Slashdot Mirror


Deploying Windows Updates?

WinBreak asks: "Well, I guess I'd be an 'IT Administrator' - but I work for a public library. The job consists of babysitting 20-odd computers. The problem is, as a public library, we don't have much bandwidth - a simple 768K DSL line shared among everyone. It's good enough for our normal traffic, and when people want to come in and do research (as long as there aren't too many kids on YouTube!). The problem comes when we need to do reformats and installs on machines. Most of our CDs for these machines are XP with Service Pack 1 - though we have a couple with Service Pack 2. For the SP1 CDs, we immediately deploy the SP2 Redistributable. But that still leaves OVER 100MB worth of downloads from Windows Update to go get. Our budget isn't great in the IT department, so spending money is not a great option - but I could sling together a grant proposal if need be. So how do others manage deploying a new install of Windows? Are we really expected to still download 100+MB per reinstall? Is Service Pack 3 on the horizon?" "I've heard of programs that download updates to a server computer and distribute them through the network to clients, but that only worked for files released on Microsoft's Knowledge Base, if I recall correctly - not for all Windows Updates."

14 of 122 comments

  1. Make one box a server. by Philip+K+Dickhead · · Score: 4, Informative

    Then install the FREE Windows Software Update Services (WSUS) on it. This becomes your single download point for the patches, and manages a local repository.

    Just download 'em once. The other machines will go there - instead of windowsupdate.microsoft.com.

    You can even schedule your own times for retrieving and distributing patches, centrally. It might force you to build a domain, if you don't already have one.

    --
    "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
    1. Re:Make one box a server. by PhilBrut · · Score: 5, Informative

      WSUS doesn't require a domain, but a domain will make it somewhat easier. Basically you need to tell the integrated AU client to talk to the WSUS rather than Windows Update, and it comes with an Active Directory GPO template with which to configure the machines. Without a domain you will need to import the registry changes manually. Everything you need to know is in the WSUS documentation. Oh, and WSUS isn't supported under Windows 2000 Pro or Windows XP Pro - that doesn't mean it won't work, but the recommended server platforms are Windows 2000 Server/Advanced Server and Windows Server 2003. Chances are you have at least one Windows server anyways. BTW you should seriously consider something like g4u or unattended (http://unattended.sf.net) for maintaining the machines.

    2. Re:Make one box a server. by DeltaSigma · · Score: 4, Informative

      Indeed, WSUS is the way to go without spending money. It's supported by Microsoft. It sports patches for Windows, Internet Explorer, Windows Media Player, Microsoft Office, and even definition updates for the (still beta) Windows Defender. It's a lot like hosting your own windowsupdate.microsoft.com really. You're given an overview of what patches a computer needs, and what patches WSUS has installed. You can choose to automatically approve certain types of updates. It gives you a lot.

      Requirements are a Windows NT 5.0+ server hosting IIS, and some sort of SQL database. The documentation will recommend MSDE or MS SQL server. I personally recommend MSDE.

      Try to remember to patch MSDE before you install WSUS.

      Loading all of this on an internet facing server (outside the firewall) is NOT recommended (and may violate the license depending on how it's configured).

      Regardless, one should use the Microsoft Baseline Security Analyzer for any IIS server.

      That's the install routine off the top of my head. It actually helps to read the documentation for this particular MS Product. There are tons of helpful tips, such as, disabling languages you don't use (to reduce bandwidth and storage space consumed).

  2. SP3 by Curtman · · Score: 4, Funny
    Is Service Pack 3 on the horizon?


    Yeah it's called "Vista".
  3. Is this really a problem? by David+E.+Smith · · Score: 4, Informative

    There are a multitude of ways around this.

    Ghost the machines, and keep your images updated every couple of months.

    Make a slipstreamed CD that includes all the current updates. This is a dead-simple way to do so.

    If your network were bigger, you could use WSUS to keep a local repository of all the updates, so you're just downloading them once, and the WSUS server hands them out to all your local computers.

  4. nLite by corychristison · · Score: 4, Informative

    Check out nLite. It's an easy interface to create slipstreamed discs.

    They also offer a bunch of packages (called "Addons") you can embed into this disc, as well: Java, Firefox, AVG Antivirus, WinRAR, etc.

    Every month or two I will make a new disc for installs [for customers/friends]. The unattended mode is very handy. ;-)

  5. Save the patches on your server by alanjstr · · Score: 3, Insightful

    Why do you keep downloading them? Why not keep them in a central location? Put them on a server, or burn them to disc.

  6. Image disk and WSUS by hrbrmstr · · Score: 3, Informative

    Well, for starters, you should be making an image installation disk for your fresh installs that incorporates (or, in MS terms - "slipstreams") what you need into it. This is especially handy if you don't have the same hardware. Check out nLite - http://www.nliteos.com/nlite.html - for more details on how easy it can be to do this. This saves hours of time. Days, if you have tons of boxes to refresh.

    Next you'll need a WSUS - http://www.microsoft.com/windowsserversystem/updateservices/default.mspx - box somewhere on your network which will take care of those monthly downloads for you and only do the heavy download lifting on one machine. You'll need to configure all your other boxes via group policy or registry hacks to point to this server instead of the mothership @ Microsoft so they can get the updates from there.

    With these two steps, you'll free up bandwidth and have more time to hit the stacks!

    --
    Mind the gap...
  7. Autopatcher by crvtec · · Score: 3, Informative

    You could also try AutoPatcher for Post SP2 updates. http://www.autopatcher.com/

  8. RyanVM's Windows XP Post-SP2 Update Pack by westlake · · Score: 4, Informative
    RyanVM's Windows XP Post-SP2 Update Pack

    Last updated July 14. About 45 MB with optional add-ons like WMP 10. You'll see a full list of what's included on the front page.

  9. Microsoft Shared Computer Toolkit by zollman · · Score: 3, Informative

    It won't help you with your updates problem, but to cut down on the number of reinstalls, take a look at the Microsoft Shared Computer Toolkit:

    http://www.microsoft.com/windowsxp/sharedaccess/default.mspx

    Like DeepFreeze (mentioned earlier in thread) it blocks any changes made to your systems from committing to disk (they get rolled back at logout or the next reboot) unless the administrator specifically allows them. Also: Free. And designed for libraries and schools specifically.

  10. Re:download once by secolactico · · Score: 4, Insightful

    So, instead of MS' spyware, I have to trust some third party's executable software?

    Don't get me wrong, autopatcher is a great idea and as far as I know there's nothing wrong with it, but seeing as their page is still under construction and I've never heard of them before, I'll abstain from using them except in a testing environment.

    --
    No sig
  11. Re:SUS is what you want by snuf23 · · Score: 3, Informative

    SUS got turned into WSUS (Windows Server Update Services). WSUS is much better than SUS was and now supports Office and Exchange updates as well as Windows.
    It can work even if you don't have a domain, you just need to make a registry change in the client computers rather than a GPO.

    --
    Sometimes my arms bend back.
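
The client-side registry change that several comments above mention for machines outside a domain, as an added example that is not part of any poster's comment. The server URL `http://wsus.example.lan` is a placeholder, and the schedule values (install daily at 03:00) are assumptions chosen for illustration; run it from an administrator command prompt on each client.

```batch
@echo off
rem Added example: point a workgroup (non-domain) client at a local WSUS server.
rem WSUS_URL is a placeholder; use the URL your WSUS site is actually published on.
setlocal
set "WSUS_URL=http://wsus.example.lan"
set "WU=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"

rem Update server and status (reporting) server; normally the same machine.
reg add "%WU%" /v WUServer /t REG_SZ /d "%WSUS_URL%" /f || goto :fail
reg add "%WU%" /v WUStatusServer /t REG_SZ /d "%WSUS_URL%" /f || goto :fail

rem Tell Automatic Updates to use the server above instead of Windows Update.
reg add "%WU%\AU" /v UseWUServer /t REG_DWORD /d 1 /f || goto :fail

rem Keep Automatic Updates enabled; 4 = download and install on a schedule.
reg add "%WU%\AU" /v NoAutoUpdate /t REG_DWORD /d 0 /f || goto :fail
reg add "%WU%\AU" /v AUOptions /t REG_DWORD /d 4 /f || goto :fail

rem Assumed schedule: 0 = every day, 3 = 03:00 local time.
reg add "%WU%\AU" /v ScheduledInstallDay /t REG_DWORD /d 0 /f || goto :fail
reg add "%WU%\AU" /v ScheduledInstallTime /t REG_DWORD /d 3 /f || goto :fail

rem Restart the Automatic Updates service so it rereads the policy, then check in.
net stop wuauserv
net start wuauserv || goto :fail
wuauclt /detectnow

rem Print what was written so it can be compared with the intended values.
reg query "%WU%" /s
exit /b 0

:fail
echo Failed to apply WSUS client settings (administrator rights are required). 1>&2
exit /b 1
```

After the client checks in, it should appear in the WSUS console's computer list; if it does not, `%windir%\WindowsUpdate.log` on the client records which server it contacted.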
  12. In my opinion, delaying SP3 is VERY abusive. by Futurepower(R) · · Score: 4, Insightful

    In my opinion, delaying SP3 is VERY abusive.