Windows Update Agent on a managed device connects to the source of Microsoft updates. The following servers can act as a source of Microsoft updates:
- Windows Server with Microsoft Windows Server Update Services (WSUS) deployed in your organization's network
- Microsoft Updates servers
If this option is enabled, Windows Update Agent on a managed device connects to the source of Microsoft updates to refresh the information about applicable Microsoft Windows updates.
If this option is disabled, Windows Update Agent on a managed device uses the information about applicable Microsoft Windows updates that was received from the source of Microsoft updates earlier.
Connecting to the source of Microsoft updates can be resource-consuming. You might want to disable this option if you have set up a regular connection to this source of updates in another task or in the properties of the Network Agent policy, in the Software updates and vulnerabilities section. If you do not want to disable this option, you can reduce the load on the Server by configuring the task schedule to randomize the delay for task starts within 360 minutes.
By default, this option is enabled.
The combination of the following options in the Network Agent policy settings defines the mode of getting updates:
- Windows Update Agent on a managed device connects to the Update Server to get updates only if the Connect to the update server to update data option is enabled in the properties of the Find vulnerabilities and required updates task and the Windows Update search mode option is set to Active in the settings of Network Agent policy.
- If you do not need Network Agent to initiate a connection to the Microsoft Windows update source and download updates when performing the Vulnerability scan task, you can set the Windows Update search mode option to Passive, while the Connect to the update server to update data option must remain enabled. This allows you to save resources and use previously received Windows updates to scan for vulnerabilities. You can use the passive mode if you configure receiving Microsoft Windows updates in a different way. If receiving Microsoft Windows updates is not configured in another way, do not set the Windows Update search mode option to Passive, because in this case, information about updates will never be received.
- Irrespective of the Connect to the update server to update data option's status (enabled or disabled), if the Windows Update search mode option is set to Disabled, Kaspersky Security Center Linux does not request any information about updates.
If a WSUS server is used in your organization's network (a local WSUS server), and you want to use it together with Kaspersky Security Center Administration Server, you must first ensure that Kaspersky Security Center Administration Server is not used as a WSUS server, and then do the following:
- On your managed devices running Windows, specify your local WSUS server for the Windows Update service. You can do this either manually in the Windows Registry or by using a Windows group policy.
- On your local WSUS server, specify the required classifications for updates and the applications for which the updates are to be distributed.
- Synchronize your WSUS server with the upstream server (this can be either a Microsoft WSUS server or another local upstream WSUS server).
After the Find vulnerabilities and required updates task is run on the device, Network Agent uses the Windows Update service to initiate a request for Windows updates applicable to the device. The Windows Update service obtains the address of the external WSUS server from the registry and searches for updates directly on that external WSUS server. Then, the Windows Update service forwards the list of applicable updates to the Administration Server through Network Agent. Thus, Administration Server has up-to-date information about applicable updates.
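The registry step from the procedure above, as an added example that is not part of the Kaspersky documentation: it writes the Windows Update policy values that Microsoft documents for pointing a client at WSUS (WUServer, WUStatusServer, UseWUServer) and reads back what the Windows Update service will find in the registry. The server URL is a placeholder and the function names are hypothetical.

```powershell
# Added example, not Kaspersky code. Run Set-LocalWsusServer from an elevated
# session; Get-LocalWsusServer only reads and needs no elevation.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = Join-Path $WuKey 'AU'

function Set-LocalWsusServer {
    param([Parameter(Mandatory)][uri]$ServerUrl)

    if ($ServerUrl.Scheme -notin 'http', 'https') {
        throw "WSUS URL must be http or https: $ServerUrl"
    }
    if ($ServerUrl.Scheme -eq 'http') {
        Write-Warning 'WSUS over plain HTTP: update metadata is not protected in transit.'
    }
    $url = $ServerUrl.AbsoluteUri.TrimEnd('/')

    # Create the key only if it is missing: New-Item -Force on an existing
    # registry key recreates it and drops the values already stored there.
    if (-not (Test-Path $AuKey)) { New-Item -Path $AuKey -Force | Out-Null }

    Set-ItemProperty -Path $WuKey -Name WUServer       -Value $url -Type String
    Set-ItemProperty -Path $WuKey -Name WUStatusServer -Value $url -Type String
    Set-ItemProperty -Path $AuKey -Name UseWUServer    -Value 1    -Type DWord
}

function Get-LocalWsusServer {
    # Missing keys or values come back as $null instead of raising an error.
    $wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue

    [pscustomobject]@{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
        # The policy applies only when UseWUServer is 1 and a server is named.
        WsusInEffect   = ($au.UseWUServer -eq 1) -and [bool]$wu.WUServer
        UsesTls        = "$($wu.WUServer)" -like 'https://*'
    }
}

# Placeholder URL (assumption); replace with your local WSUS server.
# Set-LocalWsusServer -ServerUrl 'https://wsus.example.local:8531'
Get-LocalWsusServer | Format-List
```

If a group policy also sets these values, it overwrites manual registry changes at the next policy refresh, so use one method per device.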