Saturday, December 13, 2003

Making the AU client run a little more often

I've been doing a few presentations on Patch Management (see for the slides and pointers) and got asked an interesting question relating to the speed by which an Automatic Update client can request updates from a Software Update Services (SUS) server.

The client is hard coded to go to a server every 22 hours (less a random amount of up to 20%). Thus in 'steady state' each clinet will ask for updates every 17.6 to 22 hours. But what if you want to push out an update a bit faster how can you do it? Turns out there are 2 ways - neither of them very pretty. GPO Workaround

1. Assign a temporary GPO to the appropriate part of the Organizational Unit structure and use security filtering to ensure it applies to the appropriate computers.� Note that this temporary SUS GPO should be of a higher priority then the SUS GPO which is normally in use.�

2. The policy settings within this GPO should be configured to disable the AU client and change the default Group Policy refresh interval for computers to 5 minutes.

3. Force DC replication to occur so that all domain controllers have a copy of the new group policy object.

4. Wait up to 120 minutes for all clients within the OU to refresh Group Policy (default GPO refresh time for domain members is 120 minutes).

5. Amend the policy settings within the new GPO policy so that the automatic updates client is enabled and set to automatic download and automatic installation. Automatic installation should be set to occur 1 hour from the current time.

6. Force DC replication to occur so that all domain controllers have a copy of the changed group policy object.

7. Wait for all the SUS clients to refresh the updated SUS GPO settings (which is now happening 5 minutes).� Once the GPO takes effect, the automatic update clients should begin to download the new update from the SUS server. Installation will begin once the specified time is reached.

8. Once the update has been successfully installed on all target computers, delete the temporary GPO used to make all these changes. Servers will fall back to the existing AU download and installation options once they refresh their Group Policy settings.

----------- Net Stop/Start method

1. From the cmd.exe prompt: net stop "Automatic Updates"

2. Delete HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\LastWaitTimeout (if it exists)

3. Delete HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\DetectionStartTime (if it exists)

4. Make sure that HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\AUState=0x2

5. Net Start "Automatic Updates"

No comments: