Understanding Updates
Updates are files that fix functionality problems and close security
vulnerabilities in operating systems and applications. Because a
vulnerability is often exploited soon after its details are published,
you must ensure that the updates that address it are deployed to the
computers in your organization with reasonable haste.
Unfortunately, updates do alter a computer’s configuration, and
an update that addresses one issue in an application or operating
system can cause problems with other parts of the configuration. These
problems might become apparent only after the update is deployed. As
an enterprise desktop administrator, you must seek a balance, ensuring
that you test updates adequately prior to deployment, but also
ensuring that updates are deployed in a timely and effective
manner.
Microsoft assigns a classification to each update it publishes. The
classification lets you prioritize deployment: test and deploy updates
with a more urgent classification before testing and deploying those
with less urgent classifications. The Knowledge Base article or security
bulletin that accompanies an update states its classification and the
location from which you can download the update files if an automated
update solution is not in place. Note that the severity rating on a
security bulletin (Critical, Important, Moderate, or Low) is a separate
scale from the Windows Update classification described here. Updates
published by Microsoft can have one of the following three
classifications:
- Important updates. These updates address critical security issues,
such as a vulnerability that an attacker can use remotely to take
control of a computer. In some cases, an Important update addresses a
security issue for which exploit code has already been published on the
Internet. Where exploit code is not yet available, attackers quickly
reverse-engineer the update to determine which vulnerability it fixes
and use that as the basis for developing their own exploit code, so the
release of the update itself starts the clock even when no exploit
existed before. Prioritize the deployment of updates with this
classification over the deployment of all other updates.
- Recommended updates. These updates generally address issues with the
existing functionality of the computer. Figure 1 shows a Recommended
update that relates to application compatibility. Recommended updates
are of lower priority than Important updates, but you should still
deploy them to the computers in your organization in a timely manner.
- Optional updates. These updates include items such as language packs
and driver updates, and they often extend the functionality of the
computer rather than fixing it. Optional updates are strictly optional.
Assess the changes that an Optional update introduces to your software
ecosystem before rolling it out to desktop computers. The deployment of
Optional updates is rarely time-sensitive in the way that the deployment
of the other classifications is.
Update Deployment
When the Windows 7 operating system is installed on a computer, the
installation routine asks how you want to treat automatic updates. This
dialog box is shown in Figure 2. The default setting, Install updates
automatically (recommended), downloads Important updates and installs
them on a schedule (every day at 3:00 A.M. unless you change it), and
the Give me recommended updates the same way I receive important updates
check box, which is selected by default, treats Recommended updates the
same way. When a computer running Windows 7 uses these defaults, the
Windows Update client regularly checks the Windows Update servers on the
Internet to see whether any new updates have been published, downloads
any that apply in the background, installs them at the scheduled time,
and then restarts the computer if an update requires it.
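The following script is an added example, not code from the original page. It shows what the client described above is configured to do and what it would currently install, using the Windows Update Agent COM API instead of the dialog box in Figure 2, and it ranks the pending updates by security bulletin severity so that the prioritization discussed under the three classifications can be applied to a real list. It assumes an elevated PowerShell session on the Windows 7 client and that the client can reach Microsoft Update or its WSUS server for the search step; the comment that ties AutoSelectOnWebSites to the Important/Optional split in the Windows Update user interface is an assumption.

```powershell
# Added example, not from the original page. Audits a Windows 7 client's
# Automatic Updates settings and lists the updates it would currently fetch,
# ranked by security bulletin severity. Run in an elevated PowerShell session;
# the search step needs access to Microsoft Update or the WSUS server.

# --- 1. How is Automatic Updates configured? -------------------------------
$au       = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
$settings = $au.Settings

# NotificationLevel values defined for IAutomaticUpdatesSettings
$levels = @{ 0 = 'Not configured'; 1 = 'Disabled'; 2 = 'Notify before download';
             3 = 'Download, notify before install'; 4 = 'Download and install on schedule' }
# ScheduledInstallationDay: 0 = every day, 1..7 = Sunday..Saturday
$days   = @{ 0 = 'every day'; 1 = 'Sunday'; 2 = 'Monday'; 3 = 'Tuesday';
             4 = 'Wednesday'; 5 = 'Thursday'; 6 = 'Friday'; 7 = 'Saturday' }

"Automatic Updates     : $($levels[[int]$settings.NotificationLevel])"
"Include Recommended   : $($settings.IncludeRecommendedUpdates)"
"Locked by Group Policy: $($settings.ReadOnly)"
if ([int]$settings.NotificationLevel -eq 4) {
    "Install schedule      : $($days[[int]$settings.ScheduledInstallationDay]) at $($settings.ScheduledInstallationTime):00"
}

# --- 2. What would it install? ---------------------------------------------
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
# Documented search criteria: applicable software updates not yet installed or hidden
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

# MsrcSeverity is the security bulletin rating; updates without a bulletin have none
$rank = @{ 'Critical' = 0; 'Important' = 1; 'Moderate' = 2; 'Low' = 3 }

$pending = foreach ($u in $result.Updates) {
    $sev = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
    New-Object PSObject -Property @{
        Severity   = $sev
        Rank       = if ($rank.ContainsKey($sev)) { $rank[$sev] } else { 9 }
        # Assumption: the Windows Update UI pre-selects updates that have
        # AutoSelectOnWebSites = $true and lists the remainder as Optional
        AutoSelect = $u.AutoSelectOnWebSites
        KB         = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ' '
        Category   = ($u.Categories   | ForEach-Object { $_.Name }) -join ', '
        Title      = $u.Title
    }
}

"{0} applicable update(s) not yet installed" -f $result.Updates.Count
$pending | Sort-Object Rank, Title |
    Format-Table Severity, AutoSelect, KB, Category, Title -AutoSize
```

New-Object PSObject is used rather than the [pscustomobject] cast so that the script runs on the PowerShell 2.0 that ships with Windows 7. A client whose settings report ReadOnly as True is being managed by Group Policy, which is the situation the next sections describe for larger organizations.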
In many small and medium-sized organizations, this default
configuration for Windows Update is acceptable. As organizations grow
larger, they are more likely to want to take control of the approval and
deployment of updates. The sections that follow describe the solutions
available to an organization that wants to take control of the update
management process.
Installing Updates Manually
The first update management option that organizations can
implement is manually deploying updates, rather than having the
updates downloaded directly by clients from the Internet. You can
download update files from the Microsoft Web site and install them
manually using the Wusa.exe command-line utility. Update files have
the .msu extension.
Manual installation of updates might be necessary for computers located
on secure, isolated networks, or for stand-alone computers that are not
connected to any network. Often several updates must be installed at
once. One problem with manual installation is that many updates require
the computer to be restarted for the installation to complete, and
Wusa.exe run with /quiet alone restarts the computer automatically when
its update demands it, so installing three updates in a row could mean
three restarts. To deal with this, chain the installations using the
/norestart parameter and allow only the last one to restart the
computer. A script that installs three updates would have a format
similar to the following:
rem First two updates: silent install, restart held back
Wusa.exe i:\windows6.1-kb123456-x64.msu /quiet /norestart
Wusa.exe i:\windows6.1-kb123457-x64.msu /quiet /norestart
rem Last update: no /norestart, so Wusa.exe may restart the computer
Wusa.exe i:\windows6.1-kb123458-x64.msu /quiet
Note that the final Wusa.exe restarts the computer only if its own
update requires a restart. If an earlier update in the chain needed one
but the last did not, installation stays incomplete until you restart
the computer yourself (for example, with shutdown.exe /r), so it is worth
finishing such a script with an explicit restart.
Manual update installation can be a tedious process: the administrator
must ensure that the update files are placed in a location accessible to
the computer being updated and must type out long update file names in
a command-line window. In some cases, though, installing updates
manually is the only way that you can deploy updates to computers
running the Windows 7 operating system.
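The following script is an added example, not code from the original page. It removes the tedium just described by installing every .msu in a folder without typing file names, chaining Wusa.exe with /quiet /norestart as in the batch file above, interpreting the exit codes, and restarting once at the end only when an installed update asked for it. Because packages carried by hand onto an isolated network are exactly the ones that bypass the integrity checks of an automated update channel, it also refuses any package whose Authenticode signature is not valid or not Microsoft's. It assumes an elevated PowerShell session on the Windows 7 computer, that Get-AuthenticodeSignature reads the signature on an .msu container, and a placeholder folder name in $UpdateDir.

```powershell
# Added example, not from the original page. Installs every .msu in a folder
# with Wusa.exe, checking each package's Authenticode signature first,
# holding the restart with /norestart, and restarting once at the end only
# if an update asked for it. $UpdateDir is a placeholder; run elevated.
param([string]$UpdateDir = 'I:\Updates')

# Exit codes Wusa.exe returns, as PowerShell sees them (signed 32-bit values)
$exitText = @{
    0           = 'installed'
    3010        = 'installed, restart required'   # ERROR_SUCCESS_REBOOT_REQUIRED
    2359302     = 'already installed'             # WU_S_ALREADY_INSTALLED, 0x00240006
    -2145124329 = 'not applicable to this system' # WU_E_NOT_APPLICABLE, 0x80240017
}

$restartNeeded = $false
foreach ($file in (Get-ChildItem -Path $UpdateDir -Filter '*.msu' | Sort-Object Name)) {

    # Refuse anything whose signature is not valid or was not issued to Microsoft.
    # (Assumption: Get-AuthenticodeSignature reads the .msu container's signature.)
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($sig.Status -ne 'Valid' -or
        $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        Write-Warning ("Skipping {0}: signature status {1}" -f $file.Name, $sig.Status)
        continue
    }

    # Wusa.exe is a windowed program, so PowerShell would not wait for it when
    # called directly; Start-Process -Wait blocks until it exits and exposes the code.
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
                          -ArgumentList "`"$($file.FullName)`" /quiet /norestart" `
                          -Wait -PassThru
    $code = $proc.ExitCode
    $text = if ($exitText.ContainsKey($code)) { $exitText[$code] }
            else { "unexpected exit code $code" }
    "{0,-40} {1}" -f $file.Name, $text

    if ($code -eq 3010) { $restartNeeded = $true }
}

# One restart for the whole batch rather than one per update, and only if needed
if ($restartNeeded) {
    'Restarting in 60 seconds to complete installation.'
    & "$env:SystemRoot\System32\shutdown.exe" /r /t 60 /c "Windows updates installed"
} else {
    'No restart required.'
}
```

Sorting by file name keeps the order deterministic across runs, which matters when one package supersedes another. Each Wusa.exe attempt is also recorded in the Setup event log, so a failed or skipped package can be investigated after the fact on the computer itself.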
More Info
WINDOWS UPDATE STAND-ALONE INSTALLER
To find out more about the Windows Update Stand-alone
installer (Wusa.exe), consult the following article on the
Microsoft Web site: http://support.microsoft.com/kb/934307.