Lesson 3: Deploying Updates on Existing Clients




The vast majority of the energy you dedicate to updating will involve updating existing clients. Deploying updates to thousands of computers in an enterprise has always been a challenge. However, as the number of mobile computers and remote users increases, so does the challenge of keeping a large number of computers up to date.

Exam Tip 

This lesson describes the specific steps required to configure various methods for deploying updates. For information on choosing which methods to use for your environment, refer to Lesson 2 in Chapter 5, “Planning a Patch Management Infrastructure.” In addition to the methods described in this lesson, you can deploy updates by using Add/Remove Programs in Control Panel, or Microsoft Systems Management Server. Chapter 5 includes an overview of these techniques, but you do not need to know specifically how to deploy updates by using these techniques for the exam.

After this lesson, you will be able to

  • Manually install updates to a computer.

  • Use the Windows Update Web site to assess a computer and apply service packs and critical updates.

  • Configure SUS to make approved updates available to your organization’s computers.

  • Configure the Automatic Updates client to download and install updates from either Windows Update or a local SUS server.

  • Distribute service packs by using a Group Policy object.

Estimated lesson time: 75 minutes

Manually Applying Updates

Microsoft distributes updates by using executable files that automatically install themselves when run. However, all Microsoft updates also support standardized command-line parameters to change the default installation behavior. Table 6.3 lists the parameters available for updates. The parameters listed in the New Parameter column can be used with updates released on or after September 17, 2003. You must use the parameters listed in the Old Parameter column for updates released prior to September 17, 2003. As of the time of this writing, new updates support the old parameters. However, backward compatibility with the old parameters might be dropped at some point, so you should always use the new parameters when possible.

Table 6.3: Update Parameters

| New parameter | Old parameter | Description |
|---|---|---|
| /passive | /u | Performs an unattended installation while displaying a progress bar. By default, this also selects the /warnrestart switch. |
| /quiet | /q | Performs an unattended installation similar to that of the /u option; however, no progress bar is displayed. By default, the program restarts the computer with no prompt or warning if the update requires a restart for the changes to take effect. |
| /norestart | /z | Prevents the computer from automatically restarting after a service pack is applied. |
| /warnrestart:seconds | N/A | Invokes a dialog box that warns the user that a restart will occur in the specified number of seconds (it defaults to 30 seconds if no value is specified). For example, to warn that a restart will occur in 60 seconds, type /warnrestart:60. The dialog box contains a Cancel button and a Restart Now button. If the user clicks Cancel, the computer is not restarted. |
| /promptrestart | N/A | Notifies the user that the computer must be restarted for the changes to take effect. The user can choose whether to restart the computer. |
| /forcerestart | /f | Forces applications to close without saving files before restarting the computer. |
| /D folder | /D folder | Stores backed up files in the specified folder. This parameter can only be used with service packs. |
| /n | /n | Saves disk space by not backing up files that are replaced. You should only use this option on new computers or computers that can be quickly recovered from a backup. |
| /o | /o | Causes the service pack to overwrite OEM-supplied files. You should only use this option if you have tested the service pack before and determined that OEM-supplied files have been updated by Microsoft and that the update files are compatible with your hardware. This parameter can only be used with service packs. |
| /l | /l | Lists installed updates in a dialog box. Do not use this option from a script. |
| /uninstall | N/A | Uninstalls the previously installed update. |
| /S folder | /S folder | Slipstreams the service pack into installation files, as described in Lesson 2. This parameter can only be used with service packs. |
| /log | N/A | Enables the user to define the path for the local log file. This switch invokes the default logging behavior. |
| /extract | /x | Enables you to extract the installation files to a specified folder. |
| /help | /h | Displays a dialog box that shows the correct usage of the update executable file, including a list of all its command-line switches and their behaviors. |
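
The switch renaming in Table 6.3 applied to a chained, unattended install, as an added PowerShell example that is not from the book: updates released before September 17, 2003 get the old switch names, later ones get the new names. The file names and release dates are constructed placeholders, the function names are hypothetical, and the exit-code meanings (0 and 3010) are the usual Windows installer convention rather than something the lesson states.

```powershell
# Added example: chain several updates using the switches from Table 6.3.
# File names and release dates below are constructed placeholders.

# Updates released on or after this date accept the new parameter names.
$Cutover = [datetime]'2003-09-17'

# New-to-old switch names from Table 6.3 (only the switches that were renamed).
$OldSwitch = @{
    '/passive'      = '/u'; '/quiet'   = '/q'; '/norestart' = '/z'
    '/forcerestart' = '/f'; '/extract' = '/x'; '/help'      = '/h'
}
# Switches spelled the same in both columns of the table.
$Unchanged = '/n', '/o', '/l'

function ConvertTo-UpdateSwitch {
    param([datetime]$Released, [string[]]$Switches)
    if ($Released -ge $Cutover) { return $Switches }
    foreach ($s in $Switches) {
        if ($OldSwitch.ContainsKey($s))  { $OldSwitch[$s] }
        elseif ($Unchanged -contains $s) { $s }
        else { throw "$s has no old-style equivalent (Table 6.3 lists N/A)" }
    }
}

function Install-UpdateChain {
    param([object[]]$Updates, [switch]$PlanOnly)
    foreach ($u in $Updates) {
        # Unattended, and never restart in the middle of the chain.
        $switches = @(ConvertTo-UpdateSwitch -Released $u.Released `
                                             -Switches '/quiet', '/norestart')
        $result = New-Object PSObject -Property @{
            File      = $u.File
            Arguments = ($switches -join ' ')
            ExitCode  = $null
            Status    = 'planned'
        }
        if (-not $PlanOnly) {
            if (-not (Test-Path $u.File)) {
                $result.Status = 'missing'
            } else {
                $p = Start-Process -FilePath $u.File -ArgumentList $switches `
                                   -Wait -PassThru
                $result.ExitCode = $p.ExitCode
                # Convention (assumption, not from the lesson):
                # 0 = success, 3010 = success but a restart is required.
                $result.Status = switch ($p.ExitCode) {
                    0       { 'installed' }
                    3010    { 'restart required' }
                    default { 'failed' }
                }
            }
        }
        $result
    }
}

# Constructed inventory: placeholder file names, one update from each era.
$Updates = @(
    @{ File = 'C:\Updates\UpdateA-placeholder.exe'; Released = [datetime]'2003-07-16' }
    @{ File = 'C:\Updates\UpdateB-placeholder.exe'; Released = [datetime]'2003-10-15' }
)

# Show the command line each update would receive without running anything.
Install-UpdateChain -Updates $Updates -PlanOnly |
    Format-Table File, Arguments -AutoSize
```

Without -PlanOnly the function runs each installer and records its exit code; restart the computer once after the chain if any entry reports a required restart.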

Windows Update Web Site

The quickest way to manually detect missing updates and install them on a computer is to directly access the Windows Update Web site. To update a computer with critical updates, security updates, and service packs by using Windows Update:

  1. Click Start, point to All Programs, and then click Windows Update.

    Note 

    If the computer lacks an icon for Windows Update, as some older versions of Windows do, start Microsoft Internet Explorer and visit http://windowsupdate.microsoft.com.

  2. Click Scan For Updates.

  3. Click Review And Install Updates.

  4. Click Install Now.

    The updates will be downloaded and installed. You might be prompted to accept a license agreement.

  5. Restart the computer and return to step 1 until all critical updates and service packs have been installed.

See Also 

For more information on Windows Update, refer to Chapter 5, “Planning a Patch Management Infrastructure.”

Software Update Services

SUS, a free download that can be installed on Windows 2000 Server–based and Windows Server 2003–based computers that have Internet Information Services (IIS) installed, provides administrators with a local alternative to the Microsoft Windows Update servers. Using the Automatic Updates client, computers on your network can automatically download and install updates from your SUS server.

The easiest way to install IIS is to use the Manage Your Server tool and add the Application Server role. For the purposes of installing Software Update Services, you can accept the default settings; neither Microsoft ASP.NET nor Microsoft FrontPage extensions are required. SUS will install itself into the Default Web Site, if it is available. Otherwise, SUS will create a new Web site.

Planning 

Though SUS servers are not as critical as, say, domain controllers, you might choose to deploy them redundantly to protect against long-term outages or to provide the scalability to service thousands of client computers. The easiest way to configure redundant SUS servers is to configure two or more SUS servers identically. Then create a round-robin DNS record with the IP addresses of all SUS servers. If you choose to manually approve updates, you must approve updates on both computers.

The Web site in which SUS is installed must use port 80, because the Automatic Updates client cannot be configured to use a different port. SUS should be accessible only from your local network, and because you cannot move the SUS Web site off the default of 80/tcp, you should avoid installing SUS on a publicly accessible Web server. If you must install SUS on a public Web server, create a separate Web site for SUS and configure the Web site to use a private IP address.

After installing IIS, you can download SUS from the Microsoft Web site at http://www.microsoft.com/downloads/. The installation is straightforward, and it provides options for specifying where both updates and Web content will be stored. When specifying the location for storing updates, keep in mind that updates will consume at least several hundred megabytes, and they might consume several gigabytes, depending on the options you choose when configuring SUS. Securing the updates themselves is not critical, because they are signed by Microsoft and the Automatic Updates client will refuse to install them if the file has been modified since it was originally signed.

After installation, all configuration is done by using a Web browser. SUS creates several different virtual directories within IIS’s default Web site. However, you will primarily access the SUSAdmin virtual directory, which contains the SUS administration pages and configuration tools.

To configure SUS:

  1. Start Internet Explorer and enter the URL http://computername/SUSAdmin/. Alternatively, you can click Start, point to Administrative Tools, and then click Microsoft Software Update Services.

  2. When the administrative page appears, click Set Options in the left pane.

  3. Specify the proxy server (if necessary), the server to synchronize with, whether to automatically approve updates, and where to store updates. At the bottom of the Set Options page, select only those languages you support on your network. Downloading updates for additional languages consumes unnecessary bandwidth and storage space.

  4. In the left pane, click Synchronize Server.

  5. Click the Synchronization Schedule button.

  6. Click Synchronize Using This Schedule. The default settings cause SUS to download new updates daily at 3:00 A.M. Specify the time the SUS server will download updates, and then click OK.

You should rely on scheduled synchronization to identify new updates; however, the first time you configure SUS you should perform a manual update. To do this, click the Synchronize Now button on the Synchronize Server page. As shown in Figure 6.7, Software Update Services will synchronize with the Windows Update server. After synchronization is complete, you will be prompted to approve updates.

Figure 6.7: SUS synchronizing with the Windows Update server.

SUS does not provide a browser interface similar to that of Windows Update, in which users can scan their computers and choose the updates they want to apply. Only the Automatic Updates client can access SUS.

If you experience a problem with SUS, verify that the Software Update Services Synchronization Service is configured to start automatically, and that it was able to start successfully. SUS adds events to the System event log when updates are synchronized and when problems occur. You can find these events by filtering for the source WUSyncService in the System event log. You should also check the IIS configuration, because SUS relies on IIS to communicate with the Automatic Updates client.

See Also 

For more information on Software Update Services, refer to Chapter 5, “Planning a Patch Management Infrastructure.”

Automatic Updates Client

The Automatic Updates client retrieves updates from Windows Update or a Software Update Server and then communicates with end users to notify them that updates are available, installed, or require the computer to be restarted.

To configure the Automatic Updates client to automatically check for updates from Windows Update and, optionally, to download and install the updates:

  1. Right-click My Computer, and then click Properties.

  2. Click the Automatic Updates tab.

  3. Select the Keep My Computer Up To Date check box.

  4. Select one of the following options:

    • Notify Me Before Downloading Any Updates And Notify Me Again Before Installing Them On My Computer

    • Download The Updates Automatically And Notify Me When They Are Ready To Be Installed

    • Automatically Download The Updates, And Install Them On The Schedule I Specify

  5. Click OK.

To configure the Automatic Updates client on domain members to automatically apply updates from an SUS server:

  1. Create a new Group Policy object (GPO) or edit an existing GPO to which you want to add this setting.

  2. Expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

  3. On the Windows Update template, double-click Configure Automatic Updates.

  4. Click Enabled.

  5. Select one of the following options:

    • 2-Notify For Download And Notify For Install. Use this option for users with limited bandwidth who must both control the updates installed on their computers and control when the updates are downloaded.

    • 3-Auto Download And Notify For Install. Use this option for users who need control over when updates are installed but do not need to control when updates are downloaded.

    • 4-Auto Download And Schedule The Install. Use this option to maximize security by minimizing the risk of exposing vulnerabilities that have been fixed by updates. This option automatically installs updates on the schedule you specify.

  6. If you select Auto Download And Schedule The Install, choose the day of week and time of day that the updates should be installed, as shown in Figure 6.8.

    Figure 6.8: Automatic Updates configured using a Group Policy object

  7. Click Next Setting.

    The Specify Intranet Microsoft Update Service Location Properties dialog box appears.

  8. If you want clients to retrieve updates directly from Windows Update, select Disabled. Otherwise, select Enabled, and specify the URL to the local SUS server.

  9. Click Next Setting.

    The Reschedule Automatic Updates Scheduled Installations Properties dialog box appears.

  10. Most environments that specify the Auto Download And Schedule The Install setting should click Enabled for this setting. The Reschedule Automatic Updates Scheduled Installations setting is used by the Automatic Updates client to determine when it should apply a scheduled update that was skipped because the computer was turned off or in standby mode. When you enable this option, you can specify the number of minutes after startup for the Automatic Updates client to apply an update, as shown in Figure 6.9. If you don’t enable this option, a computer that is turned off each night might never have updates installed.

    Figure 6.9: Scheduling updates that were skipped

  11. Click Next Setting.

    The last Automatic Updates client properties dialog box, No Auto-Restart For Schedule Automatic Updates Installations Properties, appears.

  12. To force a computer to restart automatically after applying an update, click Disabled. Users will be warned that the computer will restart in five minutes, and that they should save their work. To only notify users that they need to restart the computer, click Enabled.

  13. Click OK.

If your network does not rely on Active Directory, you can configure the Automatic Updates client by using registry values. There are a total of nine registry values that control the Automatic Updates client. Seven of these registry values are contained in the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU registry key:

  • NoAutoUpdate: Set this value to 0 to enable automatic updates, or to 1 to disable automatic updates.

  • AUOptions: Set this value to 2 to notify the user that updates are available for download and installation, 3 to automatically download the updates and then notify the user that the update is available for installation, or 4 to automatically download and schedule the installation.

  • ScheduledInstallTime: The hour of the day to install a new update. Use 0 for midnight, and 23 for 11:00 P.M.

  • UseWUServer: Set this to 1 to enable Automatic Updates to use the Windows Update server as specified in WUServer.

  • ScheduledInstallDay: A value between 0 and 7. Use 1 for Sunday and 7 for Saturday. Set this value to 0 to schedule updates any day of the week.

  • RescheduleWaitTime: The number of minutes the Automatic Updates client waits before installing a new update after a computer starts, if the computer was offline during the scheduled time.

  • NoAutoRebootWithLoggedOnUsers: Set this value to 0 to cause the Automatic Updates client to restart the computer 5 minutes after applying an update. Set this value to 1 to cause the Automatic Updates client to prompt the user to restart the computer.

The final two registry values are contained in the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate registry key:

  • WUServer: The URL for the SUS server that the Automatic Updates client will retrieve updates from, for example http://computer1/.

  • WUStatusServer: The URL for the IIS server that the Automatic Updates client will report usage information to, for example http://computer1/. This is generally set to the same computer as the SUS server.

After changing registry values, you must either restart the client computer or restart the Automatic Updates service.
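
One way to apply the nine registry values above to a client outside Active Directory, as an added PowerShell example that is not from the book: it validates a policy against the ranges given in the lists, rejects an SUS URL with an explicit port (the lesson states the client only uses port 80), writes the values, and restarts the Automatic Updates service. The function names, the sample schedule, the URL pattern, and the value types (strings for the URLs, DWORDs for the rest) are assumptions of this example; wuauserv is the service name of Automatic Updates.

```powershell
# Added example: set the Automatic Updates registry values described above
# on a client that is not managed through Active Directory.
$WUKey = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
$AUKey = "$WUKey\AU"

# Sample policy (assumed values): scheduled install every day at 3:00 A.M.
# from http://computer1/, the example URL used in the text.
$Policy = @{
    WUServer                      = 'http://computer1/'
    WUStatusServer                = 'http://computer1/'
    UseWUServer                   = 1
    NoAutoUpdate                  = 0    # 0 = automatic updates enabled
    AUOptions                     = 4    # 4 = download and schedule the install
    ScheduledInstallDay           = 0    # 0 = any day of the week
    ScheduledInstallTime          = 3    # hour of the day, 0 through 23
    RescheduleWaitTime            = 10   # minutes after startup (sample value)
    NoAutoRebootWithLoggedOnUsers = 1    # 1 = prompt the user to restart
}

# Allowed values, taken from the two lists above.
$Allowed = @{
    NoAutoUpdate                  = 0..1
    AUOptions                     = 2..4
    ScheduledInstallTime          = 0..23
    ScheduledInstallDay           = 0..7
    NoAutoRebootWithLoggedOnUsers = 0..1
}

function Test-AUPolicy {
    param([hashtable]$Policy)
    $problems = @()
    foreach ($name in $Allowed.Keys) {
        if ($Allowed[$name] -notcontains $Policy[$name]) {
            $range = "$($Allowed[$name][0])..$($Allowed[$name][-1])"
            $problems += "$name = '$($Policy[$name])' is outside $range"
        }
    }
    if ($Policy.UseWUServer -eq 1) {
        # SUS is reachable only on port 80, so the URL must not name a port.
        foreach ($name in 'WUServer', 'WUStatusServer') {
            if ($Policy[$name] -notmatch '^http://[^/:\s]+/?$') {
                $problems += "$name = '$($Policy[$name])' is not http://host/"
            }
        }
    }
    if ($Policy.AUOptions -eq 4 -and -not $Policy.RescheduleWaitTime) {
        Write-Warning 'No RescheduleWaitTime: a computer that is off at the scheduled time might never install updates.'
    }
    $problems
}

function Set-AUPolicy {
    param([hashtable]$Policy)
    $problems = @(Test-AUPolicy $Policy)
    if ($problems.Count) {
        throw ("Policy not applied:`n" + ($problems -join "`n"))
    }
    foreach ($key in $WUKey, $AUKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    foreach ($name in $Policy.Keys) {
        if (('WUServer', 'WUStatusServer') -contains $name) {
            # Server URLs are string values under ...\WindowsUpdate.
            New-ItemProperty -Path $WUKey -Name $name -Value $Policy[$name] `
                -PropertyType String -Force | Out-Null
        } else {
            # The remaining seven are DWORD values under ...\WindowsUpdate\AU.
            New-ItemProperty -Path $AUKey -Name $name -Value $Policy[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
    # The new values are read when the Automatic Updates service restarts.
    Restart-Service -Name wuauserv
}

# Constructed misconfiguration: an explicit port and an hour outside 0-23.
$Bad = $Policy.Clone()
$Bad.WUServer = 'http://computer1:8080/'
$Bad.ScheduledInstallTime = 24
Test-AUPolicy $Bad

# Apply the sample policy (run from an elevated prompt on the client).
Set-AUPolicy $Policy
```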

If you experience problems with retrieving updates, verify that the Automatic Updates service is configured to start automatically, and that it has successfully started. In a domain environment, the Automatic Updates client usually receives its configuration settings from one or more Group Policy objects. Verify the configuration by using the Resultant Set Of Policy (RSoP) snap-in.

See Also 

For more information about RSoP, refer to Chapter 3, “Deploying and Troubleshooting Security Templates.”

The Automatic Updates client adds events to the System event log when updates are downloaded or installed. Additionally, the Automatic Updates client adds an event whenever it prompts a user—for example, when the computer must be restarted, or when an error occurs. You can find these events by filtering for the source Automatic Updates in the System event log.

See Also 

For more information on the Automatic Updates client, refer to Chapter 5, “Planning a Patch Management Infrastructure.”

Group Policy

Group Policy objects can be configured to automatically install Windows Installer packages on computers. Service packs include a Windows Installer package, making it simple to use a Group Policy object to deploy a service pack.

Service packs, more than any other type of update, require extensive testing and pilot deployments because of the extensive changes they make. Although SUS is an excellent way to distribute frequently released security updates to a large number of client computers, you cannot use a single SUS server to stage a pilot deployment to a small number of computers in your organization. Fortunately, you can use Group Policy objects to distribute service packs directly.

Off the Record 

As of the time of this writing, the current version of SUS does not provide any ability to control which clients receive updates. However, you could create separate SUS servers for pilot and production deployments, and approve updates on the production SUS server only after they have been proven on the pilot SUS server. You could then use Group Policy objects to point different clients at the production and pilot SUS servers.

There are some distinct advantages to using a Group Policy object rather than the Automatic Updates client to distribute service packs. Specifically, by using Group Policy objects, you can deploy a service pack only to computers in specific sites, domains, and organizational units. Additionally, you can use permissions and Windows Management Instrumentation (WMI) filtering to control which computers can apply a GPO on an even more granular level.

After you assign the service pack package, Windows Installer installs the service pack automatically when users start their computers. Users are not presented with a choice to install the service pack. Only a network administrator or someone who is logged on to a local computer as a member of the Administrators group on that computer can remove the assigned software.

To distribute a service pack by using a Group Policy object:

  1. Download the network install version of the service pack to a file server.

  2. Extract the service pack files using the /x parameter. For example, to extract Service Pack 4 for Windows 2000, execute the command W2ksp4_en /x. Extract the files to a shared folder that both client computers and domain controllers can access. After the extraction completes, click OK.

    Warning 

    Remember, new service packs have different command-line parameters and would use the /extract parameter instead of /x.

  3. Connect to the shared folder just as a client would. For example, if you extracted the files to the \\server\updates shared folder, map a network drive to \\server\updates. This will ensure that clients can locate the package after the GPO instructs the client to install it.

  4. Create a new GPO or edit an existing GPO that you will use to distribute the service pack.

  5. Using the Group Policy Object Editor snap-in, expand Computer Configuration, expand Software Settings, and then click Software Installation.

  6. Right-click Software Installation, click New, and then click Package.

  7. Navigate to the folder to which you extracted the service pack, and locate the Update.msi file. Though future service packs might place this file in a different location, recent service packs have stored it in the i386\update\ directory. Click the Update.msi file, and then click Open.

  8. In the Deploy Software dialog box, click Assigned, and then click OK.

After a package has been added to the Software Installation node of a GPO, you can choose to remove or redeploy it for troubleshooting purposes. If a service pack installation fails to deploy successfully, you can redeploy it by right-clicking the package, clicking All Tasks, and then clicking Redeploy Application.

You can remove the package from the GPO by right-clicking the package, clicking All Tasks, and then clicking Remove. The Remove Software dialog box will appear. To uninstall the service pack, click Immediately Uninstall The Software From Users And Computers. To leave the service pack installed on computers that have already received it, click Allow Users To Continue To Use The Software, But Prevent New Installations.

See Also 

For more information on using Group Policy objects to distribute service packs, refer to Chapter 5, “Planning a Patch Management Infrastructure.”

Practice: Configuring Software Update Services and the Automatic Updates Client

In this practice, you will install and configure Software Update Services on Computer1. Then, you will configure all computers in the domain to retrieve updates from the SUS server.

Exercise 1: Configuring Software Update Services

In this exercise, you will add the Application Server role and then install and configure Software Update Services. Software Update Services requires IIS, so start by adding the Application Server role.

  1. Log on to the cohowinery.com domain on Computer1 using the Administrator account.

  2. Click Start, and then click Manage Your Server.

  3. Click Add Or Remove A Role.

  4. Click Next, and then click Application Server. Click Next again.

  5. Click Next on the Application Server Options page. Click Next again.

  6. On the final page, click Finish.

    Now that IIS is installed, download and install SUS.

  7. Temporarily connect Computer1 to the Internet.

  8. Start Internet Explorer, and enter the URL http://www.microsoft.com/downloads/. Locate the latest version of Software Update Services. Download and open the setup file.

  9. If prompted to install and run the file, click Yes.

  10. When the Microsoft Software Update Services Setup Wizard appears, follow the prompts to install SUS.

  11. Start the SUS administration page by clicking Start, pointing to Administrative Tools, and then clicking Microsoft Software Update Services.

  12. Provide your Administrator credentials, and then click OK. If you are notified that the content is untrusted, add Computer1 to the list of trusted sites.

  13. When the administrative page appears, click Set Options in the left pane.

    The default settings are correct for the purposes of this exercise. However, you should examine the settings to familiarize yourself with the defaults. In particular, notice that only the English-language versions of updates will be updated. By selecting Synchronize From A Local Software Update Services Server, you can integrate this computer into a larger SUS infrastructure. Also notice that you can choose to automatically approve updates. Additionally, you can choose to reduce storage requirements by choosing to maintain the updates on the Windows Update server.

  14. In the left pane, click Synchronize Server.

  15. Click the Synchronization Schedule button.

  16. Click Synchronize Using This Schedule. The default settings cause SUS to download new updates daily at 3:00 A.M. Click OK.

  17. Click the Synchronize Now button.

    SUS will download the Microsoft Catalog and any English-language updates. After downloading completes, these updates must be approved before Automatic Updates clients will apply them. Downloading the updates will take several minutes. You can use this time to complete Exercise 2 before approving the updates.

Exercise 2: Configuring the Automatic Updates Client

In this exercise, you will configure the Automatic Updates client on Computer1 to retrieve updates from the newly installed SUS server.

  1. Log on to the cohowinery.com domain on Computer1 using the Administrator account.

  2. Start the Active Directory Users And Computers console.

  3. Right-click Cohowinery.com, and then click Properties.

  4. Click the Group Policy tab.

  5. Click Default Domain Policy, and then click Edit.

    The Group Policy Object Editor appears.

  6. Expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

  7. On the Windows Update template, double-click Configure Automatic Updates.

  8. Click Enabled.

  9. Click the Configure Automatic Updating list, and then click 2-Notify For Download And Notify For Install.

  10. Click Next Setting.

  11. Click Enabled.

  12. In both the Set The Intranet Update Service For Detecting Updates box and the Set The Intranet Statistics Server box, type http://computer1.

  13. Click OK.

  14. Close the Group Policy Object Editor console. Click OK in the Cohowinery.com Properties dialog box, and then close the Active Directory Users And Computers console.

Exercise 3: Approving SUS Updates

In this exercise, you will approve updates to be installed by the Automatic Updates client.

  1. Open the SUS administration page by clicking Start, pointing to Administrative Tools, and then clicking Microsoft Software Update Services.

  2. Provide your Administrator credentials, and then click OK.

  3. In the left pane, click Synchronize Server.

    If updates are still being synchronized, wait until the download completes.

  4. If a dialog box appears indicating that the updates were synchronized, click OK. Otherwise, in the left pane, click Approve Updates.

  5. Click the Sort By field, and then click Date.

  6. From the Available Updates list, select each of the 823559: Security Update For Microsoft Windows check boxes.

    Tip 

    If you need to approve a large quantity of updates, select the first check box, then press Tab twice, press Space, press Tab twice, press Space, and repeat.

  7. Click the Approve button. Click Yes, and then click Accept. When prompted, click OK.

  8. Restart Computer1 to ensure that the latest Automatic Updates policies are applied.

  9. After Computer1 has started again, log on to the cohowinery.com domain on Computer1 using the Administrator account.

  10. Wait several minutes for the Update Notification to appear.

    At this point, you can proceed through the update installation process to expose yourself to the experience that end users have when new updates are detected.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the “Questions and Answers” section at the end of this chapter.

  1. Which command-line parameter would configure an update so that it won’t store copies of files that it replaces?

    1. /n

    2. /passive

    3. /o

    4. /extract

  2. Which of the following tools can be used to identify the Automatic Updates client’s configuration, in addition to the GPO that defined that configuration? (Choose all that apply.)

    1. Resultant Set Of Policy

    2. Help And Support Center

    3. Gpresult

    4. Gpupdate

    5. Active Directory Users And Computers

    6. Group Policy Object Editor

  3. Which registry key would you edit to configure the local computer’s Automatic Updates client settings?

    1. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate

    2. HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate

    3. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate

    4. HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate

  4. Which of the following might provide you with useful information about a problem you are experiencing with downloading updates from an SUS server?

    1. The Security event log on the SUS server

    2. The System event log on the SUS server

    3. The Application event log on the SUS server

    4. The Security event log on the client computer

    5. The System event log on the client computer

    6. The Application event log on the client computer

    7. The IIS usage log

Lesson Summary

  • Microsoft updates support a standard set of command-line parameters to simplify the deployment of updates by using scripts. Use the /quiet (formerly /q) parameter to install an update silently. When chaining updates, use the /norestart (formerly /z) parameter to prevent the computer from automatically restarting.

  • The Automatic Updates client can be configured by using GPOs linked to Active Directory, the local GPO, or the registry.

  • SUS requires that IIS be installed on the local computer, and that the Web site be configured to use the default port 80.

  • Both SUS and the Automatic Updates client store event information in the System event log.

  • Service packs include a Windows Installer package that can be used to deploy the service pack by using a GPO. This provides a simple way to install the service pack on a limited number of computers during a pilot deployment.



MCSA/MCSE Self-Paced Training Kit (Exam 70-299): Implementing and Administering Security in a Microsoft® Windows Server(TM) 2003 Network (Pro-Certification)
ISBN: 073562061X
EAN: 2147483647
Year: 2004
Pages: 217
