Configure Windows Update in Group Policy

Here's a quick tip on how to configure Group Policy to perform Windows Updates automatically for servers and PCs.

Enterprise management packages, such as Symantec's Altiris, Microsoft System Center Systems Management Server, Microsoft Software Update Services, and BMC BladeLogic Server Automation Suite, are good, but sometimes all we really need is a way to centrally manage updates for server and client operating systems. In Active Directory domains, Group Policy can provide a limited way of achieving this functionality.

Within Group Policy, there are a number of options in the Computer Configuration | Policies | Administrative Templates | Windows Components | Windows Update section. Figure A shows one area of the Windows Update section.

The biggest limitation with this configuration is that, if there is an update that you do not want deployed automatically, it cannot be explicitly withheld; likewise, if you want something pushed out now, this isn't the best tool.

The other strategy for system updates is to stick to maintenance windows, and the best way to do that is to apply the Windows Update GPO at the Organizational Unit (OU) level. In this configuration, an OU would be created for each category of like servers, and all of the systems in an OU would undergo their Windows Updates at the time configured in the GPO for that OU. This can also be an easy way to address patching for Windows Server Core systems (read my TechRepublic tip on patching Windows Server 2008 Core Edition).

One thing I don't like is that the Configure Automatic Updates option for when the updates are to be applied is a weekly schedule; many workplaces would prefer a monthly schedule. The 16 options in this area of Group Policy allow a basic update policy to be configured, and with multiple OUs it can fit small to medium environments well.
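A way to verify what the OU-level Windows Update GPO actually applied to a given machine, as an added example (not from the original post): the Configure Automatic Updates policy writes its settings to the policy registry hive, and this script reads them back and reports the mode and the weekly schedule. The value names and meanings are the documented Automatic Updates policy registry values; the function name and output layout are this example's own.

```powershell
# Added example: summarise the Windows Update policy applied to this machine.
# "Configure Automatic Updates" writes its values under this policy key.
$AuPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Meaning of the AUOptions value set by the Configure Automatic Updates policy.
$AuOptionNames = @{
    2 = 'Notify for download and notify for install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}
# ScheduledInstallDay: 0 = every day, 1..7 = Sunday..Saturday. This is the
# weekly schedule the post describes; there is no monthly option here.
$DayNames = @('Every day', 'Sunday', 'Monday', 'Tuesday', 'Wednesday',
              'Thursday', 'Friday', 'Saturday')

function Get-AuPolicySummary {
    param([string]$Path = $AuPolicyPath)
    # Key absent means no Windows Update GPO reached this computer (for example
    # the machine sits outside the OU the GPO is linked to).
    if (-not (Test-Path $Path)) {
        return [pscustomobject]@{ PolicyApplied = $false
                                  Summary = 'No Windows Update policy applied (key absent)' }
    }
    $au = Get-ItemProperty -Path $Path
    if ($au.NoAutoUpdate -eq 1) {
        return [pscustomobject]@{ PolicyApplied = $true
                                  Summary = 'Automatic Updates disabled by policy' }
    }
    $mode = $AuOptionNames[[int]$au.AUOptions]
    if (-not $mode) { $mode = "Unknown AUOptions value '$($au.AUOptions)'" }
    $schedule = ''
    if ($au.AUOptions -eq 4) {
        # Only option 4 uses the scheduled day and hour.
        $day  = if ($null -ne $au.ScheduledInstallDay) { $DayNames[[int]$au.ScheduledInstallDay] } else { 'not set' }
        $hour = if ($null -ne $au.ScheduledInstallTime) { '{0:00}:00' -f [int]$au.ScheduledInstallTime } else { 'not set' }
        $schedule = " (installs $day at $hour)"
    }
    [pscustomobject]@{
        PolicyApplied        = $true
        Summary              = "$mode$schedule"
        AUOptions            = $au.AUOptions
        ScheduledInstallDay  = $au.ScheduledInstallDay
        ScheduledInstallTime = $au.ScheduledInstallTime
    }
}

Get-AuPolicySummary | Format-List
```

If the summary does not match the OU's GPO, `gpresult /r /scope computer` shows which GPOs were applied and which OU the computer object actually lives in.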

Like the enterprise system management options, managing updates centrally can cause problems for applications and startup sequencing. It is easy to end up with an overly complicated set of scripts to keep applications happy, so consider keeping any corresponding scripts or remediation steps central in Group Policy as well, paired with the Group Policy Object for Windows Update.

Do you use Group Policy to manage Windows Updates? If so, what tricks have you implemented?