Recommended Group Policy Object (GPO) Settings
By default, computers pointed to ITS WSUS check for updates every 22 hours. Microsoft has typically been releasing 1-2 virus definition updates per day for Forefront. ITS recommends that computers check for and install new virus definitions every 6 hours. Departments can either use the ITS managed Group Policy objects (GPOs) for WSUS or modify their own.
Updating your WSUS GPO
For departments that manage their own WSUS GPOs, it is recommended that you enable settings to keep the Forefront Client up to date with the latest definitions. These settings are located in Computer Configuration | Policies | Administrative Templates | Windows Components | Windows Update.
Allow Automatic Updates immediate installation - this allows the computer to download and install certain updates that neither interrupt Windows services nor restart Windows (in particular, Forefront definition updates).
Automatic Updates detection frequency - check for updates every 6 hours.
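To confirm on a client that the two settings above have actually been applied, the local policy registry values can be audited. The script below is an added example, not part of the ITS documentation; it assumes PowerShell 3.0 or later and the standard Windows Update policy registry value names (AutoInstallMinorUpdates, DetectionFrequencyEnabled, DetectionFrequency), and the function name Test-WsusDefinitionPolicy is hypothetical.

```powershell
# Added example: audit the Windows Update policy values that the GPO writes on a client.
# Assumption: standard policy location for Automatic Updates settings.
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Expected values for the two settings recommended above.
$expected = [ordered]@{
    AutoInstallMinorUpdates   = 1   # Allow Automatic Updates immediate installation: Enabled
    DetectionFrequencyEnabled = 1   # Automatic Updates detection frequency: Enabled
    DetectionFrequency        = 6   # Hours between update checks
}

function Test-WsusDefinitionPolicy {
    param(
        [string]$Path = $auKey,
        [System.Collections.IDictionary]$Expected = $expected
    )

    # A missing key means no Automatic Updates policy has reached this machine.
    $policy = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    foreach ($name in $Expected.Keys) {
        $actual = if ($policy) { $policy.$name } else { $null }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = if ($null -eq $actual) { '(not set)' } else { $actual }
            Compliant = ($null -ne $actual) -and ($actual -eq $Expected[$name])
        }
    }
}

$results = Test-WsusDefinitionPolicy
$results | Format-Table -AutoSize

# Exit non-zero so the check can be used from a scheduled task or inventory tool.
$failed = @($results | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) setting(s) not applied; the default 22-hour check interval may still be in effect."
    exit 1
}
```

If a value shows as not set shortly after linking the GPO, run gpupdate /force on the client and check again.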
Linking to the ITS GPOs
The ITS managed GPOs are named:
AUSTIN-Windows Update - WSUS for Servers. Use this GPO to download but not install updates that require a reboot. It is the responsibility of the system administrator to manually install and restart systems and ensure they are kept up-to-date. This allows virus definitions to be downloaded and installed without restarting, and provides flexibility to not interrupt critical processes.
AUSTIN-Windows Update - WSUS for Workstations. Use this GPO if it is OK to install updates that require a reboot (see more below).
Both GPOs are set to:
Use ITS WSUS for the update service location.
Allow Automatic Updates immediate installation.
Check for updates every 6 hours.
These settings allow Forefront definition updates to be installed. Additionally, the WSUS for Workstations GPO does the following:
Allow non-administrators to receive update notifications.
Schedule the install of updates for 3 a.m. (and reboot if required).
Delay restart for 1 minute for scheduled installations.
Wait 5 minutes after system startup to reschedule any scheduled updates.
Last updated September 14, 2011 @ 11:06 am