Lesson 2: Updating Software

Because security threats are constantly evolving, Microsoft must regularly release updates to Windows Vista. Deploying and managing these updates are some of the most important security tasks an IT department can perform. To simplify this task, Windows Vista includes several improved update capabilities compared to Windows XP:

  • Windows Update is a stand-alone tool instead of a webpage.
  • Windows Update will immediately connect to an update server the first time Windows Vista connects to a network.
  • Windows Update automatically installs drivers for devices that are using generic drivers or that do not have any driver installed.
  • Administrators can configure Windows Update to automatically install recommended updates as well as critical updates.
  • Now non-administrators can approve update installations without providing administrative credentials.
  • Windows Update can wake a computer from sleep to install updates, so users no longer need to leave their computers running to enable updates to be installed overnight.

This lesson describes the different techniques for deploying updates to Windows Vista computers and explains how to install and manage updates and how to troubleshoot update problems.

After this lesson, you will be able to:

  • Choose a deployment technique for distributing updates within your organization.
  • Install updates automatically, manually, and to new computers.
  • Troubleshoot problems installing updates.
  • Uninstall updates.

Estimated lesson time: 30 minutes

Methods for Deploying Updates

Microsoft provides several techniques for applying updates:

  • Directly from Microsoft: For home users and small businesses, Windows Vista is configured to automatically retrieve updates directly from Microsoft. This method is suitable only for smaller networks with fewer than 50 computers.
  • Windows Server Update Services (WSUS): WSUS enables administrators to approve updates before distributing them to computers on an intranet. Optionally, updates can be stored and retrieved from a central location on the local network, reducing Internet usage when downloading updates. This approach requires at least one infrastructure server.
  • Microsoft Systems Management Server (SMS): The preferred method for distributing software and updates in large, enterprise networks, SMS provides highly customizable, centralized control over update deployment, with the ability to audit and inventory client systems. SMS typically requires several infrastructure services.

The sections that follow describe each of these deployment methods in more detail.

Windows Update Client

Whether you download updates from Microsoft or use WSUS, the Windows Update client is responsible for downloading and installing updates on Windows Vista computers. The Windows Update client replaces the Automatic Updates client available in earlier versions of Windows. Both Windows Update in Windows Vista and Automatic Updates in previous versions of Windows operate the same way: they download and install updates from Microsoft or an internal WSUS server. Both clients install updates at a scheduled time and automatically restart the computer if necessary. If the computer is turned off at that time, the updates can be installed as soon as the computer is turned on. Alternatively, Windows Update can wake a computer from sleep and install the updates at the specified time if the computer hardware supports it.

The Windows Update client provides for a great deal of control over its behavior. You can configure individual computers by using the Control Panel\Security\Windows Update\Change Settings page, as described in “How to Configure Windows Update Using Graphical Tools” later in this section. Networks that use Active Directory can specify the configuration of each Windows Update client by using Group Policy, as described in “How to Configure Windows Update Using Group Policy Settings.”

After the Windows Update client downloads updates, the client checks the digital signature and the Secure Hash Algorithm (SHA1) hash on the updates to verify that they have not been modified.

Windows Server Update Services

Windows Server Update Services (WSUS) is a version of the Microsoft Update service that you can host on your private network. WSUS connects to the Windows Update site, downloads information about available updates, and adds them to a list of updates that require administrative approval.

After an administrator approves and prioritizes these updates, WSUS automatically makes them available to any computer running Windows Update (or the Automatic Updates client on earlier versions of Windows). Windows Update (when properly configured) then checks the WSUS server and automatically downloads and installs updates as configured by the administrators. As shown in Figure 5-8, you can distribute WSUS across multiple servers and locations to scale to enterprise needs. WSUS meets the needs of medium-sized organizations and many enterprises.


Figure 5-8 WSUS can scale to support thousands of computers

You must install WSUS on at least one infrastructure server, and you manage it by using a Web browser. To deploy updates to Windows Vista computers, you must have WSUS Service Pack 1 or later installed on your server.

MORE INFO Windows Server Update Services (WSUS)

For more information about update management with WSUS and to download WSUS, visit http://www.microsoft.com/wsus/.

Systems Management Server

Microsoft Systems Management Server (SMS) 2003 is a tool for efficiently managing, distributing, and inventorying software in enterprise environments. Although WSUS is sufficient to meet the needs of medium-sized organizations, SMS can supplement WSUS in enterprise organizations that manage hundreds or thousands of computers.

MORE INFO Systems Management Server (SMS)

For more information about SMS, visit the SMS website at http://www.microsoft.com/smserver


MORE INFO Using SMS for update management

For information about using SMS for update management, refer to the article “Patch Management Using Systems Management Server 2003” at http://www.microsoft.com/technet/itsolutions/cits/mo/swdist/pmsms/2003/pmsms031.mspx.

How to Install Updates

Ideally, you would install all current updates immediately when you deploy new computers. After deployment, you can manually install updates, but you’ll be much more efficient if you choose an automatic deployment technique. For situations that require complete control over update installation but still must be automated, you can script update installations.

How to Apply Updates to New Computers

When you deploy new computers, you should deploy them with as many recent updates as possible. Windows Vista immediately checks for updates the first time it starts (rather than waiting for the scheduled automatic update time), but deploying the computer with updates already applied provides improved security the first time it starts, rather than leaving it waiting to retrieve updates after startup.

You can use the following techniques, in order of most secure to least secure, to apply updates to new computers:

  • Integrate updates into Windows Vista setup files: If you use an automatic deployment technology such as the Microsoft Solution Accelerator for Business Desktop Deployment 2007 (BDD), you can ensure that updates are present during setup by installing Windows Vista and all updates on a lab computer and then using Windows PE and the XImage tool to create an operating system image (a .wim file) that you can deploy to new computers.

MORE INFO Solution Accelerator for Business Desktop Deployment 2007 (BDD)

For more information about BDD, visit http://www.microsoft.com/technet/desktopdeployment/bdd/2007/.

  • Install updates automatically during setup: Using scripting, you can install updates automatically during setup. Ideally, you would distribute the update files with your Windows Vista installation media or on the distribution server. You can use BDD to configure updates for installation during setup, or you can manually configure updates using one of the following techniques:
    • Use the Windows System Image Manager to add a RunSynchronous command to an Unattend.xml answer file in your Windows Vista image. RunSynchronous commands are available in the Microsoft-Windows-Setup and the Microsoft-Windows-Deployment components.
    • Edit the %windir%\Setup\Scripts\SetupComplete.cmd file in your Windows Vista image. Windows Vista runs any commands in this file after Windows Setup completes. Commands in the SetupComplete.cmd file are executed with local system privilege. You cannot reboot the system and resume running SetupComplete.cmd; therefore, you must install all updates in a single pass.
  • Manually install updates using removable media: One of the best ways to minimize the risk of a new computer being attacked before it installs updates is to deploy computers while disconnected from the network, using removable media. If you choose this approach, you should also use removable media to install updates before connecting the computer to the public Internet.
  • Use WSUS to apply updates to new computers: After Windows Vista starts the first time, it immediately attempts to download updates (rather than waiting for the scheduled Windows Update time). Therefore, even with the default settings, the time new computers spend without updates is minimized. To further minimize this, ask your WSUS administrators to configure the most critical updates with a deadline. The deadline forces new computers downloading the updates to install the critical updates and then immediately restart to apply them.

How to Manually Apply Updates

In previous versions of Windows, you could apply updates by visiting the http://windowsupdate.com website. In Windows Vista, you must follow these steps:

  1. Click Start, click All Programs, and then click Windows Update.

  2. The Windows Update window appears. Click the Check For Updates link.

  3. If any updates are available, click Install Updates, as shown in Figure 5-9. To install optional updates, click View Available Updates.


    Figure 5-9 Using the Windows Update tool to check for updates

    NOTE If an update is not listed

    If an update does not appear on the list, it might have been hidden. To fix this, click the Restore Hidden Updates link in the Windows Update window.

  4. Windows Update downloads and installs the available updates.

  5. If required, restart the computer by clicking Restart Now.

    If you choose not to immediately restart the computer, Windows Update will regularly prompt the user to restart, as shown in Figure 5-10. The user can postpone the update prompt for up to four hours. Administrative credentials are not required to install updates.


    Figure 5-10 The reminder from Windows Update that updates are waiting for the computer to be restarted

How to Automatically Apply Updates

You can configure automatic updates by using either graphical, interactive tools or by using Group Policy. The sections that follow describe each of these techniques.

How to Configure Windows Update Using Graphical Tools

During an interactive setup, Windows Vista prompts users to choose update settings. Setup recommends enabling automatic updates. To manually configure automatic updates on a computer, follow these steps (which require administrative privileges):

  1. Click Start, and then click Control Panel.
  2. Click the Security link.
  3. Under Windows Update, click the Turn Automatic Updating On Or Off link.
  4. Adjust the settings, including whether updates are installed automatically and the time they are installed, and then click OK.

How to Configure Windows Update Using Group Policy Settings

You can configure Windows Update client settings using local or domain Group Policy settings. This is useful for the following tasks:

  • Configuring computers to use a local WSUS server
  • Configuring automatic installation of updates at a specific time of day
  • Configuring how often to check for updates
  • Configuring update notifications, including whether non-administrators receive update notifications
  • Configuring client computers as part of a WSUS target group, which you can use to deploy different updates to different groups of computers

Windows Update settings are located at Computer Configuration\Administrative Templates\Windows Components\Windows Update. The Windows Update Group Policy settings are:

  • Configure Automatic Updates: Specifies whether client computers will receive security updates and other important downloads through the Windows Update service. You also use this setting to configure whether the updates are installed automatically and what time of day the installation occurs.
  • Specify Intranet Microsoft Update Service Location: Specifies the location of your WSUS server.
  • Automatic Updates Detection Frequency: Specifies how frequently the Windows Update client checks for new updates. By default, this is a random time between 17 and 22 hours.
  • Allow Non-Administrators To Receive Update Notifications: Determines whether all users or only administrators will receive update notifications. Non-administrators can install updates using the Windows Update client.
  • Allow Automatic Updates Immediate Installation: Specifies whether Windows Update will immediately install updates that don’t require the computer to be restarted.
  • Turn On Recommended Updates Via Automatic Updates: Determines whether client computers install both critical and recommended updates, which might include updated drivers.
  • No Auto-Restart For Scheduled Automatic Updates: Specifies that to complete a scheduled installation, Windows Update will wait for the computer to be restarted by any user who is logged on instead of causing the computer to restart automatically.
  • Re-Prompt For Restart With Scheduled Installations: Specifies how often the Windows Update client prompts the user to restart. Depending on other configuration settings, users might have the option of delaying a scheduled restart. However, the Windows Update client will automatically remind them to restart based on the frequency configured in this setting.
  • Delay Restart For Scheduled Installations: Specifies how long the Windows Update client waits before automatically restarting.
  • Reschedule Automatic Updates Scheduled Installations: Specifies the amount of time for Windows Update to wait, following system startup, before continuing with a scheduled installation that was missed previously. If you don’t specify this amount of time, a missed scheduled installation will occur one minute after the computer is next started.
  • Enable Client-Side Targeting: Specifies which group the computer is a member of. This option is useful only if you are using WUS; you cannot use this option with SUS.
  • Enabling Windows Update Power Management To Automatically Wake Up The System To Install Scheduled Updates: If people in your organization tend to shut down their computers when they leave the office, enable this setting to configure computers with supported hardware to automatically start up and install an update at the scheduled time. Computers will not wake up unless there is an update to be installed. If the computer is on battery power, the computer will automatically return to Sleep after two minutes.

Additionally, the following two settings are available at the same location under User Configuration (which you can use to specify per-user settings) in addition to Computer Configuration:

  • Do Not Display ‘Install Updates And Shut Down’ Option In Shut Down Windows Dialog Box: Specifies whether Windows XP with Service Pack 2 or later shows the Install Updates And Shut Down option.
  • Do Not Adjust Default Option To ‘Install Updates And Shut Down’ In Shut Down Windows Dialog Box: Specifies whether Windows XP with Service Pack 2 or later automatically changes the default shutdown option to Install Updates And Shut Down when Windows Update is waiting to install an update.

Finally, the last user setting is available only at User Configuration\Administrative Templates\Windows Components\Windows Update:

  • Remove Access To Use All Windows Update Features: When enabled, prevents user from accessing the Windows Update interface.

How to Script Updates

Windows Vista opens MSU files with the Windows Update Standalone Installer (Wusa.exe). To install an update from a script, run the script with administrative privileges, call Wusa and provide the path to the MSU file. For example, you can install an update named Windows6.0-KB929761-x86.msu in the current directory by running the following command:

wusa Windows6.0-KB929761-x86.msu

Additionally, Wusa supports the following standard command-line options:

  • /?, /h, or /help: Displays the command-line options.
  • /quiet: Quiet mode. This is the same as unattended mode, but no status or error messages are displayed. Use quiet mode when installing an update as part of a script.
  • /norestart: Does not restart when installation has completed. Use this parameter when installing multiple updates simultaneously. All but the last update installed should have the /norestart parameter.

Scripting is not usually the best way to install updates on an ongoing basis. Instead, you should use Windows Update, WSUS, or SMS. However, you might create a script to install updates on new computers or to install updates on computers that cannot participate in your standard update distribution method.
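The following script is an added example, not part of the original lesson. It installs every .msu file in a staging folder in a single pass, passing /norestart to all but the last update, and skips any package whose digital signature does not validate. It assumes Windows PowerShell is installed on the client; the C:\Updates folder, the Microsoft signer check, and the list of accepted exit codes are choices made for this example.

```powershell
# Added example (not from the original lesson). Run with administrative privileges.
param(
    [string]$UpdateDir = 'C:\Updates',  # hypothetical staging folder holding the .msu files
    [switch]$AllowRestart               # omit to suppress the restart after the last update too
)

$wusa = Join-Path $env:windir 'System32\wusa.exe'

# Exit codes treated as "update is in place" (assumed for this example):
# 0 = success, 3010 = success but restart required, 2359302 (0x240006) = already installed.
$okCodes = @{
    0       = 'installed'
    3010    = 'installed, restart required'
    2359302 = 'already installed'
}

# Return only packages whose Authenticode signature is valid and names Microsoft as signer.
function Get-TrustedPackages {
    param([string]$Dir)
    foreach ($file in Get-ChildItem -Path $Dir -Filter '*.msu' | Sort-Object Name) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        if ($sig.Status -eq 'Valid' -and $signer -like '*O=Microsoft Corporation*') {
            $file
        } else {
            Write-Warning "Skipping $($file.Name): signature status $($sig.Status)"
        }
    }
}

# Verify everything first, so "last update" refers to the last package actually installed.
$packages = @(Get-TrustedPackages -Dir $UpdateDir)
$failed = 0

for ($i = 0; $i -lt $packages.Count; $i++) {
    $isLast   = ($i -eq $packages.Count - 1)
    $wusaArgs = @("`"$($packages[$i].FullName)`"", '/quiet')

    # All but the last update get /norestart; the last one may restart if allowed.
    if (-not ($isLast -and $AllowRestart)) { $wusaArgs += '/norestart' }

    $proc = Start-Process -FilePath $wusa -ArgumentList $wusaArgs -Wait -PassThru
    if ($okCodes.ContainsKey($proc.ExitCode)) {
        Write-Output "$($packages[$i].Name): $($okCodes[$proc.ExitCode])"
    } else {
        $failed++
        Write-Warning ("{0}: wusa exit code 0x{1:X}" -f $packages[$i].Name, $proc.ExitCode)
    }
}

# Non-zero exit tells the calling script that at least one update did not install.
exit $failed
```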

How to Troubleshoot Problems Installing Updates

Occasionally, you might experience a problem installing an update. Fortunately, Windows Vista provides detailed information about update installations. The sections that follow describe how to troubleshoot problems with Windows Update and Restart Manager.

How to Troubleshoot Windows Update

Occasionally, you might discover a client that isn’t automatically installing updates correctly. You can identify missing updates using an automated tool such as the Microsoft Baseline Security Analyzer (MBSA).

MORE INFO Microsoft Baseline Security Analyzer (MBSA)

For more information about MBSA and to download the free tool, visit http://www.microsoft.com/mbsa/.

Alternatively, you can manually identify problems installing updates by viewing the update history. To view the update history, follow these steps:

  1. Click Start, click All Programs, and then click Windows Update.

  2. The Windows Update window appears. Click the View Update History link.

  3. The View Update History window appears, as shown in Figure 5-11. To view the details of an update, double-click it.


    Figure 5-11 Reviewing an update history with the Windows Update tool

To identify the source of the problem causing an update to fail, follow these steps:

  1. Examine the %windir%\WindowsUpdate.log file to verify that the client is contacting the correct update server and to identify any error messages. For detailed information about how to read the WindowsUpdate.log file, refer to Microsoft Knowledge Base article 902093 at http://support.microsoft.com/kb/902093/.

  2. If your organization uses WSUS, verify that the client can connect to the WSUS server by opening a Web browser and visiting http://<WSUSServerName>/iuident.cab. If you are prompted to download the file, this means that the client can reach the WSUS server, and it is not a connectivity issue. Otherwise, you could have a name resolution or connectivity issue, or WSUS is not configured correctly.

    MORE INFO Troubleshooting WSUS

    For more information about troubleshooting WSUS, visit http://technet2.microsoft.com/WindowsServer/en/library/b23562a8-1a97-45c0-833e-084cd463d0371033.mspx?mfr.

  3. If you use Group Policy to configure the Windows Update client, use the Resultant Set of Policy (RSOP) tool (Rsop.msc) to verify the configuration. Within RSOP, browse to the Computer Configuration\Administrative Templates\Windows Components\Windows Update node and verify the configuration settings. Figure 5-12 shows the RSOP snap-in.


    Figure 5-12 The RSOP snap-in

If you have identified a problem and made a configuration change that you hope will resolve it, restart the Windows Update service on the client computer to make the change take effect and begin another update cycle. You can do this using the Services console or by running the following two commands:

net stop wuauserv 
net start wuauserv

Within 6 to 10 minutes, Windows Update will attempt to contact your update server.
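The checks above can be collected into one script. This is an added example, not part of the original lesson: it reads the update server that Group Policy assigned to the client, requests iuident.cab from that server, lists recent server references and errors from WindowsUpdate.log, and restarts the Windows Update service. It assumes Windows PowerShell is installed on the client and that the policy is stored under the registry key shown; the log search patterns are assumptions about the log's wording.

```powershell
# Added example (not from the original lesson). Run with administrative privileges on the client.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# 1. Which update server does Group Policy point this client at?
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$au     = Get-ItemProperty -Path "$policyKey\AU" -ErrorAction SilentlyContinue

if (-not $policy -or -not $policy.WUServer -or -not $au -or $au.UseWUServer -ne 1) {
    Write-Output 'No WSUS server is set by policy; the client retrieves updates from Microsoft.'
} else {
    $server = $policy.WUServer.TrimEnd('/')
    Write-Output "Policy WSUS server: $server (target group: $($policy.TargetGroup))"

    # 2. Same test as browsing to http://<WSUSServerName>/iuident.cab.
    try {
        $req = [System.Net.WebRequest]::Create("$server/iuident.cab")
        $req.Method  = 'HEAD'
        $req.Timeout = 10000   # milliseconds
        $resp = $req.GetResponse()
        Write-Output "iuident.cab reachable: HTTP $([int]$resp.StatusCode)"
        $resp.Close()
    } catch {
        # Name resolution, connectivity, or WSUS configuration problem.
        Write-Warning "Cannot fetch iuident.cab: $($_.Exception.Message)"
    }
}

# 3. Recent server references and error lines in the client log.
#    The patterns are assumptions about the log's wording; adjust them to what your log shows.
$log = Join-Path $env:windir 'WindowsUpdate.log'
if (Test-Path $log) {
    Select-String -Path $log -Pattern 'WSUS server', 'WARNING:', 'FATAL:' |
        Select-Object -Last 20 |
        ForEach-Object { $_.Line }
} else {
    Write-Warning "$log not found"
}

# 4. Restart the Windows Update service so a new update cycle begins
#    (equivalent to: net stop wuauserv, then net start wuauserv).
Restart-Service -Name wuauserv
Write-Output "wuauserv status: $((Get-Service -Name wuauserv).Status)"
```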

How to Troubleshoot Restart Manager

Windows Vista includes Windows Installer 4.0, a new version of the application installation infrastructure that is not available for earlier versions of Windows. One of the most significant improvements in Windows Installer 4.0 is Restart Manager. Installation routines can communicate with Restart Manager to indicate which files need to be updated. Restart Manager then coordinates updating the files while minimizing the impact on the user.

The need to update a file that is already in use is one of the most common reasons a user is required to restart a computer. Restart Manager strives to reduce this requirement by closing and restarting programs and services that have files in use. Although some installations will always require the computer to be restarted (especially if they need to upgrade system files that are in use), Restart Manager should minimize this requirement. In Windows Vista all installers must take advantage of the Restart Manager for the program to receive Certified for Windows Vista status.

To diagnose a problem with Restart Manager, open Event Viewer and view the following event logs:

  • Windows Logs\Application
  • Applications and Services Logs\Microsoft\Windows\RestartManager\Operational

Search for Warning or Error events with a source of RestartManager. The following is an example of a Warning event with Event ID 10010:

Application 'C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE' 
(pid 5592) cannot be restarted - Application SID does not match 
Conductor SID. 

You can also view general Windows Update events in the Application log. Search for events with a source of MsiInstaller.

How to Remove Updates

Occasionally, an update might cause compatibility problems. If you experience problems with an application or Windows feature after installing updates and one of the updates was directly related to the problem you are experiencing, you can uninstall the update to determine whether it is related to the problem.

How to Manually Remove an Update

To remove an update, follow these steps:

  1. Use Windows Update to view the update history, as described in “How to Troubleshoot Windows Update” earlier in this chapter. View the details of each update to identify the update that might be causing a problem. Make note of the Knowledge Base (KB) number for the update.

  2. Click Start, and then click Control Panel.

  3. Under Programs, click the Uninstall A Program link.

  4. Under Tasks (in the upper-left corner of the window), click the View Installed Updates link.

  5. Select the update you want to remove by using the KB number you noted in step 1. Then, click Uninstall, as shown in Figure 5-13.


    Figure 5-13 Uninstalling an update to determine whether it is the source of a problem

  6. Follow the prompts that appear and restart the computer if required.

If removing the update does not resolve the problem, you should reapply the update. If removing the update does solve the problem, contact the application developer (in the case of a program incompatibility) or your Microsoft support representative to inform them of the incompatibility. The update probably fixes a different problem, and therefore you should make every effort to fix the compatibility problem and install the update.

How to Remove an Update using WSUS

If you use Windows Software Update Services (WSUS) to distribute updates internally, you might be able to remove the update from the WSUS server to prevent it from being distributed. Many updates do not support being removed. To remove an update for a group of computers or all computers with WSUS, follow these steps:

  1. View the WSUS Updates page.
  2. Select the update, and then click Change Approval under Update Tasks.
  3. Click the Approval list, and then click Remove (if available).
  4. Click OK.

How to Recover a Computer that Won’t Start

If an update prevents Windows Vista from starting correctly, you can use the Startup Repair tool to quickly restore the computer. To run Startup Repair, follow these steps:

  1. Insert the Windows Vista DVD in your computer.

  2. Restart your computer. When prompted to boot from the DVD, press any key. If you are not prompted to boot from the DVD, you might have to configure your computer’s startup sequence.

    Windows Vista Setup loads.

  3. When prompted, select your regional preferences and keyboard layout, and then click Next.

  4. Click Repair Your Computer.

    System Recovery scans your hard disks for Windows Vista installations.

  5. If the standard Windows Vista drivers do not detect a hard disk because the disk requires drivers that were not included with Windows Vista, click the Load Drivers button to load the drivers, and then select an operating system to repair. Click Next.

  6. If Windows failed to start during its last attempt, Windows Vista launches the Startup Repair tool automatically. Otherwise, the Choose A Recovery Tool page appears. Click Startup Repair, and then follow the prompts that appear.

  7. After the Startup Repair tool completes its diagnosis and repair, click Click Here For Diagnostic And Repair Details. At the bottom of the report, Startup Repair lists a root cause, if found, and any steps taken to repair the problem.

If Startup Repair does not repair the problem, repeat steps 1–5. Then, in the System Recovery Options dialog box, click System Restore and follow the prompts that appear. Windows Vista automatically creates a System Restore point before any update is installed, so restoring a System Restore point effectively uninstalls any updates.

Practice: Distribute Updates

In this lab, you configure a Windows Vista client to download updates from a WSUS server.

Practice 1: Distribute Updates with Windows Server Update Services

In this practice, you install WSUS on a server, approve updates, and then configure a Windows Vista client to retrieve updates from that server.

  1. Log on to a Windows Server 2003 computer as an administrator. If necessary, add the Application Server role (a requirement of WSUS).

  2. Visit http://www.microsoft.com/wsus/ to download and install the latest version of WSUS on your Windows Server 2003 computer.

  3. Configure WSUS to install updates only after you approve them. Then, open the WSUS management webpage and approve several recent updates that need to be installed on your Windows Vista computer.

  4. Log on to your Windows Vista computer. If you have installed any of the updates you approved within WSUS, uninstall them now using the Control Panel.

  5. Click Start, type Mmc, and then press Enter.

  6. An empty MMC console opens.

  7. Click File, and then click Add/Remove Snap-In. From the Available Snap-Ins list, select Group Policy Object Editor. Click Add.

  8. On the Welcome To The Group Policy Wizard page, click Browse. Select the Default Domain Policy, and then click OK. Click Finish.

  9. In the Add Or Remove Snap-In dialog box, click OK.

  10. In the Group Policy Object Editor snap-in, browse to Computer Configuration\Administrative Templates\Windows Components\Windows Update. Specify the policy settings shown in Table 5-2.


    Table 5-2 Sample Policy Setting

  11. Click Start, type gpupdate /force, and press Enter. This retrieves the latest Group Policy settings from the domain controller.

  12. Wait a few minutes for Windows Vista to display a notification bubble informing the user of the presence of updates. Allow them to be automatically installed and the computer to restart.

Lesson Summary

  • Microsoft provides three techniques for distributing updates: the Windows Update client (built into Windows Vista), Windows Server Update Services (a free tool that can be installed on a Windows Server 2003 computer), and Systems Management Tool (an enterprise software distribution tool). These tools are designed for small, medium, and large organizations, respectively.
  • You can install updates interactively using the Windows Update tool. This would be very time-consuming, however. Instead, you should configure Windows Update either using graphical tools or by using Group Policy settings. If you need to install updates immediately (for example, as soon as a user logs on), you can create scripts that install updates.
  • If you have a problem installing an update, you can diagnose the problem by viewing the Windows Update history, by analyzing the %windir%\WindowsUpdate.log file, or by examining WSUS logs. You can often resolve simple problems by restarting the Windows Update service.
  • If you discover a compatibility problem after deploying an update, you can manually remove it or use WSUS to uninstall it.

Lesson Review

You can use the following questions to test your knowledge of the information in Lesson 2, “Updating Software.” The questions are also available on the companion CD if you prefer to review them in electronic form.

NOTE Answers

Answers to these questions and explanations of why each answer choice is right or wrong are located in the “Answers” section at the end of the book.

  1. Which of the following would you recommend for distributing updates to a small business with five Windows Vista client computers?
    1. Instructing employees to manually launch Windows Update when they experience problems
    2. Configuring Windows Update on each computer to download updates directly from Microsoft
    3. Installing WSUS and configuring Windows Update to download updates from the WSUS server
    4. Deploying updates using SMS and WSUS
  2. You are working for a medium-sized organization that manages about 100 client computers. The IT department insists on testing all updates before they are applied to computers. Which of the following would you recommend for distributing updates within this organization?
    1. Instructing employees to manually launch Windows Update when they experience problems
    2. Configuring Windows Update on each computer to download updates directly from Microsoft
    3. Installing WSUS and configuring Windows Update to download updates from the WSUS server
    4. Deploying updates using SMS and WSUS
  3. You are creating a batch file that installs updates when a Windows Vista computer starts for the first time. How should you do this?
    1. Call Update.exe and provide the path to the update file.
    2. Call Msiexec.exe and provide the path to the update file.
    3. Run the executable file included with the update.
    4. Call Wusa.exe and provide the path to the update file.




© Microsoft. All Rights Reserved.