Lesson 2: Implementing Patch Management Flashcards
Windows Update program
scans your system to determine the updates and fixes your system needs. You then have the oppor- tunity to select, download, and install each update.
Patch Tuesday
second Tuesday of each month when MSFT releases patches
out-of-band patches
MSFT patches not released on patch Tuesday – released at other times because they are critical or time-sensitive
3 classifications for updates
Important updates
Recommended updates
Optional updates
Important Updates
significant benefits, such as improved security, privacy, and reliability. They should be installed as they become available and can be installed automatically with Windows Update.
Recommended Updates
address noncritical problems or help enhance your computing experience.
Optional Updates
include updates, drivers, or new software from Microsoft to enhance your computing experience. You need to install these manually.
Three types of updates
Security Update
Critical Update
Service Packs
Security Update
broadly released fix for a product-specific, security-related vulnerability.
How are security updates rated?
Based on severity – critical, important, moderate or low
Critical Updates
broadly released fix for a specific problem addressing a critical, non-security related bug.
Service Packs
a tested, cumulative set of hotfixes, security updates, critical updates, and updates, as well as additional fixes for problems found internally since the release of the product.
Hotfix
a single, cumulative package that includes one or more files that are used to address a problem in a software product, such as a software bug.
Not usually available via Win Update
What separates hotfixes from other updates
made to address a specific customer situation, and they often have not gone through the same extensive testing as patches retrieved through Windows Updates.
cumulative patch
multiple hotfixes combined into a single package
Types of updates not available via Windows Update
hotfix
cumulative patch
BITS
Background Intelligent Transfer Service
Performs the download when the computer’s network band- width is idle
Automatic Updates Group Policy Setting: Automatic Update Detection Frequency
Specifies how frequently the Windows Update client checks for new updates. The default is a random time between 17 and 22 hours.
Automatic Updates Group Policy Setting: Allow Automatic Updates Immediate Installation
Specifies whether Windows Updates will immediately install updates that don’t require the computer to be restarted.
Automatic Updates Group Policy Setting: Turn On Recommended Updates Via Automatic Updates:
Determines whether client computers install both critical and recommended updates.
Automatic Updates Group Policy Setting: No Auto-Restart for Scheduled Automatic Installations
Specifies that if a computer needs a restart, it will wait for a user to perform the restart.
Automatic Updates Group Policy Setting: Re-Prompt for Restart Scheduled Installations
Specifies how often the Windows Update client prompts the user to restart the computer.
Automatic Updates Group Policy Setting: Delay Restart for Scheduled Installations
Specifies how long the Windows Update client waits before automatically restarting.
Automatic Updates Group Policy Setting: Reschedule Automatic Updates Scheduled Installations
Specifies how long Windows Update waits after a reboot before continuing with a scheduled installation that was missed previously.
Automatic Updates Group Policy Setting: Enable Client-Side Targeting
Specifies which group the computer is a member of.
Automatic Updates Group Policy Setting: Enables Windows Update Power Management to Automatically Wake up the System to Install Scheduled Updates
If a computer supports Wake On LAN, it automatically starts up and installs an update at the scheduled time.
Automatic Updates Group Policy Setting: Allow Signed Updates from an Intranet Microsoft Update Services Location:
Specifies if Windows will install an update that is signed even if the certificate is not from Microsoft.
WSUS
Windows Server Update Services
allows administrators to manage the testing & distribution of updates and other patches to computers within an organization
Simplest WSUS configuration
single WSUS that downloads updates directly from Microsoft. Then the client computers get updates from the WSUS server.
Two WSUS modes
Autonomous mode
Replica mode
WSUS Mode – Autonomous mode
Distributed management. Updates are approved on each WSUS server, even if one WSUS server is downstream from another.
WSUS Mode – Replica Mode
Central management. All downstream WSUS servers take instructions from a single upstream WSUS server. Updates approved on that server are approved on all servers.
Computer Groups
Placing PCs into these allow you to specify which PCs get updates, when.
Two ways to assign a computer to a group
Client-side targeting
server-side targeting
server-side targeting
you manually assign the computer to a group.
client-side targeting
computers are automatically assigned to a computer group by using group policies or whereby someone manually modifies the registry.
3 WSUS logs
application event log
C:\Program Files\Update Services\LogFiles\Change.txt:
C:\Program Files\Update Services\LogFiles\softwareDistribution.txt:
What does WSUS place in the WSUS logs
errors related to synchronization, Update Services console errors, and WSUS database errors.
What does WSUS place in the Change.txt logs?
This log stores the record of every update installation, synchronization, and WSUS configuration change.
What does WSUS place in the softwareDistribution.txt log?
This is a detailed log file usually used by Microsoft Support to debug a problem.
Restarting the WSUS server on the CLI
Net stop wuauserv
Net start wuauserv
SCCM
System Center Configuration Manager
a more versatile system that can provide remote control, patch management, software distribution, operating system deployment, network access protection, hardware inventory, and software inventory. Of course, while WSUS is free, there is a cost in deploying SCCM.
