Slashdot Mirror
Deploying Windows Updates?
WinBreak asks: "Well, I guess I'd be an 'IT Administrator' - but I work for a public library. The job consists of baby sitting 20-odd computers. The problem is, as a public library, we don't have much bandwidth - a simple 768K DSL line shared among everyone. It's good enough, for our normal traffic, and when people want to come in and do research (as long as there aren't too many kids on YouTube!). The problem comes when we need to do reformats and installs on machines. Most of our CD's for these machines are XP with Service Pack 1 - though we have a couple with Service Pack 2. For the SP1 CD's, we immediately deploy the SP2 Redistributable. But that still leaves OVER 100MB worth of downloads from Windows Update to go get. Our budget isn't great in the IT department, so spending money is not a great option - but I could sling together a grant proposal if need be. So how do others manage deploying a new install of Windows? Are we really expected to still download 100+MB per reinstall? Is Service Pack 3 on the horizon?"
"I've heard of programs that download updates to a server computer and distribute them through the network to clients, but that only worked for files released on Microsoft's Knowledge Base, if I recall correctly - not for all Windows Updates."
Then install the FREE Windows Software Update Services (WSUS) on it. This becomes your single download point for the patches, and manages a local repository.
Just download 'em once. The other machines will go there - instead of windowsupdate.microsoft.com.
You can even schedule yur own times for retreiving and distributing patches, centrally. It might force you to build a domain, if you don't already have one.
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
Yeah it's called "Vista".
Have you ever considered using imaging software to deploy one image to all the machines (if they're identical) or create individual images for each machine (if they're different)? Norton/Symantec Ghost, Acronis True Image, or g4u (Ghost for Unix) if you're looking for an OSS solution.
There's also software out there that can lock down XP, keeping any changes from becoming permanent...I used a program called DeepFreeze to minimize maintenanc on an 12 computer lab I ran.
Reinstalling Windows from scratch is a little inefficient compared to imaging or locking down the machines.
Slipstream both the hotfixes and the service pack 2 onto the cd. It's possible. If not, get at least the sp2, it'll save you time when patching (sp2 takes awhile to install, especially on older machines)
There are a multitude of ways around this.
Ghost the machines, and keep your images updated every couple of months.
Make a slipstreamed CD that includes all the current updates. This is a dead-simple way to do so..
If your network were bigger, you could use WSUS to keep a local repository of all the updates, so you're just downloading them once, and the WSUS server hands them out to all your local computers.
Check out nLite. It's an easy interface to create slipstreamed discs.
;-)
They also offer a bunch of packages (called "Addons") you can embed into this disc, as well: Java, Firefox, AVG Antivirus, WinRAR, etc.
Every month or two I will make a new disc for installs [for customers/friends]. The unattended mode is very handy.
Why do you keep downloading them? Why not keep them in a central location? Put them on a server, or burn them to disc.
Well, for starters, you should be making an image installation disk for your fresh installs that incorporates (or, in MS terms - "slipstreams") what you need into it. This is especially handy if you don't have the same hardware. Check out nLite - http://www.nliteos.com/nlite.html - for more details on how easy it can be to do this. This saves hours of time. Days, if you have tons of boxes to refresh.
t eservices/default.mspx - box somewhere on your network which will take care of those monthly downloads for you and only do the heavy download lifting on one machine. You'll need to configure all your other boxes via group policy or registry hacks to point to this server instead of the mothership @ Microsoft so they can get the updates from there.
Next you'll need a WSUS - http://www.microsoft.com/windowsserversystem/upda
With these two steps, you'll free up bandwidth and have more time to hit the stacks!
Mind the gap...
SUS is tailor-made for the situation you're talking about. Assuming you've got a domain in your library, put a proposal together to get another box, throw a flavor of Server 2K3 on it, and get SUS. SUS will synch to the Windows Update site, so anything available there will be available to you internally. Then you approve the patches you want to push, and Bob's your uncle.
Assuming you can get the approval for the server + software bits, you'll achieve what it is you're trying to do - not soak your 'Net connection and still keep a reasonable level of patchedness for your lab machines.
Redhawk
PS - If you're not on a domain, then SUS likely won't fly for you, as it ties into Active Directory and all those goodies.
You could also try AutoPatcher for Post SP2 updates. http://www.autopatcher.com/
Last updated July 14. About 45 MB with optional add-ons like WMP 10. You'll see a full list of what's included on the front page.
They're just not that different. If the user is incapacitated by such a small difference in the layout of menus or toolbars, then he's got more problems than any sysadmin is qualified to deal with.
The grandparent poster is right; there's nothing that legitimate library users do that can't be adequately handled by any reasonably current Linux distro. The myth that Linux can't interact with Windows was blown out of the water years ago, and continuing to repeat it simply generates more heat than light.
http://autopatcher.com/
i use norton ghost. This is the best thing ever. you simply install windows, activate, install all updates/ drivers, create a pristine ghost image, and let the bugs (in your case public users) loose on it! It's not an expensive investment for your employer, or even you so that you can have some sanity back. That's my suggestion.
-nick
It won't help you with your updates problem, but to cut down on the number of reinstalls, take a look at the Microsoft Shared Computer Toolkit:
e fault.mspx
http://www.microsoft.com/windowsxp/sharedaccess/d
Like DeepFreeze (mentioned earlier in thread) it blocks any changes made to your systems from committing to disk (they get rolled back at logout or the next reboot) unless the administrator specifically allows them. Also: Free. And designed for libraries and schools specifically.
So, instead of MS' spyware, I have to trust some third party's executable software?
Don't get me wrong, autopatcher is a great idea and as far as I know there's nothing wrong with it, but seeing as their page is still under construction and I've never heard of them before, I'll abstain from using them except in a testing environment.
No sig
This used to frustrate me too. I wrote a longish jounal article with enough detail to do what you want. It's here: http://ask.slashdot.org/~symbolset/journal/134087
Help stamp out iliturcy.
I was slipstreaming post XP SP2 to the Windows SP2 installation.
There are plenty of references about slipstreaming.
Yeah... good one.
Let me put your proposal in other terms:
Me: "My car is running rough."
You: "Buy another car!"
How about we make useful proposals to this guy before swapping out
all his technology.
They've been around for a couple of years now ... its - as they say - "The new site is under construction" Neowin's been around since 2000.
Look at the page views in the forums http://www.neowin.net/forum/index.php?showforum=89
Yesterday's "AutoPatcher XP June 2006" announcement http://www.neowin.net/forum/index.php?s=cb19fcf468 bcd977d13b309c7a176c4d&showtopic=471109 already has over 150,000 reads.
Or do a search here on slashdot for comments about autopatcher: http://slashdot.org/search.pl?tid=&query=autopatch er&author=&sort=1&op=comments and read what others have to aay.
Lots of people here are already using it.
It's sad when I trust a completely random website more than my OS vendor.
Start masturbating, I'm going to feed your troll:
If you don't have legitimate copies, Microsoft isn't your vendor. You get to sleep in the bed you made.
Slashdot - where whining about luck is the new way to make the world you want.
Hah! Another bad car analogy.
If your current car has an engine that doesn't run properly, requires a lot of maintenance, and periodic expenditures for a new, buggier engine every few years to that same manufacturer, and someone else is offering you a free new engine, with free upgrades, and the chance to try it, again at no risk, you're going to try it.
In this case, ther are plenty of live DVD/CDs that give people a chance to kick the tires, so instead of having to throw out the whole "car", you can just replace the engine, free of charge. Because that's what most libraries are looking at over the next 3 years - upgrading both hardware and software (they won't be able to buy XP even if they want it, and Vista won't run on their current hardware), or switching to linux/bsd/whatever.
XP is the end of the line for Microsoft. Vista is alreasy shaping up to be both a support nightmare (too many versions, too many rewrites, too much hardware required for a decent "user experience", too many features cut, too many intentional holes in the "new security model", too much maintenance, too much money when compared to the competition). Remember, linux live DVDs are already good enugh for libraries and schools and anyone else who wants to surf the web, and they're only going to get better.
In my opinion, delaying SP3 is VERY abusive.
Unattended Windows
This has worked very well for me, excepting that I can't get the latest version of F-Prot antivirus to install automatically. I suspect F-Prot has deliberately broken this feature.
Simon's Rock College
1) Install a proxy server. You probably have a router of some kind. Perhaps it's a linux box. What you could use to save your bandwidth is use some of your server's HD space to download the common items (like patches from Windows Updates). Since the proxy _can_ be transparrent, there is nothing to configure on the other computers. There are many ways to do this. My suggestion: Squid. In particular, I have used the implementation in ClarkConnect. It's easy to setup, and there is a free version. If you want the pay version, it's extremely inexpensive. http://www.clarkconnect.com/
2) Use nLite. nLite is a utility that makes custom Windows install CDs/DVDs. With the program, you can make an updated CD that installs SP2, all the updates, and even drivers. It even has the option to make the install "unattended", requireing no input by you. This might not be an option since you apparently don't have the Volume License version of of XP. None the less, highly recommended for those who have to re-install often. http://www.nliteos.com/
3) Consider some way to harden the researcher's experiance. Don't want to install Linux on your search stations? Use VMWare Player and the Browser Appliance! By doing this, you effectivly remove any possiblity of Viruses, Spyware or otherwise unwanted downloads. And the best part is... if you don't like/can't use the browser appliance to do what you need... go back to windows. http://www.vmware.com/products/player/
Hope these suggestions help.
--Pathway
Well yeah, but what eprcentage of people don't get Windows pre-installed? 1%? I don't see your point.
The buying market has matured; everyone I know buys from small white-box builders; they don't "get Windows for free".
The problem then was that the applications sucked compared to their Windows equivalents
there was the issue of games.
Most people don't use their machine primarily for games. For them, even after Microsoft stops selling XP in 2 years, they won't care. The few times they'll want to play a game they'll continue to use their old, outdated, "obsolete" copy.
you are making the big (and common) mistake of assuming that people have security at the top of their list when evaluating an OS or application
Other's don't even know what a browser is, let alone an operating sytsem.
They're a small minority nowadays.
Back when a computer cost $4,000.00, DOS was $50.00, a very small "added cost" - 1.25%. Fast forward to when a decent computer was $2000, Windows was $75.00, 3.75% - again, a very small "added cost", but creeping up. When Windows 95 came out, a decent computer was still a couple of grand, but now the OS had crept up to $100 - 5%. Still not enough "added pain" to make a real difference. 5 years ago, a decent computer was $1500, and XP Pro was an additional $150 - now 10% of the cost.
Today, you can slap together a computer that would eat the lunch of anything made 5 years ago for $500.00. XP is an additional 30%. Trow in the cost of a copy of Office, and you can buy a second computer instead. Go retail pricing and its even worse.
Microsoft has only 2 real profit centers - Windows and Office. Both products are long in the tooth, and it doesn't look like the next version of either is going to be offering any "must have" features. By the time Microsoft tries to force everyone to, by no longer offering XP (January, 2009), linux will be a lot further along than it is now. That's why Vista isthe beginning of the end as far as Windows is concerned. The competition continues to constantly improve, while Microsoft won't be offering much, if anything, new.
They know this. Hence their recent forays into WGA - to be able to remotely deactivate Windows when its no longer supported. Since they won't be supporting it in 2 years, they'll no longer be giving out activation codes if you have to re-install because of a hardware failure, a virus, or other reason. Of course, there are already ways of getting the latest updates without having to install WGA, and of permanently shutting off registration on naked installs; people who have to legitimately re-install are going to use them, and then say "F.U." to ever buying from Microsoft again.
We've already seen this happen once - the people who bought Millenium, then asked for a downgrade to Windows 98 because ME was crap, and were refused. How many of these people, who never pirated anything before, are running a pirated copy of XP nowadays because they feel Microsoft shafted them?
Its going to be the same with the end of XP. Microsofts' activation scheme is going to force them to "turn to the dark side" ... and we all know that "once you go black, you never go back".
I agree, most people look at things like this:
Ease of use means that they aren't going to upgrade to something that means they have to relearn everything - and XP to Vista is not going to score points in that department. Since they're going to have to re
First off, I'd like to actually THANK everyone who replied. All of the information was very helpful. I'll be looking into WSUS to fulfill my needs. We currently have an in house server running good ol' Windows NT (no internet connection to it, so we're not worried about security exploits or anything). I thought about using that computer to try WSUS, but then I remembered an unused Windows 2000 Server lisence we have laying around since pulling a machine out of the loop! And with some money in the budget, I can put together a new machine that will serve this job perfect. 2nd, a reason I couldn't just do scheduled or 'automatic updates' with these computers is because I use a program called "Deep Freeze" from Faronics (see: http://faronics.com/index.asp). It basically keeps the computers in a specific state until you tell te software to "thaw" and then reboot. Then, you have to "freeze" the partition and reboot again once changes are finished. Automating some tasks can be a pain - but the benefits of this software in our work environment far outweigh any annoyances. Autopatcher sounds like it'll be nice for home use... sort of a single download and deploy method, rather than having to wait for Windows Update to do its long winded tasks. Thanks for the info, everyone, it's been great, and I'm sure you've all given ideas to many others in my same situation! Garrett C. a.k.a. NuAngel of WinBreak.