Updating Existing XP and 2000 Workstations

When imaged desktops undergo a configuration change, make sure to update the image that will be used on all future system configuration builds. As administrator, you can manually install these updates on the workstations using local console or remote console software such as Windows XP Remote Desktop. You can also automate the updates by using scripts that leverage command-line installation options or by creating Microsoft installer packages and deploying the application using Group Policy.

Deploying Service Packs

Microsoft provides several ways for administrators to deploy a new platform service pack to the enterprise. The service pack can be installed manually using either local or remote control software. Also, because service packs come with an MSI package, the service pack can be deployed using Group Policies. Lastly, service packs can be run from a command prompt with special switches to make the installation run silently, without prompts or notifications, if necessary.

Deploying Hotfixes and Security Updates

Hotfixes can be installed manually and individually, but they usually do not provide many more deployment options. Hotfixes can be deployed to the enterprise using the built-in command-line switches called from within computer startup or shutdown scripts in Group Policy. To simplify the installation of several Microsoft hotfixes and/or security updates, you can use a tool called Qchains.exe to install all the updates at one time to reduce the number of required reboots.

Using Windows Automatic Update for System Updates

Auto Update has an option to let the server automatically locate, download, and install the latest operating system updates for a system. If the IT staff members want a more automated approach to IT management, they may choose to enable Auto Update so that it can automatically manage updates to the systems on the network. This is good for organizations to ensure that security updates are installed on all workstations.

The one issue with Auto Update is that if a security patch causes more problems on the system, it may need to be rolled back on several workstations. As a best practice, updates should be reviewed and tested before an automatic installation is performed on multiple systems. Install and test Auto Update on a single workstation to download updates and test the configuration to make sure it successfully accepted the updates. When testing is completed and the results are successful, the updates can be deployed manually, scripted using command-line switches, or packaged into Microsoft Installer software packages deployed using Group Policy.

Choosing to Use Software Update Services for System Updates

Software Update Services (SUS) is a server option on Windows Server 2003 that enables organizations to control which updates are automatically downloaded and installed on the client workstation. SUS runs on a Windows Server 2003 (or Windows 2000) machine that is running Internet Information Services. Clients connect to a central intranet SUS server for all their security patches and updates.

SUS is not considered a replacement technology for existing software deployment solutions such as Systems Management Server (SMS) because it is limited to providing only operating system updates, not service packs or other software packages. SUS allows organizations to take control over the deployment of security patches as they become available. To learn more about SUS, refer to Chapter 12, "Server-Level Security."