1. How to Check Update Compatibility
Microsoft performs some level of compatibility testing for all
updates. Critical updates (small updates that fix
a single problem) receive the least amount of testing because they
occur in large numbers and they must be deployed quickly.
Service packs (large updates that fix many
problems previously fixed by different critical updates) receive much more testing because they
are released infrequently.
Whether you are planning to deploy critical updates or a
service pack, you can reduce the chance of application incompatibility by testing the updates in a lab
environment. Most enterprises have a Quality Assurance
(QA) department that maintains test computers in a lab
environment with standard configurations and applications. Before
approving an update for deployment in the organization, QA installs
the update on the test computers and verifies that critical
applications function with the update installed.
Whether or not you have the resources to test updates before deploying
them, you should install updates on pilot groups
of computers before installing the updates throughout your
organization. A pilot group is a small subset of the computers in your
organization that receive an update before wider deployment. Ideally,
pilot groups are located in an office with strong IT support and have
technology-savvy users. If an update causes an application
compatibility problem, the pilot group is likely to discover the
incompatibility before it affects more users.
If you are using WSUS to deploy updates, you can configure a
pilot group by creating a computer group named Pilot and adding
computers to the Pilot group. Then, approve updates for the Pilot
group before you approve them for the rest of your
organization.
EXAM TIP
This exam focuses on Windows 7, and WSUS
runs only on server versions of Windows. Therefore, the exam will
probably not require you to know exactly how to deploy updates with
WSUS. For that reason, this lesson discusses WSUS only at a high
level.
Practice 2, at the end of this lesson,
walks you through the process of installing WSUS on a computer
running Windows Server 2008 R2, synchronizing updates from
Microsoft, and then approving updates. Practice 2 should give you
sufficient experience with WSUS to pass this exam; however, after
completing the practice, you should add to your real-world
experience with WSUS by examining every aspect of the software,
including creating a pilot group of computers.
If users experience problems that you think might be related to
an update, you can use Reliability Monitor to help identify updates
that might be related to the cause of the problem.
2. How to Install Updates
Ideally, you would deploy new computers with all current updates
already installed. After deployment, you can install updates manually,
but you'll be much more efficient if you choose an automatic
deployment technique. For situations that require complete control
over update installation but still must be automated, you can script
update installations.
The sections that follow describe how to apply updates to
new computers, how to install updates manually, how to
install updates automatically, and how to script update installations.
2.1 How to Apply Updates to New Computers
When you deploy new computers, you should deploy them with as
many recent updates as possible. Even though Windows 7 immediately
checks for updates the first time it starts (rather than waiting for
the scheduled automatic update time), it might take hours for
Windows to download and install all updates. Applying updates to new
computers provides improved security for the computer the first time
it starts, reducing the risk that a patched vulnerability will be
exploited before updates can be applied.
You can use the following techniques, in order of most secure
to least secure, to apply updates to new computers:
- Integrate updates into Windows 7 setup files. If you use an
  automatic deployment technology such as the Microsoft Deployment
  Toolkit (MDT) 2010, you can ensure that updates are present during
  setup by installing Windows 7 and all updates on a lab computer and
  then using Windows PE and the XImage tool to create an operating
  system image (a .wim file) that you can deploy to new computers.
- Install updates automatically during setup. Using scripting, you can
  install updates automatically during setup. Ideally, you would
  distribute the update files with your Windows 7 installation media or
  on the distribution server. You can use MDT to configure updates for
  installation during setup, or you can configure updates manually
  using one of the following techniques:
  - Use the Windows System Image Manager to add a RunSynchronous
    command to an answer file in your Windows 7 image. RunSynchronous
    commands are available in the <platform>-Microsoft-Windows-Setup,
    <platform>-Microsoft-Windows-Deployment, and the
    <platform>-Microsoft-Windows-Shell-Setup features.
  - Edit the %windir%\Setup\Scripts\SetupComplete.cmd file in your
    Windows 7 image. Windows 7 runs any commands in this file after
    Windows Setup completes. Commands in the SetupComplete.cmd file are
    executed with local system privilege, and actions are logged to the
    SetupAct.log file. You cannot reboot the system and resume running
    SetupComplete.cmd; therefore, you must install all updates in a
    single pass.
  - Add the update package to the distribution share or answer file.
- Install updates manually using removable media. One of the best ways
  to minimize the risk of a new computer being attacked before it
  installs updates is to deploy computers while disconnected from the
  network, using removable media. If you choose this approach, you
  should also use removable media to install updates before connecting
  the computer to unprotected networks.
- Use WSUS to apply updates to new computers. After Windows 7 starts
  the first time, it immediately attempts to download updates (rather
  than waiting for the scheduled Windows Update time). Therefore, even
  with the default settings, the time new computers spend without
  updates is minimized. To further minimize this time, ask your WSUS
  administrators to configure the most critical updates with a
  deadline. The deadline forces new computers downloading the updates
  to install the critical updates and then immediately restart to
  apply them.
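The SetupComplete.cmd technique in the list above, as an added example that is not from the original text: it installs every staged .msu package with wusa.exe in a single pass, suppresses restarts, and records each exit code. The staging folder %windir%\Setup\Updates and the UpdateInstall.log file are assumptions made for the example.

```batch
@echo off
rem SetupComplete.cmd - added example, not from the original text.
rem Assumption: .msu packages were staged in the image under
rem %windir%\Setup\Updates (hypothetical folder). Windows Setup runs this
rem file once, with local system privilege, after setup completes.
setlocal EnableDelayedExpansion
set "UPDATEDIR=%windir%\Setup\Updates"
set "LOG=%windir%\Setup\Scripts\UpdateInstall.log"
set /a INSTALLED=0, SKIPPED=0, FAILED=0, REBOOT=0

>> "%LOG%" echo %date% %time% starting update pass
if not exist "%UPDATEDIR%\*.msu" (
    >> "%LOG%" echo %date% %time% no .msu packages found, nothing to do
    exit /b 0
)

for %%U in ("%UPDATEDIR%\*.msu") do (
    rem /norestart stops wusa from rebooting: the script is not resumed
    rem after a restart, so every package must install in this one pass.
    start "" /wait "%windir%\System32\wusa.exe" "%%~fU" /quiet /norestart
    set "RC=!errorlevel!"
    if !RC! EQU 0 (
        set /a INSTALLED+=1
    ) else if !RC! EQU 3010 (
        rem 3010 = installed, restart required to finish
        set /a INSTALLED+=1, REBOOT=1
    ) else if !RC! EQU 2359302 (
        rem 2359302 (0x00240006) = update already installed
        set /a SKIPPED+=1
    ) else (
        set /a FAILED+=1
    )
    >> "%LOG%" echo !date! !time! %%~nxU exit code !RC!
)

>> "%LOG%" echo %date% %time% installed=%INSTALLED% skipped=%SKIPPED% failed=%FAILED% restart_pending=%REBOOT%
rem Remove the staged packages; they are no longer needed after this pass.
rd /s /q "%UPDATEDIR%"
rem Non-zero exit code if any package failed to install.
exit /b %FAILED%
```

Because the script runs as local system, only the people who build the image should be able to write to the staged package folder.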