ITS Windows Services
Critical Update Service
What is the ITS Windows Critical Update Service?
The Windows Critical Update Service (also known as the Patch Management Service) makes it easy for UVa faculty and staff to keep up with applying necessary maintenance updates (“patches”) on Windows machines. Using a Microsoft technology called WSUS (Windows Software Update Server), ITS downloads and tests patches, and then distributes them automatically to machines that utilize the service. If you are responsible for multiple Windows computers, using the Windows Patch Service can relieve you of the chore of maintaining each machine individually, and ensure that all are as up-to-date as possible.
WSUS works with all currently supported Microsoft Business software and currently includes 2003 Server, 2008 Server, Office 2003, 2007, and Exchange.
When Microsoft releases new patches, Microsystems officially tests those related to the Windows Premium Desktops. All commonly used applications are run to be sure the patches do not break anything. Once these are tested, patches are released to members of the ITS Windows Patch Service. Microsystems provides other patches, for example, Windows 2003 or 2008, as a courtesy to the University community but they are not tested.
What is WSUS?
WSUS is Microsoft Windows Software Update Server. It is designed to automate the process of distributing Microsoft Windows operating system and some Office patches.
It works by controlling the Automatic Updates applet already present on all Windows machines. Instead of many machines at UVa all going to the Microsoft website to download updates, the WSUS Server downloads all updates to an ITS-owned server. Workstations then look to this server for updates, which decreases the load on the University Internet connection.
Currently WSUS works with 2003 Server, 2008 Server, Office 2003, 2007, and Exchange. Please check the Microsoft TechNet website for a complete and up-to-date list, as technology changes rapidly.
How do I join?
Send an email to the ITS Virtualization and Microsoft Services group (VAMS).
If you are already in Eservices, all we need is your machine name to add you.
Note: You can find your machine name by clicking on Start | Settings | Control Panel. Open the System applet, and click on the Computer Name tab. If you are not in Eservices, and you do not have a Windows 2003 domain already, the University will purchase your Client Access Licenses, so you may join Eservices to take advantage of this service. Detailed instructions on joining your computer to the domain can be found here.
If you administer your own Windows 2003 or 2008 domain, ITS will help you set up a WSUS policy in your domain which points to the ITS WSUS server.
Your machine account in Eservices is moved into an Organization Unit, which applies a policy to your machine. The policy controls the Automatic Updates applet so that it pulls updates from ITS's WSUS server at the specified time. Once your machine is added to the OU, you can no longer make changes to the Automatic Updates configuration.
Once joined to the WSUS system, the following occurs:
- The Automatic Updates applet in Control Panel becomes “grayed out” and is no longer controllable by the user
- The user may see the automatic updates icon appear in the system tray.
- Once it does appear, the user can choose to ignore it, or to go ahead and install the updates.
- If ignored, patches will be automatically installed at 3:00AM the following morning, if the machine is on.
- If the machine is left on overnight (recommended):
- If no one is logged on:
- Patches are downloaded and installed at 3:00AM, and the machine is automatically rebooted if necessary.
- If a user is logged on:
- A dialog box will pop up, giving any active users 5 minutes to decline the installation of patches. If no buttons are pressed, installation proceeds after 5 minutes, and the machine is rebooted if necessary.
- If the machine was off at 3:00 AM, the user will be prompted to install patches one minute, after their machine boots the next time (if they are logged in).
- At that time, they have the choice of installing the patches or refusing.
- If they refuse, patches will be installed at 3:00 AM the following morning if it is on, or they will be prompted again the next time their computer boots.
- If the user was not logged in after the system had been booted for 1 minute, the patches will install automatically, and the machine will reboot as long as no one is logged in.
- If someone logs in during the install, they will be prompted to reboot, once installation is completed. They will be given the option to reboot now, or postpone until a convenient time.