Keeping servers clean and updated seems to be the most important thing for systems administrators these days. A Windows Server 2008 Server Core installation comes without most of the easily targeted components but can not easily kept up to date.
There are two main problems. The first problem is you can only enable or disable Automatic Updates from the console as a whole. The second problem is you won’t find any balloons asking you or remembering you to install updates.
Using the console
It is possible to configure Automatic Updates from the Server Core Console. Microsoft made the configuration of Automatic Updates available within SCregEdit.wsf (along with some other important settings). SCregEdit.wsf is a Server Core only script.
Viewing the status of Automatic Updates
You can view the status of Automatic Updates by issuing the command:
cscript SCregEdit.wsf /AU /v
When you receive an error than try changing your directory (using cd) to C:\windows\system32 before executing the command.
Enabling Automatic Updates
The most remarkable thing is Windows Server 2008 Server Core doesn’t have Automatic Updates enabled by default. If you configure Automatic Updates regularly you might remember the Automatic Updates feature has three pre-configured modes. In Windows Vista and Windows Server 2008 Windows Update offers four pre-configured modes:
2 – Notify before downloading any updates and notify again before installing them. When Windows finds updates that apply to this computer, an icon appears in the status area with a message that updates are ready to be downloaded. Clicking the icon or message provides the option to select the specific updates to download. Windows then downloads the selected updates in the background. When the download is complete, the icon appears in the status area again, with notification that the updates are ready to be installed. Clicking the icon or message provides the option to select which updates to install.
3 – (Default setting) Download the updates automatically and notify when they are ready to be installed. Windows finds updates that apply to your computer and downloads these updates in the background (the user is not notified or interrupted during this process). When the download is complete, the icon appears in the status area, with notification that the updates are ready to be installed. Clicking the icon or message provides the option to select which updates to install.
4 – Automatically download updates and install them on the schedule specified below. Specify the schedule using the options in the Group Policy Setting. If no schedule is specified, the default schedule for all installations will be everyday at 3:00 AM. If any of the updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is logged on to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart.)
5 – Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. With this option, the local administrators will be allowed to use the Automatic Updates control panel to select a configuration option of their choice. For example they can choose their own scheduled installation time. Local administrators will not be allowed to disable Automatic Updates’ configuration.
Something else you might remember is the little balloon pop-up Windows shows when you select 2 or 3. It notifies you can (download and) install new updates.
Windows Server 2008 Server Core isn’t able to show these balloons since it lacks explorer.exe as shell. As a consequence SCregEdit.wsf doesn’t offer you 2 or 3 as a choice. Since Server Core doesn’t come with a Control Panel option 5 isn’t really an option as well. When you want to enabling Automatic Updates you may select scenario 4 by typing:
cscript SCregEdit.wsf /AU 4
Net stop wuauserv
Net start wuauserv
SCregEdit.wsf doesn’t offer you to specify a scheduled time to reboot the box when updates require a reboot. By default a Windows Server 2008 Server Core installation with Automatic Updates enabled from the console will automatically download updates and install these updates at 3:00 AM followed by a reboot if necessary. Imagine your surprise every second Tuesday of some months when your Server Core installation miraculously reboots in the middle of the night…
Disabling Automatic Updates
I can imagine this might not be desired behavior. The command for disabling Automatic Updates and the Windows Automatic Updates Service is:
cscript SCregEdit.wsf /AU 1
Net stop wuauserv
Using Active Directory
People that know me know I am a enormous fan of Active Directory. I’ll resort to it to change the default Automatic Updates behavior of Windows Server 2008 Server Core. Of course I will also call in the help from Windows Server Update Services, since this is the expert when it comes to tweaking Automatic Updates.
Automatic Updates Group Policy Objects
Windows Server 2008 comes with a bunch of new Group Policy Settings. (along with a new Group Policy format, a Group Policy Client Service and a new concept called the Central Store) Microsoft offers a Reference document (LonghornGPsettings.xls) with details for all of the settings available for Windows Server 2008 Beta 3. One of the new Administrative Templates is WindowsUpdate.admx which holds all of the Windows Update settings. (and supersedes wuau.adm)
WindowsUpdate.admx offers the following Automatic Updates settings:
- Computer Settings\Administrative Templates\Windows Components\Windows Update
- Allow Automatic Updates immediate installation
- Allow non-administrators to receive update notifications
- Allow signed content from intranet Microsoft update service location
- Automatic Updates detection frequency
- Configure Automatic Updates
- Delay Restart for scheduled installations
- Do not adjust default option to ‘Install Updates and Shut Down’ in Shut Down Windows dialog box
- Do not display ‘Install Updates and Shut Down’ option in Shut Down Windows dialog box
- Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates
- No auto-restart for scheduled Automatic Updates installations
- Re-prompt for restart with scheduled installations
- Reschedule Automatic Updates scheduled installations
- Specify intranet Microsoft update service location
- Turn on recommended updates via Automatic Updates
- User Settings\Administrative Templates\Windows Components\Windows Update
- Do not adjust default option to ‘Install Updates and Shut Down’ in Shut Down Windows dialog box
- Remove access to use all Windows Update features
- User Settings\Administrative Templates\System
- Windows Automatic Updates
Most of these settings apply to Windows Server 2008 Server Core, except when the option entails the notification of the (logged on) user. Using Group Policies in your Active Directory environment will add customizations to Automatic Updates for your machines, especially your Server Core machines.
Windows Server Update Services
Another way to customize the Automatic Update behavior of your Windows boxes is Windows Server Update Services. (WSUS) This doesn’t merely apply to Server Core.
Windows Server Update Services (WSUS) is a free add-on to Windows Server which allows you to run a local version of the Windows Update website. Through the use of Group Policies you can point your Windows boxes towards your Windows Server Update Services instead of the Windows Update website. The key to pointing your boxes towards your Windows Server Update Services is the ‘Specify intranet Microsoft update service location’ Group Policy setting.
Microsoft offers a great deal of assistance in deploying Windows Server Update Services (WSUS) 3.0 and Windows Server Update Services (WSUS) 2.0. As of last week Software Update Services (SUS) is no longer supported, but if you’re still running it you can find how to migrate to Windows Server Update Services 2.0 here.
Using the registry
People that know me know that every time I mention Group Policies or any other cool Active Directory usage scenario I also give hints how to use the information in non-Active Directory environments.
If you do not have an Active Directory environment you can still use regedit.exe on your Server Core console. Use the information in the previously linked Group Policy Reference for Windows Server 2008 to discover the corresponding registry values you’d like to edit manually.
I recommend using SCregEdit.wsf /AU to make the initial configuration changes and tweaking the settings in the registry afterwards. (unless you know what you’re doing)
Making a *.reg file might make your life a lot easier if you want to configure Automatic Update customization settings on a whole farm of Server Core boxes.
Of course using the registry to specify Automatic Update settings in no way limits you to not using Windows Server Update Services.
In order to troubleshoot Automatic Updates in Windows Server 2008 Server Core a couple of commands need to be available. While writing this post I played with Automatically updating my Server Core installation and found the following commands invaluable:
Forcing an update check
A neat trick to perform on the Windows Server 2008 Server Core console is an on-demand check for updates. You can initiate this check by running:
Checking which updates are installed
Another neat trick is the ability to query the list of all installed Windows Updates. This might help when you are trying to figure out whether an update is installed and the server needs rebooting or whether an update is not installed. (in which case you probably won’t need to reboot) The command to use is:
wmic qfe list
Automatic Updates is one of the regions in which much needed or much anticipated functionality is not available directly from the console. Fortunately yo can use the registry to tweak many of the Automatic Updates behavior of your Server Core box(es).
If your game is to tweak the Automatic Updates behavior of a whole farm of Server Core boxes I suggest you put Active Directory and Windows Server Update Services (WSUS) to good use.
Server Core Installation Option of Windows Server 2008 Step-By-Step Guide
Server Core and Windows Updates
Group Policy Settings Reference Windows Server 2008 Beta 3
How to configure automatic updates by using Group Policy or registry settings
Longhorn Server Core – Quick Command Dump
Manipulate Automatic Updates Behavior Using Command-line Options
Managing Group Policy ADMX Files Step-by-Step Guide
How to create a Central Store for Group Policy Administrative Templates in Window Vista
Step-by-Step Guide to Getting Started with Windows Server Update Services 3.0
Step-by-Step Guide to Getting Started with Windows Server Update Services 2.0
Step-by-Step Guide to Migrating from Software Update Services to Windows Server Update Services 2.0
Disclaimer Beta Software
The information on this webpage applies to software from Microsoft that was in testing phase but utilizable by experienced users by the time the webpage was written. This software has not been released for sale, distribution or usage for the general public. The information on this webpage and the beta software are provided “as is” without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.