Batch update of Windows 2000/XP in LAN

More and more Windows vulnerabilities are discovered, especially some major vulnerabilities that may paralyze the entire network. Although we can use Windows Updata that comes with Windows XP/2000 for online upgrades, however, it is not that easy to upgrade a large number of computers in the machine room or company, especially when the outbound bandwidth of the LAN is small or it is inconvenient to access the Internet, which makes the Administrator very headache.

Now Microsoft has prepared a proper solution for us, that is, SUS (Software Update Service Software upgrade server ). You can create a Windows upgrade server in the LAN through SUS, and then the computer in the LAN can be upgraded through this server.

Tip: currently, SUS can only provide clients with key updates and Service packs for Windows and IE browsers, but cannot provide Update Services for Office or other Microsoft software. In addition, all update activities are automatically updated through the Windows background, which is very convenient without any intervention.
　　
Server installation:

For servers, we recommend that you configure a processor with a clock speed of not less than 2000 MHz, a memory of 2003 MB or more, and a hard disk space of more than 6 GB. The software requirements are Windows Server or Windows Server, IIS5 or IIS 6, IE 5.5 or later.

Tip: This configuration is recommended based on the upgrade service provided by 15000 computers. If there are fewer machines in your LAN, the server configuration can be reduced accordingly.

Before installation, you must first install and configure IIS on the server and install the SUS server. The installation process is simple and everything can be done by default. Then we start to set SUS. Here there are two methods: local setting or remote setting. For local settings, double-click Microsoft Software Update Services in Control Panel/management tools. For remote settings, you can use a computer with IE5.5 installed, enter http: // IP/susadmin in the address bar of IE. Press enter and enter the account and password of the user with administrator permissions on the computer where the SUS server is located. (1) management Interface.

First, click "Set Options" in the list on the left to Set the server. Here we have the following notes:

Select which server to synchronize content from (Select Service synchronization source). This option allows you to set the SUS server update source. If your network has multiple SUS servers, you can synchronize all other servers with one server, which is much faster. However, if your network only has one SUS server, then you can only set "Synchronize directly from the Microsoft Windows Update servers (directly Synchronize with Microsoft's Windows Update Server.
Select how you want to handle new versions of previusly approved updates (Select the way you release the new patch). you can Select the release method of the new patch, if you think that each new patch should be carefully tested before it is released to your network, you can select "Do not automatically approve new versions of approved updates. I will manually approve these updates later (not automatically released, manually released) ", so that the patch cannot be downloaded by your client immediately after a new patch is synchronized, instead, you must conduct an effective test. You can publish the patch to the network only after you think it is okay. This prevents updates from conflicting with the software used by the LAN.

Synchronize installation packages only for these locales (only patches in the following languages are synchronized). Pay special attention to this option, by default, the SUS server will download all patches from Microsoft in all languages. If the network only has a Simplified Chinese version of the system or other languages, so there is no need to spend additional time downloading these language patches that you don't need, which can save a lot of hard disk space.

After setting, click the "Apply" button in the lower-right corner of the page. These settings will take effect.

Click the "Synchronize server" link in the list on the left. You can see the page (Figure 2) where you can specify that SUS will be synchronized with other servers immediately.

In addition, you can set the synchronization plan here, so that you can set the server to perform synchronization every night, because the network utilization rate is the lowest at this time, it will not affect other people. Click "Synchronization Schedule". A window is displayed, where you can set the Synchronization time, frequency, and number of retries. If you click "Synchronize Now", the synchronization starts immediately. The first synchronization process will take a long time, depending on the network speed and the number of patches downloaded.
If you have set the release patch for testing and tested all the patches, you need to release them to the LAN. Click the "Approve updates (publish update)" link on the left side to view the page (Figure 3. All unapproved patches are marked with red "New. Select the check box before the patch to be approved, and click the "Approve (release)" button in the lower right corner to complete the approval.

After the server is configured, configure the client.

SUS has some requirements on the client. First, the operating system. SUS only supports Windows 2000 SP2 and later versions of the operating system and software, windows 2000 SP2 and Windows XP both need to install a SUS client software first, while Windows 2000 SP3, Windows XP SP1, and Windows Server 2003 already come with the client software and do not require additional installation.

If your network is in a working group environment, you need to set the SUS client on each computer separately. Run Gpedit. msc open the Group Policy Editor, open "Computer Configuration/management template", right-click "manage template", select "Add/delete template", and then in (Figure 4) on the page, click "add" and find wuau under the % windir % inf directory. adm file, double-click Add. Next, open "Windows Components/Windows Update" (this item only appears after the client software is installed and added). Two available policies are displayed on the right of the window. "Automatic configuration Update" allows you to set the Update Time and processing method, and "specify the internal Internet of the Enterprise ..." This parameter is used to specify the server location. You can enter the server location in the form of "http: // server name" or "http: // server IP Address.

If you have a domain controller in your network and all computers are added to the domain, it is simpler. After installing the client for the operating system on which the client needs to be installed, enter "dsa. msc and press enter to open the Active Directory user and computer settings window. Right-click the OU or domain in which the policy is to be created and select "properties ", in the Properties window, open the "Group Policy" tab and click "new" to name the new policy (figure 5 ). Select the new group policy and click "edit". A group policy setting window is displayed, which is similar to running gpedit. the msc window is similar, but you can set group policies for all computers in the entire domain.

In this window, open "Computer Configuration/management template/Windows component/Windows Update" in sequence, and then set the operating parameters of the SUS client for all computers in the region by setting the policy here. All clients will apply these settings the next time they restart.

After the client is deployed, we believe that, after such deployment, you can patch your computer in the network more conveniently and quickly, and the security can also be greatly improved.