and then tap or click Edit.
2. In the policy editor, access Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
3. Double-tap or double-click Configure Automatic Updates. In the Properties dialog box, you can now enable or disable Group Policy management of Automatic Updates. To enable management of Automatic Updates, select Enabled. To disable management of Automatic Updates, select Disabled, tap or click OK, and then skip the remaining steps.
4. Choose an update configuration from the options in the Configure Automatic Updating list. On Windows 8 and later as well as Windows Server 2012 and later, updates can be automatically installed during the scheduled maintenance window by selecting the Install During Automatic Maintenance check box.
5. If you select Auto Download And Schedule The Install, you can schedule the installation day and time by using the lists provided. Tap or click OK to save your settings.
By default, Windows Update runs daily at 2:00 A.M. as part of other automatic maintenance. With desktop operating systems running Windows 8 or later, Windows Update uses the computer’s power management features to wake the computer from hibernation or sleep at the scheduled update time, and then install updates. Generally, this wake-up-and-install process will occur whether the computer is on battery or AC power.
If a restart is required to finalize updates applied as part of automatic maintenance and there is an active user session, Windows caches the credentials of the user currently logged on to the console, and then restarts the computer automatically. After the restart, Windows uses the cached credentials to sign in as this user. Next, Windows restarts applications that were running previously, and then locks the session using the Secure Desktop. If BitLocker is enabled, the entire process is protected by BitLocker encryption as well.
The maintenance process runs whether or not a user is logged on. If no user is logged on when scheduled maintenance begins and a restart is required, Windows restarts the computer without caching credentials or storing information about running applications. When Windows restarts, it does not log on as any user.
Because Windows automatically wakes computers to perform automatic maintenance and updates, you’ll also want to carefully consider the power options that are applied. Unless a power plan is configured to turn off the display and put the computer to sleep, the computer may remain powered on for many hours after automatic maintenance and updates.
Optimizing Automatic Updates
Generally, most automatic updates are installed only when a computer is shut down and restarted. Some automatic updates can be installed immediately without interrupting system services or requiring system restart. To ensure that some updates can be installed immediately, follow these steps:
1. In the GPMC, press and hold or right-click the GPO with which you want to work, and then tap or click Edit.
2. In the policy editor, access Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
3. Double-tap or double-click Allow Automatic Updates Immediate Installation. In the Properties dialog box, select Enabled, and then tap or click OK.
By default, only users with local administrator privileges receive notifications about updates. You can enable any user logged on to a computer to receive update notifications by following these steps:
1. In the GPMC, press and hold or right-click the GPO with which you want to work, and then tap or click Edit.
2. In the policy editor, access Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
3. Double-tap or double-click Allow Non-Administrators To Receive Update Notifications. In the Properties dialog box, select Enabled, and then tap or click OK.
Another useful policy is Remove Access To Use All Windows Update Features. This policy prohibits access to all Windows Update features. If enabled, all Automatic Updates features are removed and can’t be configured. This includes the Automatic Updates tab in the System utility and driver updates from the Windows Update website in Device Manager. This policy is located in User Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
Using intranet update service locations
On networks with hundreds or thousands of computers, the Automatic Updates process can use a considerable amount of network bandwidth, and having all the computers check for updates and install them over the Internet doesn’t make sense. Instead, consider using the Specify Intranet Microsoft Update Service Location policy, which tells individual computers to check a designated internal server for updates.
The designated update server must run Windows Server Update Services (WSUS), be configured as a web server running IIS, and be able to handle the additional workload, which might be considerable on a large network during peak usage times. Additionally, the update server must have access to the external network on port 80. The use of a firewall or proxy server on this port shouldn’t present any problems.
The update process also tracks configuration information and statistics for each computer. This information is necessary for the update process to work properly, and it can be stored on a separate statistics server (an internal server running IIS) or on the update server itself.
To specify an internal update server, follow these steps:
1. After you install and configure an update server, open the GPO with which you want to work for editing. In the policy editor, access Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
2. Double-tap or double-click Specify Intranet Microsoft Update Service Location. In the Properties dialog box, select Enabled.
3. In the Set The Intranet Update Service For Detecting Updates text box, enter the URL of the update server. In most cases, this is http://servername, such as http://CorpUpdateServer01.
4. Enter the URL of the statistics server in the Set The Intranet Statistics Server text box. This doesn’t have to be a separate server; you can specify the update server in this text box.
NOTE If you want a single server to handle both updates and statistics, enter the same URL in both boxes. Otherwise, if you want a different server for updates and statistics, enter the URL for each server in the appropriate box.
5. Tap or click OK. After the applicable GPO is refreshed, systems running appropriate versions of Windows will look to the update server for updates. You’ll want to monitor the update and statistics servers closely for several days or weeks to ensure that everything is working properly. Directories and files will be created on the update and statistics servers.
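As an added example that is not part of the book, the following PowerShell script audits what the Configure Automatic Updates and Specify Intranet Microsoft Update Service Location policies described above actually applied to a computer: it reads the policy registry values those settings write under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, reports the configured update mode, and flags gaps such as a disabled policy, a missing server URL, or a service location that is not served over TLS. The value names and the AUOptions codes are the standard Windows Update policy registry values (an assumption stated in the comments, not something the book lists).

```powershell
# Added audit example (not from the book). Assumes the standard Windows Update
# policy registry locations and the well-known AUOptions codes below.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

# AUOptions values written by the Configure Automatic Updates policy
$auOptionNames = @{
    2 = 'Notify For Download And Notify For Install'
    3 = 'Auto Download And Notify For Install'
    4 = 'Auto Download And Schedule The Install'
    5 = 'Allow Local Admin To Choose Setting'
}

function Get-PolicyValue($Path, $Name) {
    # Returns $null when the policy is Not Configured (key or value absent)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-WindowsUpdatePolicy {
    $findings = New-Object 'System.Collections.Generic.List[string]'
    $mode = 'Not Configured'

    $auOptions = Get-PolicyValue $auKey 'AUOptions'
    if ((Get-PolicyValue $auKey 'NoAutoUpdate') -eq 1) {
        $mode = 'Disabled'
        $findings.Add('Configure Automatic Updates is Disabled: clients will not update automatically')
    } elseif ($null -eq $auOptions) {
        $findings.Add('Configure Automatic Updates is Not Configured: local users control update behaviour')
    } else {
        $mode = $auOptionNames[[int]$auOptions]
        if (-not $mode) { $mode = "Unknown AUOptions value $auOptions"; $findings.Add($mode) }
        if ($auOptions -eq 5) { $findings.Add('Local administrators may change Automatic Updates settings') }
    }

    # Specify Intranet Microsoft Update Service Location writes UseWUServer,
    # WUServer (update service) and WUStatusServer (statistics server)
    if ((Get-PolicyValue $auKey 'UseWUServer') -eq 1) {
        foreach ($name in 'WUServer', 'WUStatusServer') {
            $url = Get-PolicyValue $wuKey $name
            if (-not $url) { $findings.Add("UseWUServer is 1 but $name is empty"); continue }
            if ($url -notmatch '^https://') { $findings.Add("$name ($url) is not served over TLS") }
        }
    }
    [pscustomobject]@{ Mode = $mode; Findings = $findings }
}

Test-WindowsUpdatePolicy | Format-List
```

Run it in an elevated session on a client that has refreshed Group Policy; an empty Findings list with the expected Mode confirms the GPO reached the machine.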