Enforcing Windows Update via Group Policy

Another Group Policy object that I use in the "Jameson Datacenter" (a.k.a. my home lab) is one to automatically configure Windows Update on all computers in the domain. This ensures that each server or workstation downloads updates from COLOSSUS (one of my VMs that is running Windows Server Update Services) rather than having each computer download, for example, a 577 MB service pack directly from the Internet. It also ensures that only the updates that I have approved through WSUS are applied.

To automatically configure Windows Update in the "Jameson Datacenter", I have defined a Group Policy (named Default Windows Update Policy) with the following settings:

  • Computer Configuration
    • Policies
      • Administrative Templates
        • Windows Components
          • Windows Update
            • Configure Automatic Updates
              • Enabled
              • Configure automatic updating: 4 - Auto download and schedule the install
              • Scheduled install day: 0 - Every day
              • Scheduled install time: 03:00
            • Specify intranet Microsoft update service location
              • Enabled
              • Set the intranet update service for detecting updates: https://colossus
              • Set the intranet statistics server: https://colossus

Because this Group Policy is linked to the entire domain (i.e. corp.technologytoolbox.com), Windows Update is automatically configured as soon as new computers are joined to the domain and rebooted.
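To confirm that a newly joined computer has actually picked up the policy after its reboot, the settings above can be compared with the values that Group Policy writes under the Windows Update policy registry key. The following script is an added example, not part of the original post; the function name Test-WindowsUpdatePolicy is hypothetical, and the expected values are taken from the settings listed above.

```powershell
# Added example: compare the Windows Update policy values on this computer
# with the settings listed in the post. Run it locally in an elevated or
# normal PowerShell session (read-only; nothing is changed).
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'

# Expected values, one entry per policy setting from the post.
$expected = @(
    @{ Path = $wu; Name = 'WUServer';             Value = 'https://colossus' },
    @{ Path = $wu; Name = 'WUStatusServer';       Value = 'https://colossus' },
    @{ Path = $au; Name = 'UseWUServer';          Value = 1 },  # use the intranet server
    @{ Path = $au; Name = 'NoAutoUpdate';         Value = 0 },  # Configure Automatic Updates: Enabled
    @{ Path = $au; Name = 'AUOptions';            Value = 4 },  # auto download and schedule the install
    @{ Path = $au; Name = 'ScheduledInstallDay';  Value = 0 },  # every day
    @{ Path = $au; Name = 'ScheduledInstallTime'; Value = 3 }   # 03:00
)

# Hypothetical helper: returns one object per setting with its state
# (OK, Drift when the value differs, Missing when the policy never applied).
function Test-WindowsUpdatePolicy {
    param([object[]]$Settings)
    foreach ($s in $Settings) {
        $actual = $null
        $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        if ($item) { $actual = $item.($s.Name) }

        if ($null -eq $actual)               { $state = 'Missing' }
        elseif ("$actual" -eq "$($s.Value)") { $state = 'OK' }
        else                                 { $state = 'Drift' }

        New-Object PSObject -Property @{
            Setting = $s.Name; Expected = $s.Value; Actual = $actual; State = $state
        }
    }
}

$results = Test-WindowsUpdatePolicy -Settings $expected
$results | Select-Object Setting, Expected, Actual, State | Format-Table -AutoSize

# Flag the machine if any setting is missing or differs from the policy.
$bad = @($results | Where-Object { $_.State -ne 'OK' })
if ($bad.Count -gt 0) { Write-Warning "$($bad.Count) Windows Update policy setting(s) not applied as expected." }
```

A computer that reports every setting as Missing has not processed the Group Policy yet, which usually means it has not been rebooted since joining the domain or the policy link does not reach it.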

This enables me to spin up new VMs with very little effort. More importantly, it takes less than a half hour to get a new Windows Server 2008 VM with all the latest patches (since I start from a SysPrep'ed VHD with Windows Server 2008 Service Pack 2).