Paula Sharick, InstantDoc #26241, August 13, 2002

Win2K SP3's Automatic Updates Client

One of the new features in Windows 2000 Service Pack 3 (SP3) is the Automatic Updates client. If you use the Windows Update site to keep your system current, youíll appreciate the fact that the Automatic Updates client performs this task automatically. Unlike the Windows XP version of Automatic Updates, the Win2K version downloads and installs only critical updates, most of which are security related. The SP3 installation offers no option to easily exclude this feature, so unless you get creative, this component will be part of every W2K SP3 system.

All update client files in the system root begin with wuau, which stands for Windows Update AutoUpdate, and the main executable is %systemroot%\system32\wuauclt.exe. If you check the services list, youíll discover a new native service called Automatic Updates. The default startup type is automatic, but the update feature remains dormant until you configure its operating parameters. You configure the preferred update mode by using either Control Panelís Automatic Updates icon or by adding the Automatic Update template to Group Policy. You must be logged on with an Administrator account to use either method.

Configuring Automatic Updates in Control Panel
The Control Panel applet is Automatic Updates and the Control Panel icon file is wuaucpl.cpl (in case you want to suppress display of this icon). The Control Panel Automatic Updates applet offers a subset of the configurable parameters available in Group Policy. Start by checking the top box, "Keep my computer up to date." Next, select one of the three possible update modes that operate with increasing degrees of autonomy. In least automatic mode, the client waits for you to confirm downloads and installations. If you select the middle option (the default), the client automatically downloads updates and prompts you when they are ready to be installed. If you select either of the first two options, the client runs every day at 3:00 A.M., and you can't change the schedule. If you select the third option, the client automatically downloads and installs updates on the day and time you specify (from daily to once per week).

Configuring Automatic Updates with Group Policy
The Group Policy method offers the same controls as the Control Panel method, plus the ability to redirect the client from WindowsUpdate to an internal server. If you opt for this method, you need to add the Automatic Update template to Group Policy. Open Group Policy, expand the Computer Configuration key, right-click Administrative Templates, and pick Add/Remove Templates. This action displays a list of currently loaded templates. Click the Add button to display the native template files in %systemroot%\inf. Click wuau.adm to add the template, then close the Add/Remove Templates window.

The Automatic Update template has two configurable policies. "Configure Automatic Updates" offers the same three choices as the Control Panel Automatic Updates applet. The second policy, "Specify intranet Microsoft Windows update service location," is optional. Here, you can enter an internal URL where the client can check for and download updates (instead of checking the default WindowsUpdate site). Then enter a URL (this can be the same URL as you entered for the download site) where the client can report the patches it has downloaded and installed. If you redirect the client to an internal server, youíll have to consider how you schedule update activity across your organization. If you use the default time slot of 3:00 A.M., 5000 systems downloading code at the same time might overwhelm the internal update server or the network.

After you configure update behavior, activate the settings on the client by typing the command

secedit /refreshpolicy machine_policy

Note that when you implement update controls in Group Policy, the settings you define appear in the Automatic Updates applet, but you can't make any changes in the Control Panel version (the options are displayed but grayed out). To revert to the Control Panel applet, start Group Policy, go to the template, check Not Configured in the "Configure Automatic Updates" policy and refresh the policy.

The ability to redirect the update client to an internal server lets you verify that the updates function properly in your environment before you distribute them. This feature also lets you define the refresh interval for desktops and server. This new model should be easier and faster than using .msi packages or Microsoft Systems Management Server (SMS). to distribute updates. Next week, Iíll give you a few tips for building an internal WindowsUpdate Web server.

Client Operation
I compared the update suggestions from a manual visit to WindowsUpdate with the results from the SP3 update client. The client indicated that I should install two critical security hotfixes. WindowsUpdate was a little more generous, suggesting that I install the same two hotfixes plus the latest Internet Explorer (IE) update. When I gave the client permission to download the hotfixes, it downloaded them silently in the background and then prompted me to install both hotfixes. If you need to interrupt a download in progress, click the Automatic Update icon and select Pause. Select Resume to restart the download at a more convenient time.

The client recorded its activity with several messages in the System Event log. The source was "Automatic Updates." Event ID 19 indicated a successful install and identified both hotfixes (but didn't include the security bulletin number). Event ID 21 indicated the client restarted the system to complete the process. Registry lovers can find update client data in the

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate subkey

and wuau service information in the

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\wugroup subkey.