Deploying Windows Updates? 122
WinBreak asks: "Well, I guess I'd be an 'IT Administrator' - but I work for a public library. The job consists of baby sitting 20-odd computers. The problem is, as a public library, we don't have much bandwidth - a simple 768K DSL line shared among everyone. It's good enough, for our normal traffic, and when people want to come in and do research (as long as there aren't too many kids on YouTube!). The problem comes when we need to do reformats and installs on machines. Most of our CD's for these machines are XP with Service Pack 1 - though we have a couple with Service Pack 2. For the SP1 CD's, we immediately deploy the SP2 Redistributable. But that still leaves OVER 100MB worth of downloads from Windows Update to go get. Our budget isn't great in the IT department, so spending money is not a great option - but I could sling together a grant proposal if need be. So how do others manage deploying a new install of Windows? Are we really expected to still download 100+MB per reinstall? Is Service Pack 3 on the horizon?"
"I've heard of programs that download updates to a server computer and distribute them through the network to clients, but that only worked for files released on Microsoft's Knowledge Base, if I recall correctly - not for all Windows Updates."
Make one box a server. (Score:5, Informative)
Just download 'em once. The other machines will go there - instead of windowsupdate.microsoft.com.
You can even schedule yur own times for retreiving and distributing patches, centrally. It might force you to build a domain, if you don't already have one.
Re:Make one box a server. (Score:5, Informative)
Re: (Score:2)
Re:Make one box a server. (Score:1)
Re: (Score:2)
Re: (Score:2)
Re:Make one box a server. (Score:5, Informative)
Requirements are a Windows NT 5.0+ server hosting IIS, and some sort of SQL database. The documentation will reccomend MSDE or MS SQL server. I personally reccomend MSDE.
Try to remember to patch MSDE before you install WSUS.
Loading all of this on an internet facing server (outside the firewall) is NOT reccomended (and may violate the license depending on how it's configured).
Regardless, one should use the Microsoft Baseline Security Analyzer for any IIS server.
That's the install routine off the top of my head. It actually helps to read the documentation for this particular MS Product. There are tons of helpful tips, such as, disabling languages you don't use (to reduce bandwidth and storage space consumed).
Re:Make one box a server. (Score:2)
I use WSUS at all of my installations, Small Business Server 2003 and Windows Server 2003. If you do not have MSDE or SQL, WSUS installs the MSDE for you.
Installation is painless and flawless, though be prepared to spend a weekend letting the machine download updates. Depending upon your installation, you could use 10GB or more storage space. In an environment with Server 2003, SBS2003, Exchange 2003, Windows XP, Office XP and 2003, and Windows Defender, I easily used
Re:Make one box a server. (Score:2, Interesting)
And yeah, everyone's been right on the domain bit; it's REALLY helpful to have
Re:Make one box a server. (Score:2, Informative)
Yeah, WSUS's patch store can take up a HUGE amount of space, but there are two things you can do about it...
The first is that you can narrow the kinds of patches you're downloading. If you're not running Exchange 2000 or Office XP, well then there's no reason to download those patch, now is there? What's more is that you can restrict the kinds of patches it'll download; whereas SUS only handled critical updates and security updates, WSUS runs the whole gamu
Re:Make one box a server. (Score:2)
Re:Make one box a server. (Score:2)
I thought it would be difficult for them to delegate checking of licence keys to WSUS boxes as it must be a pretty big database over at redmond!
Re: (Score:1)
Re:Make one box a server. (Score:2)
Re:Make one box a web cache server. (Score:1)
A different approach (Score:2)
http://www.vmware.com/community/thread.jspa?messag eID=359128 [vmware.com]
--1.5GB growable disk, preconfigured to store objects up to 20MB in size, and Free software to boot. Only uses ~100MB RAM in the guest. Point all browsers at the proxy (10.0.244.4:3128), do a Win Update on _one_ machine, and the other machines will DL the updates from the proxy.
--Vmware Player is free, and can be downloaded here:
http://www.vm [vmware.com]
download once (Score:2)
Re:download once (Score:1)
Re:download once (Score:3, Informative)
http://autopatcher.com/ [autopatcher.com]
Re:download once (Score:5, Insightful)
Don't get me wrong, autopatcher is a great idea and as far as I know there's nothing wrong with it, but seeing as their page is still under construction and I've never heard of them before, I'll abstain from using them except in a testing environment.
Re:download once (Score:3, Informative)
They've been around for a couple of years now ... its - as they say - "The new site is under construction" Neowin's been around since 2000.
Look at the page views in the forums http://www.neowin.net/forum/index.php?showforum=8 9 [neowin.net]
Yesterday's "AutoPatcher XP June 2006" announcement http://www.neowin.net/forum/index.php?s=cb19fcf468 bcd977d13b309c7a176c4d&showtopic=471109 [neowin.net] already has over 150,000 reads.
Or do a search here on slashdot for comments about autopatcher: http://slashdot.org/search.pl?tid= [slashdot.org]
How about... (Score:2)
Re:How about... (Score:1)
SP3 (Score:5, Funny)
Yeah it's called "Vista".
Re:SP3 (Score:2, Informative)
XP SP3 won't come out until 07H2: http://news.com.com/Microsoft+XP+SP3+wont+arrive+
They don't want SP3 to distract people from Vista, so they scheduled it for WAY after Vista launch.
In my opinion, delaying SP3 is VERY abusive. (Score:5, Insightful)
Microsoft has no respect for our time. (Score:2)
Microsoft has no respect for our time.
Imaging Software (Score:2, Interesting)
There's also software out there that can lock down XP, keeping any changes from becoming permanent...I used a program called DeepFreeze to minimize maintenanc on an 12 computer lab I ran.
Reinstalling Windows from scratch is a
DeepFreeze or VMware Player? (Score:2)
How much overhead does DeepFreeze imply? What are the opinions of those you who have used both solutions?
Note that the new version of Xen is also interesting. They claim very low overhead, though it is not cl
Re:DeepFreeze or VMware Player? (Score:1)
I haven't used it since version 4, but the overhead for DeepFreeze was not at all noticeable. I know there was some small amount of overhead since there were at least two processes associated with the program, however a human couldn't tell any difference between a machine with DeepFreeze versus a machine without it. And these weren't souped up machines...they ran Windows 2000 with an 800mgz Athlon and 256MB of RAM. There's no way
Re:Imaging Software (Score:2, Informative)
Re:Imaging Software (Score:1)
Personally, I'm a linux guy. But when I've got to image windows, I use their sysprep [wikipedia.org] tools from the resource kit cd's, and then use ntfsclone from the ntfsprogs [linux-ntfs.org] package to do the actual backup and restore.
Conceptually, the whole thing is easy. Sysprep removes the windows registry identification, device map, and just redetects them upon first boot. However, theres a few steps you'll need to do after restoring from sysprep, but you can automate them. Things like having a random hostname generated for
Re:Imaging Software (Score:2)
Slipstream the hotfixes. (Score:2, Informative)
Re:Slipstream the hotfixes. (Score:2)
The Windows XP installer kept bombing with either protection errors or divide by zero errors (I can't remember which) until I used another computer to create a slipstreamed copy of XP with SP2.
Re:Slipstream the hotfixes. (Score:1)
Originally introduced with Microsoft's Windows 2000 operating system, the ability to integrate service packs and hotfixes into the initial installation of the operating system became known as "slipstreaming". The process of slipstreaming a service pack or hotfix is nearly identical for Windows 2000, Windows XP, and Windows 2003. In fact, wh
Re:Slipstream the hotfixes. (Score:2)
Multiple concepts to be considered. (Score:2)
#2. Keeping the clean install updated.
#3. Keeping unauthorized software off of the clean, updated install(s).
If you don't have all three, you'll be running through the processes again and again and again.
#1. This is the easy part. To save time, take an image of the machine(s) after you've finished.
#2. You can download any patch from Microsoft for "network deployment" so your bandwidth won't really matter. Just start the download process when you're closing up
Is this really a problem? (Score:5, Informative)
Ghost the machines, and keep your images updated every couple of months.
Make a slipstreamed CD that includes all the current updates. This is a dead-simple way to do so. [ryanvm.net].
If your network were bigger, you could use WSUS [microsoft.com] to keep a local repository of all the updates, so you're just downloading them once, and the WSUS server hands them out to all your local computers.
Re:Is this really a problem? (Score:3, Informative)
Re:Is this really a problem? (Score:2)
nLite (Score:4, Informative)
They also offer a bunch of packages (called "Addons" [nliteos.com]) you can embed into this disc, as well: Java, Firefox, AVG Antivirus, WinRAR, etc.
Every month or two I will make a new disc for installs [for customers/friends]. The unattended mode is very handy.
Also see this guide for more detailed instructions (Score:3, Informative)
This has worked very well for me, excepting that I can't get the latest version of F-Prot antivirus to install automatically. I suspect F-Prot has deliberately broken this feature.
Re:Also see this guide for more detailed instructi (Score:1)
Re:Also see this guide for more detailed instructi (Score:2)
Have you tried removing MSN? It is a security risk its self.
Save the patches on your server (Score:4, Insightful)
Re:Save the patches on your server (Score:2)
Image disk and WSUS (Score:4, Informative)
Next you'll need a WSUS - http://www.microsoft.com/windowsserversystem/upda
With these two steps, you'll free up bandwidth and have more time to hit the stacks!
Those links may help (Score:2)
Slipstream security updates as well [techbuilder.org]
Or get updates [microsoft.com] as ISO images and burn your own CDs
SUS is what you want (Score:3, Informative)
Assuming you can get the approval for the server + software bits, you'll achieve what it is you're trying to do - not soak your 'Net connection and still keep a reasonable level of patchedness for your lab machines.
Redhawk
PS - If you're not on a domain, then SUS likely won't fly for you, as it ties into Active Directory and all those goodies.
Re:SUS is what you want (Score:4, Informative)
It can work even if you don't have a domain, you just need to make a registry change in the client computers rather than a GPO.
It's a pity you can't use... (Score:2)
Such use would also make the dynamic customisation of updates much simpler and faster (and more possible at all). People who are much less control-dominated thab MS faced and solved these kinds of issues well and long ago.
Re:It's a pity you can't use... (Score:2)
I'd also like to see reporting telling me what installed where an
Autopatcher (Score:3, Informative)
Re:Autopatcher (Score:1)
RyanVM's Windows XP Post-SP2 Update Pack (Score:5, Informative)
Last updated July 14. About 45 MB with optional add-ons like WMP 10. You'll see a full list of what's included on the front page.
Script the update process. (Score:1)
AutoIt is excellent. (Score:2)
For keyboard macros, use AutoHotkey [autohotkey.com], a fork from an earlier version of AutoIt.
Both FREE.
Re:AutoIt is excellent. (Score:1)
Thanks for the tip.
BTW: I didn't mention one feature of AutoIT we have been enjoying of late. With the geewiz factor, we have been impressing co-workers and bosses. The ability to change the speed at which things happens allows us to show them a slowly automated version of some complex task they were accustommed to doing. T
What software do they use for researching? (Score:2)
Re:What software do they use for researching? (Score:2)
Brilliant. Now all he needs is a way to simplify and automate the process of downloading and installing OS patches to Windows, which is what he actually asked about (not "which OS and browser should I use"). I would recommend WSUS (as most people who actually addressed his question did). Mainly becuase it's free if you already have a Wi
Re:What software do they use for researching? (Score:1, Troll)
He wouldn't need a method to install patches/applications. His core applications would "just work" and he wouldn't have to worry about patching/upgrading every day. Using a Linux OS his core system would be fundamentally secure. He could apply updates if desired, but they wouldn't be mandatory to maintain a secu
Re:What software do they use for researching? (Score:2)
I see that you post has been appropriately modded as a Troll, but I think I'll take the bait anyway. Either you are unfamiliar with Linux, or you are blinded by religious fervor, becaus
In my lab (Score:2, Insightful)
-nick
Microsoft Shared Computer Toolkit (Score:4, Informative)
http://www.microsoft.com/windowsxp/sharedaccess/d
Like DeepFreeze (mentioned earlier in thread) it blocks any changes made to your systems from committing to disk (they get rolled back at logout or the next reboot) unless the administrator specifically allows them. Also: Free. And designed for libraries and schools specifically.
All your answers are here... (Score:3, Interesting)
Linux + VMWare (Score:1)
Re:Linux + VMWare (Score:2)
I just got Vista installed under qemu and running in a window on my Linux desktop.
Don't know if it a solution but it is interesting.
Funny you ask this today. (Score:3, Insightful)
There are plenty of references [msn.com] about slipstreaming.
Why reformat and reinstall at all? (Score:2)
My college computer labs use DeepFreeze to restore the HDs to a preset condition on every boot, wiping out installed software, etc. You should consider looking into it, it works fine for them. Only way around it is to not boot from the HD, but from a LiveCD or something (and this can hopefully be stopped through BIOS settings... one of my friends worked around it with a CD and partitioned and dual booted Slackware as an experiment, heh heh heh).
If you choose to research this, also be sure to research cr
Re:Why reformat and reinstall at all? (Score:2)
I've got a great solution (Score:2)
Re:I've got a great solution (Score:2)
Anyone know how to get the sound working in VMware and Windows 98 (don`t tell me google, as I tried it), the device found has no driver that fits... and the SoundBlaster 16 driver does not work
no Wine is no use, as these are learning CDroms my wife needs for medicine and they require a real Windows 98.
Thanks SlashSupport!
Don't let Microsoft abuse you, if you can avoid it (Score:2, Informative)
Genuine Advantage is Microsoft spyware [windowssecrets.com]
Dump Windows Update, use alternatives [windowssecrets.com]
On Topic: (Score:2)
The first link in the parent comment is not "Offtopic". It's an alternative way to update your Windows computers, which is exactly the subject of the discussion.
Use Linux! (Score:1)
It manages to cache almost all windows updates so you get them fast and save your bandwidth.
Custom script.. (Score:2)
If you can't get WSUS to work (which is the best option around for free..), try this little script:
http://i3.tucuxi.org/articles/2005/hotfixes-wsh [tucuxi.org]
It's something I hacked up when I couldn't get SUS (predecessor to WSUS) to work, and seems to do the job.. only thing is, users need to have local admin if this is to run as a logon script.
what to do what to do... (Score:1)
Several Solutions (Score:2, Informative)
Autopatcher (Score:1)
WSUS is good but Auto Patcher may be better ... (Score:2)
Personally I've been using a tool called AutoPatcher http://www.autopatcher.com/ [autopatcher.com] which includes all the updates and a number of other standard companents, like flash, java etc.
If you have seen it yet then check it out. It soulds like it will be exactly what you are looking for.
Shavlik! (Score:1)
Shavlik wrote the MS Baseline Security Analyser, the product is solid. www.shavlik.com
No, I don't work for them...
security updates available from MS (Score:1)
simple, safe (as much as a microsoft service could be) and pretty much foolproof
http://support.microsoft.com/kb/913086 [microsoft.com]
Server? Too expensive. (Score:2)
For incremental updates, staggering automatic downloads a 2 through 6 am should work.
For service packs, download to cd. He already does that.
The real problem is the reinstalling, and frankly, you shouldn't need to.......
Locked down permission, draconian install policies, or switch to Linux. You should not need to reinstall unless you experience hard failure, and in that event reinstall, turn on automatic updates, and let the thing start sucking on your dsl at 6 pm on
mm, explore the windows update site more (Score:2)
Search for SP2 on multiple computers, or something along those lines. And when SP3 comes out, do the same thing.
I remember I had to do that for a friend whose laptop was in german, and the campus wouldn't let her get on the web without SP2 installed... I downloaded it, burned it, and installed it from the CD without so much as scoffing from either MS or Windows.
I do suppose you have CD-Rs lying around?
A little bit of everything (Score:2, Interesting)
Re:If all most of them are doing is surfing the ne (Score:2)
Library computers are not necessarly browser kiosks.
Some people use the library computers to do work, which means users expect to read/write MS Word documents. Some of these users don't know how to use anything other than Microsoft Word and would completely panic when forced to use the "forign" OpenOffice.org (unless it is skinned to look no different), and can also pa
Re:If all most of them are doing is surfing the ne (Score:2, Interesting)
They're just not that different. If the user is incapacitated by such a small difference in the layout of menus or toolbars, then he's got more problems than any sysadmin is qualified to deal with.
The grandparent poster is right; there's nothing that le
Re:If all most of them are doing is surfing the ne (Score:2)
Users are incapacitated by The Bleeding Obvious [rinkworks.com]. Given the amount of people that are likely to be confused by things that are obvious, you can be sure that there will be more people confused by something that does not have the same look and feel.
Re:If all most of them are doing is surfing the ne (Score:2)
Well, to be a bit brutal about it, if he is slowed down by a few nanoseconds, who cares? If Apple can get away with calling their floppy drives anything other than "A:/" without being branded as user-unfr
Re:If all most of them are doing is surfing the ne (Score:2)
Most of the library computers I've heard of are locked down so people can't just "bring their own data" so as to prevent problems with malware.
BTW: I guess you missed the reference to "pubic access" aka surfing for pr0n on the net :-)
Re:If all most of them are doing is surfing the ne (Score:2)
This can be particularly true in a small town. Word and Publisher see a lot of use here. It doesn't hurt that the easily navigated MS Office site delivers one-stop shopping for tutorials, templates and clip art.
Re:If all most of them are doing is surfing the ne (Score:3, Insightful)
Let me put your proposal in other terms:
Me: "My car is running rough."
You: "Buy another car!"
How about we make useful proposals to this guy before swapping out
all his technology.
Re:If all most of them are doing is surfing the ne (Score:3, Interesting)
Hah! Another bad car analogy.
If your current car has an engine that doesn't run properly, requires a lot of maintenance, and periodic expenditures for a new, buggier engine every few years to that same manufacturer, and someone else is offering you a free new engine, with free upgrades, and the chance to try it, again at no risk, you're going to try it.
In this case, ther are plenty of live DVD/CDs that give people a chance to kick the tires, so instead of having to throw out the whole "car", you can ju
Re: (Score:2)
Re:Followed by an equally bad one (Score:2)
With the caveat that you have to install the engine yourself and there is absolutely no support - unless of course you want to count support as asking your buddy at work who likes to work on cars to help you, and waiting a few days before he has the time.
Most people who don't get Windows pre-installed have to install it themselves. Also, there is absolutely no support from most resellers after 90 days, and what crap support you get is limited to "oh, you have too many viruses - we'll have to charge you
Re: (Score:1)
Re:Followed by an equally bad one (Score:3, Insightful)
Well yeah, but what eprcentage of people don't get Windows pre-installed? 1%? I don't see your point.
The buying market has matured; everyone I know buys from small white-box builders; they don't "get Windows for free".
The problem then was that the applications sucked compared to their Windows equivalents
Re:If all most of them are doing is surfing the ne (Score:2)
There was no damned reason to go from Win2k to WinXP, but many did.
Most people didn't go from Win2k to WinXP; they either went from Win9x, or its their first computer.
Heck, I know some people who are still running Win98 - they've recently gotten a new box (it has XP on it) and they want me to install linux on it. Why? Because its just a
Re:Windows Update? who uses THAT anymore?? (Score:2, Insightful)
Start masturbating, I'm going to feed your troll:
If you don't have legitimate copies, Microsoft isn't your vendor. You get to sleep in the bed you made.