Sunday, May 06, 2007

Windows Offline Updater...Updated!

I've been using the Heise Security's Offline Updater (DIY Service Pack) package for some time in our IT workshop to keep freshly reimaged systems almost fully patched right after deployment, but before connection to the network.

I highly recommend this for anyone deploying a new Windows 2000/XP system. It's a great way to get a system almost fully patched before attaching it to the wild wild network and any baddies that might be floating around the Web or the local network.

It basically works like this,

Download the updater program to a "host" system.

Run the launcher and pick your operating system(s) to update.

The application will go out and download all the needed patches off Microsoft's own servers using their update catalog.

It will then wrap them up in an ISO format file...ready for burning.

Deploy on individual CD media or all of them on a single DVD.

To install pop the auto-run cd/DVD media in the system needing updating. Select the "run" option and let the updates flow.

If you want to bring your update media up to date (after the next patch release cycle by Microsoft) just rerun the application off the host system and it will only download and add any new updates, creating a new ISO file.

It's very neat and slick, and can even be customized to include or skip particular patches and files.

Version 3.02 worked great.

Beginning in version 3.03 I began having some issues with the updater not downloading/installing the packages quite correctly.

Then I found a post thread that helped; What fixed it for me with errors I found using v3.04 - via Offline Update | heisec-UK Forums

Basically, I copied the files mentioned from a previous Offline Update disk that did work to the locations mentioned in the new updater. Then I ran it as normal. This ensured the files needed were already present. No more problems.

I noticed Friday night that they released another new version, 3.11 with a number of fixes and tweaks.

I'm going to give this one a clean test without the "hack" mentioned above when I get to work next week.

Hopefully it will work like a charm.

I highly recommend this Windows Update utility for any Windows IT shop. It saves a bunch of time on downloading updates over the wire...especially if it is a brand-new, unpatched system. Also great for users still on dialup (although you still got to make and get the files first...broadband is highly recommended!).

Similar Windows updater packages exist as I have previously blogged, but this is by far the best in my book. Simple, fast and directly delivered to you from Microsoft's own servers.

Go roll your own!

--Claus

2 comments:

Anonymous said...

Thanks - I learned about this tool from one of your earlier posts, and I love it. In addition to the security aspects, it is MUCH quicker than installing via Windows Update. Do you know of a similar tool for Microsoft Office?

Anonymous said...

Hi Mark,

Actually, with a bit of tweaking on your part, Heise's tool should be able to handle quite a number of the Office updates as well.

Heise: Tweaking the parameters

Quoting from that page.

"Additional Microsoft patches not covered in the base configuration of the offline update can be added in later as static updates. To arrange for the download script to download an additional packet, add its URL into one of the text files in the "static" directory. For the English version of XP, for example, this is the file StaticDownloadLinks-wxp-enu.txt. The download script sorts the downloaded files into the proper folder within \client.

To arrange for the installation script to install the additional update, you must add its KnowledgeBase ID into a file within \client\static associated with the applicable operating system; for XP this is StaticUpdateIds-wxp.txt. Because the installation script cannot check whether a static update has already been installed, it basically installs the entire list, even if individual updates are already present.

The offline update is set up modularly and is easy to adjust. It would also be conceivable to use the mechanisms employed there to install updates for other Microsoft products such as Office."

I've played with this a bit at work where we run Office 2000 and 2003.

What I did was to fully (Windows) patch a test target system. Then I ran the Office Updater (on-line) and wrote down all the KB#'s that it offered. Then you need to do some research to get the download URL's for each of these patches. Put both items in their proper locations per Heise's tips.

It's been a while since I played with trying to manually roll the Office updates into it but I want to say some worked great and others didn't. However, just getting the ones that do saves a bit of time.