Configuring Windows Update Settings
Many organizations use the Internet services provided by Microsoft known as Windows Update and Microsoft Update. The main difference between the two is that Microsoft Update also includes updates for other products such as Microsoft Office, Microsoft Exchange Server, Microsoft SQL Server, Microsoft Internet Security and Acceleration Server, and many more. Starting with Windows XP and Windows Server 2003, all Windows systems are capable of downloading and automatically installing Windows updates out of the box. To support updates for other Microsoft applications through Microsoft Update, the Windows Update client on these machines might need to be upgraded manually, upgraded using a GPO software installation, or upgraded using Microsoft Windows Server Update Services (WSUS). A WSUS server can be configured to update the client software automatically, which is the preferred approach.
Whether the organization uses an internal WSUS server or the Internet-based Windows Update and Microsoft Update services, these settings can be configured using group policies and are located in the following sections:
- Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update
- User Configuration\Policies\Administrative Templates\Windows Components\Windows Update
For more information and recommendations on best practices for configuring Windows Updates, please refer to the WSUS website at www.microsoft.com/wsus and at http://technet.microsoft.com/wsus.
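The Computer Configuration settings listed above are written to the client's registry under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, so the policy a machine actually received can be checked there. The following PowerShell is an added example, not part of the original tutorial; it assumes PowerShell 3.0 or later and covers only the computer-side values.

```powershell
# Added example: read the computer-side Windows Update policy a client received.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

# Meaning of the AUOptions value set by "Configure Automatic Updates".
$auOptionText = @{
    2 = 'Notify for download and notify for install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

$policy = [pscustomobject]@{
    WUServer       = Get-PolicyValue $wuKey 'WUServer'
    WUStatusServer = Get-PolicyValue $wuKey 'WUStatusServer'
    UseWUServer    = Get-PolicyValue $auKey 'UseWUServer'
    NoAutoUpdate   = Get-PolicyValue $auKey 'NoAutoUpdate'
    AUOptions      = Get-PolicyValue $auKey 'AUOptions'
}

$findings = @()
if ($null -eq $policy.UseWUServer -and $null -eq $policy.AUOptions) {
    $findings += 'No Windows Update policy values found; the GPO may not have applied.'
}
if ($policy.UseWUServer -eq 1 -and -not $policy.WUServer) {
    $findings += 'UseWUServer is 1 but WUServer is empty; the client has no update source.'
}
if ($policy.WUServer -and $policy.WUServer -notmatch '^https://') {
    $findings += "WUServer '$($policy.WUServer)' is not HTTPS; update metadata travels unprotected."
}
if ($policy.NoAutoUpdate -eq 1) {
    $findings += 'NoAutoUpdate is 1; automatic updating is disabled by policy.'
}

$policy | Format-List
if ($null -ne $policy.AUOptions) { "AUOptions: $($auOptionText[[int]$policy.AUOptions])" }
if ($findings) { $findings } else { 'No issues found in the applied policy.' }
```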
Creating a Wireless Policy
Wireless networks are becoming more and more common in both public and private networks. Many organizations are choosing to deploy secure wireless networks to allow for flexible connections and communications for mobile users, vendors, and presentation rooms. As a best practice, organizations commonly deploy wireless networks as isolated network subnets with only Internet access or the ability to connect to the company network via VPN. As wireless networks become more sophisticated and secure, configuring a wireless network on an end user's machine becomes more complicated. To simplify this task, wireless network configurations can be saved on USB drives and handed off to users to install, and they can also be preconfigured and deployed to Windows systems using domain policies. Group Policy wireless policies can be created for either Windows Vista or Windows XP compatible systems, because each treats and configures wireless networks differently. Windows 7 and Windows Server 2008 systems use the Windows Vista wireless policies. If defined in domain policies, these wireless network settings are used only if no third-party wireless network management software is installed and activated on the desired systems.
Wireless networks are commonly unique to each physical location, so the GPO-configured wireless policies should be applied to systems in an Active Directory site or to a specific location-based organizational unit that contains the desired computer accounts. Furthermore, if the GPO contains only the Windows Vista wireless policy, WMI filtering should be applied to the GPO so that only Windows Vista, Windows 7, and Windows Server 2008 systems process and apply the policy. To create a wireless network for Windows Vista, Windows 7, and Windows Server 2008 systems using a domain policy, perform the following steps:
- Log on to a designated Windows Server 2008 R2 administrative server.
- Click Start, click All Programs, click Administrative Tools, and select Group Policy Management.
- Add the necessary domains to the GPMC as required.
- Expand the Domains node to reveal the Group Policy Objects container.
- Create a new GPO called WirelessPolicyGPO and open it for editing.
- After the WirelessPolicyGPO is opened for editing in the Group Policy Management Editor, expand the Computer Configuration node, expand the Policies node and select Windows Settings.
- Expand Windows Settings, expand Security Settings and select Wireless Network (IEEE 802.11) Policies.
- Right-click Wireless Network (IEEE 802.11) Policies and select Create a New Wireless Network Policy for Windows Vista and Later Releases. Because this is a new group policy, this option appears, but if the group policy already has a wireless network policy for Windows Vista and later releases, the Windows Vista policy will be available beneath the Wireless Network policy node.
- When the New Wireless Network Policy window opens, type in an acceptable name and description for the policy.
- If Windows will manage the wireless network configuration and connection of the Windows Vista systems, check the Use Windows WLAN AutoConfig Service for Clients check box, if it is not already checked.
- In the Wireless Network Profile section near the bottom of the window, click the Add button to define a new wireless network, and click the Infrastructure link.
- When the new profile opens, type in a descriptive name and in the Network Name(s) SSID section, type in the SSID name of the network, and click the Add button.
- If there is an existing "NEWSSID" network name, select it and click Remove.
- If the client machine should automatically connect to this wireless network when the network is within range, and if the SSID of the wireless network is not broadcast, check the Connect Even If the Network Is Not Broadcasting check box and check the Connect Automatically When This Network Is in Range check box.
- Select the Security tab and configure the security properties of the wireless network, including the default authentication and encryption specifications. When finished, click OK to close the profile window.
- Back in the Wireless Network Policy window, select the Network Permissions tab. From this tab, administrators can restrict the configuration. Click OK to close out of the Vista and Later Wireless Policy Properties window.
- Back in the Group Policy Management Editor window, close the GPO.
- In the Group Policy Management Console, link the new WirelessPolicyGPO GPO to an OU with a Windows Vista or later system that can be used to test the policy.
- On the client workstation, after the group policy applies, the network matching the wireless profile name should be listed among the available wireless networks. Click on this profile and, if a security key is required, enter this key now. If a key is required, it must be provided by an administrator, because certain authentication and encryption schemes in GPO wireless policies that require keys do not allow the keys to be entered into the GPO.
- After the testing is completed, configure security filtering and possibly also WMI filtering to limit the application scope of the WirelessPolicyGPO policy and link it to the desired organizational unit(s), domain, or site.
One important point to note is that for Windows to manage the wireless networks and populate wireless profiles via Group Policy, the WLAN AutoConfig service needs to be installed and started on Windows Vista and later operating systems.
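The test on the client workstation and the WLAN AutoConfig requirement can be checked together from PowerShell. The script below is an added example, not part of the original tutorial; it assumes PowerShell 3.0 or later in an elevated session, the WMI filter query is one possible way to admit only version 6.x systems, and the profile name is a constructed placeholder.

```powershell
# Added example: confirm a test client is ready for, and received, the policy.
$GpoName     = 'WirelessPolicyGPO'   # GPO name used in the steps above
$ProfileName = 'CorpWLAN-Example'    # constructed placeholder profile name

# WQL that a WMI filter could use to admit only 6.x systems (Windows Vista,
# Windows 7, Windows Server 2008). Windows XP and Server 2003 report 5.x,
# so the query returns no rows there and the GPO is skipped.
$wmiFilter = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.%"'

$os       = Get-CimInstance -ClassName Win32_OperatingSystem
$filterOk = [bool](Get-CimInstance -Query $wmiFilter)

# WLAN AutoConfig (service name WlanSvc) must be installed and running for
# Windows to manage wireless profiles delivered by Group Policy.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WlanSvc'"

# Computer-scope report of the last policy refresh; look for the GPO by name.
$gpoLines   = gpresult /r /scope computer
$gpoApplied = [bool]($gpoLines -match [regex]::Escape($GpoName))

# Profiles known to the WLAN service, including read-only Group Policy ones.
# Only meaningful when the service is running.
$profileSeen = $false
if ($svc -and $svc.State -eq 'Running') {
    $wlanLines   = netsh wlan show profiles
    $profileSeen = [bool]($wlanLines -match [regex]::Escape($ProfileName))
}

[pscustomobject]@{
    OSVersion         = $os.Version
    PassesWmiFilter   = $filterOk
    WlanSvcInstalled  = [bool]$svc
    WlanSvcState      = if ($svc) { $svc.State } else { 'Not installed' }
    WlanSvcStartMode  = if ($svc) { $svc.StartMode } else { $null }
    GpoListedByResult = $gpoApplied
    ProfilePresent    = $profileSeen
} | Format-List
```

A client that passes the WMI filter but shows the GPO missing from gpresult points to a linking or security filtering problem rather than a wireless one.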