Automatic server updates would seem impossible with
Server Core because it lacks Internet Explorer. Yes, you can download
the update and install it manually, but this technique hasn't worked
well in the past and it probably won't work well now. Most
administrators are quite busy and forget to apply the required patches.
Of course, if you have just one server and a dedicated administrator,
downloading the patches and applying them manually can work. After all,
applying patches manually is how most administrators have worked for
years (just not very successfully in larger organizations).
Fortunately,
you don't need Internet Explorer to perform automatic updates for
Server Core. One of the features that comes with Server Core is the
Windows Update AutoUpdate Client (WUAUClt) utility. This utility
performs automatic updates of your server, but Microsoft doesn't enable
it by default and you don't have a convenient GUI method of activating
it. Use any of these techniques to enable the WUAUClt utility.
Type CScript %SYSTEMROOT%\system32\SCRegEdit.WSF /AU 4 and press Enter to set Windows Update to start every time you start the computer.
Type Net Start WUAUServ and press Enter to start Windows Update for this session only.
Either
of these commands starts Windows Update using the default parameters,
which tell the server to update automatically each morning at 3:00 AM.
Unlike other versions of Windows, Server Core lacks the interface
requirements to notify you about anything. Consequently, the only mode
available is to download the updates and install them automatically
without telling you, which is mode 4.
Fortunately,
you can control the time at which Windows Update performs its work.
However, you must use the Registry Editor to make the change. Start the
Registry Editor by typing RegEdit and pressing Enter. Locate the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update key shown in Figure 1. Change the ScheduledInstallTime
value to the update hour you want to use. For example, if you enter 13
(0x0000000d), the update will take place at 1:00 PM. The maximum value
is 23 (0x00000017)—use a value of 0 for midnight. The ScheduledInstallDay
value determines when the update occurs. If you set this value to 0,
then the update occurs every day. Otherwise, the update occurs on the
day of the week you choose starting with 1 for Sunday. The maximum
value is 7 for Saturday.
Since
Server Core lacks the interface required to obtain status information,
you must obtain it at the command prompt. To obtain Windows Update
status, type CScript %SYSTEMROOT%\system32\SCRegEdit.WSF /AU /V and press Enter. The script outputs a simple status indicator as shown in Figure 2. You may find that you want to perform the update immediately. In this case, you type WUAUClt /DetectNow and press Enter. The server uses its Internet connection to perform an immediate update.
If you choose at a later time not to perform an update, you can tell the Windows Update server to stop by typing Net Stop WUAUServ and pressing Enter. The Windows Update server stops immediately. If you want to disable Windows Update completely, type CScript %SYSTEMROOT%\system32\SCRegEdit.WSF /AU 1 and press Enter. Make sure
you also review the "Controlling Services with the SC Command" of this
chapter to discover how to control services from the command line.
Of
course, you'll want to know which updates you have installed. After
all, you want to be sure that the server really does have the required
updates. To check the list of current updates, type WMIC QFE List
(where QFE stands for Quick Fix Engineering) and press Enter. When the
server has no updates installed, you'll see a message stating, "No
Instance(s) Available."
Microsoft
provides two alternatives to using the command line for Windows Update.
The first is to use Windows Server Update Services (WSUS). WSUS is a
mini-version of Windows Update that you can set up on a local server.
Instead of requiring all of the machines on your network to update
using Windows Update directly, you can load the updates onto the WSUS
server. You then use a group policy to point all of the systems on the
network to use the WSUS server instead of Windows Update. The WSUS
server doesn't ship with Server Core, but you can find step-by-step
instructions for setting it up at http://technet2.microsoft.com/windowsserver/en/library/a68a19d2-630e-45d6-b596-d24dac987b641033.mspx.
The
second alternative is to use a group policy setting. Windows Server
2008 (including Server Core) comes with a new group policy setup for
Windows Update. These settings appear in an ADMX file, rather than the
ADM files of old and the settings are in XML format. The XML formatting
means that you can use something as simple as Notepad to make changes
to group policy. The Windows Update settings appear in the WindowsUpdate.ADMX file, which supersedes the WUAU.ADM file used in the past. Microsoft has provided a reference document for the new group policy settings at http://www.microsoft.com/downloads/details.aspx?familyid=2043b94e-66cd-4b91-9e0f-68363245c495.
