Automatic Updates check
Applies To: Forefront Client Security
The Automatic Updates SSA check identifies whether the Automatic Updates feature is enabled on the scanned computer, and if so, how it is configured. Automatic Updates can keep a computer up to date automatically with the latest updates from Microsoft by delivering them directly to the computer from the Microsoft Update site, Windows Update site, or from a local WSUS server if the computer is in a managed environment. Automatic Updates is available on computers running Windows Server 2003, Windows XP, or Windows 2000 Server Service Pack 3 (SP3).
Automatic Updates can be configured to automatically download and install updates on a computer; download updates for the user, but let the user choose when to install them; or notify the user, but don't automatically download or install updates on a computer.
Resolutions for potentially unacceptable scores
For High and Medium scores, it is recommended that, on the scanned computer, you configure Automatic Updates to download and install updates automatically.
If you use Group Policy, it is recommended that you use it to control Automatic Updates and to prevent users from changing these settings.
Scoring and results
Scoring for the Automatic Updates check is divided into four categories, depending upon Group Policy configuration or the absence of Automatic Updates settings.
Group Policy controls Automatic Updates
The following table shows how Client Security determines the score resulting from performing this check when Group Policy controls Automatic Updates settings on the scanned computer. It also shows the results message that appears in related reports.
All scores for Automatic Updates settings controlled by Group Policy are Informational. It is assumed that settings dictated by Group Policy are intentional and reflect the standards of your organization. If this setting does not reflect your organization's standards, investigate the Group Policy applied to the scanned computer.
Score | Automatic Updates configuration | Results message |
---|---|---|
Informational | Automatic Updates disabled | Automatic Updates are managed through Group Policy on this computer. Setting: the Automatic Updates feature is disabled. |
Informational | Notify before download | Automatic Updates are managed through Group Policy on this computer. Setting: updates are not automatically downloaded or installed on this computer. |
Informational | Automatic download but notify before install | Automatic Updates are managed through Group Policy on this computer. Setting: updates are automatically downloaded, but not automatically installed. |
Informational | Automatic download and scheduled installation | Automatic Updates are managed through Group Policy on this computer. Setting: updates are automatically downloaded and installed. |
Group Policy allows users to control Automatic Updates
The following table shows how Client Security determines the score resulting from performing this check when Group Policy allows users to control Automatic Updates settings on the scanned computer. It also shows the results message that appears in related reports.
Note
It is recommended that you consider using Group Policy to enforce your organization's standards for Automatic Updates. The resolution shown in the following table assumes that your Group Policy implementation intentionally allows users to control Automatic Updates.
Score | Automatic Updates configuration | Results message |
---|---|---|
Medium | Automatic Updates not configured | The Automatic Updates feature is not configured on this computer. |
Medium | No settings exist | The Automatic Updates feature is not configured on this computer. |
Medium | Automatic Updates disabled | The Automatic Updates feature is disabled on this computer. |
Medium | Notify before download | Updates are not automatically downloaded or installed on this computer. |
Medium | Automatic download but notify before install | Updates are automatically downloaded (but not automatically installed) on this computer. |
Low | Automatic download and scheduled installation | Updates are automatically downloaded and installed on this computer. |
No Group Policy settings affect Automatic Updates
The following table shows how Client Security determines the score resulting from performing this check when no Group Policy settings affect Automatic Updates and users have full control of Automatic Updates settings on the scanned computer.
Score | Automatic Updates configuration | Results message |
---|---|---|
High | Automatic Updates not configured | The Automatic Updates feature is not configured on this computer. |
High | Automatic Updates disabled | The Automatic Updates feature is disabled on this computer. |
Medium | Notify before download | Updates are not automatically downloaded or installed on this computer. |
Medium | Automatic download but notify before install | Updates are automatically downloaded (but not automatically installed) on this computer. |
Low | Automatic download and scheduled installation | Updates are automatically downloaded and installed on this computer. |
No Automatic Updates settings
The following table shows how Client Security determines the score resulting from performing this check when there are no Automatic Updates settings on the scanned computer.
Score | Automatic Updates configuration | Results message |
---|---|---|
High | No settings exist | The Automatic Updates feature is not configured on this computer. |
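The following is an added example, not part of the original documentation and not Client Security code: a PowerShell script that reads the local Automatic Updates settings and reports the category, configuration, and score from the four tables above. It assumes the standard Windows Update registry values (`NoAutoUpdate` and `AUOptions` under the policy and local keys) identify each category, and that a policy `AUOptions` value of 5 means Group Policy lets users control the settings; the page does not say how Client Security itself detects these cases.

```powershell
# Added example, not Client Security code. Assumption: the standard Windows
# Update registry values identify each category on this page; policy
# AUOptions = 5 is treated as "Group Policy allows users to control".
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$LocalKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$Scheduled = 'Automatic download and scheduled installation'

function Get-AUValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is absent.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function ConvertTo-AUConfiguration($AUOptions, $NoAutoUpdate, [bool]$KeyExists) {
    # Map raw registry values to the configuration names used in the tables.
    $names = @{ 1 = 'Automatic Updates disabled'
                2 = 'Notify before download'
                3 = 'Automatic download but notify before install'
                4 = $Scheduled }
    if (-not $KeyExists)     { return 'No settings exist' }
    if ($NoAutoUpdate -eq 1) { return $names[1] }
    if ($null -ne $AUOptions -and $names.ContainsKey([int]$AUOptions)) { return $names[[int]$AUOptions] }
    'Automatic Updates not configured'
}

function Get-AutomaticUpdatesScore {
    $polOpt = Get-AUValue $PolicyKey 'AUOptions'
    $polOff = Get-AUValue $PolicyKey 'NoAutoUpdate'
    $localExists = Test-Path -LiteralPath $LocalKey
    $local = ConvertTo-AUConfiguration (Get-AUValue $LocalKey 'AUOptions') $null $localExists
    if (($polOff -eq 1) -or (@(2, 3, 4) -contains $polOpt)) {
        $category = 'Group Policy controls Automatic Updates'
        $config   = ConvertTo-AUConfiguration $polOpt $polOff $true
        $score    = 'Informational'   # policy-dictated settings are assumed intentional
    } elseif ($polOpt -eq 5) {
        $category = 'Group Policy allows users to control Automatic Updates'
        $config   = $local
        $score    = if ($local -eq $Scheduled) { 'Low' } else { 'Medium' }
    } elseif ($localExists) {
        $category = 'No Group Policy settings affect Automatic Updates'
        $config   = $local
        $score    = if ($local -eq $Scheduled) { 'Low' } elseif ($local -match 'notify') { 'Medium' } else { 'High' }
    } else {
        $category = 'No Automatic Updates settings'
        $config   = $local
        $score    = 'High'
    }
    [pscustomobject]@{ Category = $category; Configuration = $config; Score = $score }
}
Get-AutomaticUpdatesScore | Format-List
```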