The Smart Control Resource Manager can be configured to manage Windows Updates on a SmartShield Client machine using three methods.
1. Client Windows Update
2. Schedule Update from SmartControl Resource
3. Windows Updates via WSUS/SUS (Windows Server Update Service-Software Update Service)
Client Windows Update
This update setting can be used to configure multiple machines at once from SmartControl. The setting will allow updates to run without interference by blocking the keyboard and mouse during the process. Only an administrator can unlock the keyboard and mouse during an update. The updates will begin at the time and day you choose, and will reoccur on the same time and day each week after. Your machines must be powered on in order for the updates to be completed.
To configure the Client Windows Update setting select one or more computers from your list in SmartControl Resource
*Selecting individual computers can be done manually by holding “Ctrl” and clicking each machine to be configured.
*Selecting all computers can be done by selecting “Edit” from the toolbar and then “Select All Clients” from the dropdown menu.
Right click a selected client and navigate to Client Control/Misc Configuration. Select Client Windows Update.
Alternatively, with the targeted machine(s) selected you can click “Client Control” from the toolbar.
You will be presented with a configuration window. This is the same window you would see if you configured the machine in-person. The box will be grayed-out if you are configuring your machine for the first time.
Once the “Enable Windows Update” box has been checked, you can begin configuring the options
“Frequency” options allow you run a check for updates by specific days.
Select a frequency and time of day to run Windows Updates.
The “Advanced” button holds four different Windows Update settings. There is a brief description of each option contained in the “Advanced Options” window.
Two minutes before the update runs, a pop up message will appear on the computer notifying any users of the impending update.
If protection is enabled, the computer will disable and reboot. Upon rebooting, Windows Updates will begin. The keyboard and mouse will be blocked and a red background will display a message that Windows Updates are running.
After the updates are finished, the computer will return to its previous state (SmartShield disabled or enabled).
If you are unsure whether a machine is configured for updates using this method, you can find out by right clicking and selcting “Properties” of any single machine. The “Properties” window will tell you the following information about Windows Updates for that machine – frequency, start time, maximum minutes allowed to do the updates, the level of updates chosen, and other useful information
In addition to checking the properties, SmartShield also keeps a log of updates on the client machine.
If the updates do not finish in the time allotted, SmartShield will begin the updates where the last session left off and continue during the next update period.
Scheduling Windows Updates
You can schedule Windows Updates through the “Scheduling” feature in the SCRM. This task will automatically execute the steps listed.
On this first window, you will configure start time, recurrence pattern and name the schedule. When using the SCRM's scheduler to run updates, we recommend creating a schedule with the following actions:
2. Disable Protection
4. Windows Update (Block User)
5. Delay (5 minutes)
6. Enable Protection
Note: Protection must be disabled for Windows Update (Recommended) to succeed.
Scheduling the "Windows Update (Execute Only)" task:
This task will only run Windows Updates. It only does Step 4 from the list above. It will not notify the user of the impending update, block the keyboard and mouse, change the login background, or automatically reboot the system.
Note: Protection must be disabled for Windows Update (Execute Only) to succeed.
When is this task beneficial?
This task is beneficial if you need to schedule Windows Updates to run on workstations that remain disabled and you do not want to reboot them. An example would be running Windows Updates on administrators' machines that are disabled.
WSUS / SUS Integration
The SCRM gives an administrator the ability to configure WSUS / SUS settings on a SmartShield client. This feature sets the name of the WSUS or SUS server that provides the client with the updates. It also allows for an administrator to prevent the client from modifying the Windows Update settings provided by the operating system.
Note: This setting can only be set from the SCRM.
To Set WSUS or SUS Server Settings on a client:
1. Highlight the client(s) > go to "Client Control" > “Misc. Configuration” > “Windows Update WSUS/SUS”
2. Enter the name of the WSUS or SUS server which will provide your clients with the updates.
3. If you want to prevent the client(s) from modifying the Windows Update settings provided by the operating system, check the box to do so.
4. Click the "Ok" button.
What does checking the box in the WSUS / SUS Server setting window do?
This will disable (gray-out) the Windows Update options on the client to prevent a user from changing any Windows Update settings through the control panel. It is like setting a policy to prevent modifying Windows Update settings.
If I no longer use a WSUS server, how to I remove my WSUS / SUS settings?
To remove WSUS/SUS settings, simply go through the steps above for setting the WSUS/SUS server name, only leave the name blank. This will remove the existing WSUS/SUS settings.