Educause Security Discussion mailing list archives

Re: Experiences with automatic Windows Updates


From: "Hahn, Jacob" <jhahn () MONTANA EDU>
Date: Fri, 11 Jun 2004 08:18:48 -0600

We have deployed a solution that uses Software Update Services (SUS) to
help in the approval of patches before releasing them to our computing
environment. This SUS server is then tied to a group policy that has all the
clients polling the server nightly for updates. The testing of patches on our
core university applications, prior to release to the campus, helps reassure
management that the patches are safe for our environment.


"Sometimes it will work fine, but often it will fail to download the
updates, or download them but not install them"
This may be related to BITSadmin (Background Intelligent Transfer Service),
the mechanism for allowing trickle downloads instead of all at once. This is
true when you use a SUS server, but you may wish to check and see if
BITSadmin is running as a service. Stopping it may improve your chances of
getting updates daily.

As an aside, BITSadmin can defer your updating process to the next day if it
fails multiple times, for example the server or the network may be busy.


Jacob Hahn
Montana State University Bozeman, MT
Information Technology Center
Windows Systems Admin

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeff Giacobbe
Sent: Friday, June 11, 2004 7:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Experiences with automatic Windows Updates

Greetings,

Our campus is in the final stages of developing a standard Windows XP
image to be deployed on all University owned PC desktops and laptops.
Our standard image is based on XP Pro, Service Pack 1 with all of the
latest patches.

So far the only real functional problem we have run into is inconsistent
results when trying to automate Windows Update to run once a day.
Sometimes it will work fine, but often it will fail to download the
updates, or download them but not install them.

Initially we attempted to run Windows Update as a scheduled task, but
found it would only work if an Admin was logged in (the vast majority of
our users will be logging into their machines as PowerUser with added
group rights of Backup Operator and Network Config Operator.) Currently,
we have configured the Windows Updates as a System Properties task that
is running the "AUTOMATIC WINDOWS UPDATE CLIENT" (ie, wuauclt.exe) which
runs once per day at noon and (usually, but not always) downloads and
installs updates regardless of who is logged on.

Has anyone else had problems getting automated Windows Updates to work
reliably?  Any tips for configuring this beast to work as advertised?
;-)  We've done a little bit of trolling on Google and found a number of
people reported bad experiences with the whole process, but others that
have it working fine.

Thanks in advance,

Jeff Giacobbe
Director of Systems, Security, and Networking
Montclair State University

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
