Updates
are additions to the system or software that are issued after the
official release. A critical use of updates is to distribute patches for
security issues. Ideally, software wouldn't have any bugs or be
vulnerable to any type of security breaches, but the truth is that
software is inherently insecure.
You keep Windows secure by keeping it up to date. Updates related to security are labeled as security updates
and also as Important updates. Microsoft releases security updates on
the second Tuesday of each month (commonly called Patch Tuesday) and
occasionally releases urgent updates at other times (commonly called
out-of-cycle updates). Security updates often include the number of a
Knowledge Base article (such as KB 958559) that includes amplifying
information.
Here are some of the other common uses of updates:
Windows 7 updates
include updates for both the operating system and applications. Early
versions of Windows included only updates for the Windows operating
system, and updates for applications were obtained separately. Windows 7
updates are now used to update applications such as Microsoft Office.
This eliminates the need to manage updates for applications separately.
Updates are displayed as
Important, Recommended, and Optional by the Windows Update client. These
categories are set by Microsoft when the updates are released, and each
can be configured with different deployment choices.
Important updates
Important updates
are security related and designed to protect your PC from security or
privacy threats. As an example, if a known bug is discovered that can be
exploited by an attacker, a patch would be written to plug the hole.
When the patch is applied as an update, the attacker can no longer use
this method to exploit your system.
Recommended updates
Recommended updates
are performance related and designed to help improve the operation of
your computer. As an example, if a bug is discovered that causes an
application to hang or crash when a user takes specific actions, a patch
would be written to resolve the problem and released as a recommended
update. Alternatively, if a driver is created to improve the performance
of hardware, it would be released as a recommended update.
Optional updates
Optional updates
are free additional software programs that you might like to have on
your system. They aren't related to security or the performance of your
computer but instead add capabilities. Once these optional updates are
installed on your computer, they may be updated using either important
or recommended updates if needed. If they aren't installed on your
computer, you won't be prompted to download other updates related to
them.
1. Deploying Updates
Three primary methods are available to keep Windows 7 up to date in an enterprise:
Automatic Update
Clients individually connect to Microsoft Update for updates. For small organizations of up to 50 clients, the Automatic Update
method is often used. It doesn't require any additional servers to
support it. It's common to use Group Policy to configure the settings
for updates to ensure that all clients are configured to download and
install the updates automatically. However, this method does not give
administrators the ability to approve or decline updates.
Windows Server Update Services
Windows Server Update Services (WSUS)
is a free server product available from Microsoft. A central server is
used to download updates, and all clients can receive their updates from
this server instead of Microsoft Update. This saves bandwidth because
updates are downloaded only once for an organization, and it also gives
administrators control over what updates are approved and deployed to
clients. WSUS is installed on a server product (not Windows 7), and it
is relatively easy to get up and running.
System Center Configuration Manager
System Center Configuration Manager (SCCM)
is a specialized enterprise server application that must be purchased
(similar to how Microsoft Exchange or Microsoft SQL Server is a separate
enterprise application that must be purchased). It provides a lot more
control to the administrator, including not only what updates are
applied to which clients but also exactly when these updates are
deployed. Large enterprises use SCCM to have more control over deployed
updates. One of the deciding factors on using SCCM is whether the IT
staff has expertise with SCCM or the training funds to get the staff up
to speed on its use.
When preparing for the 70-686
exam, you should be aware of the capabilities of SCCM related to
delivering updates to clients. You aren't expected to be an expert on
it, but you should be aware of it. One of the primary benefits of SCCM
over WSUS related to updates is the ability to schedule when updates are
delivered.
2. Auditing Updates
In addition to deploying
updates, you occasionally need to audit systems for updates. Auditing a
system for updates allows you to verify that updates are installed on
the system.
WSUS and SCCM both have the
ability to audit systems for updates. However, if you're not using WSUS
or SCCM to deploy the updates, you can use the Microsoft Baseline Security Analyzer (MBSA). MBSA includes both a GUI and a command-line interface (MBSACLI) tool.
In addition to checking for
updates, MBSA can be used to check several other security issues on a
system.
3. Deploying Service Packs and Rollups
When you are installing a new
computer, you don't necessarily want to install all of the updates
individually. This can be both time and labor intensive. Instead, you'd
install a service pack, an update rollup, or both to bring the
computer close to being up to date. You'd then apply all the updates
that were released since the service pack or update rollup was released.
Service pack
A comprehensive update to the system that includes all of the critical
updates, security updates, and update rollups since either the last
service pack (SP) or the operating system was released.
Update rollup
A significant number of updates released since the last service pack or
the operating system was released. It is a cumulative set of critical
updates, security updates, hotfixes, and other updates. Update rollups
are usually targeted at specific products. For example, an update rollup
may be released for Microsoft Office, but it wouldn't include updates
for other software.
NOTE
Service packs and
update rollups are usually well tested because the updates have been in
place for a while. This means that there is less risk of a service pack
or an update rollup causing a problem than there may be from the initial
release of another update.
Service packs and update rollups are characterized as either cumulative or incremental.
Cumulative
A cumulative SP includes all the previous service packs. For example,
if SP3 includes the contents of SP1 and SP2, it is considered a
cumulative SP. Update rollups have been consistently released as
cumulative, but that could change.
Incremental
An incremental SP includes only the updates since the last service
pack. This requires you to install the previous SP before you can
install the newer SP.
Microsoft has done
both incremental and cumulative service packs. As an example, Windows XP
SP2 was cumulative, but Windows XP SP3 was incremental. When deploying
service packs, you should be aware of whether it is cumulative and can
be deployed alone or incrementally and needs the previous service packs
to be installed first.
4. Windows Update Client
Windows 7 includes the Windows Update client
that is responsible for installing updates. The Windows Update client
works the same way no matter where the updates are coming from
(Microsoft Update site or internal server).
The Windows Update service is
the primary service that detects, downloads, and installs the updates
that keep Windows 7 and other applications up to date. This service should
always be running. The Windows Update Agent is used by applications
like WSUS and SCCM to interact with this service.
You can access the Windows Update client by selecting Start => All Programs => Windows Update. Your display will look similar to Figure 1.
This page shows at a glance the
current status of updates on a system, including whether updates are
available, when they were installed, and how updates are received. The
figure shows that updates are received from Microsoft Update. If the
computer was within a network that used WSUS or SCCM, it would instead
state that updates are Managed By Your System Administrator.
Windows 7 clients should
normally check for updates once a day, so the date shown for the Most
Recent Check For Updates should be today or yesterday. If it isn't, it
indicates a problem.
Although Windows Update
automatically checks for updates based on the settings, it is possible
to check for updates manually at any time by clicking the Check For
Updates link on the Windows Update screen. Windows Update will then
attempt to connect to the designated source for updates. This could be
Microsoft Update, WSUS, or SCCM. If updates are available, it will
indicate the type of updates available and how many are available.
Windows 7 updates are released as MSU files (named with an .msu
extension). These files aren't executables, but if you double-click
one, it will be installed using the Windows Update Standalone Installer (wusa.exe).
It's worthwhile to understand the format of the naming convention used with MSU files. They are formatted as WindowsVersion-KBnumber-vNumber-platform.
For Windows 7, the
Windows version is 6.1. Windows Vista is version 6. (This common version
number of 6 with Windows Vista and Windows 7 is used for compatibility
checks. If an application is compatible with Windows Vista, it is
compatible with Windows 7.) The KB number lists the associated Knowledge Base number for the update, such as KB958559. If
an update is released a second time, the version number will be
included (such as v2 or v3). For the first version, this is typically
omitted. The platform can be either x86 or x64, indicating the architecture.
As an example, the initial Windows 7 update related to KB958559 for 64-bit systems is called Windows6.1-KB958559-x64.msu.
These updates can be scripted using the WUSA command as follows:
Wusa Windows6.1-KB958559-x64.msu
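The naming convention and the WUSA command above are enough to script update installation from a folder of MSU files. The following PowerShell script is an added example, not code from the book: it parses each file name according to the WindowsVersion-KBnumber-vNumber-platform convention, skips packages built for a different Windows version or architecture, skips KBs that Get-HotFix already reports as installed, and installs the rest with wusa.exe. It assumes wusa.exe accepts the /quiet and /norestart switches and returns exit code 0 (installed) or 3010 (installed, reboot required), and that $PackageDir is a folder you point it at.

```powershell
# Added example, not from the book: scripted MSU installation driven by the
# WindowsVersion-KBnumber-vNumber-platform file-name convention.
# Assumptions: wusa.exe /quiet /norestart; exit 0 = installed, 3010 = reboot
# required; Get-HotFix lists installed KB numbers; $PackageDir is your folder.

function Parse-MsuName {
    param([Parameter(Mandatory=$true)][string]$FileName)
    # Matches Windows6.1-KB958559-x64.msu and Windows6.1-KB958559-v2-x64.msu
    $pattern = '^Windows(?<os>\d+(\.\d+)?)-KB(?<kb>\d+)(-v(?<ver>\d+))?-(?<arch>x86|x64)\.msu$'
    if ($FileName -notmatch $pattern) {
        throw "Not a recognised MSU file name: $FileName"
    }
    $ver = 1                                   # the first release omits -vN
    if ($Matches['ver']) { $ver = [int]$Matches['ver'] }
    New-Object PSObject -Property @{
        File    = $FileName
        OsVer   = $Matches['os']               # 6.1 = Windows 7, 6.0 = Windows Vista
        KB      = 'KB' + $Matches['kb']
        Version = $ver
        Arch    = $Matches['arch']
    }
}

function Install-MsuPackages {
    param(
        [Parameter(Mandatory=$true)][string]$PackageDir,
        [switch]$WhatIf                        # report only, install nothing
    )
    $os    = Get-WmiObject Win32_OperatingSystem
    $v     = [version]$os.Version
    $osVer = '{0}.{1}' -f $v.Major, $v.Minor   # "6.1" on Windows 7
    $arch  = 'x86'
    if ($os.OSArchitecture -like '64*') { $arch = 'x64' }
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }

    foreach ($file in Get-ChildItem -Path $PackageDir -Filter *.msu) {
        $pkg = Parse-MsuName -FileName $file.Name
        if ($pkg.OsVer -ne $osVer -or $pkg.Arch -ne $arch) {
            Write-Warning "Skipping $($file.Name): built for Windows $($pkg.OsVer) $($pkg.Arch), host is $osVer $arch"
            continue
        }
        if ($installed -contains $pkg.KB) {
            Write-Host "$($pkg.KB) is already installed, skipping $($file.Name)"
            continue
        }
        if ($WhatIf) {
            Write-Host "Would install $($file.Name) ($($pkg.KB) v$($pkg.Version))"
            continue
        }
        # The same WUSA command the text shows, with the switches that keep it silent
        $proc = Start-Process -FilePath wusa.exe `
                    -ArgumentList "`"$($file.FullName)`" /quiet /norestart" `
                    -Wait -PassThru
        switch ($proc.ExitCode) {
            0       { Write-Host "$($pkg.KB) installed" }
            3010    { Write-Host "$($pkg.KB) installed, reboot required" }
            default { Write-Warning "$($pkg.KB) failed with exit code $($proc.ExitCode)" }
        }
    }
}

# Usage, from an elevated PowerShell prompt:
# Install-MsuPackages -PackageDir 'C:\Updates' -WhatIf   # dry run
# Install-MsuPackages -PackageDir 'C:\Updates'
```

Run the dry run first: it shows which packages would be skipped and why, which is also a quick way to catch a file copied from the wrong architecture folder before wusa.exe reports an error.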
5. Viewing Windows Update Settings
If you launch Windows Update,
you can view and modify the settings by clicking the Change Settings
link on the left side of the window. Figure 2 shows the settings page for Windows Update.
This page includes
several important settings, starting with Important Updates, used to
identify how and when they are installed. If you select the drop-down
box under Important Updates, you'll see several choices:
Install Updates Automatically (Recommended)
Windows will
periodically check for updates and will download them in the background.
Updates will be installed on the computer based on the schedule, with
3:00 AM daily being the default.
Download Updates, But Let Me Choose Whether To Install Them
Updates will be
downloaded in the background, and a text bubble will occasionally appear
when updates have been downloaded and are ready to install. The user must manually
install them. This allows users to take more control over when the
updates are installed but also risks that updates are never installed.
From an administrator's point of view, you can't depend on users to
perform core security steps, but you must instead take control of the
process whenever possible.
Check For Updates, But Let Me Choose Whether To Download And Install Them
Windows Update
will periodically check for updates in the background, and a text bubble
will occasionally appear when updates are available for download. This
is useful when clients are connected through slow connections, such as a
dial-up link, but will rarely be used in an enterprise.
Never Check For Updates (Not Recommended)
A computer that is not
kept up to date will soon be an unsecured computer. It's just a matter
of time before a bug is discovered and can be exploited. About the only
reason to select this setting is if the computer is completely isolated
and cannot receive updates from any source.
You can allow recommended
updates to be installed on the same schedule as the important updates by
checking the box Give Me Recommended Updates The Same Way I Receive
Important Updates, as shown previously in Figure 2.
If you want only administrators
to be able to install updates manually, you can uncheck the box Allow
All Users To Install Updates On This Computer. When this box is checked,
any logged-on user can install updates.
NOTE
Two additional
selections are available to home users or clients that are not joined to
a domain. They are Microsoft Update and Software Notifications.
All of these settings can be controlled using Group Policy.
If the settings are dimmed, it indicates that they have been set by
Group Policy and cannot be modified or configured by the user. In
addition, a message will appear in the window that says Some Settings
Are Managed By Your System Administrator.
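Because Group Policy writes these settings to the registry, you can check from a script which of the Change Settings choices is in force on a client and whether the client is pointed at Microsoft Update or at an internal WSUS or SCCM server. The PowerShell script below is an added example, not from the book. It assumes the policy values live under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (and its AU subkey) with the usual meanings: AUOptions 2, 3, and 4 correspond to the three check/download/install choices, NoAutoUpdate=1 to Never Check For Updates, IncludeRecommendedUpdates and ElevateNonAdmins to the two check boxes, and UseWUServer with WUServer to an internal update source. A missing key means no policy applies and the user's own choice on the Change Settings page is in effect.

```powershell
# Added example, not from the book: report the effective Windows Update
# configuration set by Group Policy, in the words the Change Settings page uses.
# Assumption: the registry value names and meanings below follow the Windows
# Update policy registry layout; absent values mean no policy is applied.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Get-WindowsUpdatePolicy {
    $noAuto  = Get-PolicyValue $AuKey 'NoAutoUpdate'
    $auOpt   = Get-PolicyValue $AuKey 'AUOptions'
    $day     = Get-PolicyValue $AuKey 'ScheduledInstallDay'
    $hour    = Get-PolicyValue $AuKey 'ScheduledInstallTime'
    $recomm  = Get-PolicyValue $AuKey 'IncludeRecommendedUpdates'
    $useWsus = Get-PolicyValue $AuKey 'UseWUServer'
    $server  = Get-PolicyValue $PolicyKey 'WUServer'
    $elevate = Get-PolicyValue $PolicyKey 'ElevateNonAdmins'

    # Translate the policy value into the drop-down choice under Important Updates
    $setting = 'Not set by policy (user choice on the Change Settings page applies)'
    if ($noAuto -eq 1) {
        $setting = 'Never Check For Updates (Not Recommended)'
    } else {
        switch ($auOpt) {
            2 { $setting = 'Check For Updates, But Let Me Choose Whether To Download And Install Them' }
            3 { $setting = 'Download Updates, But Let Me Choose Whether To Install Them' }
            4 { $setting = 'Install Updates Automatically (Recommended)' }
            5 { $setting = 'Automatic updates required; local administrator chooses the mode' }
        }
    }

    # Scheduled install day/time only matter for the automatic-install choice
    $schedule = 'n/a'
    if ($auOpt -eq 4) {
        $days = @('Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday')
        if ($day -eq $null)  { $day  = 0 }   # default: every day
        if ($hour -eq $null) { $hour = 3 }   # default: 3:00 AM
        $schedule = '{0} at {1:00}:00' -f $days[$day], $hour
    }

    # What the main Windows Update page reports as the source of updates
    $source = 'Microsoft Update'
    if ($useWsus -eq 1 -and $server) { $source = "Managed by your system administrator ($server)" }

    New-Object PSObject -Property @{
        ImportantUpdates     = $setting
        InstallSchedule      = $schedule
        UpdateSource         = $source
        RecommendedSameWay   = ($recomm -eq 1)
        AllUsersCanInstall   = ($elevate -ne 0)     # value absent = all users may install
        ManagedByGroupPolicy = (Test-Path $AuKey)
    }
}

Get-WindowsUpdatePolicy | Format-List
```

If ManagedByGroupPolicy is true the Change Settings page will be dimmed for the user, as described above; if UpdateSource names a server but clients still show Microsoft Update, check that UseWUServer is 1, since WUServer alone does not redirect the client.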
6. Installing, Hiding, and Restoring Updates
If you don't have updates set
to install automatically, or you want to install optional updates, you
can install them manually. When updates are available, a link exists on
the Windows Update page that you can click to access the page to install
them.
Figure 3
shows a list of updates that can be selected to install on a system. In
the figure, I have selected the check box next to the nVidia - Display -
NVIDIA GeForce 9600M GT driver update. To install this update, I'd
simply select the check box and click OK to begin the installation.
In addition, updates can be
hidden from this page. Let's say that I decided that I'll never master
the Bulgarian language, so I won't need the Bulgarian language pack on
my system. I can right-click it (as shown in the previous figure) and
select Hide Update. The update will be gone the next time I return to
this page.
But what if I change my mind
and decide that I do want the Bulgarian Language Pack update that I hid?
It's not gone for good. The main Windows Update page
includes the link Restore Hidden Updates. After you click this link, a
display similar to Figure 4 will appear.
To restore the Bulgarian Language Pack update, select the check box for it and click Restore.
7. Viewing Update History
You can view a list of all updates that have been deployed to your computer by clicking the View Update History link on the Windows Update page.
The update history report
includes the common name, the status (Successful or Failed) of the
update installation, the importance (Important, Recommended, or
Optional), and the date it was installed. You can double-click any
update to view additional information.
Figure 5
shows the update history for one of my computers. I also double-clicked
Security Update For Windows 7 For x64-Based Systems (KB975467) to view
additional details on this update.
This is a simple but effective method to verify that an update has been deployed to a system.
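The Windows Update Agent that WSUS and SCCM talk to is also reachable from PowerShell through its COM interface, which lets you audit a system (Section 2) without MBSA, verify the last-check date (Section 4), list hidden updates (Section 6), and pull the same history the View Update History page shows (Section 7). The script below is an added example, not from the book. It assumes it runs elevated on the audited machine, that the search strings 'IsInstalled=0' and 'IsHidden=1' use the WUA search syntax, that the ResultCode values follow the WUA OperationResultCode enumeration (2 = Succeeded, 4 = Failed), and that LastSearchSuccessDate is reported in UTC.

```powershell
# Added example, not from the book: audit a Windows 7 client through the
# Windows Update Agent COM API (Microsoft.Update.Session / Microsoft.Update.AutoUpdate).
# Assumptions: run elevated; WUA search syntax; ResultCode 2 = Succeeded,
# 4 = Failed; Operation 1 = installation; LastSearchSuccessDate is UTC.

$Session  = New-Object -ComObject Microsoft.Update.Session
$Searcher = $Session.CreateUpdateSearcher()

function Get-MissingUpdates {
    # Same query the Check For Updates link runs, against the configured source
    $result = $Searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        New-Object PSObject -Property @{
            Title      = $u.Title
            KB         = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
            Severity   = $u.MsrcSeverity       # set for security updates, empty otherwise
            Downloaded = $u.IsDownloaded
        }
    }
}

function Get-HiddenUpdates {
    # What the Restore Hidden Updates page would list
    foreach ($u in $Searcher.Search('IsHidden=1').Updates) { $u.Title }
}

function Get-UpdateHistory {
    param([int]$Days = 90, [switch]$FailedOnly)
    $names = @{ 0='Not started'; 1='In progress'; 2='Succeeded';
                3='Succeeded with errors'; 4='Failed'; 5='Aborted' }
    $count = $Searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return }
    foreach ($e in $Searcher.QueryHistory(0, $count)) {
        if ($e.Operation -ne 1) { continue }                    # skip uninstalls
        if ($e.Date -lt (Get-Date).AddDays(-$Days)) { continue }
        if ($FailedOnly -and $e.ResultCode -eq 2) { continue }
        New-Object PSObject -Property @{
            Date    = $e.Date
            Title   = $e.Title
            Result  = $names[[int]$e.ResultCode]
            HResult = '0x{0:X8}' -f $e.HResult                  # Windows Update error code on failure
        }
    }
}

function Test-RecentCheck {
    # The text says the Most Recent Check For Updates should be today or yesterday
    param([int]$MaxAgeDays = 2)
    $results = (New-Object -ComObject Microsoft.Update.AutoUpdate).Results
    $last    = $results.LastSearchSuccessDate
    $age     = ((Get-Date).ToUniversalTime() - $last).TotalDays
    New-Object PSObject -Property @{
        LastSearchSuccess      = $last
        LastInstallSuccess     = $results.LastInstallationSuccessDate
        CheckIsStale           = ($age -gt $MaxAgeDays)        # indicates a problem per the text
    }
}

# Usage (the Search calls contact the update source and can take a few minutes):
# Test-RecentCheck
# Get-MissingUpdates | Sort-Object Severity | Format-Table -AutoSize
# Get-UpdateHistory -Days 30 -FailedOnly | Format-Table Date, Result, HResult, Title -AutoSize
# Get-HiddenUpdates
```

A stale last-check date together with a non-empty Get-MissingUpdates result is the combination to look for: the client is not reaching its update source, and the missing list (with KB numbers and MSRC severity) tells you what a compromised-by-delay host is exposed to until that is fixed.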