Tech Tip: Practice effective patch management with Windows Update

Learn how to practice effective patch management with Windows Update.

By Mike Mullins

Patch management is one of the most crucial and intricate parts of Windows security. In the past few years, this issue has mushroomed due to the increased frequency of critical Microsoft patches.

For small business networks, the patch management solution of choice is the Windows Update service. Let's look at how you can manage patches with Windows Update.

Deployment schedule

New patches are available for download on the second Tuesday of each month. The exception is critical releases, which Microsoft publishes as needed.

The Windows Update service runs in the security context of the Local System account and starts at the operating system startup (which you can disable). Clients connect automatically to the Windows Update servers and receive a list of missing updates.

Let's look at how you can manage updates via Active Directory and the registry.

Manage updates via Active Directory

With Windows 2000, XP, and Server 2003, you can easily manage Windows Update through group policies. If you don't already have the Wuau.adm template, download it from Microsoft, and save it to the C:\Windows\inf folder on the Active Directory (AD) domain controller.

To load policy settings by using Group Policy in Active Directory, follow these steps:

  1. On the AD domain controller, go to Start | Run.
  2. Type dsa.msc to load the Active Directory Users And Computers snap-in.
  3. Right-click the organizational unit or domain in which you want to create the policy, and select Properties.
  4. On the Group Policy tab, select New.
  5. Enter a name for the policy, and click Edit.
  6. Under either Computer Settings or User Settings, right-click Administrative Templates, choose Add/Remove Templates, and select Add.
  7. Enter the name of the Automatic Updates .adm file (for example, windows\inf\wuau.adm), and click Open.

This creates the following entries in the Computer Configuration | Administrative Templates | Windows Components | Windows Update folder:

  • Configure Automatic Updates: Choose from one of three options: notification for both download and installation, automatic download and notification for installation, or automatic download and scheduled installation. If you select the third option, you can also specify an installation schedule.
  • Specify Intranet Microsoft Update Service Location: This entry is necessary only if you're running a Software Update Services server.
  • Reschedule Automatic Updates Scheduled Installations: This determines when the system should reapply scheduled updates that didn't occur according to the schedule.
  • No Auto-restart For Scheduled Automatic Updates Installations: This blocks automatic startup after installing patches that require a restart to complete.

In addition, the User Configuration | Administrative Templates | Windows Components | Windows Update folder contains a single entry: Remove Access To Use All Windows Update Features. If enabled, this disables user-initiated downloads from the Windows Update Web site.

Manage updates via the registry

On any Windows 2000, XP, or Server 2003 system, go to Start | Run, type regedit.exe, and click OK. Navigate to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU.

Add the following settings. (All value types are Reg_DWORD.)

  • NoAutoUpdate
    Value data: 0 or 1
    0 enables Automatic Updates. (This is the default.)
    1 disables Automatic Updates.
  • AUOptions
    Value data: 2 to 4
    2 notifies of download and installation.
    3 automatically downloads and notifies of installation.
    4 automatically downloads and schedules installation.
  • ScheduledInstallDay
    Value data: 0 to 7
    0 specifies every day.
    1 through 7 designate a specific weekday, where Sunday is 1 and Saturday is 7.
  • ScheduledInstallTime
    Value data: n, where n equals the time of day in a 24-hour format (i.e., 0 to 23).
  • UseWUServer
    Value data: Setting this value to 1 configures Automatic Updates to use a server that runs Software Update Services instead of Windows Update.
  • RescheduleWaitTime
    Value data: m, where m equals the amount of time in minutes (i.e., 1 to 60) to wait before proceeding with a scheduled installation.
  • NoAutoRebootWithLoggedOnUsers
    Value data: 0 or 1
    1 specifies that Automatic Updates doesn't automatically restart a computer while users are logged on.

Note: Editing the registry is risky, so be sure you have a verified backup before making any changes.

Final thoughts

Windows Update depends on the rights of logged-on users. If you decide to use notifications and let users decide which updates to download and install, updates will fail if a user doesn't have local admin privileges.

I recommend always scheduling automatic download and installation. That way, your updates won't depend on logged-on users.

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.

Editor's Picks

Free Newsletters, In your Inbox