Using SUS with Windows XP Embedded Service Pack 2
by Daniel Simpson
Applies to Microsoft® Windows® XP Embedded with Service Pack 2
This white paper provides information about installing, configuring, and using Microsoft Software Update Services (SUS) with Windows XP Embedded with Service Pack 2. The contents of this white paper are specific to Windows XP Embedded with Service Pack 2 only.
Additional information on setting up and configuring SUS for Windows Server 2003 and Windows XP clients is available in the following content:
- Software Update Services Overview white paper
- Deploying Microsoft Software Update Services
- The Microsoft Server System Web site
Microsoft® Software Update Services (SUS) provides a complete servicing solution to manage distributing Windows updates to Windows clients, including Microsoft® Windows® XP Embedded. SUS leverages the Microsoft Windows Update service to download and distribute updates to your deployed run-time images.
SUS provides a variety of features, including:
- Administrators can test and approve updates before they are installed to the clients.
- Update distributions are managed by means of an intranet-hosted Windows Update Server.
- Updates can be configured to be automatically installed and systems can be automatically rebooted.
Implementing SUS servicing requires a separate SUS intranet server that manages the updates. This SUS intranet server is set up by an administrator to poll the public Microsoft Windows Update website for updates for Windows XP Professional systems. If there are new updates available, these updates are downloaded to the SUS intranet server. Before these updates are applied to your Windows XP Embedded devices, they must be approved by an administrator. Because the updates are specific to Windows XP Professional or Home editions, an administrator must inspect the update, verify that it applied to Windows XP Embedded device, and test the update. After the update has been successfully tested, it can be made available to the Windows XP Embedded clients.
Although it is possible to configure client devices to directly download updates from the public Microsoft Windows Update web site, doing so may potentially corrupt your device. Because Windows Updates are specific to Windows XP Pro or Home editions, some of the updates may not apply to Windows XP Embedded images.
SUS allows you to configure your own intranet update server that downloads Windows Updates from Microsoft. Because these Windows updates are for Windows XP Professional systems, administrators can review these updates and determine whether or not the updates apply to their Windows XP Embedded run-time images. Windows Embedded-based devices can discover the updates and run them, provided that the runtime has Automatic Updates set appropriately.
Implementing SUS requires both client and server components, as follows:
- The client-side components that support SUS are added to your run-time image in Target Designer. After your run-time image is deployed, you configure SUS by updating the group policy on the device. An administrator can also configure the group policies by means of Active Directory.
- The SUS server component allows you to configure your own intranet Windows Update server. This intranet server polls the Microsoft Windows Update site and downloads all available Windows Updates. An administrator should approve or reject each update before it is made available to your Windows XP Embedded-based devices. SUS uses Internet Information Services (IIS) and Background Intelligent Transfer Service (BITS) to download updates to clients.
The following figure shows the overall process flow for delivering and approving updates using SUS.
The basic process flow is detailed in the following list:
- The SUS intranet server polls the public Microsoft Windows Update site for Windows XP Professional updates.
- The SUS intranet server downloads any new updates.
- After new updates have been downloaded, an administrator must verify that each update applies to the Windows XP Embedded device. The administrator must then test each update on a sample device.
- After the update has been verified and tested, it is made available on the SUS intranet server to be downloaded by the Windows XP Embedded clients.
- At the next scheduled polling time, the Windows XP Embedded clients download the updates from the internal SUS server.
To enable your intranet update server to download Windows Updates from Microsoft, it must include Software Update Services Pack 1 (SUS SP1). Detailed information about installing, configuring, and deploying SUS on your Windows Server is available in the Deploying Microsoft Software Update Services white paper.
Adding SUS support to your run-time images requires the Windows Update Agent for SUS 1.0 Servers component. This component is added to your configuration in Target Designer.
Note This component has a visibility of 200. You must lower your visibility settings in Target Designer to view this component.
After you have built and deployed your run-time image, you can configure the SUS settings by updating the group policies directly on the system, or by setting Group Policies within your domain.
Use the following procedures to add and configure SUS support to your run-time images.
Your run-time images must include the Windows Update Agent for SUS components to support downloading updates from your internal SUS server. The Windows Update Agent components are new for Service Pack 2.
To add SUS support to your configuration:
- Open your configuration in Target Designer.
- Increase the Target Designer component visibility to 200, as follows:
- From the Tools menu, select Options. The Options dialog box appears
- Under the Advanced Tab, type 200 in the Minimum Visibility field.
- Choose OK.
- Add the following SUS support components to your configuration:
- Windows Update Agent
- Windows Update Agent for SUS 1.0 Servers
Note The Windows Update Agent components do not include any configurable component settings. The Windows Update Agent is configured by using the Group Policy settings after your run-time image is deployed.
- If you want to be able to change the SUS group policy settings directly on your run-time image, add the Group Policy Core Administration MMC Snap-In component. If you do not include this component, you must configure the SUS settings on your run-time image using Group Policy settings in your Active Directory environment.
- Check dependencies and resolve any conflicts.
- Build and deploy your run-time image.
There are several ways you can control the SUS policies on a run-time image:
- Update the group policies on each individual system using the Group Policy editor in the Microsoft Management Console (MMC).
- Update the group policies directly in the registry of your run-time image by using Registry Editor.
- In an Active Directory environment, update the global policies for all of the devices in your domain.
Note Group policies set by Active Directory supersede any custom group policy settings on the client.
For more information about how to configure the group policy settings using Active Directory, see the Deploying Microsoft Software Update Services white paper.
Warning OEMs should not configure SUS to download updates directly from the public Microsoft Update site. Administrators of the device should be instructed to create their own internal SUS server to deliver updates to the client devices. Administrators should examine and approve any and all updates before they are applied. If client devices automatically download updates directly from the Microsoft Windows update, the updates may damage the run-time image.
If your run-time image includes the Group Policy Core Administration MMC Snap-In component, you can update the Group Policy settings directly on your run-time image.
To configure SUS policies on your run-time image using the Group Policy editor:
- From your run-time image, run the Group Policy editor by opening a command prompt and typing:
- Expand Local Computer Policy, then Computer Configuration, then Administrative Templates, and then Windows Components.
- Select Windows Update. The Windows Update settings appear in the details pane. Specifically, you will enable the following two configuration options:
- Configure Automatic Updates, which configures the day and time that updates are installed and specifies the type of user notification.
- Specify intranet Microsoft update service location, which specifies the host name or IP address of the intranet update server.
- Enable Automatic Updates and configure the update schedule:
- Right-click the Configure Automatic Updates policy and choose Properties. The Configure Automatic Updates Properties window opens.
- Select the Enable radio button.
- Select the type of user notification in the Configure Automatic Updating list.
- Select the automatic update schedule. Choose OK when you are finished.
- Set the host name or IP address of your intranet update server.
- Right-click the Specify intranet Microsoft update service location policy and choose Properties. The Configure Automatic Updates Properties window opens.
- Select the Enable radio button and type in the host name or IP address of your intranet Microsoft update server. Choose OK when you are finished.
- Review the additional group policy settings for Windows Update. Update the policies as necessary for your environment. Click an option to view its description.
If you are not in an active directory environment, or you run-time image does not include the Group Policy Core Administration MMC Snap-In component, you can edit the registry to configure SUS.
You can use the Registry Editor directly on the run-time image, or load the hive offline.
To configure SUS policies on your run-time image by editing the registry
- Edit or add the following registry keys:
Value: <Host name or IP address of the intranet SUS server>
Example: http://intranetSUS, or 192.168.100.100
Value: <Host name or IP address of the intranet SUS statistics server>
Example: http://intranetSUS, or 192.168.100.100
- Open the following registry key and update the values to support SUS: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
|NoAutoUpdate||0: Automatic Updates enabled
1: Automatic Updates disabled
|AUOptions||2: Notify of download and installation
3: Auto-download and notify of installation
4: Auto-download and scheduled installation.
|ScheduledInstallDay||1-7: Indicates the days of the week, starting at 1 for Monday|
|ScheduledInstallTime||0-23: Time of day in 24-hour format|
|UseWUServer||1: Use the Windows Update server specified in the key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer|
Complete information about downloading, approving, and releasing Windows Updates to your clients is available in the Deploying Microsoft Software Update Services white paper.