Windows Update Installation Filters

When installing Windows Updates, you have a number of options to select from in order to determine where the updates are retrieved from and which updates are downloaded and installed. Let’s take a moment to go through everything.

Start by taking a look at the Windows Update settings screen under Tools > Settings > Windows Update.

Server Selection:
The Server Selection radio buttons control where target computers will retrieve updates from. When BatchPatch is operating with cached mode disabled (it is disabled, by default), all target computers will retrieve their updates from either a managed WSUS server, Windows Update, or Microsoft Update.

Default / Managed: BatchPatch instructs each target computer to use its existing configuration to determine where to search for updates. A computer’s existing configuration would either come from group policy or manual configuration at the console. In either case, when ‘Default/Managed’ is selected, it just means that BatchPatch will use the target’s configuration. This is frequently what the administrator wants. However, in some cases the administrator might specifically want to instruct computers to bypass their own WSUS server in order to search Windows Update or Microsoft Update instead.

Windows Update: BatchPatch instructs each target computer to bypass its own configuration and search for updates on Microsoft’s public server. This includes only Windows updates.

Microsoft Update: BatchPatch instructs each target computer to bypass its own configuration and search for updates on Microsoft’s public server. This includes Windows updates AND updates for other Microsoft products. However, before using Microsoft Update, target servers must be opted-in to the service, otherwise they will throw an exception when the search for available updates is executed. See Actions > Windows Updates > Opt-in…

Search Preferences: When a search for updates is initiated, BatchPatch uses the Search Preferences to determine what search query is used.

Software and Drivers: When both the ‘Software’ and ‘Drivers’ boxes are checked, BatchPatch instructs target machines to search for *all* available updates. This is the most expansive search allowed. However, if only one of these boxes is checked, the search scope is limited to include only the checked option, while excluding the unchecked option.

Important and Recommended: As you might have noticed when looking at the regular control panel Windows Update interface on any given computer, Microsoft makes its own determination of what updates are considered ‘Important’ vs ‘Recommended’ vs ‘Optional.’ BatchPatch provides you with capability to mimic this behavior, so if you want your computers to only find updates that are ‘Important’ and/or ‘Recommended,’ you are able to do so. If both checkboxes are checked, then the search scope is limited to include important and recommended updates while excluding ones that Microsoft considers optional.

Update Classification Filtering: During the download and/or installation process you are able to further refine which updates are downloaded and/or installed on target computers by checking/unchecking different classification filter options. Every Windows Update that Microsoft publishes is categorized into one of the following groups:

  • Critical Updates
  • Security Updates
  • Definition Updates
  • Updates
  • Update Rollups
  • Service Packs
  • Feature Packs
  • Drivers
  • Tools

If you want to ensure that a service pack or a driver is never installed on your target computers, then leave the Service Packs and Drivers checkboxes unchecked at all times.

For environments that use a WSUS server, we recommend setting the ‘Search Preferences’ to include both software and drivers. Then check every box in the ‘Update Classifications’ section. In this case BatchPatch will *not* restrict or limit the updates that are seen by or installed on target computers. Instead, it’s the approval settings on your WSUS server that will control which updates are available to computers. When BatchPatch is used in this case, generally the administrator wants BatchPatch to detect all updates that have been approved by the WSUS, rather than having BatchPatch restrict which updates are downloaded/installed.

For environments that do *not* use a WSUS server, we recommend checking both the ‘Important’ and ‘Recommended’ checkboxes, so that BatchPatch installs all the updates that Microsoft deems important and recommended. Optional updates will not be installed.

EULA Behavior: Every once in a great while, Microsoft will release an update that requires the user to agree to a EULA (End User License Agreement) before the update is able to be installed. Generally speaking I don’t see a reason to ever uncheck this box as I have only ever seen this feature be used for an update to Internet Explorer. 99.9% of updates will install with no EULA. If an update *does* require a EULA to be accepted (this is exceedingly rare), then if this checkbox is *not* checked, BatchPatch will skip the update without installing it.

Cached Mode / Offline Updates:‘Cached mode’ turns BatchPatch into a central distribution point that will cache Windows Updates and act as a conduit for the cached updates to be applied to target computers. ‘Offline mode’ provides a facility to apply Windows Updates to computers that do not have access to the internet or a WSUS server. For more information on either of these features, please visit Cached Mode and Offline Updates

This entry was posted in Blog, General, Tutorials. Bookmark the permalink. Both comments and trackbacks are currently closed.