SYMPTOMS
最近在TA机器上的WAU(Windows automatically update)经常会出现如下的情况:
CAUSE & Analysis
See the analysis on the picture.
考虑到WSUS的重要性,并且不能影响TA process,有两种方案可供选择:
1) 设置合适的registry and group policy, 让WSUS能定时自动更新,自动重启(如果需要的话)
[分析]优点:简便可行;缺点:需要定时自动更新,可能会影响TA process。另外 TA机器没有实行域控制,所以如果update policy有变,需要考虑如何方便更改所有机器的update policy。
2) 使用windows update agent, 考虑自己编程完成update任务
[分析]优点:运行的时机是可控的,update policy也应该是可控的;缺点:需要 编程 cost。
Refer to: http://msdn.microsoft.com/en-us/library/aa387102(VS.85).aspx
方案1)通常registry的设置可以满足非域PC的AU要求,若是在域中应该考虑group policy的设置了。另外要注意的是,即使是非域的机器你最好也把local computer group policy 和registry在AU上设成一致,或者把所的相关的local group policy设置成No configured 以免相互影响。所以我们下同分两种pc-client来讨论:在域的和不在域中的PC
1) Configure Clients Using Group Policy in Active Directory Environment
When you configure the Group Policy settings for WSUS, you should use a Group Policy object (GPO) linked to an Active Directory container appropriate for your environment. Microsoft does not recommend editing the Default Domain or Default Domain Controller GPOs to add WSUS settings.
After you set up a client computer, it will take a few minutes before it appears on the Computers page in the WSUS console. For client computers configured with an Active Directory-based GPO, it will take about 20 minutes after Group Policy refreshes (that is, applies any new settings to the client computer). By default, Group Policy refreshes in the background every 90 minutes, with a random offset of 0–30 minutes.
Option-1 : Configure Automatic Updates
Option-2: Specify intranet Microsoft Update service location
Option-3: Reschedule Automatic Updates scheduled installations
This policy specifies the amount of time that Automatic Updates should wait after system startup before proceeding with a scheduled installation that did not take place earlier.
If the status is set to Enabled, a missed installation will occur the specified number of minutes after the computer is next started.
(一个missed installation icon 将会在机器重起后一指定时间后出现)
If the status is set to Disabled, a missed installation will occur with the next scheduled installation.
(一个missed installation icon 将会在机器重起后出现)
If the status is set to Not Configured, a missed installation will occur one minute after the next time the computer is started.
Option-4: Allow Automatic Update immediate installation
2) Configure Clients in a Non–Active Directory Environment
In a non-Active Directory environment, you can configure Automatic Updates by using any of the following methods:
Ø Using Group Policy Object Editor and editing the Local Group Policy object
Ø Editing the registry directly by using the registry editor (Regedit.exe)
The registry entries for Automatic Update configuration options are located in the following subkey:
HKEY_LOCAL_MACHINE/Software/Policies/Microsoft/Windows/WindowsUpdate/AU
The keys and their value ranges are listed in the following table.
Automatic Updates Configuration Registry Keys
| Entry name | Data type | Value range and meanings |
| AUOptions | Reg_DWORD | Range = 2|3|4|5 2 = Notify before download. 3 = Automatically download and notify of installation. 4 = Automatically download and schedule installation. (Only valid if values exist for ScheduledInstallDay and ScheduledInstallTime.) 5 = Automatic Updates is required, but end users can configure it. |
| AutoInstallMinorUpdates | Reg_DWORD | Range = 0|1 0 = Treat minor updates as other updates are treated. 1 = Silently install minor updates. |
| DetectionFrequency | Reg_DWORD | Range = n, where n = time in hours (1–22). Time between detection cycles. |
| DetectionFrequencyEnabled | Reg_DWORD | Range = 0|1 1 = Enable DetectionFrequency. 0 = Disable custom DetectionFrequency (use default value of 22 hours). |
| NoAutoRebootWithLoggedOnUsers | Reg_DWORD | Range = 0|1 1 = Logged-on user gets to choose whether or not to restart his or her computer. 0 = Automatic Updates notifies user that the computer will restart in 5 minutes. |
| NoAutoUpdate | Reg_DWORD | Range = 0|1 0 = Enable Automatic Updates. 1 = Disable Automatic Updates. |
| RebootRelaunchTimeout | Reg_DWORD | Range = n, where n = time in minutes (1–1,440). Time between prompting again for a scheduled restart. |
| RebootRelaunchTimeoutEnabled | Reg_DWORD | Range = 0|1 1 = Enable RebootRelaunchTimeout 0 = Disable custom RebootRelaunchTimeout(use default value of 10 minutes) |
| RebootWarningTimeout | Reg_DWORD | Range = n, where n = time in minutes (1–30). Length, in minutes, of the restart warning countdown, after installing updates with a deadline or scheduled updates. |
| RebootWarningTimeoutEnabled | Reg_DWORD | Range = 0|1 1 = Enable RebootWarningTimeout 0 = Disable custom RebootWarningTimeout (use default value of 5 minutes) |
| RescheduleWaitTime | Reg_DWORD | Range = n, where n = time in minutes (1–60). Time, in minutes, that Automatic Updates should wait at startup before applying updates from a missed scheduled installation time. Note that this policy applies only to scheduled installations, not deadlines. Updates whose deadlines have expired should always be installed as soon as possible. 在机器重新启动后,等待安装missed updated的时间。可参见group policy Option-3: Reschedule Automatic Updates scheduled installations
|
| RescheduleWaitTimeEnabled | Reg_DWORD | Range = 0|1 1 = Enable RescheduleWaitTime 0 = Disable RescheduleWaitTime (attempt the missed installation during the next scheduled installation time). |
| ScheduledInstallDay | Reg_DWORD | Range = 0|1|2|3|4|5|6|7 0 = Every day. 1 through 7 = The days of the week from Sunday (1) to Saturday (7). (Only valid if AUOptions = 4.) |
| ScheduledInstallTime | Reg_DWORD | Range = n, where n = the time of day in 24-hour format (0–23). |
| UseWUServer | Reg_DWORD | Range = 0|1 1 = This machine gets its updates from a WSUS server. 0 = This machine gets its updates from Microsoft Update. The WUServer value is not respected unless this key is set. |
Refer to http://technet.microsoft.com/en-us/library/cc708574(WS.10).aspx
RESOLUTION
我们暂时采取方案一,要完成以下几件事:
1) 把group policy 的所有关于WAU的项,均设成No Configured ,只使用registry
2) 更改registry 中WAU的设置如下:
[HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/WindowsUpdate]
"WUServer"="http://update.hf.webex.com"
"WUStatusServer"="http://update.hf.webex.com"
"ElevateNonAdmins"=dword:00000001
"AcceptTrustedPublisherCerts"=dword:00000001
"TargetGroupEnabled"=dword:00000001
"TargetGroup"=""
[HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/WindowsUpdate/AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000002
"ScheduledInstallTime"=dword:00000016
"UseWUServer"=dword:00000001
"RescheduleWaitTimeEnabled"=dword:00000001
"RescheduleWaitTime"=dword:00000001
( 让它重启一分钟后,就安装missed installation patches)
"DetectionFrequencyEnabled"=dword:00000001
"DetectionFrequency"=dword:00000016
"AutoInstallMinorUpdates"=dword:00000001
"RebootWarningTimeoutEnabled"=dword:00000001
"RebootWarningTimeout"=dword:00000001
(win update install后,设置过X分钟后系统重启, 配合"NoAutoRebootWithLoggedOnUsers=0" , 在X分钟后就自动重启;反之过X分钟后,会有重启提示对话框出现,要求用户交互!)
"RebootRelaunchTimeoutEnabled"=dword:00000001
"RebootRelaunchTimeout"=dword:0000000a
[表明提示重启对话框出现的间隔时间,设为16分钟,结合上面的在win update install 之后,它会在1分钟内自动重启,所以重启提示对话框永不会在此设置中出现。]
"IncludeRecommendedUpdates"=dword:00000001
"AUPowerManagement"=dword:00000001
"NoAutoRebootWithLoggedOnUsers"=dword:00000000
STATUS
This behavior is by the incorrectly windows settings.
MORE INFORMATION
关于方案2,要论证一下是否值得写工具去完成WAU。
3138
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
