Lesson 3: Deploying Updates in the Enterprise
Along with RIS, you can use Group Policy to deploy software updates, including service packs. You can also create custom scripts to install hotfixes or other updates. In this lesson, you look at how Group Policy can simplify software deployment and use the Qchain.exe utility to simplify the installation of multiple hotfixes.
Understand the software installation features of Group Policy
Deploy a service pack using Group Policy
Use Qchain.exe to install multiple hotfixes
Using Group Policy to Deploy Software
Windows 2000 Group Policy includes features for deploying software updates. You can use this feature to deploy a service pack or other installation package across an OU or other Active Directory container.
To make effective use of this feature, you should place computers with identical operating systems and service pack levels in the same OU. If computers within the OU contain a different operating system or incompatible software, the installation process might cause errors. For the same reason, you should use computer policy rather than user policy to deploy software because a user might log on to an incompatible computer.
Group Policy is explained in detail in Chapter 1, "Group Policy."
Understanding .msi Installation Packages
Windows 2000 includes Windows Installer, a standard utility for installing software updates and other software packages. Windows Installer uses files with the .msi extension to control each installation. The distribution for each service pack includes an Update.msi file for use with the installer. Group Policy features for software installation also use .msi files. After you apply the policy to a group of computers, Windows Installer installs the package on each computer.
Windows 2000 Server also includes tools for creating custom .msi files, so you can install third-party software using Group Policy.
Creating the GPO
You can deploy a service pack using a user policy or a computer policy. A computer policy is the logical choice because it is not dependent on the logon process and automatically installs the service pack when the computer is booted and connects to the domain.
To create the Group Policy Object (GPO), right-click the OU containing the computers to be updated. Click Properties, and then click the Group Policy tab. Create a new policy, open its Computer Configuration node, and select Software Settings. You can then add the Update.msi package to the policy. This process is detailed in the "Practice: Deploying Multiple Hotfixes in the Enterprise" section.
Installing Multiple Hotfixes
When a large number of hotfixes have been released, especially critical security updates, you might find it inconvenient to install multiple hotfixes at each computer in the network, especially when a reboot is required after each installation. You can use a batch file to simplify this process and install several hotfixes at once.
Using Qchain.exe
Normally, you must reboot a computer after installing each hotfix. Microsoft provides the Qchain.exe utility to simplify this process. This utility configures the system after you install several hotfixes so that a single reboot can correctly install all the hotfixes. You can obtain Qchain.exe from the http://support.microsoft.com/ Web site. Search for Knowledge Base article #Q296861.
To use Qchain, first run the .exe file for each hotfix, as described in Lesson 1. Use the -z option to prevent the hotfix from rebooting the computer after installation, as in this example:
Q123456_w2k_sp4_x86.exe -z
After you have installed all of the hotfixes, run the Qchain.exe utility, and then reboot the computer. This ensures that the hotfixes do not conflict with each other.
The Qchain functionality is built into hotfixes for Windows 2000 after Service Pack 3 and into all Windows XP hotfixes. You do not need to use Qchain unless you are installing older hotfixes.
Using Batch Files
You can combine several hotfixes and, if necessary, the Qchain.exe program into a batch file to install multiple hotfixes in a single operation. Use the -m option with each hotfix .exe file to suppress its output, along with the -z option to prevent rebooting. If Qchain.exe is required, include it as the last command in the batch file. The following is a simple example of a batch file to install two hotfixes:
Q123456_w2k_sp4_x86.exe -m -z
Q234567_w2k_sp4_x86.exe -m -z
qchain.exe
Create the batch file as a text file with the .bat extension. You can then execute this file at each computer that requires the hotfixes.
Using Tools for Security Management
Depending on the size of the network you manage and your particular security concerns, you might find several other tools useful for checking update status and managing software updates across the enterprise. Tools available from Microsoft include the following:
Microsoft Baseline Security Analyzer (MBSA)
The HFNetChk command-line utility
Systems Management Server (SMS)
Microsoft Baseline Security Analyzer
MBSA is a graphical tool that can analyze the security of one or more systems and produce a report. MBSA can check for hotfixes or updates that have not been installed, similar to the Qfecheck.exe tool described earlier in this chapter. It also checks for common security issues, such as misconfigured Guest or Administrator accounts. MBSA can perform checks on the following server components:
Windows 2000, Windows XP, and Windows NT 4
Internet Information Services (IIS)
Internet Explorer
SQL Server 7.0 or SQL Server 2000
Exchange Server 5.5 or Exchange Server 2000
You can download MBSA from the Microsoft TechNet Web site. It is distributed as an .msi file and installed by Windows Installer. Once you start MBSA, you can choose to scan a single computer or multiple computers across the network. After the scan has completed, MBSA stores its results in an XML (Extensible Markup Language) file and displays them in a graphical interface.
To download MBSA or view its detailed documentation, visit the Technet Web site at http://www.microsoft.com/technet, and select Security, Tools And Checklists from the navigation tree.
HFNetChk
HFNetChk is a command-line tool that checks the patch status of one or more machines across the network. HFNetChk was formerly a separate command-line utility; the latest version is built into MBSA version 1.1, which uses it to gather the patch information that MBSA displays in a graphical format.
You can manually run the HFNetChk utility using the Mbsacli.exe /hf command. The Mbsacli.exe program is installed as part of MBSA. You can also use the options described in Table 14.2 on the command line.
Table 14.2. HFNetChk command-line options
Option | Description |
-v | Display detailed information about patches that are not installed. |
-u | Specify a user name to access remote computers. |
-p | Specify a password to access remote computers. |
-h | Specify the host (NetBIOS) names of computers to scan, separated by commas. |
-i | Specify the IP addresses of computers to scan, separated by commas. |
For more information about HFNetChk including a complete list of command-line options, visit http://support.microsoft.com and search for Knowledge Base article #303215.
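The following batch file is an added example (not part of the training kit or of MBSA) showing how the Mbsacli.exe /hf scan can be run against a list of computers and kept as a dated report for later comparison. It uses only the -v and -h options from Table 14.2; the MBSA installation path, the hosts.txt file and its computer names, and the report directory are assumptions.

```batch
@echo off
REM scanhosts.bat - added example, not from the training kit or MBSA.
REM Runs the HFNetChk scan built into MBSA 1.1 (Mbsacli.exe /hf) against
REM the computers listed in hosts.txt and saves a dated report.
REM Assumptions: MBSA is installed in the default folder below; hosts.txt
REM holds one NetBIOS name per line (a constructed sample is created if
REM the file does not exist); the report folder may be created here.
setlocal
set MBSADIR=C:\Program Files\Microsoft Baseline Security Analyzer
set HOSTFILE=hosts.txt
set REPORTDIR=C:\PatchReports

if not exist "%MBSADIR%\mbsacli.exe" (
    echo mbsacli.exe was not found in "%MBSADIR%". Install MBSA first.
    exit /b 1
)
if not exist "%REPORTDIR%" mkdir "%REPORTDIR%"

if not exist %HOSTFILE% (
    REM Constructed sample host list; replace with your own computer names.
    >%HOSTFILE% echo # one NetBIOS name per line
    >>%HOSTFILE% echo WKS01
    >>%HOSTFILE% echo WKS02
)

REM Build the comma-separated list that -h expects, skipping # comment lines.
set HOSTS=
for /f "eol=# tokens=*" %%H in (%HOSTFILE%) do call :addhost %%H

REM The scan runs under the account executing this batch file. Use -u and
REM -p only when a separate account is required, and do not store that
REM password in the batch file.
set REPORT=%REPORTDIR%\hfnetchk-%DATE:/=-%.txt
"%MBSADIR%\mbsacli.exe" /hf -v -h %HOSTS% > "%REPORT%"
echo Report written to "%REPORT%"
endlocal
goto :eof

:addhost
if "%HOSTS%"=="" (set HOSTS=%1) else (set HOSTS=%HOSTS%,%1)
goto :eof
```

Comparing two dated reports shows which computers gained or lost missing patches between scans, which is more useful than a single on-screen result.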
SMS
Microsoft Systems Management Server (SMS) is a comprehensive tool that can manage the distribution of operating systems, applications, and software updates across the enterprise. It also includes tools for remote troubleshooting and asset management. You can use SMS to deploy updates to a large number of computers and track which computers have been updated.
SMS is a separate product available from Microsoft, and is licensed based on the number of users. For more information about SMS and to learn where to obtain licenses, visit http://www.microsoft.com/smserver.
Practice: Deploying Multiple Hotfixes in the Enterprise
In this practice, you create a GPO to deploy a Windows 2000 service pack and create a batch file to install multiple hotfixes. Because the service pack and hotfix levels on your computer can vary, be sure to use only updates you have not already installed instead of those shown in this practice.
Exercise 1: Deploying Updates with Group Policy
In this exercise, you deploy a Windows 2000 service pack by creating a GPO and adding the Update.msi file to the policy.
To deploy a service pack using Group Policy
Perform this procedure from the domain controller.
Click Start, point to Programs, point to Administrative Tools, and click Active Directory Users And Computers. The Active Directory Users And Computers management console appears.
In the console tree, select the Information Technology organizational unit under Department.
From the Action menu, choose Properties. The Information Technology Properties dialog box appears.
Select the Group Policy tab. The Group Policy Properties are displayed.
Click New, and name the new policy Service Pack 3.
Click Edit to edit the GPO. The Group Policy management console appears.
In the console tree, expand Computer Configuration, expand Software Settings, and then select Software Installation.
From the Action menu, point to New and then choose Package. The Open dialog box is displayed, as shown in Figure 14-28.
Figure 14-28. Selecting a package file
Select the C:\SP3\I386\Update\Update.msi file, and click Open.
This requires that you have extracted the service pack files to C:\SP3, as described in Lesson 1, Exercise 2.
The Deploy Software dialog box appears.
Select the Assigned option, and click OK.
The service pack will now be deployed to each computer in the OU when the computer is next booted.
Close the Group Policy console.
Click OK to close the Information Technology Properties dialog box.
Close the Active Directory Users And Computers management console.
Exercise 2: Using Qchain and Batch Files
In this exercise, you create a batch file to install multiple hotfixes using the Qchain.exe utility.
To create a batch file to install multiple hotfixes
From the command prompt, type edit fix.bat. The text editor is displayed, as shown in Figure 14-29.
Figure 14-29. Creating a batch file
Type two or more hotfix .exe file names in the batch file. Be sure to include the correct path to the location of the hotfixes.
Type Qchain.exe as the last line.
From the File menu, choose Exit.
Select Yes to save the batch file.
After you have created the batch file, you can run it by typing its name at the command prompt or in the Run dialog box, or run it on multiple computers using Group Policy.
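A fuller version of the batch file described in "Using Batch Files" and created in Exercise 2, as an added example that is not part of the training kit: it installs each hotfix with -m -z, logs each step, skips packages that are missing from the distribution share, and runs Qchain.exe last before the single reboot. The share path, the log file location, and the hotfix file names (the same placeholder names the lesson uses) are assumptions.

```batch
@echo off
REM fixes.bat - added example, not from the training kit.
REM Installs several Windows 2000 hotfixes with a single reboot at the end.
REM Assumptions: the hotfix packages and Qchain.exe are in %PATCHDIR%; the
REM Qnnnnnn file names are placeholders, not real hotfix numbers; the log
REM is written to the Windows folder.
setlocal
set PATCHDIR=\\FILESERVER\Patches\W2K
set LOG=%SystemRoot%\hotfix-install.log

echo %DATE% %TIME% Starting hotfix installation on %COMPUTERNAME% >> "%LOG%"

REM For each hotfix, -m suppresses the installer's output and -z prevents
REM the reboot after installation.
call :install Q123456_w2k_sp4_x86.exe
call :install Q234567_w2k_sp4_x86.exe

REM Qchain.exe must be the last command so that, when more than one hotfix
REM replaced the same file, the newest version survives the single reboot.
echo %DATE% %TIME% Running Qchain.exe >> "%LOG%"
"%PATCHDIR%\qchain.exe" >> "%LOG%"

echo %DATE% %TIME% Finished. Reboot the computer to complete installation. >> "%LOG%"
endlocal
goto :eof

:install
REM Record a package that is missing from the share instead of failing silently.
if not exist "%PATCHDIR%\%1" (
    echo %DATE% %TIME% MISSING %1 >> "%LOG%"
    goto :eof
)
echo %DATE% %TIME% Installing %1 >> "%LOG%"
"%PATCHDIR%\%1" -m -z
REM A nonzero exit code is logged for review; the installer's exact codes
REM are not documented in this lesson.
if errorlevel 1 echo %DATE% %TIME% WARNING %1 returned exit code %ERRORLEVEL% >> "%LOG%"
goto :eof
```

Reviewing the log on each computer after the reboot confirms that every hotfix ran, which a plain batch file with no logging does not show.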
Lesson Review
The following questions are intended to reinforce key information in this lesson. If you are unable to answer a question, review the lesson and try the question again. Answers to the questions can be found in the appendix.
Which file format does Group Policy support for installation files?
What is the package file name for a service pack?
Are user or computer policies better for deploying service packs?
What is the purpose of the Qchain.exe utility?
For which hotfixes is Qchain.exe required?
Lesson Summary
You can use Group Policy to deploy a service pack or other software updates. This allows you to update all of the computers within an Active Directory container object. To accomplish this, you create a new policy and assign the package to its Software Installation node.
Group Policy deploys software in Windows Installer .msi packages. Each service pack includes an Update.msi package for this purpose, and other software is also available in this format.
You can use a batch file to deploy multiple hotfixes. With older hotfixes, the Qchain.exe utility is required to enable the hotfixes to be installed without rebooting after each one.