This topic describes how to configure Windows Update settings on a Windows Elastic Compute Service (ECS) instance.
Alibaba Cloud WSUS server
In the default group policy configurations of Windows ECS instances, the update source is the Windows Server Update Services (WSUS) server of Alibaba Cloud, rather than the official Microsoft Windows Update server. To prevent potential risks associated with Microsoft Windows security updates, Alibaba Cloud checks the Windows security updates received from Microsoft and publishes the updates that pass the check to the Alibaba Cloud WSUS server.
Alibaba Cloud configures the following Windows Update group policies for Windows ECS instances:
To view and verify the Windows Update group policies, perform the following steps:
Open the Run dialog box.
Enter gpedit.msc and press OK.
In the Local Group Policy Editor window, choose Computer Configuration > Administrative Templates > Windows Components > Windows Update.
NoteAfter you modify a group policy, open the Command Prompt window as an administrator and run the
gpupdate /forcecommand for the modification to take effect.
Configure Automatic Updates
Double-click Configure Automatic Updates to open the Configure Automatic Updates dialog box. By default, the Configure Automatic Updates parameter is set to Enabled and the Configure automatic updating parameter in the Options section is set to 2-Notifiy for download and notify for install. The settings allow you to receive a notification and manually install updates based on your business requirements.
You can modify the settings based on your business requirements.
To manually manage the update configurations, select 5-Allow local admin to choose setting from the Configure automatic updating drop-down list or set the Configure Automatic Updates parameter to Not Configured.
To manually download and install Windows updates based on your business requirements, set the Configure Automatic Updates parameter to Disabled.
Specify intranet Microsoft Update service locations
Double-click Specify intranet Microsoft Update service location to open the Specify intranet Microsoft Update service locations dialog box. By default, the Specify intranet Microsoft Update service location parameter is set to Enabled.
This setting allows you to specify the update server and statistics server. After you modify the group policy, you can run the telnet command to perform a test. If you can access port 80 of the corresponding server, the connection between the instance and the update server is normal.
For Windows ECS instances in the classic network, the following default servers are used:
Update server:
http://windowsupdate.aliyun-inc.comStatistics server:
http://windowsupdate.aliyun-inc.com
For Windows ECS instances in the virtual private cloud (VPC), the following default servers are used:
Update server:
http://update.cloud.aliyuncs.comStatistics server:
http://update.cloud.aliyuncs.com
Allow Automatic Updates immediate installation
Double-click Allow Automatic Updates immediate installation to open the Allow Automatic Updates immediate installation dialog box. By default, the Allow Automatic Updates immediate installation parameter is set to Disabled. This setting prevents updates from being automatically installed. To allow updates to be automatically installed, select Enabled.
Use the official Microsoft Windows Update server
The Alibaba Cloud WSUS server checks the received Microsoft Windows security updates and lags behind the official Microsoft Windows Update server in publishing Windows security updates. To use the official Microsoft Windows Update server to receive Windows updates in real time, perform one of the following operations:
Modify Group Policy settings
Open the Run dialog box.
Enter gpedit.msc and click OK.
In the Local Group Policy Editor window, choose Computer Configuration > Administrative Templates > Windows Components > Windows Update.
Double-click Specify Intranet Microsoft Update service locations and select Not Configured.
Open the Command Prompt window as an administrator and run the
gpupdate /forcecommand for the modification to take effect.
Modify the registry to change configurations
In this example, Windows Server 2012 is used to show how to modify the registry to use the official Microsoft Windows Update server.
Open the Run dialog box.
Enter regedit and click OK to open the Registry Editor window.
Perform the following steps to back up the registry entries in the WindowsUpdate directory:
Navigate to the
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdatedirectory.In the top navigation pane of the Registry Editor window, choose File > Export.
In the Export Registry File dialog box, select a file path, enter a name such as reg-backup for the exported file, and then click Save.
Perform the following steps to modify the registry:
In the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate directory, click AU.
Double-click the UseWUServer key in the right-side pane, change the value of Value data to 0, and then click OK.
Double-click the AUOptions key in the right-side pane, change the value of Value data to 4 or 2, and then click OK.
NoteWhen the AUOptions key is changed to 4, the Configure automatic updating parameter is set to 4-Auto download and schedule the install. In this case, the ECS instance may be automatically restarted to complete the update. To receive a notification before the update, set the AUOptions key to 2, which is the default value.
For more information, see Microsoft documentation.
Open the Command Prompt window and run the following commands to restart the WuAuServ service. Then, you can obtain the updates from the official Microsoft Windows Update server.
net stop WuAuServ net start WuAuServA command output similar to the following one is displayed.