5. Configuring Automatic Updates Through Group Policy
The Automatic Updates client will, by default, connect to the Microsoft Windows Update server. Once you have installed SUS in your organization, you can direct Automatic Updates to connect to specific intranet servers by configuring the registry of clients manually or by using Windows Update group policies.
To configure Automatic Updates using GPOs, open a GPO and navigate to the Computer Configuration\Administrative Templates\Windows Components\Windows Update node. The Windows Update policies are shown in Figure 7.
Note
If you edit policy on a Windows 2000 Active Directory server, the policies might not appear. Automatic Updates policies are described by the %Windir%\Inf\Wuau.adm administrative template, which is installed by default when Automatic Updates is installed. If Automatic Updates has not been installed on the domain controller to which you are connected (typically, the PDC Emulator), you must right-click the Administrative Templates node and choose Add/Remove Templates, click Add, and then locate the Wuau.adm template, perhaps by copying it from a system that does have Automatic Updates installed.
The following policies are available, each playing an important role in configuring effective update distribution in your enterprise:
Configure Automatic Updates
The Configure Automatic Updates policy determines the behavior of the Automatic Updates client. There are three options: Notify For Download And Notify For Install, Auto Download And Notify For Install, and Auto Download And Schedule The Install. These options are combinations of the installation and download behaviors discussed earlier in the lesson.
Specify Intranet Microsoft Update Service Location
This policy redirects Automatic Updates to a server running SUS. It takes two values: the intranet server from which clients detect and download updates, and the server to which they send statistics. By default, the client logs its interactions on the SUS server to which it connects; the second value lets you point clients to another server running IIS for statistics logging instead. This dual setting allows clients to obtain updates from a local SUS server while all clients log their statistics in a single location, which makes the log data easier to retrieve and analyze. The statistics are stored as part of the IIS log, which typically resides in %Windir%\System32\Logfiles\W3svc1.
Reschedule Automatic Updates Scheduled Installations
If installations are scheduled and the client computer is turned off at the scheduled time, the default behavior is to wait for the next scheduled time. The Reschedule Automatic Updates Scheduled Installations policy, if set to a value between 1 and 60, causes Automatic Updates to reschedule the installation for the specified number of minutes after system startup.
No Auto-Restart For Scheduled Automatic Updates Installations
This policy causes Automatic Updates to forgo a restart required by an installed update when a user is logged on to the system. Instead, the user is notified that a restart is required for the installation to complete, and can restart the computer at his or her discretion. Remember that Automatic Updates cannot detect new updates until the restart has occurred.
Automatic Updates clients poll their SUS server every 22 hours, minus a random offset.
Any delay in patching should be treated as unacceptable when security vulnerabilities are being actively exploited. In such situations, install the patch manually so that systems do not have to wait to poll, download, and install patches.
After approved updates have been downloaded from the SUS server, they will be installed as configured—manually or automatically—at the scheduled time. If an approved update is later unapproved, that update is not uninstalled; but it will not be installed by additional clients. An installed update can be uninstalled manually, using the Add Or Remove Programs application in Control Panel.
6. SUS Troubleshooting
Although SUS works well, there are occasions that warrant monitoring and troubleshooting.
Monitoring SUS
The Monitor Server page of the SUS Administration Web site displays statistics that reflect the number of updates available for each platform, and the date and time of the most recent update. The information is summarized from the Windows Update metadata that is downloaded during each synchronization. Metadata information is written to disk and stored in memory to improve performance as systems request platform-appropriate updates.
You can also monitor SUS and Automatic Updates using the following logs:
Synchronization Log
You can retrieve information about current or past synchronizations, and the specific packages that were downloaded, by clicking View Synchronization Log in the left navigation bar. You can also use any text editor to open the XML (Extensible Markup Language) based database (History-Sync.xml) directly from the SUS Web site’s \AutoUpdate\Administration directory in IIS.
Approval Log
For information about packages that have been approved, click View Approval Log in the left navigation bar. Alternatively, you can open History-Approve.xml from the SUS Web site’s \AutoUpdate\Administration directory in IIS.
Windows Update Log
The Automatic Updates client logs activity in the %Windir%\Windows Update.log file on the client’s local hard disk.
Wutrack.bin
The client’s interaction with SUS is logged to the specified statistics server’s IIS logs, typically stored in the folder %Windir%\System32\Logfiles\W3svc1. These logs, which are verbose and cryptic, are designed to be analyzed by programs, not by humans.
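Because the statistics server's IIS log is meant for programs rather than people, the practical question is usually not what each wutrack.bin request says but which clients have reported in at all. The following PowerShell is an added example, not code from the original text or from SUS itself. It assumes the log is in the W3C Extended format with the fields named in its #Fields header, and that PowerShell 2.0 or later is available; the log lines below are constructed, and their query strings are placeholders rather than the real wutrack.bin syntax, which the script deliberately leaves undecoded.

```powershell
# Added example, not from the original text: summarise Automatic Updates
# check-ins from the statistics server's IIS log.
# Assumptions: W3C Extended log format with a #Fields header (the constructed
# sample uses a typical subset of fields), PowerShell 2.0 or later.
# The wutrack.bin query string is left undecoded on purpose.

# Constructed sample of four requests, not a real capture. Query strings are
# placeholders, not the real wutrack.bin syntax.
$sampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-03-15 08:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-03-15 08:01:12 10.0.0.21 GET /wutrack.bin U=client-a&A=x 200
2004-03-15 08:01:13 10.0.0.21 GET /content/example.cab - 200
2004-03-15 08:05:40 10.0.0.22 GET /wutrack.bin U=client-b&A=x 200
2004-03-16 07:59:58 10.0.0.21 GET /wutrack.bin U=client-a&A=x 200
'@

function ConvertFrom-W3CLog {
    # Turn W3C Extended log lines into objects keyed by the #Fields names.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') {
            $fields = $Matches[1].Trim() -split '\s+'
            continue
        }
        if ($line -match '^\s*(#|$)') { continue }     # other directives, blank lines
        if (-not $fields) { throw 'Data line found before a #Fields header' }
        $parts = $line.Trim() -split '\s+'
        if ($parts.Count -ne $fields.Count) { continue } # malformed line, skip it
        $record = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $record[$fields[$i]] = $parts[$i] }
        New-Object PSObject -Property $record
    }
}

function Get-SusClientCheckin {
    # One row per client IP that reported to wutrack.bin: how many requests,
    # how many failed (non-200), when it was last seen, and whether that is
    # older than the staleness window (clients poll about every 22 hours).
    param(
        [string[]]$LogLines,
        [datetime]$AsOf = (Get-Date),
        [int]$StaleHours = 24
    )
    $hits = ConvertFrom-W3CLog -Lines $LogLines |
        Where-Object { $_.'cs-uri-stem' -match '(?i)/wutrack\.bin$' }
    foreach ($group in @($hits | Group-Object -Property 'c-ip')) {
        $stamps = $group.Group | ForEach-Object {
            [datetime]::ParseExact("$($_.date) $($_.time)", 'yyyy-MM-dd HH:mm:ss', $null)
        }
        $last   = $stamps | Sort-Object | Select-Object -Last 1
        $failed = @($group.Group | Where-Object { $_.'sc-status' -ne '200' }).Count
        New-Object PSObject -Property @{
            Client   = $group.Name
            Checkins = $group.Count
            Failed   = $failed
            LastSeen = $last
            Stale    = (($AsOf - $last).TotalHours -gt $StaleHours)
        }
    }
}

# Run against the constructed sample. For a real server read the day's file,
# e.g. Get-Content "$env:windir\System32\Logfiles\W3svc1\ex040316.log".
Get-SusClientCheckin -LogLines ($sampleLog -split "`r?`n") -AsOf ([datetime]'2004-03-16 09:00:00') |
    Format-Table Client, Checkins, Failed, LastSeen, Stale -AutoSize
```

With the sample above, 10.0.0.21 shows two check-ins and is current, while 10.0.0.22 was last seen almost 25 hours before the reference time and is flagged stale; a stale client is the one to check with the registry procedure in the troubleshooting section. A wutrack.bin request that returns anything other than 200 is counted under Failed, which usually means the statistics server value points at a site that does not serve wutrack.bin.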
Tip
Although you should know what logs are available and where they are located, you are not required in the exams to be able to interpret cryptic messages or log entries. The Software Update Services Deployment White Paper includes appendices with detailed information about event descriptions and log syntax.
SUS System Events
The synchronization service on the SUS server generates event log messages for each synchronization performed by the server and when updates are approved. The Automatic Updates client on each computer also writes events describing its own activity. Both can be viewed in the System log using Event Viewer. The client events relate to the following scenarios:
Unable to connect
Automatic Updates could not connect to the update service (Windows Update or the computer’s assigned SUS server).
Install ready–no recurring schedule
Updates listed in the event were downloaded and are pending installation. An administrator must click the notification icon and click Install.
Install ready–recurring schedule
Updates listed in the event are downloaded and will be installed at the date and time specified in the event.
Installation success
Updates listed in the event were installed successfully.
Installation failure
Updates listed in the event failed to install properly.
Restart required–no recurring schedule
An update requires a restart. If installation behavior is set for notification, the restart must be performed manually. Windows cannot search for new updates until the restart has occurred.
Restart required–recurring schedule
When Automatic Updates is configured to automatically install updates, an event is registered if an update requires a restart. The restart will occur within five minutes. Windows cannot search for new updates until after the restart has occurred.
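Reading these events one computer at a time in Event Viewer does not scale; the PowerShell below, an added example rather than anything from the original text or from SUS, collects them from several computers and tallies them by event ID so that installation failures and clients that cannot connect stand out. It assumes, since the page does not say so, that the client writes these events under the source name "Automatic Updates", that PowerShell 2.0 is available, and that the caller can read the remote System logs; the computer names are placeholders. The page gives scenario names rather than event IDs, so the script keeps the first line of each message beside the ID instead of hard-coding a mapping.

```powershell
# Added example, not from the original text: tally the Automatic Updates
# events from the System log of several computers.
# Assumptions not stated on the page: source name "Automatic Updates",
# PowerShell 2.0, rights to read the remote System logs.
function Get-AutomaticUpdatesEventSummary {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$Days = 7
    )
    $since = (Get-Date).AddDays(-$Days)
    $events = foreach ($computer in $ComputerName) {
        try {
            Get-EventLog -LogName System -Source 'Automatic Updates' `
                -After $since -ComputerName $computer -ErrorAction Stop
        } catch {
            # Unreachable computer or access denied: report it, keep going.
            Write-Warning ("{0}: {1}" -f $computer, $_.Exception.Message)
        }
    }
    # One row per computer and event ID. The first message line names the
    # scenario (Unable to connect, Install ready, Installation failure, ...),
    # so the reader can map IDs to the list above without guessing.
    $events | Group-Object MachineName, EventID | ForEach-Object {
        $ordered = $_.Group | Sort-Object TimeGenerated
        $first   = $ordered | Select-Object -First 1
        $latest  = $ordered | Select-Object -Last 1
        New-Object PSObject -Property @{
            Computer = $first.MachineName
            EventID  = $first.EventID
            Type     = $first.EntryType
            Count    = $_.Count
            LastSeen = $latest.TimeGenerated
            Scenario = ($first.Message -split "`r?`n")[0]
        }
    } | Sort-Object Computer, EventID
}

# Errors (installation failures) first, then everything else, for the last 3 days.
# 'server01' and 'server02' are placeholder names.
Get-AutomaticUpdatesEventSummary -ComputerName 'server01', 'server02' -Days 3 |
    Sort-Object @{ Expression = { $_.Type -eq 'Error' }; Descending = $true }, Computer |
    Format-Table Computer, EventID, Type, Count, LastSeen, Scenario -AutoSize
```

A computer that appears only with "Unable to connect" rows for several days has never reached its SUS server and should be checked against the registry values in the troubleshooting section; a "Restart required" row that keeps recurring means the computer is still not detecting new updates, exactly as the event descriptions above warn.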
Troubleshooting SUS
Software Update Services on a Windows Server 2003 computer might require the following troubleshooting steps:
Reloading the memory cache
If no new updates appear since the last time you synchronized the server, it is possible that no new updates are available. However, it is also possible that the memory cache is not loading new updates properly. From the SUS administration site, click Monitor Server and then click Refresh.
Restarting the synchronization service
If you receive a message that the synchronization service is not running properly, or if you cannot modify settings in the Set Options page of the administration Web site, open the Services console, right-click Software Update Services Synchronization Service, and choose Restart.
Restarting IIS
If you cannot connect to the administration site, or if clients cannot connect to the SUS server, restart the World Wide Web Publishing Service in the same manner.
If Automatic Updates clients do not appear to be receiving updates properly, open the registry of a client and ensure that the following values appear in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate:
WUServer
Should have the URL of the SUS server—for example, http://SUS_servername.
WUStatusServer
Should have the URL of the same SUS server or another IIS server on which client statistics are logged.
And ensure the following value appears in the AU subkey:
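The policies described in section 5 and the registry check above are two views of the same data: each policy writes a value under the WindowsUpdate key or its AU subkey, and a client that is "not receiving updates" is almost always missing or mis-setting one of them. The PowerShell below is an added example, not code from the original text or from SUS, that checks those values on a client and, for a computer outside the GPO's scope, writes them directly (the manual registry route the section mentions). It assumes PowerShell 2.0 and local administrator rights on the client; the server URL is the page's placeholder. The value names and their meanings (WUServer, WUStatusServer, UseWUServer, NoAutoUpdate, AUOptions, ScheduledInstallDay, ScheduledInstallTime, RescheduleWaitTime, NoAutoRebootWithLoggedOnUsers) are those defined by the Wuau.adm template, not names given on the page, and a value written by hand is overwritten at the next policy refresh if a GPO also sets it.

```powershell
# Added example, not from the original text: check and set the Automatic
# Updates policy values that the section 5 Group Policy settings write.
# Assumptions: PowerShell 2.0, local administrator rights, placeholder server
# name. Value names are those of the Wuau.adm template; a GPO that sets the
# same value overwrites a hand-written one at the next policy refresh.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue([string]$Path, [string]$Name) {
    # $null when the key or the value is missing, so callers can compare freely.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -ne $null) { $item.$Name } else { $null }
}

function Test-SusClientPolicy {
    # Returns one line per problem; no output means the client is pointed at
    # the SUS server the same way the policies would point it.
    param(
        [string]$ExpectedServer = 'http://SUS_servername',
        [string]$ExpectedStatusServer = $ExpectedServer
    )
    $problems = @()
    $server = Get-PolicyValue $wuKey 'WUServer'
    if ($server -ne $ExpectedServer) { $problems += "WUServer is '$server', expected '$ExpectedServer'" }
    $stats = Get-PolicyValue $wuKey 'WUStatusServer'
    if ($stats -ne $ExpectedStatusServer) { $problems += "WUStatusServer is '$stats', expected '$ExpectedStatusServer'" }
    # Without UseWUServer=1 the client ignores WUServer and goes to Windows Update.
    if ((Get-PolicyValue $auKey 'UseWUServer') -ne 1) { $problems += 'UseWUServer is not 1; WUServer is ignored' }
    if ((Get-PolicyValue $auKey 'NoAutoUpdate') -eq 1) { $problems += 'NoAutoUpdate is 1; Automatic Updates is disabled' }
    # 2, 3, 4 are the three Configure Automatic Updates choices, in the order listed above.
    $opt = Get-PolicyValue $auKey 'AUOptions'
    if (-not (2, 3, 4 -contains $opt)) { $problems += "AUOptions is '$opt'; expected 2, 3 or 4" }
    if ($opt -eq 4) {
        $day  = Get-PolicyValue $auKey 'ScheduledInstallDay'   # 0 = every day, 1..7 = Sunday..Saturday
        $hour = Get-PolicyValue $auKey 'ScheduledInstallTime'  # 0..23
        if ($day -eq $null -or $day -lt 0 -or $day -gt 7)    { $problems += "ScheduledInstallDay '$day' is not 0..7" }
        if ($hour -eq $null -or $hour -lt 0 -or $hour -gt 23) { $problems += "ScheduledInstallTime '$hour' is not 0..23" }
    }
    $wait = Get-PolicyValue $auKey 'RescheduleWaitTime'        # Reschedule policy: 1..60 minutes after startup
    if ($wait -ne $null -and ($wait -lt 1 -or $wait -gt 60)) { $problems += "RescheduleWaitTime '$wait' is outside 1..60" }
    $problems
}

function Set-SusClientPolicy {
    # Writes the same values the GPO would, for a client outside the GPO's scope.
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [string]$StatusServer = $Server,
        [ValidateSet(2, 3, 4)][int]$AUOptions = 4,   # Auto Download And Schedule The Install
        [int]$InstallDay = 0,                          # every day
        [int]$InstallTime = 3,                         # 03:00
        [int]$RescheduleWaitMinutes = 5,
        [switch]$NoAutoRebootWithLoggedOnUsers
    )
    foreach ($key in $wuKey, $auKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    Set-ItemProperty -Path $wuKey -Name 'WUServer'             -Value $Server       -Type String
    Set-ItemProperty -Path $wuKey -Name 'WUStatusServer'       -Value $StatusServer -Type String
    Set-ItemProperty -Path $auKey -Name 'UseWUServer'          -Value 1             -Type DWord
    Set-ItemProperty -Path $auKey -Name 'NoAutoUpdate'         -Value 0             -Type DWord
    Set-ItemProperty -Path $auKey -Name 'AUOptions'            -Value $AUOptions    -Type DWord
    Set-ItemProperty -Path $auKey -Name 'ScheduledInstallDay'  -Value $InstallDay   -Type DWord
    Set-ItemProperty -Path $auKey -Name 'ScheduledInstallTime' -Value $InstallTime  -Type DWord
    Set-ItemProperty -Path $auKey -Name 'RescheduleWaitTime'   -Value $RescheduleWaitMinutes -Type DWord
    Set-ItemProperty -Path $auKey -Name 'NoAutoRebootWithLoggedOnUsers' `
        -Value ([int]$NoAutoRebootWithLoggedOnUsers.IsPresent) -Type DWord
}

# Typical use on a client that is not picking up the GPO:
#   Set-SusClientPolicy -Server 'http://SUS_servername' -NoAutoRebootWithLoggedOnUsers
#   Test-SusClientPolicy -ExpectedServer 'http://SUS_servername'
```

Run Test-SusClientPolicy first: the most common finding is a correct WUServer with UseWUServer absent, which sends the client to Windows Update despite the policy. After writing values by hand, the change is picked up at the client's next detection cycle, so allow for the 22-hour polling interval described in section 5 (or, where the installed client version supports it, run wuauclt /detectnow) before concluding that the fix did not work.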