Lesson 1: Updating Windows 7 CHAPTER 12 613 FIGURE 12-14 Windows Update policies  configured, Install Updates and Shut Down is the default option if updates are available for installation. This policy is deprecated when the Do Not Display “Install Updates And Shut Down” Option In Shut Down Windows Dialog Box policy is enabled. n Enabling Windows Update Power Management To Automatically Wake The System To Install Scheduled Updates This policy allows Windows Update to wake a hibernating computer to install updates. Updates does not install if the computer is hibernating on battery power. n Configure Automatic Updates This policy, shown in Figure 12-15, allows you to configure update detection, download, and installation settings. Several of these settings are similar to the ones that you can configure through the Windows Update control panel. You can configure the following settings using this policy: • Notify For Download And Notify For Install Windows Update does not download updates. Windows Update notifies the user that updates are available for download and installation. • Auto Download And Notify For Install Windows Update downloads updates and notifies the user that updates are available for installation. • Auto Download And Schedule The Install Windows Update downloads and installs updates without user intervention. • Allow Local Admin To Choose Setting This setting configured using Windows Update control panel is used for update download and notification. • Install Day and Install Time Use these settings to configure the day and time that Windows Update will install updates. 6 1 4 CHAPTER 12 Windows Update and Windows Internet Explorer FIGURE 12-15 Configuring the Automatic Updates policy n Specify Intranet Microsoft Update Service Location This policy, shown in Figure 12-16, allows you to specify the location of an internal update server, such as one running WSUS. This policy is the only way that you can configure Windows Update to use an alternate update server. Using this policy, you can specify the update server and the statistics server. In most cases, these are the same servers. The updates server is where the updates are downloaded from, and the statistics server is the server where clients report update installation information. n Automatic Updates Detection Frequency Configure this policy to specify how often Windows Update checks the local intranet update server for updates. This policy does not work if you configure a client to retrieve updates from the Windows Update servers. n Allow Non-Administrators To Receive Update Notifications This policy specifies whether users who are not members of the local Administrators group are able to install updates. n Turn On Software Notification When you enable this policy, Windows Update presents users with information about optional updates. n Allow Automatic Updates Immediate Installation When you enable this policy, updates that do not require a restart install automatically. Updates that do require a restart are not installed until the conditions set in the Configure Automatic Updates policy are met. Lesson 1: Updating Windows 7 CHAPTER 12 615 FIGURE 12-16 Specifying intranet update location n Turn On Recommended Updates Via Automatic Updates Use this policy to configure Windows Update to install recommended updates as well as important updates. n No Auto-Restart With Logged On Users For Scheduled Automatic Updates Installation When you enable this policy, Windows Update waits until the currently logged on user logs off if Windows Update installs updates that requiring a restart. If you disable or do not configure this policy and the Configure Automatic Updates policy is set to install updates at a specific time, Windows Update gives the logged-on user a 5-minute warning prior to restarting to complete the installation. n Re-prompt For Restart With Scheduled Installations Use this policy to set the amount of time that a user can postpone a scheduled restart when the Configure Automatic Updates policy is set to install updates at a specific time. n Delay Restart For Scheduled Installations Through this policy, you can specify the amount of time that Windows waits before automatically restarting after a scheduled installation. This policy applies only if the Configure Automatic Updates policy is set to install updates at a specific time. n Reschedule Automatic Updates Scheduled Installations You can use this policy to configure a computer that has missed a scheduled update to perform the update a specific number of minutes after startup. For example, use this policy to ensure 6 1 6 CHAPTER 12 Windows Update and Windows Internet Explorer that a computer that was switched off at the scheduled update time installs updates 1 minute after starting up. Disabling this policy means that updates install at the next scheduled time. n Enable Client-Side Targeting This policy allows you to place computers into different software update groups. Different software update groups allow the software update administrator to target the deployment of updates, allowing updates to be deployed to specific groups of computers in the organization rather than all computers in the organization. n Allow Signed Updates From An intranet Microsoft Update Service Location This policy allows updates from third-party vendors to be distributed from the Automatic Updates location so long as those updates are digitally signed by a trusted publisher. Microsoft Baseline Security Analyzer The Microsoft Baseline Security Analyzer (MBSA) tool allows you to scan client computers to determine if they have all currently available software updates installed. This tool allows administrators in environments that do not use a central update solution like WSUS to locate client computers that are not up to date with security updates. If you do not use a utility like the MBSA tool, you need to access Windows Update on each computer to determine whether a particular computer has all updates installed. The MBSA tool is important in the latter stages of an operating system’s life cycle. This is because more updates are available for an operating system the longer that operating system is available, and it becomes increasingly time consuming to determine if a particular update is missing. As Figure 12-17 shows, the MBSA tool can check a computer for updates based on Microsoft Update, or can scan a computer based on updates that were approved on a WSUS server. You can also use the MBSA tool to determine if there are problems with a computer’s security configuration, such as whether common administrative vulnerabilities are present and weak passwords are set. You can use the MBSA tool to scan servers as well as clients, so it is possible to check for other vulnerabilities, such as those that are present in Internet Information Server (IIS) and Microsoft SQL Server. To scan a computer, you need to have administrator access on the local computer and administrator access on any remote computer that you are scanning. This requirement ensures that you cannot use the MBSA tool as an attack tool to scan other people’s computers to determine which vulnerabilities they may possess. You cannot use version 2.1 and earlier of the MBSA tool to scan computers running Windows 7. More Info MBSA To get more information about the MBSA, consult the following Microsoft TechNet Web page: http://technet.microsoft.com/en-au/security/cc184923.aspx. eXaM tIP Remember the function of the Specify Intranet Microsoft Update Service Location policy. Lesson 1: Updating Windows 7 CHAPTER 12 617 FIGURE 12-17 Microsoft Baseline Security Analyzer Practice Configuring Windows Update In this practice, you configure Windows Update using both the Windows Update control panel and the Local Group Policy Editor. exercise 1 Configure Windows Update Using the Control Panel In this exercise, you configure Windows Update so that it can obtain updates not only for the operating system and the default applications that ship with Windows, but so that it can obtain updates for other Microsoft applications such as Office. To complete this practice, you must connect computer Canberra to the Internet and perform the following steps: 1. Log on to computer Canberra using the Kim_Akers user account. 2. In the Search Programs And Files text box, type Windows Update and then press Enter. 3. On the Windows Update control panel, click the Find Out More item next to Get Updates For Other Microsoft Products. This opens a Web browser window, as shown in Figure 12-18. 4. Select the I Agree To The Terms Of Use For Microsoft Updates check box and then click Install. When presented with the User Account Control dialog box, click Yes. 5. Close the Web browser windows. In the Windows Update control panel, click the Change Settings item. 6. Verify that the Give Me Updates For Microsoft Products And Check For New Optional Microsoft Software When I Update Windows item is present and enabled. 6 1 8 CHAPTER 12 Windows Update and Windows Internet Explorer FIGURE 12-18 Getting more updates 7. Use the drop-down menu to set the installation update time to Friday at 5.00 p.M. Verify that settings match those shown in Figure 12-19 and then click OK. Close the Windows Update control panel. FIGURE 12-19 Verifying practice exercise settings Lesson 1: Updating Windows 7 CHAPTER 12 619 exercise 2 Configuring Windows Update Through Group Policy You can configure several Windows Update settings using the Local Group Policy Editor that you cannot configure using the Windows Update control panel. In this exercise, you configure a computer to wake if it is in hibernation when the assigned automatic update period occurs, you allow updates to install automatically if they do not require a restart, and you ensure that an automatic restart does not occur if a user is currently logged on to the computer. To complete this exercise, perform the following steps: 1. If you have not done so already, log on to computer Canberra with the Kim_Akers user account. 2. In the Search Programs And Files text box, type gpedit.msc and then press Enter. The Local Group Policy Editor opens. 3. Navigate to the Computer Configuration\Administrative Templates\Windows Components\Windows Update node. 4. Enable the Enabling Windows Update Power Management To Automatically Wake Up The System To Install Scheduled Updates policy. 5. Enable the Allow Automatic Updates Immediate Installation policy. 6. Enable the No Auto-Restart With Logged On Users For Scheduled Automatic Updates Installations policy. 7. Close the Local Group Policy Editor, type gpupdate /force into the In the Search Programs And Files text box, and press Enter. Lesson Summary n Windows Update allows software updates to be downloaded automatically to clients running Windows 7 from the Microsoft Update servers or a local update source, such as a WSUS server. n You can configure Windows Update to automatically download and install updates, download and notify the logged-on user that updates are available for installation, or notify the logged-on user that updates are available for download and installation. n Users with standard privileges are able to install and check for updates using Windows Update. Only users with administrative privileges are able to change Windows Update settings or change the update source from Microsoft Update to a local WSUS server. n Users with administrative privileges are able to hide updates. A hidden update is not installed on the computer. A hidden update can be unhidden and installed at a later stage. Users with administrative privileges are able to uninstall previously installed updates. An uninstalled update becomes available for installation again unless hidden by an administrator. 6 2 0 CHAPTER 12 Windows Update and Windows Internet Explorer Lesson Review You can use the following questions to test your knowledge of the information in Lesson 1, “Updating Windows 7.” The questions are also available on the companion DVD if you prefer to review them in electronic form. note ANSWERS Answers to these questions and explanations of why each answer choice is correct or incorrect are located in the “Answers” section at the end of the book. 1. When Windows 7 is configured according to its default settings, which of the following tasks can a standard user perform with respect to Windows Update? a. Uninstall updates B. Install updates c. Change when updates are installed D. Change update download and installation behavior e. Hide updates 2. You have just discovered that an update rated as Important and published through Windows Update last week causes a conflict with a custom software package that is critical to your organization’s business process when installed on clients running Windows 7. This conflict stops the custom software package from running. You have talked to the custom software package’s vendor and you have been assured that it will have a fix ready within two months. All clients running Windows 7 are configured with the default Windows Update settings. What steps should you take to allow the custom software package to run while also ensuring that normal users do not install the update at any time before the fix from the vendor becomes available but do not miss out on other important updates published through Windows Update? (Choose all that apply; each answer forms part of a complete solution.) a. Change update settings B. Uninstall the update c. Hide the update D. Install the update 3. Even though you have configured scheduled updates to occur during the lunch hour, you have found that a significant percentage of the computers are not turned on at this time. You want to ensure that any updates scheduled for installation install soon after these computers start up again. Which of the following policies should you configure to accomplish this goal? a. Re-Prompt For Restart With Scheduled Installations B. Delay Restart For Scheduled Installations Lesson 1: Updating Windows 7 CHAPTER 12 621 c. Reschedule Automatic Updates Scheduled Installations D. No Auto-Restart With Logged On Users For Scheduled Automatic Updates Installation 4. Which of the following policies should you configure if you want a client running Windows 7 to use a WSUS server located at updates.contoso.internal as a source of updates rather than the Microsoft Update servers? a. Turn Off Software Notification B. Automatic Updates Detection Frequency c. Configure Automatic Updates D. Specify Intranet Microsoft Update Service Location 5. You manage 30 separate clients running Windows 7 in an organization that does not use a WSUS server. All clients are members of a Windows Server 2008 Active Directory Domain Services (AD DS) domain. Which of the following tools can you use to determine if a particular software update is missing from these computers? a. Microsoft Update B. WSUS c. Group Policy Management Console D. MBSA 6 2 2 CHAPTER 12 Windows Update and Windows Internet Explorer Lesson 2: Configuring Internet Explorer Although alternatives are freely available, Internet Explorer is the browser most commonly used with Windows. A large number of settings make Internet Explorer highly configurable, but at the same time, it is a little daunting to manage for the uninitiated administrator. In this lesson, you learn the specifics of configuring Internet Explorer to render pages in Compatibility View; configuring Internet Explorer security; and configuring add-ons to enhance the browser’s functionality, manage certificates, and manage InPrivate mode browsing. After this lesson, you will be able to: n Configure Internet Explorer Compatibility View. n Configure Internet Explorer security settings. n Configure Internet Explorer providers. n Manage Internet Explorer add-ons. n Control InPrivate mode. n Manage certificates for secure Web sites. Estimated lesson time: 40 minutes Internet Explorer Compatibility View Internet Explorer Compatibility View allows sites designed for previous versions of Internet Explorer to display correctly for users of Internet Explorer 8. You can enable Compatibility View for a page by clicking the broken page icon at the end of the address bar. You can configure Compatibility View settings through the Compatibility View Settings dialog box. You can access this dialog box by clicking Compatibility View Settings on the Tools menu of Internet Explorer. Through this dialog box, you can configure Internet Explorer to use Compatibility View automatically for a list of Web sites distributed through Windows Update. This list includes high-profile Web sites that function better in Compatibility View, as well as other Web sites that have submitted their details to Microsoft. By default, Internet Explorer displays all intranet sites in Compatibility View. Intranet sites are determined based on the Local Intranet zone. You will learn about zones later in this lesson. You can disable Compatibility View for intranet sites using the Compatibility View Settings dialog box. You can also use this dialog box to configure Internet Explorer to display specific Web sites with Compatibility View. Figure 12-20 shows Internet Explorer configured to display the Web site Contoso.com in Compatibility View. You can also force Internet Explorer to display all Web sites in Compatibility View by checking the Display All Websites In Compatibility View option. . 1: Updating Windows 7 CHAPTER 12 6 17 FIGURE 1 2- 17 Microsoft Baseline Security Analyzer Practice Configuring Windows Update In this practice, you configure Windows Update using both the Windows Update. Software When I Update Windows item is present and enabled. 6 1 8 CHAPTER 12 Windows Update and Windows Internet Explorer FIGURE 1 2-1 8 Getting more updates 7. Use the drop-down menu to set the. Figure 1 2-1 9 and then click OK. Close the Windows Update control panel. FIGURE 1 2-1 9 Verifying practice exercise settings Lesson 1: Updating Windows 7 CHAPTER 12 619 exercise 2 Configuring Windows