Deploying Service Packs and Hotfixes
What are Service Packs and Hotfixes
Service packs and hotfixes are updates that must be applied to the computers on your network. Hotfixes are also referred to as security hotfixes or security fixes. Before looking at the differences in detail, think of a service pack as a collection of updates, delivered as a large executable, that relates to an Operating System (OS), and of a hotfix as one or more files applied to the OS to fix a specific critical problem. Service packs typically deal with setup, security and application-compatibility issues and enhancements, while a hotfix corrects a particular critical OS problem.
Service packs usually improve the reliability and security of the OS. Microsoft issues them periodically to bring the OS up to date and to correct accumulated issues. Service packs can also extend the functionality of a computer when they include new tools and capabilities, and they may contain device drivers.
Hotfixes, on the other hand, fix a particular critical system fault; a hotfix is often a one-off fix for a specific server or client problem. Hotfixes can be downloaded from the Windows Update site or from the TechNet Security page at www.microsoft.com/technet/security/default.asp. The Microsoft Network Security Hotfix Checker (HFNetChk), included with the Microsoft Baseline Security Analyzer (MBSA) tool, can be used to determine whether your network computers have all the necessary hotfixes, and it can check a large number of computers quickly. MBSA can also be used to identify security misconfigurations and weaknesses.
One of the following methods is typically used to deploy updates on existing computers:
-
Windows Update
-
Automatic Updates
-
Software Update Services (SUS)
-
Scripting
-
Systems Management Server (SMS)
-
Group Policy
-
You can also manually deploy an update from a network share or CD-ROM after you have obtained it.
Manual deployment, Windows Update and a stand-alone Automatic Updates client (one not pointed at a SUS server) each update one computer at a time, so they suit a single computer or a small number of computers; Software Update Services (SUS), Group Policy, scripting and SMS are designed to apply updates to many computers. SUS can only deploy service packs and hotfixes for Windows 2000, Windows XP and Windows Server 2003 computers. Scripting and SMS can deploy hotfixes and service packs to all versions of Windows. The Software Installation and Maintenance feature of Group Policy, and scripting, work well when a large number of network computers require the identical update.
Preparing for Service Pack/Hotfix Deployment
The common tasks that should be included when you plan for deploying updates are listed below:
-
Determine the deployment method that you are going to use:
-
Integrated deployment: The OS and service packs are installed at the same time
-
Update deployment: Updates are installed on existing network computers
-
Combination deployment: A combination of the former two methods.
-
-
Determine which deployment tools or files are needed
-
Determine the method to use for scanning existing computers for missing updates
-
Verify space requirements: any update installed on a computer needs disk space both for the installation itself and for the uninstall files it keeps.
-
Thoroughly test the deployment
Before you deploy service packs and hotfixes, test the updates carefully to determine what impact they have on the OS and on your applications; testing is often the most intricate part of deploying updates. Once the updates have been tested, you can deploy them. For new computers, update the Windows Setup files so that the service pack is applied as part of installation (integrated deployment), and use scripting to apply any remaining hotfixes during the build.
How to use Windows Update to analyze if a computer needs to be updated
Before you can deploy service packs or security fixes to your existing computers, you have to determine the status of those computers. Windows Update works well where the number of computers that need service packs or hotfixes is relatively small.
-
Click Start, click All Programs, and then click Windows Update
-
This opens an Internet Explorer window for Windows Update
-
To analyze the computer, click Scan for updates
-
After the scan is completed, you are presented with a list of the updates that are considered necessary for the particular computer.
How to use Microsoft Baseline Security Analyzer (MBSA) to check for missing hotfixes
MBSA runs on Windows 2000, Windows XP and Windows Server 2003 computers and scans computers for security weaknesses and missing hotfixes. MBSA can check the following products:
-
Windows 2000 Server, Windows 2000 Advanced Server, Windows 2000 Professional
-
Windows XP Professional
-
Windows NT 4.0
-
SQL Server 2000, SQL Server 7.0
-
Internet Information Server 4.0 / 5.0
-
IE 5.01
-
Office 2000, and Office 2002 – XP
When MBSA is run from the GUI, it saves its reports in the SecurityScans folder of the profile of the user who ran the scan. MBSA can also be run from the command line (mbsacli.exe) to analyze computers for missing updates.
You can use the following steps to run MBSA from the GUI to analyze a computer for needed hotfixes
-
Download the MBSA tool from the Microsoft website.
-
Double-click the mbsasetup.msi installer, and click Next when the wizard starts.
-
Proceed to accept the end user license agreement. Click Next.
-
On the User information page, enter the appropriate information in the Full Name and Organization text boxes. Click Next
-
You can either accept the default installation path, or specify another path on the Destination Folder page. Click Next
-
When the Choose install options page appears, select your options, and click Next
-
Click Next, and then click Finish
-
Open the MBSA that you just installed
-
Choose Scan a computer
-
When the Pick a computer to scan page appears, select the computer you want to scan. Choose the scan options that you want to use.
-
Click Start scan
-
Click Yes to download the mssecure.xml file. This is the hotfix catalog, which Microsoft updates each time it issues new updates or hotfixes.
-
The MBSA tool displays the scan results after the scan is completed. You can click Result Details if you want to view additional information.
How to use Microsoft Network Security Hotfix Checker (HFNetChk) to scan for missing hotfixes/service packs
The Microsoft Network Security Hotfix Checker (HFNetChk) that is included in the Microsoft Baseline Security Analyzer tool can be used to analyze one or many computers for missing hotfixes and service packs. The attractive feature of this tool is that it can be scripted to scan a number of different configurations, and it can scan for missing updates for one or several products. HFNetChk can scan the following:
-
Windows 2000 Server, Windows 2000 Advanced Server, Windows 2000 Professional
-
Windows XP Professional
-
Windows NT 4.0
-
Windows Media Player
-
Microsoft Data Engine 1.0
-
Exchange Server 5.0, and 2000
-
SQL Server 2000, SQL Server 7.0
-
Internet Information Server 4.0 / 5.0
-
IE 5.01
-
Office 2000, and Office 2002 – XP
When HFNetChk runs it uses an XML file, mssecure.xml, that contains detailed information on all the available hotfixes for many products. If the file is not present in the directory from which HFNetChk is run, the tool downloads it from the Microsoft Web site as a compressed, digitally signed CAB file; the signature lets the catalog be verified as genuinely from Microsoft before its contents are trusted. HFNetChk first scans the target computers to find out which operating systems, programs and service packs are installed, then uses the XML data to determine which hotfixes or service packs each computer's configuration still requires. When the scan completes, HFNetChk reports the updates needed to make the computers current and secure; it does not report updates it considers unimportant.
When HFNetChk determines whether an update is important, it looks at the following:
-
File version installed by the update
-
The Checksum
-
The registry key installed by the update
When HFNetChk finds the registry key, it compares the installed file version and checksum with the values recorded in the XML file. When it cannot find the registry key, it treats the update as not installed (the -z switch, described below, changes this by skipping the registry check).
The syntax of the HFNetChk tool and a description of its associated switches are detailed below:
mbsacli.exe /hf [-h hostname] [-i ipaddress] [-d domainname] [-n] [-b]
[-r range] [-history level] [-t threads] [-o output]
[-x datasource] [-z] [-v] [-s suppression] [-nosum]
[-u username] [-p password] [-f outfile] [-about]
[-fh hostfile] [-fip ipfile] [-fq ignorefile]
-
-h hostname: the NetBIOS name of the computer to scan. The default is the local computer (localhost).
-
-i ipaddress: the IP address of the computer to scan.
-
-d domainname: the domain to scan; every computer in the specified domain is included in the scan.
-
-n: scan the local network; every computer on the local network is included in the scan.
-
-b: compare the installed hotfixes against the minimally acceptable secure baseline rather than the full catalog.
-
-r range: scan the specified IP address range.
-
-history level: display the hotfix history: 1 lists hotfixes that are explicitly installed, 2 lists hotfixes that are explicitly not installed, and 3 lists both.
-
-t threads: the number of threads used to run the scan. The default is 64.
-
-o output: the output format: wrap (the default) or tab for tab-delimited output that can be imported into a spreadsheet or processed by a script.
-
-x datasource: the XML data source for the scan (a local mssecure.xml or mssecure.cab, or a URL). If you point this at a local .xml copy, obtain it from a trusted source, because a bare .xml file cannot be verified the way the signed CAB downloaded from Microsoft can.
-
-z: do not perform registry key checking.
-
-v: verbose; display the full reason for each Patch NOT Found, WARNING and NOTE message.
-
-s suppression: suppress informational messages: 1 suppresses NOTE messages, 2 suppresses both NOTE and WARNING messages. By default all messages are displayed.
-
-nosum: do not perform checksum checking.
-
-u username: the username used to log on to the remote computers.
-
-p password: the password for that username. A password passed on the command line is visible to anyone who can list processes on the scanning computer and tends to end up in scripts and logs; where possible, run the scan under an account that already has administrative rights on the targets instead.
-
-f outfile: the file to which HFNetChk saves its results. By default results are displayed on screen.
-
-about: display the version of HFNetChk.
-
-fh hostfile: a text file listing the NetBIOS names of the computers to scan, one per line.
-
-fip ipfile: a text file listing the IP addresses of the computers to scan, one per line.
-
-fq ignorefile: a text file listing the Q numbers that should be suppressed from the output, one per line.
How to manually deploy service packs/hotfixes
You can manually install an update from a network share, CD-ROM, or by using Windows Update.
Use the steps below to deploy updates using a network share
-
Connect to either the network or computer that you want to create the update distribution folder on
-
Create the distribution folder for the service pack on the particular network share
-
Proceed to copy the service pack onto this network share
-
Run the service pack installer executable (referred to here generically as ServicePack.exe) from the share.
How to use Windows Update Catalog to obtain necessary service packs/hotfixes
Corporate Windows Update has been replaced by Windows Update Catalog and Software Update Services. Windows Update Catalog provides the same capabilities that Corporate Windows Update did.
Use the steps below to obtain updates using Windows Update Catalog:
-
Enter the following URL in the address bar of Internet Explorer to open the Windows Update Catalog tool: http://windowsupdate.microsoft.com/catalog
-
To identify any updates that are missing on your computers, click Find updates for Microsoft Windows operating systems.
-
Select the operating systems for which you want to find all available updates.
-
Click Advanced search options if you want to explicitly specify items that should be deployed.
-
Click Search to start the scanning process.
-
Click Critical Updates and Service Packs to view information on these items
-
Click Read more to view additional information on particular items.
-
To add any items to the download basket, simply click Add
-
After you have added all necessary items to the download basket, click Go to Download Basket
-
All the items that you have selected are displayed on the screen.
-
Click Download now to start downloading the items
-
Click Accept to accept the licensing agreement
-
All items that are downloaded are noted in Download History
-
You now have to use a deployment method to install the updates on your computer.
How to use Windows Update to deploy service packs/hotfixes
Windows Update is ideal for deploying updates to a single computer or a small number of computers (fewer than 5)
-
You would typically need to first scan the computer(s) to determine what fixes are missing. Following this, you would choose the updates that should be downloaded and applied to the computer.
-
Updates the computer needs from the Critical Updates and Service Packs categories are added to your installation list automatically. Click the Critical Updates or Service Packs link to examine these updates, and click Read more if you want additional information on a particular item.
-
The items under Windows 2000 updates are not automatically added to your installation list. Click the Windows 2000 link if you want to add any of these items.
-
All recent device drivers are listed under Driver Updates. Click the link to add any of these items to your installation list.
-
After selecting all the items that you want to deploy to the computer, Click Review and install updates.
-
After you have rechecked the items that you want to install, click Install Now.
-
Accept the licensing agreement.
-
Windows Update proceeds to download and install the updates that you have earmarked for deployment on the computer.
-
When prompted, proceed to restart the computer.
How to install and use Software Update Services (SUS) to deploy service packs/hotfixes
You must install the SUS server software before you can use SUS, together with the Automatic Updates client, to deploy service packs and hotfixes. Use the following URL to obtain the SUS files from the Microsoft Website: www.microsoft.com/windows2000/downloads/recommended/susserver/default.asp.
Before installing SUS, ensure that your system meets the following SUS requirements:
-
The server that you identified as the SUS server must be running Internet Explorer 5.5 or later, and IIS 5.0 or later.
-
The system partition on the server must be formatted with NTFS
-
SUS also has to be installed on a NTFS partition
-
If you have SUS SP1, you can install SUS on domain controllers and on Small Business Server servers
To install and set up SUS to deploy updates, use the following steps:
-
Download the necessary SUS files from the Microsoft Website
-
To start installing SUS, double-click the SUSSetup.msi file.
-
Click Next to proceed with the installation wizard
-
Click I accept the terms in the License Agreement to accept the license agreement. Click Next
-
When the Choose setup type page appears, click Custom
-
On the Choose file locations page, specify the location to store any updates that are downloaded. Click Next.
-
On the Language Settings page, choose the language option, and click Next.
-
When the Handling new versions of previously approved updates page appears, it is recommended to choose the I will manually approve new versions of approved updates option. Click Next
-
The Ready to install page lists the URL that clients should use for the Automatic Updates client.
-
Click Install to install SUS.
-
Click Finish to exit the wizard
-
Open a browser and go to the SUS administration page on the SUS server (http://servername/SUSAdmin).
-
To start using SUS, you should first synchronize the SUS server. Click Synchronize server to perform this task.
-
You should also configure a synchronization schedule for your SUS server. Click Synchronization Schedule to do this using the Schedule Synchronization dialog box
-
Click Set options on the left pane if you need to specify options for a proxy server.
-
Click Synchronize Now to immediately synchronize the SUS server and download updates
-
Click OK once the download is completed.
-
You will next be informed that the downloaded updates need to be approved and tested.
-
After you have thoroughly tested the updates, you can click the Approve updates button to approve them.
-
When the Approve Updates screen appears, choose each update that should be approved, and click Approve.
-
Click Yes to continue.
-
Click Accept to accept the license agreement. The list of approved updates is now available to Automatic Updates clients.
-
Click OK
How to install Automatic Updates client software on client computers, and use it to install service packs/hotfixes
In order to install Automatic Updates on client computers so that they can access the updates made available by SUS, you have to download and install the Automatic Updates client software. For downloading, use www.microsoft.com/windows2000/downloads/recommended/susclient/default.asp.
You can only use Automatic Updates on:
-
Windows 2000 Server, Windows 2000 Advanced Server, Windows 2000 Professional with SP2 or above
-
Windows XP Professional and Windows XP Home Edition (Windows XP SP1 includes the SUS-capable client)
To install and configure Automatic Updates on your client computers to deploy updates, use the following steps:
-
Download the necessary Automatic Updates client software from the Microsoft Website.
-
To install the Automatic Updates client, double-click WUAU22.msi.
-
Enable the Automatic Updates client; it is not enabled by default.
-
You now have to configure the Automatic Updates client to download updates that you have approved from the SUS server.
-
For SUS, Automatic Updates settings are configured through a Group Policy administrative template (wuau.adm), which first has to be added to the relevant Group Policy object (GPO).
-
To do this for the local computer, enter gpedit.msc at the command line.
-
Expand the Computer Configuration node, then right-click Administrative Templates and select Add/Remove Templates from the shortcut menu.
-
Click Add, select the wuau.adm template, and then click Open
-
Click close to exit Add/Remove Templates
-
Expand Administrative Templates and locate Windows Update
-
Now, set the Configure Automatic Updates object and Specify intranet Microsoft update server location as needed.
-
Depending on the settings you choose, updates are then installed either without user intervention or after prompting the user.
-
Once Automatic Updates has been configured through Group Policy, its settings can only be changed through Group Policy; the corresponding Control Panel options are greyed out on the client.
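A check of the resulting client policy, as an added example that is not part of the original page or of the SUS documentation. The wuau.adm template writes its settings under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (WUServer, WUStatusServer) and its AU subkey (NoAutoUpdate, AUOptions, ScheduledInstallDay, ScheduledInstallTime, UseWUServer). The script parses a registry export of that key and flags clients that are not actually pointed at the approved SUS server, since a client whose policy is missing or has drifted will quietly fetch from Windows Update instead, or not update at all. The two exports and the server name sus01.corp.example are constructed for the example; the finding texts are the example's own.

```python
"""Audit the Automatic Updates policy values written by the wuau.adm template.

Added example, not Microsoft code. Input is a registry export (regedit /e) of
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate; the sample exports and
the server name sus01.corp.example are constructed for this example.
"""
import re

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = POLICY_KEY + r"\AU"

# Meanings of AUOptions under the Configure Automatic Updates policy setting.
AU_OPTIONS = {
    2: "notify before download",
    3: "download automatically, notify before install",
    4: "download automatically and install on the schedule",
}

_KEY_LINE = re.compile(r"\[(.+)\]")
_VALUE_LINE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for the string and dword values
    in a .reg export (REGEDIT4 or Windows Registry Editor Version 5.00)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT4", "Windows Registry Editor", ";")):
            continue
        key = _KEY_LINE.fullmatch(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        value = _VALUE_LINE.fullmatch(line)
        if value and current is not None:
            name, dword, string = value.groups()
            # .reg files escape backslashes and quotes inside string data
            keys[current][name] = (int(dword, 16) if dword is not None
                                   else string.replace('\\"', '"').replace("\\\\", "\\"))
    return keys


def audit_au_policy(reg_text, expected_server):
    """Return a list of findings; an empty list means the client is configured
    to pull approved updates from `expected_server` and install them unattended."""
    keys = parse_reg_export(reg_text)
    wu, au = keys.get(POLICY_KEY, {}), keys.get(AU_KEY, {})
    findings = []
    if au.get("NoAutoUpdate") == 1:
        findings.append("NoAutoUpdate=1: Automatic Updates is disabled by policy")
    if au.get("UseWUServer") != 1:
        findings.append("UseWUServer is not 1: client ignores WUServer and uses Windows Update")
    for name in ("WUServer", "WUStatusServer"):
        value = wu.get(name)
        if not isinstance(value, str):
            findings.append(f"{name} is not set")
        elif value.rstrip("/").lower() != expected_server.rstrip("/").lower():
            findings.append(f"{name} is {value!r}, expected {expected_server!r}")
    option = au.get("AUOptions")
    if option not in AU_OPTIONS:
        findings.append(f"AUOptions={option!r} is not a valid setting")
    elif option != 4:
        findings.append(f"AUOptions={option} ({AU_OPTIONS[option]}): installs wait for a user")
    return findings


# Constructed export from a correctly configured client.
GOOD_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus01.corp.example"
"WUStatusServer"="http://sus01.corp.example"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"UseWUServer"=dword:00000001
"""

# Constructed export from a client whose policy has drifted: it names a retired
# server, is not told to use it, has no status server, and waits for a user.
DRIFTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus-old.corp.example"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000003
"UseWUServer"=dword:00000000
"""

if __name__ == "__main__":
    for label, export in (("good", GOOD_EXPORT), ("drifted", DRIFTED_EXPORT)):
        print(label, audit_au_policy(export, "http://sus01.corp.example") or ["OK"])
```

To produce the input on a client, run regedit /e au-policy.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" and feed the file's contents to audit_au_policy. Because the SUS client takes whatever server WUServer names, this key is worth watching for changes as well as auditing once: anyone who can write HKLM policy values on a client can redirect it away from your approved SUS server.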
How to deploy service packs using the Software Installation and Maintenance feature of Group Policy
You can use the Software Installation and Maintenance Group Policy feature to deploy any required service packs. When using Group Policy you can use one of two methods to deploy the updates:
-
Publish the updates. Users will have to use the Add/Remove Programs feature located in Control Panel to install the updates
-
Assign the updates to computers. Updates that are assigned to computers are installed when the computer next restarts.
Use the following steps to deploy updates using Group Policy
-
Access the server that you want to use as the software distribution point (SDP), and then create a folder for the service pack that you want to deploy.
-
Copy the service pack to the SDP.
-
Proceed to create a Group Policy object (GPO) for the service pack.
-
In the console tree of the GPO, expand Computer Configuration, and then Software Installation.
-
Use the Action menu to select New, and then Package.
-
Proceed to locate the folder that contains the service pack on the software distribution point, and click Open.
-
Next, use the My Network Places icon to find the particular package.
-
In the Deploy Software dialog box, choose Assigned.
-
Click OK
How to install service packs using Systems Management Server (SMS)
You can use SMS to install service packs on SMS client computers from a network distribution share. Using SMS for deploying updates involves the following steps:
-
Create an SMS package that specifies the location of the service pack source files and uses the package definition file (.pdf) supplied for distributing the service pack. The package definition file contains the information needed to create the SMS package, including the command lines for the programs that run on the SMS client computers and control how the package executes.
-
You then have to distribute the SMS package to the distribution points that you have identified
-
Lastly, you have to create an SMS advertisement that will inform the SMS clients on the available service packs.
How to create a SMS package for a service pack
-
Access the computer or network that you want to use for the source files
-
Proceed to create the source files directory for the service pack.
-
Next, copy the executable files of the service pack to the source files directory which you have created.
-
Open the SMS Administrator console
-
Select Packages
-
Use the Action menu to choose New, and then Package from Definition
-
When the Welcome page appears, click Next.
-
Click Browse to find the folder that holds the package definition file of the service pack.
-
Click the package definition file. Click Next
-
When the Source Files page appears, choose Always obtain files from a source directory. Click Next
-
Enter the path for the package source files in the Source directory box. Click Next, and then click Finish.
-
Choose Programs, and in the details pane double-click the service pack program.
-
When the Program Properties dialog box appears, ensure that the information in Command line of the General tab is correct.
-
Use the Requirements tab, Environment tab and Advanced tab to set options for running the program
-
Click OK
How to distribute the SMS package to the distribution points that you have identified
-
Open the SMS Administrator console
-
Choose Packages
-
Choose the SMS package which you have created for the particular service pack, and choose Distribution Points.
-
Use the Action menu to choose New, and then Distribution Point
-
When the wizard starts, click Next to continue
-
Choose the particular distribution point(s) that you want to use for the service pack. You need to ensure that the distribution point(s) you choose have enough available disk space for the SMS package.
-
Click Finish
-
The SMS package is now distributed to the distribution point(s) that you have specified.
How to create an SMS advertisement to inform clients of pending service packs installations
After creating a SMS package for the service pack and deploying it to your distribution point(s), you have to create an SMS advertisement that will inform the SMS clients about the service packs that can be deployed.
Use the following steps for this task
-
Open the SMS Administrator console
-
Use direct membership rules or a query to create a collection of the SMS clients that should receive the installation program.
-
Proceed to right-click the collection that you have just created, and choose All Tasks/Distribute Software from the shortcut menu.
-
When the wizard starts, click Next to proceed
-
Choose Distribute an existing package.
-
Select the particular SMS package for the service pack. Click Next
-
When the Distribution Points dialog box appears, ensure that the proper distribution points are reflected. Click Next.
-
When the Advertise a Program dialog box is displayed, choose Yes, advertise a program, and then select the program to advertise. Click Next
-
When the Advertisement Target dialog box appears, ensure that the clients included in the collection are displayed.
-
You can alternatively click Browse to locate the collection that you want to use. Click Next.
-
When the Advertisement Name dialog box appears, enter a name for the advertisement. Click Next
-
You should now select any subgroups that have to receive the SMS advertisement. Click Next.
-
Enter a time that the SMS advertisement should be offered. Set an expiration for the SMS advertisement.
-
Click Yes, Next and then Finish. The client now receives the advertisement for the new service pack that should be deployed.