Slashdot is powered by your submissions, so send in your scoop


Forgot your password?

Deploying Windows Updates? 122

WinBreak asks: "Well, I guess I'd be an 'IT Administrator' - but I work for a public library. The job consists of baby sitting 20-odd computers. The problem is, as a public library, we don't have much bandwidth - a simple 768K DSL line shared among everyone. It's good enough, for our normal traffic, and when people want to come in and do research (as long as there aren't too many kids on YouTube!). The problem comes when we need to do reformats and installs on machines. Most of our CD's for these machines are XP with Service Pack 1 - though we have a couple with Service Pack 2. For the SP1 CD's, we immediately deploy the SP2 Redistributable. But that still leaves OVER 100MB worth of downloads from Windows Update to go get. Our budget isn't great in the IT department, so spending money is not a great option - but I could sling together a grant proposal if need be. So how do others manage deploying a new install of Windows? Are we really expected to still download 100+MB per reinstall? Is Service Pack 3 on the horizon?"
"I've heard of programs that download updates to a server computer and distribute them through the network to clients, but that only worked for files released on Microsoft's Knowledge Base, if I recall correctly - not for all Windows Updates."
This discussion has been archived. No new comments can be posted.

Deploying Windows Updates?

Comments Filter:
  • by Philip K Dickhead ( 906971 ) * <> on Friday July 14, 2006 @09:25PM (#15722877) Journal
    Then install the FREE Windows Software Update Services (WSUS) on it. This becomes your single download point for the patches, and manages a local repository.

    Just download 'em once. The other machines will go there - instead of

    You can even schedule yur own times for retreiving and distributing patches, centrally. It might force you to build a domain, if you don't already have one.
    • by PhilBrut ( 87389 ) on Friday July 14, 2006 @09:43PM (#15722931) Homepage
      WSUS doesn't require a domain, but a domain will make it somewhat easier. Basically you need to tell the integrated AU client to talk the WSUS rather than Windows Update, and it comes with an ActiveDirectory GPO template with which to configure the machines. Without a domain you will need to import the registry changes manually. Everything you need to know is in the WSUS documentation. Oh, and WSUS isn't supported under Windows 2000 Pro or Windows XP Pro - that doesn't mean it won't work, but the recommended server platforms are Windows 2000 Server/Advanded Server and Windows Server 2003. Chances are you have at least one Windows server anyways. BTW you should seriously consider something like g4u or unattended ( for maintaining the machines.
      • There should be no registry changes involved. The Group policy settings can be set on the client machines by opening up mmc and addings the "local group policy" snap-in. From there, you can add the WSUS settings to each machine.

        As for XP support, I'm pretty sure WSUS will not install on *any* of the desktop OS's.
        • The registry is how the AU ciient knows how to talk to WSUS, the GP templates are the fancy GUI way of doing it.
          • Yes, I know how GPO templates work, but the submitter doesn't exectly sound like a seasoned IT pro. I would think the GUI way of doing it would be welcomed for some one who is probably not accustomed to using regedit and/or the reg command.
          • To clarify, I should have said "there should be no need to edit the registry manually", rather than "there should be no registry changes involved".
    • by DeltaSigma ( 583342 ) on Friday July 14, 2006 @09:46PM (#15722946) Journal
      Indeed, WSUS is the way to go without spending money. It's supported by Microsoft. It sports patches for Windows, Internet Explorer, Windows Media Player, Microsoft Office, and even definition updates for the (still beta) Windows Defender. It's a lot like hosting your own really. You're given an overview of what patches a computer needs, and what patches WSUS has installed. You can choose to automatically approve certain types of updates. It gives you a lot.

      Requirements are a Windows NT 5.0+ server hosting IIS, and some sort of SQL database. The documentation will reccomend MSDE or MS SQL server. I personally reccomend MSDE.

      Try to remember to patch MSDE before you install WSUS.

      Loading all of this on an internet facing server (outside the firewall) is NOT reccomended (and may violate the license depending on how it's configured).

      Regardless, one should use the Microsoft Baseline Security Analyzer for any IIS server.

      That's the install routine off the top of my head. It actually helps to read the documentation for this particular MS Product. There are tons of helpful tips, such as, disabling languages you don't use (to reduce bandwidth and storage space consumed).
      • hehehe I will throw in my "Me, Too!"

        I use WSUS at all of my installations, Small Business Server 2003 and Windows Server 2003. If you do not have MSDE or SQL, WSUS installs the MSDE for you.

        Installation is painless and flawless, though be prepared to spend a weekend letting the machine download updates. Depending upon your installation, you could use 10GB or more storage space. In an environment with Server 2003, SBS2003, Exchange 2003, Windows XP, Office XP and 2003, and Windows Defender, I easily used
        • I've had WSUS import my SUS stuff successfully not once, but twice. The trick is to wait until AFTER you've "synch'd" it; that is, have it contact MS so that it can grab all the patch metadata, then you import the approvals and executables. WSUS is different enough from SUS that the data SUS has on patches isn't enough, so it needs to contact a WSUS server in order to know about the patches... THEN it can accept the SUS data.

          And yeah, everyone's been right on the domain bit; it's REALLY helpful to have
          • Oh, and I should have thrown this in there...

            Yeah, WSUS's patch store can take up a HUGE amount of space, but there are two things you can do about it...

            The first is that you can narrow the kinds of patches you're downloading. If you're not running Exchange 2000 or Office XP, well then there's no reason to download those patch, now is there? What's more is that you can restrict the kinds of patches it'll download; whereas SUS only handled critical updates and security updates, WSUS runs the whole gamu
          • ...""wuauclt /detectnow:...

            Thank you. I never caught that when we updated to WSUS, and still thought you had to use the registry hack to get clients to check for updates.
      • Baseline security analyzer is not needed or support on IIS 6.0 on 2003.
    • To save bandwidth all round, install a caching proxy like squid. As well as speeding up access to popular websites, if one configures it to save objects up to 200MB in size it will remember all the OS patches.
      • --Yep. For small-medium networks, use Squid. Allow me to recommend my Squid VM Appliance, located here: eID=359128 []

        --1.5GB growable disk, preconfigured to store objects up to 20MB in size, and Free software to boot. Only uses ~100MB RAM in the guest. Point all browsers at the proxy (, do a Win Update on _one_ machine, and the other machines will DL the updates from the proxy.

        --Vmware Player is free, and can be downloaded here:

        http://www.vm []
  • You could just download the stad-alone sp2 installer and put it on a cd and use that every time.
  • You make a HD image and use ghost or similar to deploy it?
    • Norton Ghost is the easiest and fastest way to support a small number of computers. You could then protect them against lusers by using DeepFreeze (
  • SP3 (Score:5, Funny)

    by Curtman ( 556920 ) on Friday July 14, 2006 @09:27PM (#15722886)
    Is Service Pack 3 on the horizon?

    Yeah it's called "Vista".
  • Imaging Software (Score:2, Interesting)

    by smvp6459 ( 896580 )
    Have you ever considered using imaging software to deploy one image to all the machines (if they're identical) or create individual images for each machine (if they're different)? Norton/Symantec Ghost, Acronis True Image, or g4u (Ghost for Unix) if you're looking for an OSS solution.

    There's also software out there that can lock down XP, keeping any changes from becoming permanent...I used a program called DeepFreeze to minimize maintenanc on an 12 computer lab I ran.

    Reinstalling Windows from scratch is a
    • The method I have been using is a barebones Linux host running VMware Player with a single Windows/XP VM (with restore to a snapshot after each user session). Of course, this does incur some overhead, but it is convenient using a standard Windows configuration on all kinds of different hardware.

      How much overhead does DeepFreeze imply? What are the opinions of those you who have used both solutions?

      Note that the new version of Xen is also interesting. They claim very low overhead, though it is not cl

      • The website for anyone who is interested: []

        I haven't used it since version 4, but the overhead for DeepFreeze was not at all noticeable. I know there was some small amount of overhead since there were at least two processes associated with the program, however a human couldn't tell any difference between a machine with DeepFreeze versus a machine without it. And these weren't souped up machines...they ran Windows 2000 with an 800mgz Athlon and 256MB of RAM. There's no way
    • Re:Imaging Software (Score:2, Informative)

      by tomasvilda ( 818284 )
      You can even create one image using Acronis True Image and then restore to different machines using Acronis True Image with Universal Restore plugin [], that reconfigures original image to match machine you are restoring.

    • Personally, I'm a linux guy. But when I've got to image windows, I use their sysprep [] tools from the resource kit cd's, and then use ntfsclone from the ntfsprogs [] package to do the actual backup and restore.

      Conceptually, the whole thing is easy. Sysprep removes the windows registry identification, device map, and just redetects them upon first boot. However, theres a few steps you'll need to do after restoring from sysprep, but you can automate them. Things like having a random hostname generated for
      • One thing I found you can do is include an * at the end of the workstation name for that part of the sysprep.inf , this will stop the automated section so you can plunk in the name as it is considered an invalid character. Everything else will still apply as expected. You can't do it through the gui setup tool, you have to open the file and manually input it.
  • Slipstream both the hotfixes and the service pack 2 onto the cd. It's possible. If not, get at least the sp2, it'll save you time when patching (sp2 takes awhile to install, especially on older machines)
  • #1. Getting a clean install onto the machine(s).

    #2. Keeping the clean install updated.

    #3. Keeping unauthorized software off of the clean, updated install(s).

    If you don't have all three, you'll be running through the processes again and again and again.

    #1. This is the easy part. To save time, take an image of the machine(s) after you've finished.

    #2. You can download any patch from Microsoft for "network deployment" so your bandwidth won't really matter. Just start the download process when you're closing up
  • by David E. Smith ( 4570 ) * on Friday July 14, 2006 @09:31PM (#15722900)
    There are a multitude of ways around this.

    Ghost the machines, and keep your images updated every couple of months.

    Make a slipstreamed CD that includes all the current updates. This is a dead-simple way to do so. [].

    If your network were bigger, you could use WSUS [] to keep a local repository of all the updates, so you're just downloading them once, and the WSUS server hands them out to all your local computers.
  • nLite (Score:4, Informative)

    by corychristison ( 951993 ) on Friday July 14, 2006 @09:33PM (#15722907)
    Check out nLite []. It's an easy interface to create slipstreamed discs.

    They also offer a bunch of packages (called "Addons" []) you can embed into this disc, as well: Java, Firefox, AVG Antivirus, WinRAR, etc.

    Every month or two I will make a new disc for installs [for customers/friends]. The unattended mode is very handy. ;-)
  • by alanjstr ( 131045 ) on Friday July 14, 2006 @09:34PM (#15722909) Homepage
    Why do you keep downloading them? Why not keep them in a central location? Put them on a server, or burn them to disc.
  • Image disk and WSUS (Score:4, Informative)

    by hrbrmstr ( 324215 ) * on Friday July 14, 2006 @09:35PM (#15722912) Homepage Journal
    Well, for starters, you should be making an image installation disk for your fresh installs that incorporates (or, in MS terms - "slipstreams") what you need into it. This is especially handy if you don't have the same hardware. Check out nLite - [] - for more details on how easy it can be to do this. This saves hours of time. Days, if you have tons of boxes to refresh.

    Next you'll need a WSUS - eservices/default.mspx [] - box somewhere on your network which will take care of those monthly downloads for you and only do the heavy download lifting on one machine. You'll need to configure all your other boxes via group policy or registry hacks to point to this server instead of the mothership @ Microsoft so they can get the updates from there.

    With these two steps, you'll free up bandwidth and have more time to hit the stacks!
  • Slipstream SP2 []
    Slipstream security updates as well []
    Or get updates [] as ISO images and burn your own CDs
  • SUS is what you want (Score:3, Informative)

    by Redhawk ( 28794 ) on Friday July 14, 2006 @09:40PM (#15722923)
    SUS is tailor-made for the situation you're talking about. Assuming you've got a domain in your library, put a proposal together to get another box, throw a flavor of Server 2K3 on it, and get SUS. SUS will synch to the Windows Update site, so anything available there will be available to you internally. Then you approve the patches you want to push, and Bob's your uncle.

    Assuming you can get the approval for the server + software bits, you'll achieve what it is you're trying to do - not soak your 'Net connection and still keep a reasonable level of patchedness for your lab machines.


    PS - If you're not on a domain, then SUS likely won't fly for you, as it ties into Active Directory and all those goodies.
    • by snuf23 ( 182335 ) on Friday July 14, 2006 @11:00PM (#15723155)
      SUS got turned into WSUS (Windows Server Update Services). WSUS is much better than SUS was and now supports Office and Exchange updates as well as Windows.
      It can work even if you don't have a domain, you just need to make a registry change in the client computers rather than a GPO.
      • ...either URPMI [] or APT [] for updates, both of which are trivial and powerful to use compared with Microsoft's chaotic collactions, and have been for many years.

        Such use would also make the dynamic customisation of updates much simpler and faster (and more possible at all). People who are much less control-dominated thab MS faced and solved these kinds of issues well and long ago.
        • I've used RPM (which I hate - don't know if Mandriva has improved it) and APT (which I like) but only in single server instances. Is there a way to centrally control APT or RPM from a gui driven interface across a few hundred or so workstations? Also can you group those workstations into different sets and apply updates only to specific sets? I always prefer to roll updates to test stations/servers before commiting then on production machines.
          I'd also like to see reporting telling me what installed where an
  • Autopatcher (Score:3, Informative)

    by crvtec ( 921881 ) on Friday July 14, 2006 @09:40PM (#15722926) Homepage
    You could also try AutoPatcher for Post SP2 updates. []
    • Autopatcher is definetly THE solution, specially when you deal with different machines (and Ghost images aren't useful). 15/20 minutes and you're done. I use Autopatcher regularly when a new pc is going out of my shop. And no WGA required!
  • by westlake ( 615356 ) on Friday July 14, 2006 @09:44PM (#15722933)
    RyanVM's Windows XP Post-SP2 Update Pack []

    Last updated July 14. About 45 MB with optional add-ons like WMP 10. You'll see a full list of what's included on the front page.

  • We use AutoIT extensively ( It was originally developed to help with this sort of task, but now it is an extensive Windows, open-source scripting language. I prefer using it from Python via COM interface. We've been able to quickly solve emergent, repetitive IT tasks with this tool.
    • AutoIt is excellent. Make sure you get the excellent IDE [], also.

      For keyboard macros, use AutoHotkey [], a fork from an earlier version of AutoIt.

      Both FREE.
      • Uh oh. Something new to play with. I had not heard of AutoHotkey. Since it is a fork of AutoKey, you can bet I'm going to spend some time with it as it will likely be worth the time.

        Thanks for the tip.

        BTW: I didn't mention one feature of AutoIT we have been enjoying of late. With the geewiz factor, we have been impressing co-workers and bosses. The ability to change the speed at which things happens allows us to show them a slowly automated version of some complex task they were accustommed to doing. T
  • If it's just a browser for accessing the web, I'd install linux (running Firefox) on those computers. You can access any research material online in this configuration.

    • If it's just a browser for accessing the web, I'd install linux (running Firefox) on those computers. You can access any research material online in this configuration.

      Brilliant. Now all he needs is a way to simplify and automate the process of downloading and installing OS patches to Windows, which is what he actually asked about (not "which OS and browser should I use"). I would recommend WSUS (as most people who actually addressed his question did). Mainly becuase it's free if you already have a Wi
      • Sure he could switch to Linux... And even with Linux, you still have to have a method to distribute and install patches to the OS and applications, so you haven't actually solved the root problem.

        He wouldn't need a method to install patches/applications. His core applications would "just work" and he wouldn't have to worry about patching/upgrading every day. Using a Linux OS his core system would be fundamentally secure. He could apply updates if desired, but they wouldn't be mandatory to maintain a secu
        • He wouldn't need a method to install patches/applications. His core applications would "just work" and he wouldn't have to worry about patching/upgrading every day. Using a Linux OS his core system would be fundamentally secure. He could apply updates if desired, but they wouldn't be mandatory to maintain a secure system.

          I see that you post has been appropriately modded as a Troll, but I think I'll take the bait anyway. Either you are unfamiliar with Linux, or you are blinded by religious fervor, becaus
  • In my lab (Score:2, Insightful)

    by nickheart ( 557603 )
    i use norton ghost. This is the best thing ever. you simply install windows, activate, install all updates/ drivers, create a pristine ghost image, and let the bugs (in your case public users) loose on it! It's not an expensive investment for your employer, or even you so that you can have some sanity back. That's my suggestion.
  • by zollman ( 697 ) on Friday July 14, 2006 @10:30PM (#15723073) Homepage
    It won't help you with your updates problem, but to cut down on the number of reinstalls, take a look at the Microsoft Shared Computer Toolkit: fault.mspx []

    Like DeepFreeze (mentioned earlier in thread) it blocks any changes made to your systems from committing to disk (they get rolled back at logout or the next reboot) unless the administrator specifically allows them. Also: Free. And designed for libraries and schools specifically.
  • by symbolset ( 646467 ) on Friday July 14, 2006 @10:39PM (#15723102) Journal
    This used to frustrate me too. I wrote a longish jounal article with enough detail to do what you want. It's here: []
  • What about running the boxes as Linux native and providing Windows support via some virtualization software (i.e. VMWare). It's not like these people are gaming, so performance shouldn't be too much of an issue. As long as windows is confined to its little sandbox, the only reinstall needed is a simple rollback to the original Windows image.
    • If you want to go that route take a look at qemu and kqemu.
      I just got Vista installed under qemu and running in a window on my Linux desktop.
      Don't know if it a solution but it is interesting.
  • by Utopia ( 149375 ) on Friday July 14, 2006 @11:01PM (#15723160)
    I was slipstreaming post XP SP2 to the Windows SP2 installation.

    There are plenty of references [] about slipstreaming.

  • My college computer labs use DeepFreeze to restore the HDs to a preset condition on every boot, wiping out installed software, etc. You should consider looking into it, it works fine for them. Only way around it is to not boot from the HD, but from a LiveCD or something (and this can hopefully be stopped through BIOS settings... one of my friends worked around it with a CD and partitioned and dual booted Slackware as an experiment, heh heh heh).

    If you choose to research this, also be sure to research cr

    • DeepFreeze is quite effective, and I have seen in used in several university computer labs with great success. The only way I found to "crack" it was to guess the password the IT department had set. It allows you to change anything on the computer, but when you reboot it's all clean.
  • It's called Ubuntu. It's real easy, and internally, I share my package directory through NFS. apt-get update && apt-get upgrade and all packages are already there.
    • funny, I was thinking of writing the same comment, but repace Ubuntu with openSuSE... and smart update && smart upgrade.

      Anyone know how to get the sound working in VMware and Windows 98 (don`t tell me google, as I tried it), the device found has no driver that fits... and the SoundBlaster 16 driver does not work :-(

      no Wine is no use, as these are learning CDroms my wife needs for medicine and they require a real Windows 98.

      Thanks SlashSupport!
    • On Slashdot, only people not interested in commenting on the discussion can rate comments. So, many times readers visit stories in which they have no interest so that they can moderate.

      The first link in the parent comment is not "Offtopic". It's an alternative way to update your Windows computers, which is exactly the subject of the discussion.
  • We use Clark Connect [] to proxy the internet at our small shop.
    It manages to cache almost all windows updates so you get them fast and save your bandwidth.
  • If you can't get WSUS to work (which is the best option around for free..), try this little script: []

    It's something I hacked up when I couldn't get SUS (predecessor to WSUS) to work, and seems to do the job.. only thing is, users need to have local admin if this is to run as a logon script.

  • Get a copy of Ghost for when you need to install/reinsall an OS. Just setup a machine with all the updates and software you want all the machines to have, then you can install a replica of that machine onto any of the other machines via the network in one fell swoop. The machines just need to have a BIOS that allows them to boot from the network in order for you to be able to do this without using any disks whatsoever. Most machines seem to have that capability nowadays. It takes almost none of your tim
  • Several Solutions (Score:2, Informative)

    by Pathway ( 2111 )
    1) Install a proxy server. You probably have a router of some kind. Perhaps it's a linux box. What you could use to save your bandwidth is use some of your server's HD space to download the common items (like patches from Windows Updates). Since the proxy _can_ be transparrent, there is nothing to configure on the other computers. There are many ways to do this. My suggestion: Squid. In particular, I have used the implementation in ClarkConnect. It's easy to setup, and there is a free version. If you want t
  • There are many solutions to this problem, one of them being AutoPatcher []. They provide many more updates (including hotfixes) than the standard windows update does as well.
  • Windows Update Service is cool but if you've only got 20 computers and don'e have a server setup already it may be a bit of an overkill.

    Personally I've been using a tool called AutoPatcher [] which includes all the updates and a number of other standard companents, like flash, java etc.

    If you have seen it yet then check it out. It soulds like it will be exactly what you are looking for.
  • Get Shavlik HFNetChkPro. Its free for a year for 50 machines. Scans for all of the MS products, plus Adobe, Winzip, and others...

    Shavlik wrote the MS Baseline Security Analyser, the product is solid.

    No, I don't work for them...
  • Microsoft offers his security updates by iso files in their website... so once a month, you downoad the file, burn it on cd as a saved project... and you use it on all your computers...

    simple, safe (as much as a microsoft service could be) and pretty much foolproof []
  • He's talking about 20 light use machines.

    For incremental updates, staggering automatic downloads a 2 through 6 am should work.

    For service packs, download to cd. He already does that.
    The real problem is the reinstalling, and frankly, you shouldn't need to.......

    Locked down permission, draconian install policies, or switch to Linux. You should not need to reinstall unless you experience hard failure, and in that event reinstall, turn on automatic updates, and let the thing start sucking on your dsl at 6 pm on
  • There is a way to download the .exe for SP2, and then burn that to a disk.
    Search for SP2 on multiple computers, or something along those lines. And when SP3 comes out, do the same thing.
    I remember I had to do that for a friend whose laptop was in german, and the campus wouldn't let her get on the web without SP2 installed... I downloaded it, burned it, and installed it from the CD without so much as scoffing from either MS or Windows.
    I do suppose you have CD-Rs lying around?
  • First off, I'd like to actually THANK everyone who replied. All of the information was very helpful. I'll be looking into WSUS to fulfill my needs. We currently have an in house server running good ol' Windows NT (no internet connection to it, so we're not worried about security exploits or anything). I thought about using that computer to try WSUS, but then I remembered an unused Windows 2000 Server lisence we have laying around since pulling a machine out of the loop! And with some money in the budge

Honesty pays, but it doesn't seem to pay enough to suit some people. -- F.M. Hubbard