Hello All,
The school I work at, like many others recently, has been hit hard by viruses. We have a hefty Symantec Anti-Virus server with Exchange email snap-in that keeps viruses under control fairly well. However, we are looking for methods to keep all PCs on campus, including student machines (all high school students have their own laptop), up to date with Windows patches. One option we are considering is turning on fully-automatic Windows Updating. By "fully-automatic" I am referring to the option that downloads and installs the updates automatically with no user interaction, not the option that downloads the updates and then requests user permission to install. Here are some of my thoughts on this option...
- This setting is enabled automatically over our domain by applying a group policy to all computers. This allows us to make the change at the network level and not have to touch every machine. This also means that every time a user logs in, the setting is re-enabled, even if the user has turned it off manually. Conversely, if we need to disable automatic updating in the future, we can make the change quickly without touching every machine.
- This would not require us to manage the updating of every computer via an internal server such as a Windows Update proxy server, or a software deployment server. The other benefit of avoiding reliance on an internal server is that laptops will continue to receive automatic updates no matter what internet connection they are using, at home or school, (very beneficial over the summer).
- I was worried that when the updates were installed Windows would automatically restart, possibly causing loss of work and many angry users. However, I did some testing and found that when the updates have been installed, Windows notifies the user that they should restart soon and leaves the control in the hands of the user.
- I am concerned with how much bandwidth 400-500 computers could cause if they all attempt to download updates at the same time. There is a way to schedule the updates to occur at a specific time, allowing the bandwidth to be spread out, but this matter still concerns me.
- What happens if a unit is in the process of downloading/installing and they lose network connectivity? I would presume (or hope at least) that the installation would hang in progress and then automatically continue when internet connectivity was reestablished. What if the unit is restarted unintentionally during an installation?
- There are always a few random cases where installing service packs and updates will corrupt a registry setting, or install incorrectly, and cause damage to the integrity of the Windows installation. If we accept the fact that staying current with Windows updates is necessary, then this is just a fact of life that we'll have to face, i.e. there is always a chance of an install going awry regardless of who is in possession of the machine.
These are some of my preliminary thoughts on the matter. I would love to hear other thoughts, feedback, suggestions, or other ideas/experience on how to address the task of staying current with Windows Updates. Any perspectives and thoughts would be much appreciated.
Thanks!
Epsil0n
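
A read-only check of what the Automatic Updates group policy leaves on a client, as an added example that is not part of the original post: it interprets the standard policy registry values for update mode, schedule, restart behaviour and update source. It assumes PowerShell 3.0 or later; the function names and the sample values are made up for illustration.

```powershell
# Added example: interpret the Automatic Updates values that Group Policy writes
# under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (and its AU subkey).
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

function Resolve-AuPolicy {          # hypothetical helper name
    param([hashtable]$Au, [string]$WuServer)
    $modes = @{ 2 = 'Notify before download'
                3 = 'Download automatically, ask before install'
                4 = 'Download automatically, install on schedule'
                5 = 'Local administrator chooses' }
    $days = 'Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'
    $opt  = [int]$Au.AUOptions       # a missing value becomes 0

    if     ($Au.Count -eq 0)          { $mode = 'No policy applied (local setting in effect)' }
    elseif ($Au.NoAutoUpdate -eq 1)   { $mode = 'Automatic Updates disabled by policy' }
    elseif ($modes.ContainsKey($opt)) { $mode = $modes[$opt] }
    else                              { $mode = "Unrecognised AUOptions value '$($Au.AUOptions)'" }

    # The install schedule only applies to mode 4 (fully automatic).
    $schedule = $null
    if ($opt -eq 4 -and $Au.NoAutoUpdate -ne 1) {
        $schedule = '{0} at {1:00}:00' -f $days[[int]$Au.ScheduledInstallDay], [int]$Au.ScheduledInstallTime
    }
    # An internal update server is used only when UseWUServer is 1 and WUServer is set.
    $source = 'Microsoft Windows Update (no internal server)'
    if ($Au.UseWUServer -eq 1 -and $WuServer) { $source = $WuServer }

    [pscustomobject]@{
        Mode                         = $mode
        Schedule                     = $schedule
        RestartWaitsForLoggedOnUsers = ($Au.NoAutoRebootWithLoggedOnUsers -eq 1)
        UpdateSource                 = $source
    }
}

function Get-AuPolicy {              # reads the values actually applied to this PC
    $au = @{}
    if (Test-Path $AuKey) {
        $item = Get-ItemProperty -Path $AuKey
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $au[$p.Name] = $p.Value }   # skip provider metadata
        }
    }
    $server = $null
    if (Test-Path $WuKey) { $server = (Get-ItemProperty -Path $WuKey).WUServer }
    Resolve-AuPolicy -Au $au -WuServer $server
}

# Constructed sample: fully automatic, installing every day at 03:00.
Resolve-AuPolicy -Au @{ NoAutoUpdate = 0; AUOptions = 4; ScheduledInstallDay = 0; ScheduledInstallTime = 3 }
```

Running `Get-AuPolicy` on a domain-joined machine after a policy refresh shows whether the setting reached that client and what restart behaviour it was given.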