Is your patch programme up to scratch?
Published: 27 May 2005 11:10 BST
Windows Update: better than nothing
Relying on Windows Update is better than avoiding the issue altogether, but it's still not the ideal solution. If there are only 10 computers on your network, you may be able to ensure that each system is properly configured and getting all its updates regularly, but that strategy doesn't scale very well. You also must remember that the automatic update feature only delivers updates deemed to be "high priority". And what if your network is running Windows NT or Windows 98 machines? Those versions don't support automatic updates (although they can be updated via the Windows Update Web site).
Windows Update is an excellent solution for keeping consumer computers up to date, and it will work in a small workgroup environment where users are responsible for their own machines. But as the network grows, you need more centralised control.
One thing you can do, in an Active Directory environment, is configure Group Policy to administer the Automatic Update settings on computers in the domain. This at least keeps you from having to physically visit each computer to configure or verify its settings. You can also use the Group Policy setting (found in Computer Configuration\Administrative Templates\Windows Components\Windows Update) to schedule the day and time for installations. You might also want to enable the Group Policy setting to Remove Access to Use All Windows Update Features in the User Configuration node (User Configuration\Administrative Templates\Windows Components\Windows Update) so that even users who are local administrators won't be able to install updates manually. Automatic Updates will still run and install updates as scheduled.
By default, the updates will be downloaded from the public Windows Update site. However, you can gain more control over the update process by specifying that the updates be downloaded from an intranet update service.
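The Group Policy settings described above end up as registry values on each domain computer, so they can be verified without visiting the machine. The PowerShell below is an added example, not code from the article: it reports whether scheduled installation and an intranet update service are actually in effect. The registry value names are the standard Automatic Updates policy values (the article does not list them), and the server URL in the sample is a constructed placeholder.

```powershell
# Added example, not from the article: checks whether the Automatic Updates
# policy delivered by Group Policy has landed in this computer's registry.
$WUKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-PolicyValues([string]$Path) {
    # Hashtable of the values under $Path; empty if the policy key is absent.
    $values = @{}
    if (Test-Path $Path) {
        $key = Get-Item $Path
        foreach ($name in $key.GetValueNames()) { $values[$name] = $key.GetValue($name) }
    }
    $values
}

function Test-AutoUpdatePolicy([hashtable]$WU, [hashtable]$AU) {
    $days = 'every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'
    if ($AU.Count -eq 0) {
        'FAIL: no Automatic Updates policy applied; local settings are in effect'
        return
    }
    if ($AU['NoAutoUpdate'] -eq 1) {
        'FAIL: Automatic Updates is disabled by policy'
    } elseif ($AU['AUOptions'] -eq 4) {
        # AUOptions 4 = download automatically and install on the schedule
        $day = $days[[int]$AU['ScheduledInstallDay']]
        'OK: scheduled install {0} at {1:00}:00' -f $day, [int]$AU['ScheduledInstallTime']
    } else {
        'WARN: AUOptions={0}; updates are not installed on a schedule' -f $AU['AUOptions']
    }
    if ($AU['UseWUServer'] -ne 1) {
        'INFO: updates come from the public Windows Update site'
    } elseif ([string]::IsNullOrEmpty($WU['WUServer'])) {
        'FAIL: UseWUServer=1 but no WUServer URL is set'
    } else {
        'OK: intranet update service {0} (status: {1})' -f $WU['WUServer'], $WU['WUStatusServer']
    }
}

# Constructed sample of what a correctly applied policy looks like.
$sampleWU = @{ WUServer = 'http://updates.example.internal'; WUStatusServer = 'http://updates.example.internal' }
$sampleAU = @{ NoAutoUpdate = 0; AUOptions = 4; ScheduledInstallDay = 0; ScheduledInstallTime = 3; UseWUServer = 1 }
Test-AutoUpdatePolicy $sampleWU $sampleAU

# On a domain computer, audit the live registry instead.
if (Test-Path $WUKey) {
    Test-AutoUpdatePolicy (Get-PolicyValues $WUKey) (Get-PolicyValues "$WUKey\AU")
}
```

A FAIL or WARN line on a machine that should be covered by the policy usually means the GPO is not linked to that computer's OU or has not yet refreshed.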
Centralised software deployment
In a large organisation, you are likely to have proprietary applications that may cause conflicts with some updates. That can create a nightmare if you don't have more control over which updates get installed to which machines.
There are several ways to centrally deploy updates in a Windows domain. You can use Group Policy's Software Installation functionality to deploy and install service packs and some updates. Note that you'll need to obtain or create .msi packages for the software that you install this way.