Patching can be automated too

zhaozj, 2021-02-12

The security of the Windows operating system is getting more and more attention, and every so often Microsoft releases patches that fix system vulnerabilities. However, many users do not apply these patches in time to harden their systems, which often leads to major losses, so patching promptly is very important. At the same time, LANs keep getting bigger. For network administrators, manually installing patches on every client is too much work to finish in time.

Smart patching

In fact, as long as Software Update Services (SUS) is provided on the company's LAN, the update operation can be automated.

SUS is set up by the network administrator on the LAN. With SUS, you can distribute Microsoft's latest patches to users. It consists of two parts, a server side and a client side, and provides update services for 15,000 users. Microsoft has released only English and Japanese versions of the server side, while the client is available in 24 languages, including Chinese. The SUS server provides update services for Windows 2000 SP2 and above, Windows XP and Windows 2003 systems, but does not support Windows 98 or Windows NT systems.

As a solution, SUS handles the management and distribution of patches. Given how frequently Microsoft releases patches, a tool like SUS is necessary: it relieves network administrators of the excessive workload of patching each client machine by hand.

When deploying SUS to my organization's PCs according to certain documentation, I encountered some cases that were not consistent with expectations, and I felt confused. After a period of use and testing, some of these issues have an answer. The specific installation steps can be done by following the manual; below I talk about some experience from the installation process.

Forcing updates to install

A problem often encountered when deploying the SUS client is this: Group Policy defines "Automatically download the updates, and install them on the schedule that I specify", but the client does not update as specified. Debugging shows that this is related to the DetectionStartTime string value. If the Windows Update service has already been started and has already been configured through Automatic Updates in the Control Panel (so values already exist in the registry), and the update method is then defined in Group Policy, the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update does not contain the string value DetectionStartTime. As soon as the DetectionStartTime value appears, the Windows Update service immediately checks whether new updates exist, downloads them immediately, and installs them at the specified time. The problem is therefore how to make the DetectionStartTime string value appear in every case.

We found that the easiest way is the following. If the client runs Windows 2000, launch the Automatic Updates tool in the Control Panel. If the client runs Windows XP, right-click My Computer, click Properties, and open the Automatic Updates tab. If the "Automatic Updates" check box is already selected, clear it and press "OK" (see Figure 1).

At this point the values are AUState = "7" and AUOptions = "1", which is the initial state of "Automatic Updates" (see Figure 2).

Select the Automatic Updates check box again and set the options as you want. Press "OK" (if you do not set the update option here, the result is the same when it is set in Group Policy), see Figure 3. At this point the registry contains AUState = "2" and AUOptions = the selected value. A new value also appears in the registry: "DetectionStartTime", and it shows the current time (see Figure 4).

The small "Automatic Updates" icon then quickly appears in the status bar and prompts you to install (if you defined AUOptions = 3, or you defined AUOptions = 4 but the update time has not yet arrived). After a few minutes the DetectionStartTime value disappears and a new value, "LastWaitTimeout", appears.

Installation strategy

1. Set the parameters

If you want the update time to take effect as defined, enable "Specify intranet Microsoft update service location" in Group Policy (gpedit.msc) and configure it with the SUS server location; it is best to enter the IP address directly. Enable "Reschedule Automatic Updates scheduled installations" and set it to 1. Enable or do not enable "No auto-restart for scheduled Automatic Updates installations" (depending on your applications, login permissions, and so on).

Note: If these policy settings are applied at the domain level, local Group Policy cannot override them.

2. Perform the following steps in the Control Panel

(1) Set the options the way you want. Click to clear the check box that enables Automatic Updates, and then click Apply.

(2) Wait a few seconds, click to select the check box that enables Automatic Updates again, and then click OK. This forces a detection cycle.

Apart from the first time "Automatic Updates" is used, downloading and installing updates will then work properly according to the method you set. Note: the deployment environment described in this article does not use a domain controller or directory management.

Related registry values

The following registry values are used while deploying SUS. Each is explained below.

1. AUState

AUState = 2: "Automatic Updates" is waiting to detect updates

AUState = 3: "Automatic Updates" is waiting to download updates

AUState = 4: "Automatic Updates" is downloading updates

AUState = 5: "Automatic Updates" has downloaded the updates

AUState = 6: "Automatic Updates" is installing updates

AUState = 7: "Automatic Updates" is not enabled

AUState = 8: "Automatic Updates" is waiting for a restart to complete the installation

2. NoAutoRebootWithLoggedOnUsers

This value matters when an ordinary user without the privilege to restart the system is logged on while updates are installed in the background. If the value is 1, a notification window appears prompting you to restart the system, but the options in it are not available to that user (see Figure 5), so the restart has to wait for a user who does have the privilege to restart the system. If the value is 0, a notification window appears with a 5-minute countdown, and after 5 minutes the machine restarts (see Figure 6).

3. RescheduleWaitTime

This value applies when the machine was turned off before the scheduled installation time arrived. After the machine is restarted, if the value is 1, the updates are installed once the time set by this value has passed after startup; the result is shown in Figure 7. If the value is 0, installation must wait until the next scheduled installation time.

Note that MISSDSCHEDULEDINSTALL and RESCHEDULE are new values, while ScheduledInstallDate shows the currently modified specific update time.
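
The AUState codes and the DetectionStartTime behaviour described above can be checked on many clients by decoding the output of `reg query` for the Auto Update key. This is an added example, not part of the original article: the sample outputs are constructed, and treating the absence of both DetectionStartTime and LastWaitTimeout as "no detection cycle triggered yet" is this example's own heuristic, drawn from the article's observations.

```python
import re

# AUState meanings as listed in this article.
AU_STATE = {
    2: "waiting to detect updates",
    3: "waiting to download updates",
    4: "downloading updates",
    5: "updates downloaded",
    6: "installing updates",
    7: "Automatic Updates not enabled",
    8: "waiting for restart to complete installation",
}

# A value line in `reg query` output: indent, name, type, data.
LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")

def parse_reg_query(text):
    """Return {lower-cased value name: data} from `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            values[m.group(1).lower()] = m.group(3).strip()
    return values

def assess(text):
    """Decode AUState and report whether a detection cycle was triggered."""
    v = parse_reg_query(text)
    raw = v.get("austate")
    state = int(raw, 0) if raw is not None else None  # accepts "0x2" or "2"
    # Heuristic (assumption): DetectionStartTime, or the LastWaitTimeout that
    # replaces it, means the client has started checking the server.
    triggered = "detectionstarttime" in v or "lastwaittimeout" in v
    if state == 7:
        action = "enable Automatic Updates"
    elif not triggered:
        action = "clear and re-select the Automatic Updates check box"
    else:
        action = "none"
    return {"state": state, "meaning": AU_STATE.get(state, "unknown"),
            "triggered": triggered, "action": action}

# Constructed sample outputs (not captured from a real client).
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update"
STALE = KEY + "\n    AUOptions    REG_DWORD    0x4\n    AUState    REG_DWORD    0x2\n"
FRESH = STALE + "    DetectionStartTime    REG_SZ    <constructed timestamp>\n"
DISABLED = KEY + "\n    AUOptions    REG_DWORD    0x1\n    AUState    REG_DWORD    0x7\n"

if __name__ == "__main__":
    for name, sample in (("stale", STALE), ("fresh", FRESH), ("disabled", DISABLED)):
        print(name, assess(sample))
```

A client reported as "stale" is in the situation the article describes: the policy is set, but no detection cycle has started until the check box is cleared and selected again.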

If you understand the points described above and define your own requirements correctly for your specific environment, you will find that SUS is very easy to use: it gives you a strong guarantee for computer security and greatly reduces the management workload. (Reproduced)

When reprinting, please cite the original address: https://www.9cbs.com/read-6342.html
