Tuesday, December 12, 2006

Microsoft Patching - On the Grand Scale!

Almost all (home) tech support geeks are faced with the problem of handling Microsoft's Windows Updates.

(Did you get today's offered updates?)

In the enterprise environment I'm sure we are all using Group Policy, Windows Server Update Services, or even manually configuring Windows Automatic Updates to download and apply patches to the systems, right?

Then again, there is the old standby...going to Microsoft Windows Updates website, running a manual check. Then you can pick and choose, download and install. This generally isn't too painful a process...providing you've got a broadband connection and have been keeping up with the Update Joneses.

You can also manually download the updates yourself, if you know where to look and which ones to get.

But what to do when Uncle Albert calls you to come over to his house in the boonies to help set up his "brand-new" XP system? You show up, and Uncle Albert's pc has a bare hard-drive, he has an XP setup disk, and a dial-up modem. Well, up until recently you have had very few choices. Chances are you are looking at a very large group of updates. Load the system, slap on a firewall, break out the brewskies and sit back and wait for the updates to trickle down the dialup pipe.

Sure, you can download the biggest ones and keep them handy on a USB stick or CD, but it can still be a lot of work collecting all of them.

Until now!

SANS-ISC points us to a new utility offered by heise Security: Offline Update 3.0

It's very clever.

Read the accompanying article carefully. Then download and unzip the file. Then run the application. You can pick from updates for XP / 2000 / Server 2003. You also need to specify if you want to download the English or German version of the patches. You can download all three sets or just two or even one. Depending on your choice you must then decide to have the patches bundled in a CD or DVD ISO for burning. A script will open up a WGET session which will download all the critical security patches for the selected OS(s). What is really cool is that the downloads occur directly from the Microsoft download servers, so you know you are getting valid update files. Once the downloads are completed (not too long assuming you are using your broadband connection) the program rolls them up into a handy ISO file. Then use your favorite ISO burning application to burn them to your CD/DVD media.

Place the burned CD/DVD in Uncle Albert's pc and an autorun file will kick it off. Give it an affirmative, and it will begin to apply all the patches to the system. No downloads to wait for! Sweet!

Drawbacks...well, since the program doesn't check the system update catalog, it doesn't know which updates are already on the system, so it installs them all, even those already present. Not a big deal, but good to be aware of. The program actually uses some text files in the structure to decide which patches to download and install. So with some fairly easy tweaking you can add more or remove the ones you don't want. Also, it does create a temporary updating user profile on the system with Administrator rights to allow the updates to be installed. It is deleted at the end of the update process. Depending on how you feel this is either a great thing or a deal-breaker. Finally, you will still need to run one final manual Windows Updates session to verify that you catch and apply any additional updates that the script doesn't get.

Benefits...a very automated update process, almost all updates on a removable media disk, limited time lost waiting for updates to download and apply. Not a bad deal. Oh yeah, did I mention that it is free?

Read the whole 4-page article from the publisher to get a good idea of what is going on.

Another alternative is Autopatcher.

This gem has been out for some time. It is highly polished and packed with goodies.

Like Offline Update 3.0, it supports XP / 2000 / 2003 Microsoft systems. Unlike Offline Update 3.0, each OS can be selected in Full, Lite, and Update versions.

The Full versions come with all the usual updates, and then the developers toss in a ton of "extras" like desktops, system tweaks, Windows Power Toys, additional application updates, the whole kitchen sink. You appear to be able to decide at installation which ones you want to add and which ones you don't, so you still have some installation control. The Lite version strips out many of the additional items and tweaks. Finally, use the Update version to patch a system you have already run either the Full or Lite version on, as it will just include the latest updates.

Drawbacks...you get some extra download items that you may not want. Like before, there doesn't seem to be a check for the existence of pre-installed patches already on the system, so you will get overwriting again. Also, the developers have already downloaded and packaged the updates, so unlike Offline Update 3.0, which downloads directly from the Microsoft servers, you will have to trust the developers as your source. You decide.
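Both drawbacks (no check for patches already on the box, and having to trust whoever packaged the files) can be covered with one pre-burn audit. The script below is an added example, not code from heise's Offline Update or from Autopatcher: it verifies that every update file in an extracted pack carries a valid Microsoft Authenticode signature and lists the KBs the target machine already has so they can be pruned from the pack's list files. The pack path and the KB-number-in-filename convention are assumptions; it needs PowerShell 3.0 or later.

```powershell
# Added example (not part of Offline Update or Autopatcher).
# Audits an extracted, not-yet-burned update pack:
#   1. flags files that are not validly signed by Microsoft
#   2. lists KBs already installed locally (candidates to drop from the pack)
# Assumptions: $PackRoot is where the pack was extracted, and update file
# names carry the KB number (e.g. WindowsXP-KB123456-x86-ENU.exe).
param([string]$PackRoot = 'C:\offline-update\pack')   # assumed path

# KBs already installed, keyed as 'KB123456'
# (Get-HotFix wraps Win32_QuickFixEngineering, the same data Windows Update consults)
$installed = @{}
Get-HotFix | ForEach-Object { $installed[$_.HotFixID.ToUpper()] = $true }

$report = foreach ($f in Get-ChildItem -Path $PackRoot -Recurse -Include *.exe, *.msi, *.msu) {
    $sig    = Get-AuthenticodeSignature -FilePath $f.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    $kb     = if ($f.Name -match '(KB\d{6,7})') { $Matches[1].ToUpper() } else { $null }

    [pscustomobject]@{
        File      = $f.Name
        KB        = $kb
        SigStatus = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer    = $signer
        # Accept only a valid chain whose leaf certificate belongs to Microsoft
        Trusted   = ($sig.Status -eq 'Valid' -and $signer -like '*O=Microsoft Corporation*')
        AlreadyOn = ($null -ne $kb -and $installed.ContainsKey($kb))
    }
}

# Anything untrusted should come out of the pack before it is burned.
Write-Host "Files without a valid Microsoft signature:"
$report | Where-Object { -not $_.Trusted } |
    Format-Table File, SigStatus, Signer -AutoSize

# KBs this machine already has; remove these from the pack's download list files.
Write-Host "KBs already installed on this machine:"
$report | Where-Object { $_.AlreadyOn } |
    Select-Object -ExpandProperty KB | Sort-Object -Unique
```

Run it on a machine that matches the target OS and language, since the installed-KB list is only meaningful for that build.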

Benefits...you just need to make a single package. That's it. Burn it to a CD/DVD, or it looks like you can even copy the downloaded file to flash media if it is large enough to hold it. The installation options look a bit more selective as well.

Nice work!

Two other slipstreaming alternatives:

RyanVM's Windows XP Post-SP2 Update Pack - Quoting from the developer's site "This pack is designed to bring a Windows XP CD with SP2 integrated fully up to date with all of the latest hotfixes released by Microsoft since SP2's release. It accomplishes this task via direct integration, where files on the CD are directly overwritten by the updated files."

I haven't played with this one yet, but it appears to be a slipstreaming process. You can also add in additional features via modules.

Another very slick tool is nLite. Quoting the developer's site again, "nLite is a tool for permanent Windows components removal and pre-installation Windows setup. After removal there is an option to make bootable image ready for burning on cd or testing in virtual machines. With nLite you will be able to have Windows installation which on install doesn't include, or even contain on cd, unwanted components."

nLite Features

- Service Pack Integration
- Component Removal
- Unattended Setup
- Driver Integration *
- Hotfixes Integration **
- Tweaks
- Services Configuration
- Patches ***
- Bootable ISO creation

* - Textmode (CD Boot) and normal PnP
** - hotfixes with white icons, *KB*.exe, including update packs and Internet Explorer 7
*** - supports generic SFC, Uxtheme, TcpIp and Usb Polling patching.

Also in the works from the same group is vLite, for Vista deployments.

So, now you know of quite a few solutions for bulk-patching systems.

These also might be dead useful for you corporate/enterprise sysadmins as well. Instead of constantly updating images with current patches or slipstreaming, just keep an Offline Update 3.0 or Autopatcher disk handy and bring the deployed image up to date, without the download delay times. Sweet!

These solutions aren't for everyone. These can help manage the bulk patch updating process when you have a very "young" system. By being able to apply these critical service patches before you even need to put the pc on the Net, you can help improve the system security and cut down on the chance of it being open to a vulnerability. And save a fair amount of your time in the process. Besides...it looks pretty cool and can impress Uncle Albert (and save his beer).

Not a bad deal!

See you in the skies.

1 comment:

Claus said...

OK. A couple of updates to my post from last night. I'll go back and make corrections to the original post soon.

According to the Offline Updater website....while the script will download all available updates to the CD/ISO file, the "...download script downloads the complete Microsoft update catalogue, which contains significantly more update packets than are needed to patch a freshly installed system – but only the necessary ones are then installed."

So that's a very good thing!

And based on my testing of the AutoUpdater program, you have a very high degree of control over exactly which patches, tweaks and addons you want to apply.

Very nice! I'm very impressed.