4. To automatically renew expired certificates, update pending certificates, and remove revoked certificates, select the related check box.
5. To ensure that the latest version of certificate templates are requested and used, select the Update Certificates That Use Certificate Templates check box.
6. To notify users when a certificate is about to expire, specify when notifications are sent using the box provided. By default, notifications are sent when 10 percent of the certificate lifetime remains.
7. Tap or click OK to save your settings.
Managing Automatic Updates in Group Policy
Automatic Updates help you keep the operating system up to date. Although you can configure Automatic Updates on a per-computer basis, you'll typically want to configure this feature for all users and computers that process a GPO; this is a much more efficient management technique, and it keeps the setting from drifting from computer to computer.
Note that by default, Windows 8.1 and Windows Server 2012 R2 use Windows Update to download Windows Components in addition to binaries for roles, role services, and features. If the Windows diagnostics framework detects that a Windows component needs to be repaired, Windows uses Windows Update to download the component. If an administrator is trying to install a role, role service, or feature and the payload is missing, Windows uses Windows Update to download the related binaries.
Configuring Automatic Updates
When you manage Automatic Updates through Group Policy, you can set the update configuration to any of the following options:
■ Auto Download And Schedule The Install Updates are automatically downloaded and installed according to a schedule you specify. When updates have been downloaded, the operating system notifies the user so that she can review the updates that are scheduled to be installed. The user can install the updates at that time or wait for the scheduled installation time.
■ Auto Download And Notify For Install The operating system retrieves all updates as they become available, and then prompts the user when they’re ready to be installed. The user can then accept or reject the updates. Accepted updates are installed. Rejected updates aren’t installed but remain on the system, where they can be installed at a later date.
■ Notify For Download And Notify For Install The operating system notifies the user before retrieving any updates. If a user elects to download the updates, the user still has the opportunity to accept or reject them. Accepted updates are installed. Rejected updates aren’t installed but remain on the system, where they can be installed at a later date.
■ Allow Local Admin To Choose Setting Allows the local administrator to configure Automatic Updates on a per-computer basis. Note that if you use any other setting, local users and administrators are unable to change settings for Automatic Updates.
You can configure Automatic Updates in Group Policy by following these steps:
1. In the GPMC, press and hold or right-click the GPO with which you want to work, and then tap or click Edit.
2. In the policy editor, access Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
3. Double-tap or double-click Configure Automatic Updates. In the Properties dialog box, you can now enable or disable Group Policy management of Automatic Updates. To enable management of Automatic Updates, select Enabled. To disable management of Automatic Updates, select Disabled, tap or click OK, and then skip the remaining steps.
4. Choose an update configuration from the options in the Configure Automatic Updating list. On Windows 8 and later as well as Windows Server 2012 and later, updates can be automatically installed during the scheduled maintenance window by selecting the Install During Automatic Maintenance check box.
5. If you select Auto Download And Schedule The Install, you can schedule the installation day and time by using the lists provided. Tap or click OK to save your settings.
By default, Windows Update runs daily at 2:00 A.M. as part of other automatic maintenance. With desktop operating systems running Windows 8 or later, Windows Update uses the computer’s power management features to wake the computer from hibernation or sleep at the scheduled update time, and then install updates. Generally, this wake-up-and-install process will occur whether the computer is on battery or AC power.
If a restart is required to finalize updates applied as part of automatic maintenance and there is an active user session, Windows caches the credentials of the user currently logged on to the console, and then restarts the computer automatically. After the restart, Windows uses the cached credentials to sign in as this user. Next, Windows restarts applications that were running previously, and then locks the session using the Secure Desktop. If BitLocker is enabled, the entire process is protected by BitLocker encryption as well. Because this automatic restart sign-on briefly stores the console user's credentials across a restart, consider turning it off on computers that are not BitLocker protected by using the Sign-In Last Interactive User Automatically After A System-Initiated Restart policy, which is located in Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Logon Options.
The maintenance process runs whether or not a user is logged on. If no user is logged on when scheduled maintenance begins and a restart is required, Windows restarts the computer without caching credentials or storing information about running applications, and no user is signed in after the restart.
Because Windows automatically wakes computers to perform automatic maintenance and updates, you’ll also want to carefully consider the power options that are applied. Unless a power plan is configured to turn off the display and put the computer to sleep, the computer may remain powered on for many hours after automatic maintenance and updates.
Optimizing Automatic Updates
Generally, most automatic updates are fully applied only when a computer is restarted. Some updates, however, can be installed immediately without interrupting system services or requiring a restart. To ensure that such updates are installed as soon as they are downloaded, rather than waiting for the next scheduled installation, follow these steps:
1. In the GPMC, press and hold or right-click the GPO with which you want to work, and then tap or click Edit.
2. In the policy editor, access Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
3. Double-tap or double-click Allow Automatic Updates Immediate Installation. In the Properties dialog box, select Enabled, and then tap or click OK.
By default, only users with local administrator privileges receive notifications about updates. You can enable any user logged on to a computer to receive update notifications by following these steps:
1. In the GPMC, press and hold or right-click the GPO with which you want to work, and then tap or click Edit.
2. In the policy editor, access Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
3. Double-tap or double-click Allow Non-Administrators To Receive Update Notifications. In the Properties dialog box, select Enabled, and then tap or click OK.
Another useful policy is Remove Access To Use All Windows Update Features. If this policy is enabled, users cannot reach any Windows Update feature: the Automatic Updates settings in the System utility are removed and can't be configured, and driver updates from the Windows Update website are no longer offered in Device Manager. Because it is a user setting, this policy is located in User Configuration\Policies\Administrative Templates\Windows Components\Windows Update, and it applies to the users who process the GPO rather than to the computers.
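After the GPO applies, you'll want to confirm what actually reached a computer rather than trusting the policy editor. The following script is an added example, not code from the book or from Microsoft: it reads the registry values that the Windows Update policies described in this section (Configure Automatic Updates, Allow Automatic Updates Immediate Installation, Allow Non-Administrators To Receive Update Notifications, Remove Access To Use All Windows Update Features, and the automatic restart sign-on behavior) write when a GPO is applied, and translates them back into the policy names used above. The function names Get-PolicyValue and Get-WindowsUpdatePolicyReport are the script's own; the registry paths and value meanings are the ones the administrative templates write, and the report treats any value that is absent as Not Configured.

```powershell
# Added example (not from the book): audit the Windows Update policy values that the
# Group Policy settings described in this section write when the GPO is applied.
# Run from an elevated PowerShell prompt after 'gpupdate /force' on the target computer.

$auKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$wuKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$userKey  = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'
$logonKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue {
    # Returns $null when the key or value is absent, which means the policy is Not Configured.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# AUOptions values written by the Configure Automatic Updates policy.
$auOptionNames = @{
    2 = 'Notify For Download And Notify For Install'
    3 = 'Auto Download And Notify For Install'
    4 = 'Auto Download And Schedule The Install'
    5 = 'Allow Local Admin To Choose Setting'
}
# ScheduledInstallDay: 0 = every day, 1 through 7 = Sunday through Saturday.
$dayNames = @('Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday')

function Get-WindowsUpdatePolicyReport {
    $noAutoUpdate = Get-PolicyValue $auKey 'NoAutoUpdate'
    $auOptions    = Get-PolicyValue $auKey 'AUOptions'

    # NoAutoUpdate = 1 is what the policy writes when you select Disabled.
    if ($null -eq $noAutoUpdate -and $null -eq $auOptions) { $state = 'Not Configured' }
    elseif ($noAutoUpdate -eq 1)                            { $state = 'Disabled' }
    else                                                    { $state = 'Enabled' }

    $config = $null
    if ($null -ne $auOptions -and $auOptionNames.ContainsKey([int]$auOptions)) {
        $config = $auOptionNames[[int]$auOptions]
    }

    # The schedule only applies to option 4 (Auto Download And Schedule The Install).
    $schedule = $null
    if ([int]$auOptions -eq 4) {
        $day  = Get-PolicyValue $auKey 'ScheduledInstallDay'
        $time = Get-PolicyValue $auKey 'ScheduledInstallTime'
        if ($null -eq $day -or $null -eq $time) { $schedule = 'Not set (policy default applies)' }
        else { $schedule = '{0} at {1:00}:00' -f $dayNames[[int]$day], [int]$time }
    }

    [pscustomobject]@{
        ConfigureAutomaticUpdates      = $state
        UpdateConfiguration            = $config
        ScheduledInstall               = $schedule
        InstallDuringAutoMaintenance   = (Get-PolicyValue $auKey 'AutomaticMaintenanceEnabled') -eq 1
        ImmediateInstallAllowed        = (Get-PolicyValue $auKey 'AutoInstallMinorUpdates') -eq 1
        NonAdminsGetNotifications      = (Get-PolicyValue $wuKey 'ElevateNonAdmins') -eq 1
        UserWindowsUpdateAccessRemoved = (Get-PolicyValue $userKey 'DisableWindowsUpdateAccess') -eq 1
        AutoRestartSignOnDisabled      = (Get-PolicyValue $logonKey 'DisableAutomaticRestartSignOn') -eq 1
    }
}

$report = Get-WindowsUpdatePolicyReport
$report | Format-List

# Findings a reviewer would raise against the settings discussed in this section.
if ($report.UpdateConfiguration -eq 'Allow Local Admin To Choose Setting') {
    Write-Warning 'Local administrators can override the update configuration on this computer.'
}
if ($report.ConfigureAutomaticUpdates -eq 'Enabled' -and -not $report.AutoRestartSignOnDisabled) {
    Write-Warning 'Automatic restarts will cache the console user''s credentials and sign the user back in; confirm BitLocker is enabled or disable automatic restart sign-on.'
}
```

Run the script on a representative member of each OU that links the GPO. The UserWindowsUpdateAccessRemoved line reads HKCU, so it reports the Remove Access To Use All Windows Update Features setting for the user running the script, not for the computer; run it as a user who is in scope of that user policy to check it.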