Re: Experiences with automaticWindows Updates

["Barros, Jacob" <jkbarros () GRACE EDU>]

I will echo Jacob Hahn for reassurance..  We use an internal SUS and I
install updates manually on one or two machines before I approve them
for the rest of the campus.  So far (11 months) I haven't had any
problems with machines on the domain getting or installing updates from
my internal SUS.

If you have (or can get up to) a Win2K3 domain with AD, the SUS options
that force member computers to get and install (or retry) the updates
are better than with Win2K.

Our experience with windows updates using SUS has been ideal.

Jake Barros
Grace College



-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Hahn, Jacob
Sent: Friday, June 11, 2004 9:19 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Experiences with automaticWindows Updates


We have deployed a solution that uses a Software Update Services (SUS)
to help in the approval of patches before releasing them to our
computing environment. This SUS server is then tied to a group policy
that has all the clients polling the server nightly for update. The
testing of patches on our core university applications, prior to release
to the campus, helps reassure management that the patches are safe for
our environment.


"Sometimes it will work fine, but often it will fail to download the
updates, or download them but not install them" This may be related to
BITSadmin (Background Intelligent Transfer Service), the mechanism for
allowing trickle downloads instead of all at once. This is true when you
use a SUS server, but you may wish to check and see if BITSadmin is
running as a service. Stopping it may improve your chances of getting
updates daily.

As an aside, BITSadmin can defer your updating process to the next day
if it fails multiple times, for example the server or the network may be
busy.


Jacob Hahn
Montana State University Bozeman, MT
Information Technology Center
Windows Systems Admin

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeff Giacobbe
Sent: Friday, June 11, 2004 7:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Experiences with automaticWindows Updates

Greetings,

Our campus is in the final stages of developing a standard Windows XP
image to be deployed on all University owned PC desktops and laptops.
Our standard image is based on XP Pro, Service Pack 1 with all of the
latest patches.

So far the only real functional problem we have run into is inconsistent
results when trying to automate Windows Update to run once a day.
Sometimes it will work fine, but often it will fail to download the
updates, or download them but not install them.

Initially we attempted to run Windows Update as a scheduled task, but
found it would only work if an Admin was logged in (the vast majority of
our users will be logging into their machines as PowerUser with added
group rights of Backup Operator and Network Config Operator.) Currently,
we have configured the Windows Updates as a System Properties task that
is running the "AUTOMATIC WINDOWS UPDATE CLIENT" (ie, wuauclt.exe) which
runs once per day at noon and (usually, but not always) downloads and
installs updates regardless of who is logged on.

Has anyone else had problems getting automated Windows Updates to work
reliably?  Any tips for configuring this beast to work as advertised?
;-)  We done a little bit of trolling on Google and found a number of
people reported bad experiences with the whole process, but others that
have it working fine.

Thanks in advance,

Jeff Giacobbe
Director of Systems, Security, and Networking
Montclair State University

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.