Wednesday, June 22, 2011

CHAPTER 7 (I)


CHAPTER 7
Updates
Although Windows 7 is designed to minimize security risks out of the box, attackers are constantly discovering new security vulnerabilities. To adapt to changing security risks, improve the reliability of Windows, and add support for new hardware, you must deploy updates to your client computers. In homes and small offices, Windows automatically downloads the newest critical updates from Microsoft, allowing computers to stay up to date without any administrative effort. This approach does not scale to enterprises, which must manage thousands of computers. In enterprises, IT departments need to test updates to ensure that they do not cause widespread compatibility problems. In addition, having each computer download the same update across the Internet would waste your bandwidth, potentially affecting your network performance when Microsoft releases large updates. This chapter discusses managing, testing, and troubleshooting updates for client computers running Windows 7.
Exam objective in this chapter:
Identify and resolve software update issues.
Lesson in this chapter:
Lesson 1: Updating Software
Before You Begin
To complete the lessons in this chapter, you should be familiar with Windows 7 and be comfortable with the following tasks:
Installing Windows 7
Connecting a computer to a network physically
Performing basic administration tasks on a Windows Server 2008 R2–based domain controller
REAL WORLD
Tony Northrup
In July 2001, the Code Red worm spread quickly across Microsoft Internet Information Server (IIS)–based Web servers on the Internet. At the time, I was part of a team that managed hundreds of IIS Web servers. The Code Red worm exploited a buffer overflow vulnerability in IIS on Microsoft Windows 2000 Server and Microsoft Windows NT 4.0. About a month prior, Microsoft released an update that fixed the vulnerability and would prevent the Code Red worm from compromising Web servers. So, my servers should have been safe, right? Unfortunately, no. At the time, deploying updates was very difficult. Automatic Updates was not an option, and Windows Server Update Services (WSUS) did not yet exist. We had a third-party infrastructure for automatically installing updates, but it frequently caused errors.
Because updates almost always required servers to be restarted (causing downtime), we had to schedule every update with the customer. Because of the time required to install updates and the frequency with which Microsoft was releasing updates, we were several months behind on our update deployments.
The Code Red worm infected hundreds of thousands of IIS Web servers, including dozens of servers that my organization managed. The patching team had to work long hours for weeks at a time to repair damage that could have been prevented easily by installing the update promptly. The cost to our reputation was immeasurable.
Nowadays, Microsoft has made update management far more efficient. The importance of installing updates has only increased, however. Malware authors have become more sophisticated, and when an exploit is found, it can be difficult or impossible to remove. For that reason, this chapter is the most important chapter in the book to master for the real world.

Lesson 1: Updating Software
Because security threats are evolving constantly, Microsoft must release updates to Windows 7 and other Microsoft software regularly. Deploying and managing these updates are some of the most important security tasks an IT department can perform. This lesson describes the different techniques for deploying updates to computers running Windows 7 and explains how to install and manage updates and how to troubleshoot update problems.
After this lesson, you will be able to:
Choose a deployment technique for distributing updates within your organization.
Install updates automatically, manually, and to new computers.
Troubleshoot problems installing updates.
Uninstall updates.
Estimated lesson time: 45 minutes
Methods for Deploying Updates
Microsoft provides several techniques for applying updates:
Directly from Microsoft For home users and small businesses, Windows 7 is configured to retrieve updates directly from Microsoft automatically. This method is suitable only for smaller networks with fewer than 50 computers.
Windows Server Update Services (WSUS) WSUS enables administrators to approve updates before distributing them to computers on an intranet. If you want, updates can be stored and retrieved from a central location on the local network, reducing Internet usage when downloading updates. This approach requires at least one infrastructure server.
Microsoft Systems Center Configuration Manager 2007 (Configuration Manager 2007) The preferred method for distributing software and updates in large, enterprise networks, Configuration Manager 2007 provides highly customizable, centralized control over update deployment, with the ability to audit and inventory client systems. Configuration Manager 2007 typically requires several infrastructure servers.
The sections that follow describe the Windows Update client, WSUS, and Configuration Manager 2007.
Windows Update Client
Whether you download updates from Microsoft or use WSUS, the Windows Update client is responsible for downloading and installing updates on computers running Windows 7 and Windows Vista. The Windows Update client replaces the Automatic Updates client available in earlier versions of Windows. Both Windows Update in Windows 7 and Automatic Updates in earlier versions of Windows operate the same way: they download and install updates from Microsoft or an internal WSUS server. Both clients install updates at a scheduled time and automatically restart the computer if necessary. If the computer is turned off at that time, the updates can be installed as soon as the computer is turned on. Alternatively, Windows Update can wake a computer from sleep and install the updates at the specified time if the computer hardware supports it.
The Windows Update client provides for a great deal of control over its behavior. You can configure individual computers by using the Control Panel\System And Security\Windows Update\Change Settings page, as described in the section entitled “How to Configure Windows Update Using Graphical Tools” later in this chapter. Networks that use Active Directory Domain Services (AD DS) can specify the configuration of each Windows Update client by using Group Policy, as described in the section entitled “How to Configure Windows Update Using Group Policy Settings,” later in this chapter.
After the Windows Update client downloads updates, the client checks the digital signature and the Secure Hash Algorithm (SHA1) hash on the updates to verify that they have not been modified after they were signed by Microsoft. This helps mitigate the risk of an attacker either creating malware that impersonates an update or modifying an update to add malicious code.
Windows Server Update Services
WSUS is a version of the Microsoft Update service that you can host on your private network. WSUS connects to the Microsoft Update site, downloads information about available updates, and adds them to a list of updates that require administrative approval. After an administrator approves and prioritizes these updates, WSUS automatically makes them available to any computer running Windows Update (or the Automatic Updates client on earlier versions of Windows). Windows Update (when properly configured) then checks the WSUS server and automatically downloads and installs updates as configured by the administrators. As shown in Figure 7-1, you can distribute WSUS across multiple servers and locations to scale to enterprise needs. WSUS meets the needs of medium-size organizations and many enterprises.
You must install WSUS on at least one infrastructure server, such as a computer running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. To deploy updates to computers running Windows 7, you must have WSUS 3.0 SP2 or later installed on your server.

FIGURE 7-1 WSUS can scale to support thousands of computers.
MORE INFO
WSUS
For more information about update management with WSUS, visit http://www.microsoft.com/wsus/.
Configuration Manager 2007
Configuration Manager 2007 is a tool for efficiently managing, distributing, and inventorying software in enterprise environments. Although WSUS is sufficient to meet the needs of medium-size organizations, Configuration Manager 2007 can supplement WSUS in enterprise organizations that manage hundreds or thousands of computers.
EXAM TIP
You definitely won’t need to know how to use Configuration Manager 2007 for the exam, but it wouldn’t hurt to be familiar with what it can do. For more information about Configuration Manager 2007, visit the Configuration Manager 2007 Web site at http://www.microsoft.com/sccm.
How to Check Update Compatibility
Microsoft performs some level of compatibility testing for all updates. Critical updates (small updates that fix a single problem) receive the least amount of testing because they occur in large numbers and they must be deployed quickly. Service packs (large updates that fix many problems previously fixed by different critical updates) receive much more testing because they are released infrequently.
Whether you are planning to deploy critical updates or a service pack, you can reduce the chance of application incompatibility by testing the updates in a lab environment. Most enterprises have a Quality Assurance (QA) department that maintains test computers in a lab environment with standard configurations and applications. Before approving an update for deployment in the organization, QA installs the update on the test computers and verifies that critical applications function with the update installed.
Whether or not you have the resources to test updates before deploying them, you should install updates on pilot groups of computers before installing the updates throughout your organization. A pilot group is a small subset of the computers in your organization that receive an update before wider deployment. Ideally, pilot groups are located in an office with strong IT support and have technology-savvy users. If an update causes an application compatibility problem, the pilot group is likely to discover the incompatibility before it affects more users.
If you are using WSUS to deploy updates, you can configure a pilot group by creating a computer group named Pilot and adding computers to the Pilot group. Then, approve updates for the Pilot group before you approve them for the rest of your organization.
EXAM TIP
This exam focuses on Windows 7, and WSUS runs only on server versions of Windows. Therefore, the exam will probably not require you to know exactly how to deploy updates with WSUS. For that reason, this lesson discusses WSUS only at a high level.

Practice 2, at the end of this lesson, walks you through the process of installing WSUS on a computer running Windows Server 2008 R2, synchronizing updates from Microsoft, and then approving updates. Practice 2 should give you sufficient experience with WSUS to pass this exam; however, after completing the practice, you should add to your real-world experience with WSUS by examining every aspect of the software, including creating a pilot group of computers.
If users experience problems that you think might be related to an update, you can use Reliability Monitor to help identify updates that might be related to the cause of the problem. For information about how to use Reliability Monitor, refer to Chapter 1, “Troubleshooting Hardware Failures.”
How to Install Updates
Ideally, you would deploy new computers with all current updates already installed. After deployment, you can install updates manually, but you’ll be much more efficient if you choose an automatic deployment technique. For situations that require complete control over update installation but still must be automated, you can script update installations. The sections that follow describe how to apply updates to new computers, how to install updates manually, how to install updates automatically, and how to script update installations.
How to Apply Updates to New Computers
When you deploy new computers, you should deploy them with as many recent updates as possible. Even though Windows 7 immediately checks for updates the first time it starts (rather than waiting for the scheduled automatic update time), it might take hours for Windows to download and install all updates. Applying updates to new computers provides improved security for the computer the first time it starts, reducing the risk that a patched vulnerability will be exploited before updates can be applied.
You can use the following techniques, in order of most secure to least secure, to apply updates to new computers:
Integrate updates into Windows 7 setup files
If you use an automatic deployment technology such as the Microsoft Deployment Toolkit (MDT) 2010, you can ensure that updates are present during setup by installing Windows 7 and all updates on a lab computer and then using Windows PE and the ImageX tool to create an operating system image (a .wim file) that you can deploy to new computers.
MORE INFO
MDT 2010
For more information about MDT, visit http://www.microsoft.com/mdt.
Install updates automatically during setup
Using scripting, you can install updates automatically during setup. Ideally, you would distribute the update files with your Windows 7 installation media or on the distribution server. You can use MDT to configure updates for installation during setup, or you can configure updates manually using one of the following techniques:
• Use the Windows System Image Manager to add a Run Synchronous command to an answer file in your Windows 7 image. Run Synchronous commands are available in the <platform>-Microsoft-Windows-Setup, <platform>-Microsoft-Windows-Deployment, and the <platform>-Microsoft-Windows-Shell-Setup features. For detailed instructions, read “Add a Custom Command to an Answer File,” at http://technet.microsoft.com/library/dd799295.aspx. For information about how to install updates from a script, read “How to Script Updates” later in this lesson.
• Edit the %windir%\Setup\Scripts\SetupComplete.cmd file in your Windows 7 image. Windows 7 runs any commands in this file after Windows Setup completes. Commands in the SetupComplete.cmd file are executed with local system privilege and actions are logged to the SetupAct.log file. You cannot reboot the system and resume running SetupComplete.cmd; therefore, you must install all updates in a single pass. Add the update package to the distribution share or answer file. For more information, read “Add Applications, Drivers, Packages, Files, and Folders,” at http://technet.microsoft.com/library/dd744568.aspx.
Install updates manually using removable media
One of the best ways to minimize the risk of a new computer being attacked before it installs updates is to deploy computers while disconnected from the network, using removable media. If you choose this approach, you should also use removable media to install updates before connecting the computer to unprotected networks.
Use WSUS to apply updates to new computers
After Windows 7 starts the first time, it immediately attempts to download updates (rather than waiting for the scheduled Windows Update time). Therefore, even with the default settings, the time new computers spend without updates is minimized. To further minimize this, ask your WSUS administrators to configure the most critical updates with a deadline. The deadline forces new computers downloading the updates to install the critical updates and then immediately restart to apply them.
How to Install Updates Manually
With previous versions of Microsoft Windows, you could apply updates manually by visiting the http://windowsupdate.com Web site. In Windows 7, you must follow these steps:
1. Click Start, click All Programs, and then click Windows Update.
2. The Windows Update window appears. Click the Check For Updates link.
3. If any updates are available, click Install Updates, as shown in Figure 7-2. To install optional updates, click View Available Updates.

FIGURE 7-2 Using the Windows Update tool to check for updates
If an update does not appear on the list, it might have been hidden. To fix this, click the Restore Hidden Updates link in the Windows Update window.
4. Windows Update downloads and installs the available updates.
5. If required, restart the computer by clicking Restart Now.
If you choose not to restart the computer immediately, Windows Update regularly prompts the user to restart. The user can postpone the update prompt for up to four hours. Administrative credentials are not required to install updates.
How to Install Updates Automatically
You can configure automatic updates by using either graphical, interactive tools or by using Group Policy. The sections that follow describe each of these techniques.
HOW TO CONFIGURE WINDOWS UPDATE USING GRAPHICAL TOOLS
During an interactive setup, Windows 7 prompts users to choose update settings. Setup recommends enabling automatic updates. To configure automatic updates on a computer manually, follow these steps (which require administrative privileges):
1. Click Start, and then click Control Panel.
2. Click the System And Security link.
3. Under Windows Update, click the Turn Automatic Updating On Or Off link.
4. Adjust the settings, including whether updates are installed automatically and the time they are installed, and then click OK.
HOW TO CONFIGURE WINDOWS UPDATE USING GROUP POLICY SETTINGS
You can configure Windows Update client settings using local or domain Group Policy settings. This is useful for the following tasks:
Configuring computers to use a local WSUS server
Configuring automatic installation of updates at a specific time of day
Configuring how often to check for updates
Configuring update notifications, including whether non-administrators receive update notifications
Configuring client computers as part of a WSUS target group, which you can use to deploy different updates to different groups of computers
Windows Update settings are located at Computer Configuration\Administrative Templates\Windows Components\Windows Update. The most useful Windows Update Group Policy settings are as follows:
Configure Automatic Updates
Specifies whether client computers will receive security updates and other important downloads through the Windows Update service. You also use this setting to configure whether the updates are installed automatically and what time of day the installation occurs.
Specify Intranet Microsoft Update Service Location
Specifies the location of your WSUS server.
Automatic Updates Detection Frequency
Specifies how frequently the Windows Update client checks for new updates. By default, this is a random time between 17 and 22 hours.
Allow Non-Administrators To Receive Update Notifications
Determines whether all users or only administrators will receive update notifications, as shown in Figure 7-3.
Non-administrators can install updates using the Windows Update client.

FIGURE 7-3 Users are notified of available updates with a notification bubble.
Allow Automatic Updates Immediate Installation
Specifies whether Windows Update will install updates immediately that don’t require the computer to be restarted.
Turn On Recommended Updates Via Automatic Updates
Determines whether client computers install both critical and recommended updates, which might include updated drivers.
No Auto-Restart With Logged On Users For Scheduled Automatic Updates Installations
Specifies that to complete a scheduled installation, Windows Update will wait for the computer to be restarted by any user who is logged on instead of causing the computer to restart automatically.
Re-Prompt For Restart With Scheduled Installations
Specifies how often the Windows Update client prompts the user to restart. Depending on other configuration settings, users might have the option of delaying a scheduled restart. However, the Windows Update client will remind them automatically to restart based on the frequency configured in this setting.
Delay Restart For Scheduled Installations
Specifies how long the Windows Update client waits before automatically restarting.
Reschedule Automatic Updates Scheduled Installations
Specifies the amount of time for Windows Update to wait, following system startup, before continuing with a scheduled installation that was missed previously. If you don’t specify this amount of time, a missed scheduled installation will occur one minute after the computer is next started.
Enable Client-Side Targeting
Specifies which group the computer is a member of.
Enabling Windows Update Power Management To Automatically Wake Up The System To Install Scheduled Updates
If people in your organization tend to shut down their computers when they leave the office, enable this setting to configure computers with supported hardware to start up automatically and install an update at the scheduled time. Computers will not wake up unless there is an update to be installed. If the computer is on battery power, the computer will return to sleep.
In addition, the following two settings are available at the same location under User Configuration (which you can use to specify per-user settings) in addition to Computer Configuration:
Do Not Display Install Updates And Shut Down Option In Shut Down Windows Dialog Box
Specifies whether Windows shows the Install Updates And Shut Down option.
Do Not Adjust Default Option To Install Updates And Shut Down In Shut Down Windows Dialog Box
Specifies whether Windows automatically changes the default shutdown option to Install Updates And Shut Down when Windows Update is waiting to install an update.
Finally, one user setting is available only at User Configuration\Administrative Templates\Windows Components\Windows Update:
Remove Access To Use All Windows Update Features
When enabled, this setting prevents the user from accessing the Windows Update interface.
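The Group Policy settings above are written to the client's registry under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, so a quick way to confirm that a Windows 7 client actually picked up the WSUS policy is to read those values back. The following batch script is an added example, not code from the book; it only reads the registry and changes nothing.

```batch
@echo off
rem Added example, not from the book: read back the Windows Update policy
rem values that the Group Policy settings above write on a Windows 7 client.
rem Read-only; nothing is changed.
setlocal enabledelayedexpansion
set "POL=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"

echo == Specify Intranet Microsoft Update Service Location ==
call :show "%POL%" WUServer
call :show "%POL%" WUStatusServer
call :show "%POL%\AU" UseWUServer

echo == Enable Client-Side Targeting ==
call :show "%POL%" TargetGroupEnabled
call :show "%POL%" TargetGroup

echo == Configure Automatic Updates ==
call :show "%POL%\AU" NoAutoUpdate
call :show "%POL%\AU" AUOptions
call :show "%POL%\AU" ScheduledInstallDay
call :show "%POL%\AU" ScheduledInstallTime

echo == Automatic Updates Detection Frequency ==
call :show "%POL%\AU" DetectionFrequencyEnabled
call :show "%POL%\AU" DetectionFrequency
endlocal
goto :eof

:show
rem %1 = registry key, %2 = value name. reg query prints a line such as
rem "    AUOptions    REG_DWORD    0x4"; tokens=2,* keeps the type and the data.
set "DATA="
for /f "tokens=2,*" %%A in ('reg query %1 /v %2 2^>nul ^| findstr /i /c:"REG_"') do set "DATA=%%B"
if defined DATA (
    echo   %2 = !DATA!
    if /i "%2"=="AUOptions" call :decode !DATA!
) else (
    echo   %2 = not set by policy
)
goto :eof

:decode
rem AUOptions values behind the Configure Automatic Updates drop-down list
if "%1"=="0x2" echo     2 = notify before downloading and installing
if "%1"=="0x3" echo     3 = download automatically, notify before installing
if "%1"=="0x4" echo     4 = download and install on the configured schedule
if "%1"=="0x5" echo     5 = allow the local administrator to choose
goto :eof
```

A value reported as "not set by policy" means the client is using its local Control Panel setting for that item, which on a domain-joined machine usually indicates the policy has not applied yet (run gpupdate /force and check again).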
How to Script Updates
Windows 7 opens MSU files with the Windows Update Standalone Installer (Wusa.exe). To install an update from a script, run the script with administrative privileges, call Wusa and provide the path to the MSU file. For example, you can install an update named Windows6.0-KB929761-x86.msu in the current directory by running the following command:
wusa Windows6.0-KB929761-x86.msu
In addition, Wusa supports the following standard command-line options:
/?, /h, or /help Displays the command-line options.
/uninstall Removes the specified package. Add the /kb option to specify the package to be removed using the Knowledge Base (KB) number.
/quiet Quiet mode. This is the same as unattended mode, but no status or error messages are displayed. Use quiet mode when installing an update as part of a script.
/norestart When combined with /quiet, does not restart when installation has completed. Use this parameter when installing multiple updates simultaneously. All but the last update installed should have the /norestart parameter.
/warnrestart When combined with /quiet, the installer warns the user before restarting the computer.
/promptrestart When combined with /quiet, the installer prompts the user to confirm that the computer can be restarted.
/forcerestart When combined with /quiet, the installer closes all applications and restarts the computer.
Scripting is not usually the best way to install updates on an ongoing basis. Instead, you should use Windows Update, WSUS, or Systems Management Server (SMS). However, you might create a script to install updates on new computers or to install updates on computers that cannot participate in your standard update distribution method.
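An added example of the scripted approach described above and of the single-pass requirement for SetupComplete.cmd (not code from the book): a batch script that installs every MSU package in a folder with /quiet /norestart, records each package's exit code, and restarts once at the end instead of after each package. It assumes the packages were copied to %SystemDrive%\Updates, a placeholder path, and it must run with administrative privileges.

```batch
@echo off
rem Added example, not from the book: install every .msu in one pass
rem (SetupComplete.cmd cannot resume after a reboot), then restart once.
rem %SystemDrive%\Updates is a placeholder; point it at your update folder.
setlocal enabledelayedexpansion
set "UPDATEDIR=%SystemDrive%\Updates"
set "LOG=%windir%\Temp\InstallUpdates.log"
set "NEEDREBOOT=0"

if not exist "%UPDATEDIR%\*.msu" (
    echo [%date% %time%] No .msu packages found in %UPDATEDIR% >> "%LOG%"
    goto :done
)

for %%F in ("%UPDATEDIR%\*.msu") do (
    echo [!date! !time!] Installing %%~nxF >> "%LOG%"
    rem /norestart on every package so a reboot never interrupts the pass;
    rem the single restart happens below, after the last package.
    wusa.exe "%%~fF" /quiet /norestart
    set "RC=!errorlevel!"
    if !RC! equ 0 (
        echo   installed, no restart needed >> "%LOG%"
    ) else if !RC! equ 3010 (
        rem 3010 = ERROR_SUCCESS_REBOOT_REQUIRED
        echo   installed, restart required >> "%LOG%"
        set "NEEDREBOOT=1"
    ) else if !RC! equ 2359302 (
        rem 2359302 = 0x240006, WU_S_ALREADY_INSTALLED
        echo   already installed, skipped >> "%LOG%"
    ) else (
        echo   FAILED, wusa exit code !RC! >> "%LOG%"
    )
)

:done
if "%NEEDREBOOT%"=="1" (
    echo [%date% %time%] Restarting once to finish applying updates >> "%LOG%"
    shutdown.exe /r /t 30 /c "Restarting to complete update installation"
)
endlocal
```

Because wusa returns a distinct exit code per package, the log in %windir%\Temp tells you afterwards which updates installed, which were already present, and which failed, without having to open the Windows Update history on each machine.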
