Slashdot Mirror


Deploying Windows Updates?

WinBreak asks: "Well, I guess I'd be an 'IT Administrator' - but I work for a public library. The job consists of baby sitting 20-odd computers. The problem is, as a public library, we don't have much bandwidth - a simple 768K DSL line shared among everyone. It's good enough, for our normal traffic, and when people want to come in and do research (as long as there aren't too many kids on YouTube!). The problem comes when we need to do reformats and installs on machines. Most of our CD's for these machines are XP with Service Pack 1 - though we have a couple with Service Pack 2. For the SP1 CD's, we immediately deploy the SP2 Redistributable. But that still leaves OVER 100MB worth of downloads from Windows Update to go get. Our budget isn't great in the IT department, so spending money is not a great option - but I could sling together a grant proposal if need be. So how do others manage deploying a new install of Windows? Are we really expected to still download 100+MB per reinstall? Is Service Pack 3 on the horizon?" "I've heard of programs that download updates to a server computer and distribute them through the network to clients, but that only worked for files released on Microsoft's Knowledge Base, if I recall correctly - not for all Windows Updates."


  1. Make one box a server. by Philip+K+Dickhead · · Score: 4, Informative

    Then install the FREE Windows Software Update Services (WSUS) on it. This becomes your single download point for the patches, and manages a local repository.

    Just download 'em once. The other machines will go there - instead of windowsupdate.microsoft.com.

    You can even schedule your own times for retrieving and distributing patches, centrally. It might force you to build a domain, if you don't already have one.

    --
    "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
    1. Re:Make one box a server. by PhilBrut · · Score: 5, Informative

      WSUS doesn't require a domain, but a domain will make it somewhat easier. Basically you need to tell the integrated AU client to talk to the WSUS rather than Windows Update, and it comes with an ActiveDirectory GPO template with which to configure the machines. Without a domain you will need to import the registry changes manually. Everything you need to know is in the WSUS documentation. Oh, and WSUS isn't supported under Windows 2000 Pro or Windows XP Pro - that doesn't mean it won't work, but the recommended server platforms are Windows 2000 Server/Advanced Server and Windows Server 2003. Chances are you have at least one Windows server anyways. BTW you should seriously consider something like g4u or unattended (http://unattended.sf.net) for maintaining the machines.

    2. Re:Make one box a server. by DeltaSigma · · Score: 4, Informative

      Indeed, WSUS is the way to go without spending money. It's supported by Microsoft. It sports patches for Windows, Internet Explorer, Windows Media Player, Microsoft Office, and even definition updates for the (still beta) Windows Defender. It's a lot like hosting your own windowsupdate.microsoft.com really. You're given an overview of what patches a computer needs, and what patches WSUS has installed. You can choose to automatically approve certain types of updates. It gives you a lot.

      Requirements are a Windows NT 5.0+ server hosting IIS, and some sort of SQL database. The documentation will recommend MSDE or MS SQL server. I personally recommend MSDE.

      Try to remember to patch MSDE before you install WSUS.

      Loading all of this on an internet facing server (outside the firewall) is NOT recommended (and may violate the license depending on how it's configured).

      Regardless, one should use the Microsoft Baseline Security Analyzer for any IIS server.

      That's the install routine off the top of my head. It actually helps to read the documentation for this particular MS Product. There are tons of helpful tips, such as, disabling languages you don't use (to reduce bandwidth and storage space consumed).

    3. Re:Make one box a server. by SCPRedMage · · Score: 2, Informative

      Oh, and I should have thrown this in there...

      Yeah, WSUS's patch store can take up a HUGE amount of space, but there are two things you can do about it...

      The first is that you can narrow the kinds of patches you're downloading. If you're not running Exchange 2000 or Office XP, well then there's no reason to download those patches, now is there? What's more is that you can restrict the kinds of patches it'll download; whereas SUS only handled critical updates and security updates, WSUS runs the whole gamut; you can easily tell it to only get the stuff that'll keep your systems safe.

      The second is that you can tell the WSUS server not to download patches until a client actually needs them. This way you don't end up with a huge library of patches no one ever needs; saves LOTS of space, trust me.

      --
      My sig can beat up your sig.
  2. Slipstream the hotfixes. by BobSixtyFour · · Score: 2, Informative

    Slipstream both the hotfixes and the service pack 2 onto the cd. It's possible. If not, get at least the sp2, it'll save you time when patching (sp2 takes awhile to install, especially on older machines)

  3. Is this really a problem? by David+E.+Smith · · Score: 4, Informative

    There are a multitude of ways around this.

    Ghost the machines, and keep your images updated every couple of months.

    Make a slipstreamed CD that includes all the current updates. This is a dead-simple way to do so..

    If your network were bigger, you could use WSUS to keep a local repository of all the updates, so you're just downloading them once, and the WSUS server hands them out to all your local computers.

    1. Re:Is this really a problem? by baadger · · Score: 2, Informative

      There's no reason to go download third party patch sets when you can get all the hotfixes you need in one go from Microsoft. They update the images monthly.

  4. nLite by corychristison · · Score: 4, Informative

    Check out nLite. It's an easy interface to create slipstreamed discs.

    They also offer a bunch of packages (called "Addons") you can embed into this disc, as well: Java, Firefox, AVG Antivirus, WinRAR, etc.

    Every month or two I will make a new disc for installs [for customers/friends]. The unattended mode is very handy. ;-)

  5. Image disk and WSUS by hrbrmstr · · Score: 3, Informative

    Well, for starters, you should be making an image installation disk for your fresh installs that incorporates (or, in MS terms - "slipstreams") what you need into it. This is especially handy if you don't have the same hardware. Check out nLite - http://www.nliteos.com/nlite.html - for more details on how easy it can be to do this. This saves hours of time. Days, if you have tons of boxes to refresh.

    Next you'll need a WSUS - http://www.microsoft.com/windowsserversystem/updateservices/default.mspx - box somewhere on your network which will take care of those monthly downloads for you and only do the heavy download lifting on one machine. You'll need to configure all your other boxes via group policy or registry hacks to point to this server instead of the mothership @ Microsoft so they can get the updates from there.

    With these two steps, you'll free up bandwidth and have more time to hit the stacks!

    --
    Mind the gap...
  6. SUS is what you want by Redhawk · · Score: 2, Informative

    SUS is tailor-made for the situation you're talking about. Assuming you've got a domain in your library, put a proposal together to get another box, throw a flavor of Server 2K3 on it, and get SUS. SUS will synch to the Windows Update site, so anything available there will be available to you internally. Then you approve the patches you want to push, and Bob's your uncle.

    Assuming you can get the approval for the server + software bits, you'll achieve what it is you're trying to do - not soak your 'Net connection and still keep a reasonable level of patchedness for your lab machines.

    Redhawk

    PS - If you're not on a domain, then SUS likely won't fly for you, as it ties into Active Directory and all those goodies.

    1. Re:SUS is what you want by snuf23 · · Score: 3, Informative

      SUS got turned into WSUS (Windows Server Update Services). WSUS is much better than SUS was and now supports Office and Exchange updates as well as Windows.
      It can work even if you don't have a domain, you just need to make a registry change in the client computers rather than a GPO.

      --
      Sometimes my arms bend back.
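
The registry change that PhilBrut's and snuf23's comments describe for pointing a non-domain client at WSUS, as an added PowerShell example that is not part of the thread. The server URL is a placeholder and the install schedule values are assumptions; run it from an elevated prompt.

```powershell
# Added example (not from the thread): point a workgroup PC at a local WSUS server.
# The default URL is a placeholder, not a real host.
param([string]$ServerUrl = 'http://wsus.example.local')

$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

function Set-WsusClient {
    param([Parameter(Mandatory = $true)][string]$Url)

    # Reject anything that is not an absolute http(s) URL before touching the registry.
    $uri = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri) -or
        ('http', 'https') -notcontains $uri.Scheme) {
        throw "Not a valid WSUS URL: $Url"
    }

    # Create the policy keys only if missing, so existing values are not wiped.
    if (-not (Test-Path $AuKey)) { New-Item -Path $AuKey -Force | Out-Null }

    $settings = @(
        @{ Path = $WuKey; Name = 'WUServer';             Type = 'String'; Value = $Url },
        @{ Path = $WuKey; Name = 'WUStatusServer';       Type = 'String'; Value = $Url },
        @{ Path = $AuKey; Name = 'UseWUServer';          Type = 'DWord';  Value = 1 },  # use WUServer
        @{ Path = $AuKey; Name = 'NoAutoUpdate';         Type = 'DWord';  Value = 0 },  # AU enabled
        @{ Path = $AuKey; Name = 'AUOptions';            Type = 'DWord';  Value = 4 },  # download + scheduled install
        @{ Path = $AuKey; Name = 'ScheduledInstallDay';  Type = 'DWord';  Value = 0 },  # every day (assumed)
        @{ Path = $AuKey; Name = 'ScheduledInstallTime'; Type = 'DWord';  Value = 3 }   # 03:00 (assumed)
    )
    foreach ($s in $settings) {
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value `
            -PropertyType $s.Type -Force | Out-Null
    }

    # Read every value back; a mismatch means the client would still use Windows Update.
    $bad = $settings | Where-Object {
        (Get-ItemProperty -Path $_.Path -Name $_.Name).($_.Name) -ne $_.Value
    }
    if ($bad) {
        throw "Verification failed for: $(($bad | ForEach-Object { $_.Name }) -join ', ')"
    }

    # Restart the Automatic Updates service and ask it to check in with the new server.
    Restart-Service -Name wuauserv
    & wuauclt.exe /detectnow
}

Set-WsusClient -Url $ServerUrl
```
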
  7. Autopatcher by crvtec · · Score: 3, Informative

    You could also try AutoPatcher for Post SP2 updates. http://www.autopatcher.com/

  8. RyanVM's Windows XP Post-SP2 Update Pack by westlake · · Score: 4, Informative
    RyanVM's Windows XP Post-SP2 Update Pack

    Last updated July 14. About 45 MB with optional add-ons like WMP 10. You'll see a full list of what's included on the front page.

  9. Re:download once by tomhudson · · Score: 2, Informative
    So do like everyone else does - use AutoPatcher, and avoid Microsoft's WGA spyware.

    http://autopatcher.com/

  10. Microsoft Shared Computer Toolkit by zollman · · Score: 3, Informative

    It won't help you with your updates problem, but to cut down on the number of reinstalls, take a look at the Microsoft Shared Computer Toolkit:

    http://www.microsoft.com/windowsxp/sharedaccess/default.mspx

    Like DeepFreeze (mentioned earlier in thread) it blocks any changes made to your systems from committing to disk (they get rolled back at logout or the next reboot) unless the administrator specifically allows them. Also: Free. And designed for libraries and schools specifically.

  11. Re:SP3 by dhalsim2 · · Score: 2, Informative
    Is Service Pack 3 on the horizon?

    XP SP3 won't come out until 07H2: http://news.com.com/Microsoft+XP+SP3+wont+arrive+until+07/2100-1016_3-6027741.html

    They don't want SP3 to distract people from Vista, so they scheduled it for WAY after Vista launch.
  12. Re:download once by tomhudson · · Score: 2, Informative

    They've been around for a couple of years now ... it's - as they say - "The new site is under construction" Neowin's been around since 2000.

    Look at the page views in the forums http://www.neowin.net/forum/index.php?showforum=89

    Yesterday's "AutoPatcher XP June 2006" announcement http://www.neowin.net/forum/index.php?s=cb19fcf468bcd977d13b309c7a176c4d&showtopic=471109 already has over 150,000 reads.

    Or do a search here on slashdot for comments about autopatcher: http://slashdot.org/search.pl?tid=&query=autopatcher&author=&sort=1&op=comments and read what others have to say. Lots of people here are already using it.

  13. Also see this guide for more detailed instructions by students · · Score: 2, Informative

    Unattended Windows

    This has worked very well for me, excepting that I can't get the latest version of F-Prot antivirus to install automatically. I suspect F-Prot has deliberately broken this feature.

  14. Several Solutions by Pathway · · Score: 2, Informative

    1) Install a proxy server. You probably have a router of some kind. Perhaps it's a linux box. What you could use to save your bandwidth is use some of your server's HD space to download the common items (like patches from Windows Updates). Since the proxy _can_ be transparent, there is nothing to configure on the other computers. There are many ways to do this. My suggestion: Squid. In particular, I have used the implementation in ClarkConnect. It's easy to set up, and there is a free version. If you want the pay version, it's extremely inexpensive. http://www.clarkconnect.com/

    2) Use nLite. nLite is a utility that makes custom Windows install CDs/DVDs. With the program, you can make an updated CD that installs SP2, all the updates, and even drivers. It even has the option to make the install "unattended", requiring no input by you. This might not be an option since you apparently don't have the Volume License version of XP. Nonetheless, highly recommended for those who have to re-install often. http://www.nliteos.com/

    3) Consider some way to harden the researcher's experience. Don't want to install Linux on your search stations? Use VMWare Player and the Browser Appliance! By doing this, you effectively remove any possibility of Viruses, Spyware or otherwise unwanted downloads. And the best part is... if you don't like/can't use the browser appliance to do what you need... go back to windows. http://www.vmware.com/products/player/

    Hope these suggestions help.

    --Pathway

  15. Re:Imaging Software by tomasvilda · · Score: 2, Informative

    You can even create one image using Acronis True Image and then restore to different machines using Acronis True Image with Universal Restore plugin, that reconfigures original image to match machine you are restoring.