Planning a Windows 7 Client Update Strategy : Deploying Updates to Clients

2/25/2013 6:48:53 PM

1. Managing Windows Update Clients

Managing Windows Update clients requires you to ensure that all client computers on your organizational network receive updates. Only client computers that are WSUS server clients are present in a WSUS server’s reports. Unless you scan all the hosts on the network with a tool like the Microsoft Baseline Security Analyzer, you might be unaware of clients on your network that need updates because they have not checked in with the WSUS server.

Another method through which you can ensure that client computers on the organizational network are receiving and installing updates is to implement Network Access Protection (NAP). When you implement NAP, you can configure the network so that clients that are not up to date with software updates are denied access to network resources. You can also configure NAP to force noncompliant clients into remediation. Remediation is a process that allows clients to access and install update files so that they become compliant with network policies.

More Info

NETWORK ACCESS PROTECTION

To find out more about Network Access Protection, consult the following link on TechNet: http://technet.microsoft.com/en-us/network/bb545879.aspx.

Prior to connecting a client computer running the Windows 7 operating system to a WSUS server, you might need to update the Windows Update client to the latest version. Clients that connect to a WSUS server are automatically prompted to update to the new client software provided by the WSUS server if an update is needed. Figure 1 shows an update to the Windows Update client.

Figure 1. Updating the Windows Update client

2. Configuring Update-Related Group Policy

Except for a few minor settings that can be configured through the Windows Update control panel, the majority of settings related to update deployment for computers running the Windows 7 operating system are configured through Group Policy. The majority of Windows Update–related policies are located in the Computer Configuration\Administrative Templates\Windows Components\Windows Update node of a standard Group Policy object. Some policies, which you learn about later, are also duplicated in the User Configuration node. The policies that are available in the Computer Configuration node are as follows:

  • Configure Automatic Updates. This policy allows you to configure update detection, download, and installation settings. You can configure the following settings using this policy:

    • Notify For Download And Notify For Install. Logged-on user is notified that updates are available for download and installation.

    • Auto Download And Notify For Install. Logged-on user is notified that updates have been downloaded and are available for installation.

    • Auto Download And Schedule The Install. When configured, this setting allows the computer to download the update and then install it at a specific time. This setting is most likely to be used by enterprise desktop administrators. When you choose this setting, you must also specify an installation day and time. The options are to install every day or to install on a specific weekday. You can choose installation times only in full-hour increments.

  • Enabling Windows Update Power Management To Automatically Wake Up The System To Install Scheduled Updates. This policy allows computers with an appropriately configured BIOS to wake from hibernation to install updates. From a deployment perspective, this has the advantage of ensuring that users will not be interrupted in the performance of their work duties because the update installation can be configured to occur in the middle of the night when the computer has been set to hibernate. This policy is effective only if the Configure Automatic Updates policy is configured to schedule installation at a specific time when the target computer is in hibernation. Keep in mind that the computer will not be able to automatically wake from a fully powered-off state, only from a hibernation state.

  • Specify Intranet Microsoft Update Service Location. This policy allows you to configure the location of the local WSUS server. This policy is critically important when you are configuring client computers running Windows 7 to use WSUS rather than Windows Update. You configure this policy in the practice exercise at the end of this lesson.

  • Enable Client-Side Targeting. This policy allows administrators to assign computers to specific WSUS groups. If this policy is used to assign a computer to a WSUS group that does not exist on the WSUS server, the computer is assigned to the Unassigned Computers group.

  • No Auto-Restart With Logged On Users For Scheduled Automatic Updates Installations. When this policy is configured, Windows waits until the currently logged-on user logs off before attempting to install any updates that require the computer to be restarted. Configure this policy if you want to minimize the disruption caused by update installation when you cannot configure computers to wake from hibernation.

  • Automatic Updates Detection Frequency. This policy determines how often the Windows Update client checks the location configured in the Specify Intranet Microsoft Update Service Location policy. Unless this policy is configured, the Windows Update client checks for updates every 22 hours by default. This policy allows for more frequent checks to be made. You cannot configure update checks to occur less frequently than once every 22 hours.

  • Do Not Display ‘Install Updates And Shut Down’ Option In Shut Down Windows Dialog Box. When enabled, the Install Updates And Shut Down option on the Start button’s Shut Down menu is disabled.

  • Do Not Adjust Default Option To ‘Install Updates And Shut Down’ In Shut Down Windows Dialog Box. Unless this policy is enabled, if updates are available for installation, the default shutdown option will be ‘Install Updates and Shut Down’. If this policy is enabled, the user’s last shutdown choice will be the default shutdown option.

  • Allow Non-Administrators To Receive Update Notifications. This policy, when enabled, allows users that are not members of the administrators local group to install updates. If this policy is not enabled, nonadministrator users who attempt to install updates will be prompted by a User Account Control dialog box.

  • Turn On Software Notifications. This policy determines whether users will be notified about the availability of optional updates. In a managed environment, the WSUS administrator controls the deployment of optional updates and this policy is not necessary.

  • Allow Automatic Updates Immediate Installation. When this policy is enabled, any update that does not require a client computer restart is installed automatically.

  • Turn On Recommended Updates Via Automatic Updates. Enabling this policy configures Windows Update to automatically install updates with the Recommended classification.

  • Re-Prompt For Restart With Scheduled Installations. This policy configures the amount of time that a user can postpone a restart when the Configure Automatic Updates policy is set to install updates at a specific time.

  • Delay Restart For Scheduled Installations. This policy determines how long Windows waits before automatically restarting after a scheduled installation.

  • Reschedule Automatic Updates Scheduled Installations. This policy allows you to configure how long a computer waits after startup before it attempts update installation if it was powered off during the scheduled update installation time.

  • Allow Signed Updates From An Intranet Microsoft Update Service Location. This policy allows the installation of signed updates from third-party publishers.

Although Windows Update policies are available in both the Computer Configuration and User Configuration nodes of Group Policy, only three policies are available in the User Configuration\Administrative Templates\Windows Components\Windows Update node, all of which are present in the Computer Configuration node. The policies that can be applied to users are as follows:

  • Do Not Display ‘Install Updates And Shut Down’ Option In Shut Down Windows Dialog Box

  • Do Not Adjust Default Option To ‘Install Updates And Shut Down’ In Shut Down Windows Dialog Box

  • Remove Access To Use All Windows Update Features

3. Scheduling Deployment and Restart

After you approve an update on a WSUS server, the WSUS server deploys the update to approved clients that contact the WSUS server from that time forward. You cannot use WSUS to schedule an update for deployment at a specific future time. You can configure an update deadline, but an update deadline is a time in the future by which a deployed update must be installed by a Windows Update client. Organizations that need to schedule updates to be deployed at specific times should deploy System Center Configuration Manager. System Center Configuration Manager allows updates to be deployed at specific future times and dates. System Center Configuration Manager also supports Wake On LAN functionality, which allows compatible clients to be wakened from hibernation by the update server for the deployment and installation of updates.

Although you cannot schedule update deployment with WSUS, you can schedule when the Windows Update client on each client computer installs updates. So although you cannot fine-tune when an update will be downloaded from the WSUS server to the client, you can fine-tune when the client will actually attempt to install that update. You can configure this using the Configure Automatic Updates policy and specifying a scheduled install day and install time. Windows Update then always attempts to install any available updates according to this schedule.

4. Rolling Back Updates

Occasionally, even with rigorous testing, you might only find out that an update causes a conflict after it has been deployed to all computers in your organization. If the update was deployed with WSUS, you might be able to approve the update for removal, as shown in Figure 2. Keep in mind that not all updates support removal. If you cannot roll back the installation of an update through WSUS, you might be able to manually remove the update using a logon script or through the Installed Updates section of the Programs And Features control panel.

Figure 2. Update approved for removal

Exam Tip

Know which policy you need to configure to point a client computer running the Windows 7 operating system at a local WSUS server.

Practice: Configuring Update-Related Policies

In large organizations, you configure update policy centrally through Group Policy. In this exercise, you configure some of the most common update-related Group Policy items.

EXERCISE 1 Setting Local Update Policy

In this practice, you configure policy so that the local WSUS server is used for updates, updates are immediately installed, the computer wakes (if it is in a sleep state) to install updates, and the computer does not automatically restart to complete update installation if a user is currently logged on. To complete this practice, perform the following steps:

  1. If you have not done so already, log on to computer WKSTN1 with the Mark Lee user account.

  2. In the Search Programs And Files text box, type gpedit.msc, and then press Enter. The Local Group Policy Editor opens.

  3. Navigate to the Computer Configuration\Administrative Templates\Windows Components\Windows Update node.

  4. Enable the Configure Automatic Updates policy. Set the policy to Automatically Download And Schedule The Install. Set the Scheduled Install Day to Every Day at 5:00 A.M., as shown in Figure 3.

    Figure 3. Configuring automatic updates

  5. Enable the Allow Automatic Updates Immediate Installation policy.

  6. Enable the Enabling Windows Update Power Management To Automatically Wake Up The System To Install Scheduled Updates policy.

  7. Enable the No Auto-Restart With Logged On Users For Scheduled Automatic Updates Installations policy.

  8. Edit and enable the Specify Intranet Microsoft Update Service Location policy. Set the policy as shown in Figure 4.

    Figure 4. WSUS server location

  9. Close the Local Group Policy Editor.
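
To confirm that the settings from this exercise actually took effect, you can audit the policy registry values they write. The script below is an added example, not part of the original text; the registry value names are the ones Microsoft documents for the Automatic Updates policies and do not appear on this page, and the server URL in the sample is a placeholder because the value shown in Figure 4 is not reproduced here.

```powershell
# Added example. Policy registry locations read by the Windows Update client.
$WU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AU = "$WU\AU"

# Each exercise setting mapped to its registry value (under the AU key) and expected data.
$Checks = @(
    @{ Policy = 'Configure Automatic Updates: enabled';         Name = 'NoAutoUpdate';                  Want = 0 }
    @{ Policy = 'Auto download and schedule the install';       Name = 'AUOptions';                     Want = 4 }
    @{ Policy = 'Scheduled install day: every day';             Name = 'ScheduledInstallDay';           Want = 0 }
    @{ Policy = 'Scheduled install time: 5:00 A.M.';            Name = 'ScheduledInstallTime';          Want = 5 }
    @{ Policy = 'Allow Automatic Updates immediate install';    Name = 'AutoInstallMinorUpdates';       Want = 1 }
    @{ Policy = 'Wake the system to install scheduled updates'; Name = 'AUPowerManagement';             Want = 1 }
    @{ Policy = 'No auto-restart with logged-on users';         Name = 'NoAutoRebootWithLoggedOnUsers'; Want = 1 }
    @{ Policy = 'Use the intranet update service';              Name = 'UseWUServer';                   Want = 1 }
)

function Test-WUPolicy {
    # -Sample: optional constructed values keyed by value name, for offline runs.
    param([hashtable]$Sample)
    $read = {
        param($key, $name)
        if ($null -ne $Sample) { return $Sample[$name] }
        (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$name
    }
    foreach ($c in $Checks) {
        $have = & $read $AU $c.Name
        New-Object PSObject -Property @{
            Policy = $c.Policy; Value = $c.Name; Expected = $c.Want
            Actual = $have; Pass = ($have -eq $c.Want) }
    }
    # The service location policy writes two URL values under the parent key.
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $url = & $read $WU $name
        New-Object PSObject -Property @{
            Policy = 'Specify Intranet Microsoft Update Service Location'; Value = $name
            Expected = 'non-empty URL'; Actual = $url
            Pass = (-not [string]::IsNullOrEmpty($url)) }
    }
}

# Constructed sample (not from a real client). ScheduledInstallTime is deliberately
# wrong (3 instead of 5) so that one check fails; the URL is a placeholder.
$sample = @{
    NoAutoUpdate = 0; AUOptions = 4; ScheduledInstallDay = 0; ScheduledInstallTime = 3
    AutoInstallMinorUpdates = 1; AUPowerManagement = 1; NoAutoRebootWithLoggedOnUsers = 1
    UseWUServer = 1; WUServer = 'http://wsus.example.test'; WUStatusServer = 'http://wsus.example.test'
}
Test-WUPolicy -Sample $sample |
    Select-Object Pass, Policy, Value, Expected, Actual | Format-Table -AutoSize
# On a client, run Test-WUPolicy with no argument to read the live policy keys.
```

A value reported as empty means the corresponding policy is not configured on that computer, which is the same condition that leaves a client pointed at Windows Update instead of the local WSUS server.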
