Windows Software Update Services (WSUS) for campus computers, including DeSC computers
Windows Software Update Services (WSUS) lets campus computers keep using the native Windows Update client while downloading the patches from a Princeton server and having them installed automatically according to a campus policy. WSUS provides security patches for the supported Windows operating systems (see below) as well as updates for Microsoft applications such as the Office 2007 programs.
Microsoft releases security patches to the public on the second Tuesday of the month. Through WSUS, Princeton releases the same patches for download to campus on the following Friday afternoon. The delay allows time for OIT to test the patches.
In order for a laptop to automatically download the patches, the laptop has to be powered on and have an Internet connection. If the laptop is powered off, it will automatically download the patches the next time it is powered on and connected to the Internet.
Once the patches have been downloaded, the laptop will attempt to install them on schedule if it is powered on, or in sleep or hibernate mode, and connected to AC power. If the laptop was not powered on, the patches will install at the next scheduled event. If the laptop is in DeSC, the installation is scheduled to begin at 2 a.m. the next day. If the laptop is not in DeSC, the laptop will install the patches based on the WSUS policy applied to it. More information about scheduling options is below.
Princeton University recommends setting laptops to hibernate mode when not in use. To confirm or change the laptop power button settings, see: kb.princeton.edu/1007.
What Does a "Force/Prompt" Policy Do?
Every device with a "force/prompt" policy that is powered up and connected to the network checks the Princeton WSUS server daily to see if there are any unapplied critical updates that have been received from Microsoft. If there are unapplied critical updates, the computer will download them. At 4:00 a.m. each morning any downloaded patches will be installed. If any of the updates requires a reboot, devices with a "Force/Prompt" policy will take one of the following actions:
- If no one is logged on, the device will be rebooted automatically.
- If a user is logged on, the user will be prompted before the reboot occurs.
- The prompt gives administrative users two options: click "Yes" to reboot now, or click "No" to close the window without rebooting. Non-administrators can only click the "Yes" button. If an administrative user clicks the "No" button, he or she must remember to reboot the system manually as soon as possible to complete the patch process. Unlike the "Force" option, the prompt message box has no countdown timer associated with it, so it can be left open until the user has had the chance to properly close all tasks in progress.
- Note - Any device with a "Force/Prompt" policy that is not powered up at 4:00 a.m. to install previously downloaded patches will execute the above sequence 5 minutes after being powered back on.
What Does a "Force" Policy Do?
Every device with a "force" policy that is powered up and connected to the network checks the Princeton WSUS server daily to see if there are any unapplied critical updates that have been received from Microsoft. If there are unapplied critical updates, the computer will download them. At 4:00 a.m. each morning any downloaded patches will be installed. If any of the updates requires a reboot, devices with a "Force" policy will take one of the following actions:
- If no one is logged on, the device will be rebooted automatically.
- If a user is logged on, the Automatic Updates client will begin a five-minute countdown prompt to apply the patch and reboot. Non-administrative users cannot stop the countdown; all they can do is save open documents and shut programs down in an orderly manner. Administrative users are given five minutes to defer the patch install/reboot for a specified period of time.
- Note - Any device with a "Force" policy that is not powered up at 4:00 a.m. to install previously downloaded patches will execute the above sequence 5 minutes after being powered back on.
What Does a "Prompt" Policy Do?
Every device with a "Prompt" policy regularly checks to see if there are any unapplied critical updates available on the WSUS server. If there are unapplied critical updates, these devices will download the updates and take one of the following actions:
- If any user is logged in, a bubble prompt will appear above the system tray area of the taskbar indicating that updates have been downloaded and are available for installation, and asking whether the patches should be applied now or deferred. If the user responds that the update(s) should be applied, they will be, and the device will be rebooted if necessary. If the user chooses to defer the application of the update(s), the prompt will be withheld until the deferral period has passed.
DeSC WSUS Policy:
All DeSC computers have been configured with a WSUS Force policy since 9/26/2003. Be advised that if a DeSC user is seeing the Microsoft software update alerts (aka "bubble prompts"), it is because that particular user has administrative rights on the machine. A normal user (the majority of DeSC users) will not see these alerts. Those who see the prompts can go ahead and allow SUS to install the patches, noting that they should exit all applications since the machine will reboot. See the "Force" definition above for more details. NOTE - DeSC machines apply downloaded patches at 2:00 a.m. every day.
Which Departments are Using WSUS?
Your department's non-DeSC Windows computers are receiving SUS updates only if:
- You applied one of the global policy objects the Windows Systems group created (e.g., Force or Force/Prompt) to your OU or sub-OU, or
- You submitted a request asking for the policy to be applied to your OU. If a machine is not already a member of the PRINCETON domain, you must first create a machine account for it via your SCAD, or by using this form:
- The default is, and has been, no updates unless the department "opts in"; this ensures that we don't unintentionally reboot a system in the middle of a long-running process. Please check your OUs to ensure that the OUs you want to receive SUS updates have the policy applied.
Individual Workstations Can Now Participate in WSUS Updates without a GPO being applied to their OU
OIT now has user-installable settings that allow machines that are not part of the Princeton domain, or that sit in OUs without a WSUS policy applied, to participate in OIT's Software Update Service. To install them:
- Log in to the computer with an account that has administrator privileges
- Connect to \\files\software\security\sus
- Read the ReadMe.txt document to understand the policy types
- Run the .reg file that corresponds to the type of policy you want to apply
- Click OK to complete the install of the registry settings
- Reboot the machine or restart the "Automatic Updates" service
- NOTE - There is also a .vbs file that a user can run if they no longer want our server to supply their Windows Update files. It removes the SUS settings and restores the original settings.
For more information on these settings that can run by individuals on their own machines, please see Solution 9769.
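The .reg files described above set the Automatic Updates policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. The following PowerShell script is an added example, not a file from the \\files\software\security\sus share or OIT's own code: it reads those documented policy values on the local machine and reports which of the three policy types (Force, Force/Prompt, Prompt) they correspond to, so an administrator can confirm what a .reg file actually applied. The mapping of AUOptions and NoAutoRebootWithLoggedOnUsers to the KB's policy names is this example's assumption about how those policies would be expressed, and the WSUS server address is not on the page, so none is hard-coded.

```powershell
# Added example (not from the Princeton KB page or OIT's .reg files): report which
# WSUS client policy the local Automatic Updates registry settings correspond to.
# Registry paths and value names are the documented Automatic Updates policy values;
# the Force / Force-Prompt / Prompt mapping below is this example's assumption.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue {
    # Return a single registry value, or $null when the key or value is absent
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$server   = Get-PolicyValue $wuKey 'WUServer'                     # campus WSUS URL (not hard-coded here)
$useWsus  = Get-PolicyValue $auKey  'UseWUServer'                  # 1 = use WUServer instead of Microsoft
$auOpt    = Get-PolicyValue $auKey  'AUOptions'                    # 3 = download, prompt to install; 4 = scheduled install
$instHour = Get-PolicyValue $auKey  'ScheduledInstallTime'         # 0-23, hour of the scheduled install (2 or 4 in the KB)
$noReboot = Get-PolicyValue $auKey  'NoAutoRebootWithLoggedOnUsers' # 1 = prompt a logged-on user instead of forcing the reboot

# Assumed mapping from registry values to the KB's policy names
$policy = switch ($true) {
    ($useWsus -ne 1 -or [string]::IsNullOrEmpty($server)) { 'Not pointed at a WSUS server (default Windows Update)'; break }
    ($auOpt -eq 4 -and $noReboot -eq 1)                   { 'Force/Prompt'; break }
    ($auOpt -eq 4)                                        { 'Force'; break }
    ($auOpt -eq 3)                                        { 'Prompt'; break }
    default                                               { "Unrecognized AUOptions value: $auOpt" }
}

[pscustomobject]@{
    WSUSServer            = $server
    AUOptions             = $auOpt
    ScheduledInstallHour  = $instHour
    PromptBeforeReboot    = ($noReboot -eq 1)
    PolicyType            = $policy
    AutomaticUpdatesState = (Get-Service -Name wuauserv).Status
} | Format-List
```

Run it from an administrator PowerShell prompt after applying a .reg file and restarting the Automatic Updates service; a machine that has run the opt-out .vbs file should come back as not pointed at a WSUS server.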
How to check for WSUS push success
- On the Desktop (Windows 2000) or Start Menu (Windows XP and Vista), right-click the My Computer (Windows 2000 and Windows XP) or Computer (Vista) icon
- From the context menu, choose Manage
- When the Computer Management console appears (this can take several seconds), select System Tools -->Event Viewer -->System to display System events in the right-hand pane
- Click on the column header labeled Source to sort events alphabetically by source.
- Scroll to the 'A's and look for messages from Automatic Updates
- For each successful WSUS push, you should see three Automatic Updates events:
- a. One event indicating that the patches were downloaded
- b. One event, at 2 a.m. or 4 a.m. depending on which group policy is applied to the machine, indicating that the installation has begun
- c. One event, at most a few minutes later than event b, indicating that the installation was successful and (if necessary) the machine is waiting to reboot.
- NOTE - Note the time stamp on entry c, then re-sort the events by clicking on the Date column header. Within a few minutes after the entry for c (successful completion of the update), you should see log entries from the 'eventlog' source indicating that a reboot occurred.
Additionally, there is a file in the base Windows directory (usually C:\windows or C:\winnt) of each machine titled "Windows Update.log" that has a textual listing of all the updates that have been placed on the computer. It is rather raw in the way it displays information, so it is not recommended as the normal way for users to review WSUS pushes.
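The Event Viewer procedure above can be scripted. The following PowerShell script is an added example, not part of the KB page or an OIT tool: it pulls the same System-log entries the manual check looks at and prints them in time order, so the download / install-started / install-succeeded sequence for one push and the reboot that follows can be read off directly. It assumes the Automatic Updates events are logged under the source name 'Automatic Updates' (Windows 2000 / SUS client) or 'Windows Update Agent' (Windows XP / Windows Update Agent), and that the reboot is recognized from the EventLog service's own 6006 (stopped) and 6005 (started) entries.

```powershell
# Added example (not from the Princeton KB page): list Automatic Updates events and
# the surrounding reboot markers from the System log, oldest first.
# Assumed source names: 'Automatic Updates' or 'Windows Update Agent' for the patch
# events; 'EventLog' 6006/6005 for the event-log service stopping/starting at a reboot.
param([int]$Days = 7)   # how far back to look

$patchSources = @('Automatic Updates', 'Windows Update Agent')
$since = (Get-Date).AddDays(-$Days)

$events = Get-EventLog -LogName System -After $since |
    Where-Object {
        ($patchSources -contains $_.Source) -or
        ($_.Source -eq 'EventLog' -and (@(6005, 6006) -contains $_.EventID))
    } |
    Sort-Object TimeGenerated

foreach ($e in $events) {
    $what = switch ($e.Source) {
        'EventLog' {
            if ($e.EventID -eq 6006) { 'REBOOT: event log service stopped' }
            else                     { 'REBOOT: event log service started' }
        }
        default { $e.Message.Split("`n")[0].Trim() }   # first line of the event text
    }
    '{0:yyyy-MM-dd HH:mm:ss}  {1,-22} {2,5}  {3}' -f $e.TimeGenerated, $e.Source, $e.EventID, $what
}
```

A successful push shows up as a downloaded event, an installation-started event at the scheduled hour, an installation-succeeded event a few minutes later, and then the 6006/6005 pair marking the reboot; an installation-started event with no succeeded event after it, or a succeeded event with no reboot pair, is the case to follow up on.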
WSUS requires the client machine to be:
- Windows Vista (Business, Enterprise, and Ultimate)
- Windows 2000 Pro/Server SP3 or higher
- Windows 2003 Server (32-bit or x64)
- Windows XP SP1 or higher
- Windows XP (x64)
- If you have Windows 2000 SP2 or earlier, or Windows XP with no service pack, these machines need their service packs upgraded manually to the above levels to work with WSUS. WSUS does not support Windows NT 4.0, Windows ME, or Windows 9x.