Install patches in batches in Windows

In order to ensure the safe operation of the LAN, prevent viruses and trojans from attacking and spreading by exploiting Windows system vulnerabilities, and regularly install the latest patch repair program for the client. However, as the network scale continues to expand, the number of clients increases, and one person cannot complete the patch installation tasks for all clients. Although I told my colleagues how to log on to Microsoft's "Windows Update" website or use the Windows Update Service to install the latest patch, most of my colleagues are still "out-of-the-box" and often encounter issues that cannot install patches.

There are about 120 machines in the LAN, which are connected to the Internet through a hardware router. All of them use Windows or later operating systems and work group operating environments. After learning about this situation, we recommend that you use Microsoft Software Update Services (SUS) to deploy a "SUS server" in the LAN to provide patch issuing Services for clients, in this way, you no longer need to use Microsoft's "Windows Update" service. By using the SUS server in the LAN, you can complete Windows patch installation and the installation process is fully automated, user intervention is not required.

Software Update Services (SUS) System

Tip: SUS is divided into server and client. The server only provides the English and Japanese versions, and can provide upgrade services for 15,000 users at the same time. The client supports 24 language versions including the Chinese version. SUS server provides upgrade services for Windows 2000 + SP2 and later versions, Windows XP and Windows 2003 systems, but does not support Windows 98 and Windows NT systems. In addition, SUS does not provide upgrades for Microsoft products other than the operating system, such as SQL Server and Exchange Server.

I. Preparations

Before installing and configuring the SUS Server, you must first select an appropriate hardware and software platform for it. The recommended hardware configuration is "CPU with a clock speed above MHz, memory above MB, and hard disk space above 6 GB ", SUS Server requires support for Windows 2000 Server + SP2 and later versions, Windows Server 2003 Server OS, and IIS 5/6 Server and IE 5.5 browser and later versions.

SUS Client has no special requirements on the hardware platform, but the operating system must be Windows 2000 + SP2 or later/XP/2003. Windows 98 and Windows NT are not supported.

Tip: for Windows 2000 + SP2 and Windows XP, the SUS Client program needs to be installed. For Windows 2000 + SP3, Windows XP + SP1 (SP2) and later versions and Windows Server 2003, you do not need to install SUS Client. This program is already included in the system.

Ii. Deployment of SUS Server

1. server platform Selection

First, select a Server platform for the SUS Server. because the number of clients is not large, the hardware configuration of the Server does not need to be too high. Select a inspur server in the LAN. Its hardware configuration is P4 2.0 gb cpu, 512 mb ecc memory, and 40 Gb SCSI hard disk, the Windows Server 2003 operating system is installed on this Server, and all partitions use the NTFS file system.

2. Install the IIS service

By default, IIS service is not installed on Windows Server 2003, but SUS Server must be supported by IIS to run properly. Therefore, you must install the service manually.

On the Win2003 server, click "Start> Settings> Control Panel" to run "add or delete programs". In the displayed window, switch to the "Add/delete Windows Components" page. Select the "Application Server" option in the "Windows component wizard" dialog box, click the "details" button below, and select "Internet Information Service (IIS)" in the displayed dialog box) "Component, click" OK. Finally, click "Next" in the "component wizard" dialog box to complete IIS component installation.

Tip: We recommend that you do not provide IIS services on the SUS Server. The best way to run IIS is to provide services for the SUS Server. This is because IIS Lockdown Tool is installed for the system during SUS Server installation, which may cause other users to fail to access the IIS website.

3. install and configure SUS Server

(1) install SUS Server

After IIS is installed, install and configure SUS Server. Download the English version of SUS Server for installation. The installation process is very simple. We recommend that you select the "typical" method, and then click "Next" to complete the installation. The SUS Server Configuration Management page is displayed.

Tip: the hard disk partition used to install SUS Server and save the patch file must be an NTFS file system. Otherwise, an error message is displayed, indicating that the patch cannot be installed successfully.

(2). SUS Server parameter configuration

The typical installation method is used. After completing the installation, the SUS Server cannot provide the patch service, and further configuration is required.

On the Win2003 server, go to Control Panel> management tools and run the Microsoft Software Update Services tool. In the Login Dialog Box, enter the Administrator account and password, and click "OK" to log on to the SUS Server Management page.

Tip: in addition to local management and configuration of SUS Server, you can also remotely configure it, run ie in the remote client, and enter "http: // SUS Server IP Address/SUSAdmin/". Press enter and enter the Administrator account and password.

On the SUS Server Management page, click the "Set Options" Link under "Other Options" in the Left box, and then configure the SUS Server parameters in the right box.

A. Proxy Server Configuration

Set the parameters of the SUS server proxy Server in "Select a proxy Server configuration". If the SUS server is directly connected to the Internet through a router, be sure to select the "Automatically detect proxy server settings" item. If the proxy server is used, select the "Use the following proxy server to access the Internet" item, enter the proxy IP address and port number in the input box.

B. Specify the server name

Then, in the "Specify the name your clients use to locate this update server" column, set a memorable name for the SUS Server, for example, the machine name "TJRAO ", in this way, the client can access the SUS Server through the machine name.

Tip: if the client cannot resolve the NetBIOS name, use the DNS name or IP address to replace the machine name.

C. synchronous content Configuration

Set the source of the patch content in "Select which server to synchronize content from", because this SUS Server is deployed and must be synchronized with Microsoft's patch server, select "Synchronize directly from the Microsoft Windows Update servers.

Tip: if multiple SUS servers are deployed in the LAN, it will not waste a lot of bandwidth and time to synchronize them with the Microsoft patch Server. You only need to synchronize one of them with the Microsoft patch Server, other SUS servers can be synchronized with the local SUS Server. Select "Synchronize from a local Software Update Services server" and enter the name or IP address of the target SUS Server in the input box.

In the "Select where you want to store updates" column, set the method for saving the patch file. We recommend that you Select "Save the updates to a local folder, in this way, you can only synchronize the patches in the required languages to avoid waste. For example, you can only select "Chinese Simplified Chinese" for synchronization, use the default values for other parameters, and click "Apply.

(3). synchronous operation

After completing the SUS Server parameter configuration, You can synchronize and download the patch files you need. On the Management page, click "Synchronize server" in the Left box, and then click "Synchronize Now" in the right box to start synchronization.

Tip: Due to the limitation of network bandwidth and patch file size, synchronization takes a long process. We recommend that you select automatic Synchronization, click the "Synchronization Schedule" button, select the "Synchronization using this schedule" item in the configuration dialog box, and set the Synchronization Date and Time. We recommend that you perform Synchronization in the early morning.

(4). Release operations

After synchronization, the SUS Server does not immediately release the patch file for the user by default. The patch is manually released only when the test patch is correct. On the Management page, click "Approve updates" in the left-side Navigation Pane. The downloaded patch file is displayed in the right-side navigation pane. If some patches are tested normally and you want to release them, select the check box before the patch file and click the "Approve" button.

After agreeing to the End User License Agreement, release the patches. In this way, the SUS Server configuration is completed.

Iii. SUS Client Configuration

After completing the configuration of SUS Server, you must configure SUS Client for the Client to use the upgrade service provided by SUS Server. The management LAN is a working group environment, so the SUS Client configuration for the working group environment is introduced.

1. Whether to install SUS Client

Whether the Client needs to install the SUS Client depends on the operating system it uses and the patch for fixing the installation. For Windows 2000 + SP2 and Windows XP users, the SUS Client must be installed. Windows 2000 + SP3, Windows XP + SP1 and later versions, and Windows Server 2003 do not need to be installed, because the system has built-in SUS Client.

2. properly configure SUS Client

A. Add A template

After installing the SUS Client, you also need to configure it. On the client, click Start> Run and enter gpedit. msc and press Enter. The Group Policy Editor is displayed. Expand "Computer Configuration> Manage template" in sequence, right-click "manage template", and select "Add/delete template ", in the "Add/delete template" dialog box, click "add ".

Find "wuau. adm" in the "x: windowsinf" Directory (x indicates the windows system disk, which is C by default), double-click the file, and add the template.

B. Configure group policies

Expand "Computer Configuration> management template> Windows Components> Windows Update" in sequence, double-click the "Configure Automatic Update" policy in the right column, and configure the Update Time and processing method in the Properties dialog box, select the "enabled" option and select "4-Automatic download and scheduled installation" in the "Automatic Configuration Update" drop-down box ", set the appropriate date and time in the following "scheduled installation date" and "scheduled installation time", and click "OK ".

Open the "specify the Windows Update service location on the Intranet of the enterprise" policy, select "enabled", and then specify the location of the SUS Server in the input box. You can use the SUS Server machine name or IP address, click "OK ".

Next, configure SUS Client for each Client in the LAN according to the above method. After the configuration is complete, all clients can automatically connect to the SUS Server for updates based on the specified settings, and all update operations are automatically performed in the background without human intervention.

Tip: In the working group environment, you need to manually configure SUS Client for each Client. Although this is troublesome, it is acceptable for a small LAN. If