Wednesday, June 22, 2011

CHAPTER 7 (II)


How to Verify Updates
Microsoft typically releases updates once per month. If a computer does not receive updates, or the updates fail to install correctly, the computer might be vulnerable to security exploits that it would be protected from if the updates were installed. Therefore, it’s critical to the security of your client computers that you verify updates are regularly installed. You can view the update history to verify that an individual computer has updates installed. To view the update history, follow these steps:
1. Click Start, click All Programs, and then click Windows Update.
2. The Windows Update window appears. Click the View Update History link.
3. The View Update History window appears, as shown in Figure 7-4. To view the details of an update, double-click it.

FIGURE 7-4 Reviewing an update history with the Windows Update tool
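The history shown in the View Update History window can also be read from a script through the Windows Update Agent COM API. The following PowerShell is an added example, not part of the original text. The 35-day threshold is an assumption, chosen to tolerate one missed monthly release.

```powershell
# Added example: audit the local update history from a script.
# $MaxAgeDays is an assumed threshold, not a value from the text.
$MaxAgeDays = 35

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()
if ($total -eq 0) {
    Write-Warning 'No update history is recorded on this computer.'
    return
}

# Names for IUpdateHistoryEntry.ResultCode (OperationResultCode enumeration)
$resultNames = @{ 0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'
                  3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }

# Keep installations only (Operation 1 = installation, 2 = uninstallation).
# History dates are stored in UTC, so convert them for display.
$history = $searcher.QueryHistory(0, $total) |
    Where-Object { $_.Operation -eq 1 } |
    Select-Object @{ n = 'Date';    e = { $_.Date.ToLocalTime() } },
                  @{ n = 'Result';  e = { $resultNames[[int]$_.ResultCode] } },
                  @{ n = 'HResult'; e = { '0x{0:X8}' -f $_.HResult } },
                  Title

# Anything that did not install cleanly, newest first
$history | Where-Object { $_.Result -ne 'Succeeded' } |
    Sort-Object Date -Descending | Format-Table -AutoSize -Wrap

$lastGood = $history | Where-Object { $_.Result -eq 'Succeeded' } |
    Sort-Object Date -Descending | Select-Object -First 1

if (-not $lastGood) {
    Write-Warning 'No successful installation appears in the update history.'
} elseif (((Get-Date) - $lastGood.Date).TotalDays -gt $MaxAgeDays) {
    Write-Warning ('Last successful install was {0:yyyy-MM-dd}, more than {1} days ago.' -f
        $lastGood.Date, $MaxAgeDays)
} else {
    'Last successful install: {0:yyyy-MM-dd} ({1})' -f $lastGood.Date, $lastGood.Title
}
```

Windows Defender definition updates also appear in this history, so filter on Title if only operating system updates should count toward the last successful install.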
You can use WSUS or Configuration Manager 2007 to monitor update installation throughout the computers that you manage in your organization. To audit computers on a network-by-network basis (including computers that are not members of your AD DS, but that you do have administrative credentials to), you can use the Microsoft Baseline Security Analyzer (MBSA). As shown in Figure 7-5, MBSA scans a network to find computers running Windows, connects to them, and checks the current update level.
MORE INFO
MBSA
For more information about MBSA and to download the free tool, visit http://www.microsoft.com/mbsa/.

FIGURE 7-5 Preparing to scan a network with MBSA
Quick Check
1. Which tool would you use to install updates from a script?
2. Which tool would you use to add updates to a Windows 7 image prior to deployment?
3. Which tool would you use to approve updates prior to deployment throughout your organization?
4. Which tool would you use to scan a network for missing updates?
Quick Check Answers
1. Wusa.exe
2. Windows System Image Manager
3. WSUS
4. MBSA
How to Troubleshoot Problems Installing Updates
Occasionally, you might experience a problem installing an update. Fortunately, Windows 7 provides detailed information about update installations. The sections that follow describe how to troubleshoot problems with Windows Update and Restart Manager.
How to Troubleshoot Windows Update
To identify the source of the problem causing an update to fail, follow these steps:
1. Examine recent entries in the %Windir%\WindowsUpdate.log file to verify that the client is contacting the correct update server and to identify any error messages. The following example shows a portion of the log file in which Windows Update downloaded Windows Defender information directly from Microsoft:
=========== Logging initialized (build: 7.3.7600.16385, tz: -0400) ===========
Process: c:\program files\windows defender\MpCmdRun.exe
Module: C:\Windows\system32\wuapi.dll
-------------
-- START -- COMAPI: Search [ClientId = Windows Defender]
---------
<<-- SUBMITTED -- COMAPI: Search [ClientId = Windows Defender]
*************
** START ** Agent: Finding updates [CallerId = Windows Defender]
*********
* Online = Yes; Ignore download priority = No
* Criteria = "(IsInstalled = 0 and IsHidden = 0 and CategoryIDs contains '8c3fcc84-7410-4a95-8b89-a166a0190486' and CategoryIDs contains 'e0789628-ce08-4437-be74-2495b842f43b')"
* ServiceID = {00000000-0000-0000-0000-000000000000} Third party service
* Search Scope = {Machine}
Validating signature for C:\Windows\SoftwareDistribution\WuRedir\\muv4wuredir.cab:
Microsoft signed: Yes
The WindowsUpdate.log file will also detail update errors that occur. For detailed information about how to read the WindowsUpdate.log file, refer to Microsoft Knowledge Base article 902093 at http://support.microsoft.com/kb/902093/.
2. If your organization uses WSUS, verify that the client can connect to the WSUS server by opening a Web browser and visiting http://<WSUSServerName>/iuident.cab. If you are prompted to download the file, this means that the client can reach the WSUS server and it is not a connectivity issue. Otherwise, you could have a name resolution or connectivity issue or WSUS is not configured correctly.
MORE INFO
TROUBLESHOOTING WSUS
For more information about troubleshooting WSUS from the WSUS client, read “Automatic Updates Must be Updated,” at http://technet.microsoft.com/library/cc708554.aspx
3. If you use Group Policy to configure the Windows Update client, use the Resultant Set of Policy (RSOP) tool (Rsop.msc) to verify the configuration. Within RSOP, browse to the Computer Configuration\Administrative Templates\Windows Components\Windows Update node and verify the configuration settings.
If you have identified a problem and made a configuration change that you hope will resolve it, restart the Windows Update service on the client computer to make the change take effect and begin another update cycle. You can do this using the Services console or by running the following command with administrative credentials:
net stop wuauserv && net start wuauserv
Within 6 to 10 minutes, Windows Update will attempt to contact your update server.
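The three checks in the procedure above can be run together on the client. The following PowerShell is an added example, not part of the original text. It reads the Windows Update policy from the registry instead of opening Rsop.msc, and the log search patterns ('WARNING:', 'FATAL:', 'WSUS server') are assumptions about how the Windows Update Agent words those entries.

```powershell
# Added example: update server policy, WSUS reachability, and recent log errors.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Step 3 equivalent: the values Group Policy wrote for the Windows Update client
$wu = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path "$policyKey\AU" -ErrorAction SilentlyContinue

if (-not $wu -or -not $wu.WUServer -or $au.UseWUServer -ne 1) {
    Write-Warning 'No intranet update service in policy; the client uses Microsoft Update.'
} else {
    "Policy update server : $($wu.WUServer)"
    "Policy status server : $($wu.WUStatusServer)"
    "AUOptions            : $($au.AUOptions)"   # 3 = auto download and notify for install

    # Added check: over plain HTTP, update metadata is not protected in transit.
    if ($wu.WUServer -notmatch '^https://') {
        Write-Warning 'WUServer is not an https:// URL.'
    }

    # Step 2: request iuident.cab from the server named in policy.
    $url = $wu.WUServer.TrimEnd('/') + '/iuident.cab'
    $tmp = Join-Path $env:TEMP 'iuident.cab'
    try {
        (New-Object System.Net.WebClient).DownloadFile($url, $tmp)
        'Reached {0} ({1} bytes)' -f $url, (Get-Item $tmp).Length
    } catch {
        Write-Warning "Cannot fetch ${url}: $($_.Exception.Message)"
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

# Step 1: which server the agent last reported, and its most recent problems.
$log = Join-Path $env:windir 'WindowsUpdate.log'
$lines = Get-Content $log

'--- Servers reported in the log ---'
$lines | Select-String -Pattern 'WSUS server' |
    Select-Object -Last 4 | ForEach-Object { $_.Line }

'--- Last 20 warning and error entries ---'
$lines | Select-String -Pattern 'WARNING:|FATAL:' |
    Select-Object -Last 20 | ForEach-Object { $_.Line }
```

If the server in the log differs from the server in policy, the client has not yet applied the policy or the Windows Update service has not been restarted since the change.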
How to Troubleshoot Restart Manager
The need to update a file that is already in use is one of the most common reasons a user is required to restart a computer. Restart Manager, a feature of Windows Installer, strives to reduce this requirement by closing and restarting programs and services that have files in use. To diagnose a problem with Restart Manager, open Event Viewer and view the following event logs:
Windows Logs\Application
Applications and Services Logs\Microsoft\Windows\RestartManager\Operational
Search for Warning or Error events with a source of RestartManager. The following is an example of a Warning event with Event ID 10010:
Application 'C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE' (pid 5592) cannot be restarted - Application SID does not match Conductor SID.
You can also view general Windows Update events in the Application log by searching for events with a source of MsiInstaller.
How to Remove Updates
Occasionally, an update might cause compatibility problems. If you experience problems with an application or Windows feature after installing updates and one of the updates was directly related to the problem you are experiencing, you can uninstall the update manually to determine whether it is related to the problem.
To remove an update manually, follow these steps:
1. Click Start and then click Control Panel.
2. Under Programs, click the Uninstall A Program link.
3. Click the View Installed Updates link.
4. Select the update you want to remove. Then, click Uninstall, as shown in Figure 7-6.

FIGURE 7-6 Uninstalling an update to determine whether it is the source of a problem
5. Follow the prompts that appear and restart the computer if required.
You can also remove an update using the Wusa.exe tool, as described in the section entitled “How to Script Updates,” earlier in this chapter. If removing the update does not resolve the problem, you should reapply the update. If removing the update does solve the problem, inform the application developer (in the case of a program incompatibility) or your Microsoft support representative of the incompatibility. The update probably fixes a different problem, so you should make every effort to fix the compatibility problem and install the update.
PRACTICE Distribute Updates
In this practice, you configure a client running Windows 7 to download updates from a WSUS server.
EXERCISE 1
Check Current Update Level
In this exercise, you check the update level on your computer running Windows 7. If you have not installed any updates on the computer running Windows 7, skip to Exercise 2.
1. Log on to a computer running Windows 7 as an administrator.
2. Click Start and then click Control Panel.
3. Under Programs, click Uninstall A Program.
4. On the Programs And Features page, click View Installed Updates.
5. Right-click one of the updates and then click Uninstall. Click Yes when prompted.
If prompted, restart the computer.
Uninstalling this update allows you to reinstall it later using WSUS.
6. Click System And Security and then click Windows Update.
7. Click Check For Updates. At least one update should be available.
8. Click View Available Updates. Because the computer running Windows 7 has the default setting, Windows Update is contacting Microsoft directly to find the latest updates.
EXERCISE 2
Configure WSUS
In this exercise, you install WSUS on a server, approve updates, and then configure a client running Windows 7 to retrieve updates from that server.
1. Log on to a computer running Windows Server 2008 R2 as an administrator.
2. Click Start, click Administrative Tools, and then click Server Manager.
3. Click the Roles node, and then click Add Roles in the Details pane. The Add Roles Wizard appears.
4. On the Before You Begin page, click Next.
5. On the Select Server Roles page, select the Windows Server Update Services role. When prompted, add any required role services. Click Next four times, and then click Install.
6. When the Windows Server Update Services Setup Wizard appears (it might be behind the Add Roles Wizard), click Next.
NOTE
WSUS VERSION
When you add the WSUS server role, Windows Server 2008 R2 downloads the latest version directly from Microsoft. As of the time of this writing, the current version of WSUS is WSUS version 3.0 with Service Pack 2. If Microsoft has updated WSUS to a newer version, the steps required to install WSUS will vary. You probably can accept the default settings, but you should choose not to store updates locally.
7. On the License Agreement page, read the license agreement. Then, click I Accept The Terms Of The License Agreement, and click Next.
8. On the Required Components To Use Administration UI page, click Next.
9. On the Select Update Source page, clear the Store Updates Locally check box to prevent the WSUS server from copying updates locally. In a production environment, you would leave this check box selected so that clients could download updates from your WSUS (across your local area network) instead of directly from Microsoft (using your Internet connection). Click Next.
10. On the Database Options page, click Next.
11. If the Connecting To SQL Server Instance page appears, click Next.
12. On the Web Site Selection page, click Next to use the default IIS Web site. In a production environment, you would create a new WSUS Web site if the WSUS server hosted other Web sites.
13. On the Ready To Install page, click Next.
14. On the Completing The WSUS Setup Wizard page, click Finish.
15. On the Installation Results page, click Close. Restart your computer if prompted.
Next, you configure WSUS to install updates only after you approve them. To do so, perform these steps:
1. The Windows Server Update Services Configuration Wizard might have opened automatically. If it did not, click Start, click Administrative Tools, and then click Windows Server Update Services.
2. On the Before You Begin page, click Next.
3. On the Join The Microsoft Update Improvement Program page, click Next.
4. On the Choose Upstream Server page, click Next.
5. On the Specify Proxy Server page, click Next.
6. On the Connect To Upstream Server page, click Start Connecting. Wait while the WSUS Configuration Wizard downloads information from Microsoft Update. When the Next button is available, click it.
7. On the Choose Products page, notice that only Office and Windows updates are downloaded by default. Browse through the other update types that are available so that you become familiar with them, and then accept these default settings by clicking Next.
8. On the Choose Classifications page, select the All Classifications check box. Click Next.
9. On the Set Sync Schedule page, click Next.
10. On the Finish page, click Next.
11. On the What’s Next page, make note of other WSUS configuration steps. Click Finish.
NOTE
WSUS CONFIGURATION IN THE REAL WORLD
Because this exam focuses on the client running Windows 7 and not the WSUS server, this exercise does not go through all these configuration steps. However, in a production environment, WSUS would require additional configuration.
12. Next, you need to configure AD DS Group Policy settings so that domain members synchronize with the WSUS server. On the computer running Windows Server 2008 R2, click Start, click Administrative Tools, and then click Group Policy Management.
13. In the Group Policy Management console, select the Group Policy Management\Forest\Domains\nwtraders.msft\Default Domain Policy node. Right-click Default Domain Policy, and then click Edit.
14. In the Group Policy Management Editor, select the Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update node.
15. Double-click the Specify Intranet Microsoft Update Service Location setting. Click Enabled. In the Set The Intranet Update Service For Detecting updates box, type http:// and the name of your computer running Windows Server 2008 R2 (such as http://DC1). This configures clients to which the Group Policy Object (GPO) is applied to contact the WSUS server instead of Microsoft Update. Click OK.
16. In the Group Policy Management Editor, double-click the Configure Automatic Updates policy. Click Enabled. In the Configure Automatic Updating list, examine the different possible settings. Select 3 – Auto Download And Notify For Install. Accept the default settings by clicking OK.
17. Double-click the Turn On Recommended Updates Via Automatic Updates policy. Click Enabled. This enables Windows Update to install both recommended updates, which include driver updates and new Windows features, and important updates. Click OK.
18. Open the Windows Server Update Services console from the Administrative Tools folder on the Start menu.
19. In the Update Services console, if your server does not appear in the Update Services list, click the Connect To Server link in the Actions pane, type the server name, and then click Connect.
20. Select the Update Services\<server_name>\Computers\Synchronizations node. If a synchronization is currently running, select it. Wait until the synchronization completes.
21. Select the Update Services\<server_name>\Updates\All Updates node. In the Approval list, select Unapproved. In the Status list, select Failed Or Needed. Then, click Refresh, and wait several minutes for the Update Services console to display the list of unapproved updates.
22. Right-click any updates that appear, and then click Approve. To select all updates, press Ctrl+A. If no updates appear, verify that your computer running Windows 7 appears when you select the Computers\All Computers node. If you still see no updates, verify that the WSUS server has downloaded available updates from Microsoft. If updates have been synchronized, you might need to wait until Windows Update on the client notifies the WSUS server of its current status.
23. In the Approve Updates dialog box, select the All Computers list and then click Approved For Install, as shown in Figure 7-7. Then, click OK.

FIGURE 7-7 You can approve updates for all computers
24. If prompted, review the license terms and click I Accept as many times as necessary.
25. In the Approval Progress dialog box, click Close.
EXERCISE 3
Retrieve Updates from Windows Server Update Services
In this exercise, you check for updates on your client computer running Windows 7.
1. Log on to your computer running Windows 7.
2. Wait a few minutes for Windows 7 to display a notification bubble informing the user of the presence of updates. Click the bubble.
3. In the Windows Update window, click Install Updates. Follow the prompts that appear to complete the update installation, and restart the computer if required.
EXERCISE 4
Remove an Update
In this exercise, you remove an update from your client computer running Windows 7. In the real world, you might do this if an update caused application compatibility problems.
1. Log on to your computer running Windows 7.
2. Click Start and then click Control Panel.
3. Under Programs, click Uninstall A Program.
4. Click View Installed Updates.
5. Click one of the updates you installed in Exercise 3. Then, click Uninstall.
Lesson Summary
Microsoft provides three techniques for distributing updates: the Windows Update client (built into Windows 7), WSUS (a free tool that can be installed on a computer running Windows Server 2008 R2), and Configuration Manager 2007 (an enterprise software distribution tool). These tools are designed for small, medium-size, and large organizations, respectively.
You should test updates with critical applications before deploying them to large numbers of computers. To minimize the risk of application incompatibility further, deploy updates to a pilot group first. Members of the pilot group are likely to notice compatibility problems and notify IT before the update is distributed to the entire organization.
You can verify that an update is installed on a single computer by viewing the update history. If you use WSUS in your organization, you can view the reports that WSUS provides to identify which computers have installed an update. If you need to audit computers on a network (regardless of whether they use WSUS), you can use the free MBSA tool.
You can install updates interactively using the Windows Update tool in Control Panel. This would be very time-consuming, however. Instead, you should configure Windows Update either using graphical tools or by using Group Policy settings. If you need to install updates immediately (for example, as soon as a user logs on), you can create scripts that install updates.
If you have a problem installing an update, you can diagnose the problem by viewing the Windows Update history, by analyzing the %Windir%\WindowsUpdate.log file, or by examining WSUS logs. You often can resolve simple problems by restarting the Windows Update service.
If you discover a compatibility problem after deploying an update, you can remove it manually or use WSUS to uninstall it.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 1, “Updating Software.” The questions are also available on the companion CD if you prefer to review them in electronic form.
