Computing Facilities, Carnegie Mellon School of Computer Science, Carnegie Mellon University
 

Automatic patching of Windows PCs

To keep SCS PCs current with critical security patches, SCS Facilities automatically deploys critical Windows patches to most PCs in the SCS Windows Domain. Only machines running Windows XP or Windows Vista will be patched in this manner. PCs running Windows 2000 or Windows NT will not be updated.

Patching options

By default, PCs will be patched according to the following procedure:
  1. Each Tuesday at 6:00 AM, any pending critical Windows updates will be automatically installed. If a PC is already up to date with critical patches, no further action will be taken (i.e. the machine will not be rebooted).
  2. If nobody is logged into the PC on the console, it will automatically be rebooted immediately after patches are installed. If somebody is logged into the PC, a pop-up window will appear, prompting for a reboot. If the user of the PC does not wish to reboot at that time, the reboot will be postponed. Additional prompts to reboot will be given at later times.
  3. If the PC has not been rebooted by 5:00 AM on the following Thursday, it will be automatically rebooted, even if somebody is logged into it.
A server not ordinarily used as a desktop workstation may be patched via a fully automated procedure in which missing patches are installed weekly at 3:00 AM on Monday mornings, and the machine is rebooted immediately thereafter.

It is also possible for PCs to be exempted from the automatic patching process. In those cases, the PC's primary user or administrator is responsible for ensuring that the machine is kept current with critical patches.

About the patching process

The automatic patching process uses Microsoft's "Software Update Services" (SUS) and the SCS SUS server, winsus.srv.cs.cmu.edu. The SUS server maintains a repository of patches released by Microsoft and approved by SCS Facilities staff for distribution to SCS PCs. Microsoft typically releases patches on the second Tuesday of each month, and new patches are usually approved the following Monday.

Most PCs in the SCS Windows Domain are configured to query the SUS server periodically (every 17 to 22 hours) and check whether new patches are available. Any new patches are then downloaded and queued for installation. Patch installation can be performed manually via the update icon in the taskbar (a globe or yellow shield with an exclamation point, depending on which version of Windows you're running). The SCS autopatch process obviates this task.
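An added example, not SCS Facilities' own tooling: a check that a PC's Automatic Updates policy still points at the SUS server and matches one of the install schedules described above, run over saved `reg query` output. It assumes the schedule is delivered through the standard Windows Update policy values (`WUServer`, `UseWUServer`, `AUOptions`, `ScheduledInstallDay`, `ScheduledInstallTime`) and that the server is reached over `http://`. The page does not publish the actual client settings, and the sample output is constructed.

```python
import re
from urllib.parse import urlparse

SUS_HOST = "winsus.srv.cs.cmu.edu"  # SUS server named on this page
# Assumed mapping to (ScheduledInstallDay, ScheduledInstallTime); day 1 = Sunday.
PROFILES = {"desktop": (3, 6),  # Tuesday 6:00 AM (default option)
            "server": (2, 3)}   # Monday 3:00 AM (fully automated option)
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*\S)\s*$")

# Constructed `reg query` output for the two policy keys; not from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    WUServer    REG_SZ    http://{server}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    UseWUServer    REG_DWORD    0x1
    AUOptions    REG_DWORD    {au_options}
    ScheduledInstallDay    REG_DWORD    {day}
    ScheduledInstallTime    REG_DWORD    0x6
"""
SAMPLE_OK = SAMPLE.format(server=SUS_HOST, au_options="0x4", day="0x3")
SAMPLE_DRIFT = SAMPLE.format(server="updates.example.test", au_options="0x3", day="0x0")

def parse_reg_query(text):
    """Return {value_name: data}; REG_DWORD data is converted to int."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)  # key-path and blank lines do not match
        if m:
            name, kind, data = m.groups()
            values[name] = int(data, 16) if kind == "REG_DWORD" else data
    return values

def audit(values, profile="desktop"):
    """Return a list of findings; an empty list means the policy matches."""
    day, hour = PROFILES[profile]
    host = urlparse(values.get("WUServer", "")).hostname
    findings = [] if host == SUS_HOST else [f"WUServer host is {host!r}, expected {SUS_HOST}"]
    # AUOptions 4 = download automatically and install on the schedule.
    expected = {"UseWUServer": 1, "AUOptions": 4,
                "ScheduledInstallDay": day, "ScheduledInstallTime": hour}
    for name, want in expected.items():
        if values.get(name) != want:
            findings.append(f"{name} is {values.get(name)!r}, expected {want}")
    return findings

if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("drift", SAMPLE_DRIFT)):
        print(label, audit(parse_reg_query(text)) or "matches desktop profile")
```

The check covers only the server pointer and the install schedule; the Thursday forced reboot and the reminder prompts are not represented in these values.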

Common questions

What happens if I've already patched my PC using Windows Update or some other means?
If patches are already installed, you will not be prompted to reboot and should notice no effects from the automatic patching process.
What if my PC is not a member of the SCS Windows Domain or is frequently off the network?
In that case, you should regularly run Windows Update to make sure that your PC is patched. Microsoft ordinarily releases patches on the second Tuesday of every month, so you should — at the very least — run Windows Update shortly after those dates.
In the default patching option, how often will I be prompted for a reboot before my PC is forcibly rebooted?
A pop-up window will appear on Tuesday morning, immediately after patches are installed. If you delay the reboot, you will receive hourly reminders, starting on Wednesday, until the forced reboot on Thursday morning.
What do I do if I'm running a server or some other host with special requirements?
Send mail to <help@cs.cmu.edu> or call the SCS HelpDesk, x8-4231, and we can arrange to use the fully automatic procedure for that host or exempt it from automatic updates. Remember that, in the latter case, the host's local administrator or primary user is responsible for keeping it patched.

Related documentation

Keeping Windows software up-to-date
How to keep your Windows software patched and current manually