MCTS Training Kit 70-686 Windows 7 Enterprise Desktop Support Administrator, part 7 (PDF)


Planning a Windows 7 Client Update Strategy

■ WSUS server used for update approvals. You configure computers to use this option by setting them to use the WSUS server and then configuring the WSUS server so that it does not store updates locally.
■ The typical WSUS deployment has both updates and approvals coming from the same location. You configure clients to use the WSUS server through Group Policy. You learn how to configure the appropriate policy in Lesson 2 of this chapter.

You can choose from several ways to deploy WSUS. The way that you choose often depends on issues of bandwidth utilization and administrative responsibility.

In a single WSUS deployment, you deploy a WSUS server on the organizational network that synchronizes with the Microsoft Update servers on the Internet. Clients on the organizational network retrieve updates directly from this server. The WSUS server administrator approves updates for distribution. This is the most common type of WSUS deployment, and a single WSUS 3.0 SP2 server can function as the update server for up to 25,000 computers running the Windows 7 operating system.

In general, this type of deployment does not work well for organizations that have a large number of branch offices because branch office client computers each have to retrieve updates from the central WSUS server over a WAN link. Although you can configure clients in branch offices to retrieve only approval data from the head office WSUS server, a single WSUS server can function either as an approvals-only server or as an approvals and updates server. A single WSUS server cannot function as an approvals-only server for one group of clients and an approvals and updates server for another group of clients.
This is why many organizations deploy multiple WSUS servers, allowing bandwidth efficiencies to be realized in each branch office. The options for the deployment of multiple WSUS servers are as follows:
■ A replica WSUS server is a server that retrieves the list of update approvals and WSUS groups from a WSUS server above it in the WSUS hierarchy. This method is appropriate when update approvals are handled centrally for the organization. A replica WSUS server can obtain updates from the parent WSUS server or from the Microsoft Update servers on the Internet, or it can force WSUS clients to retrieve approved updates from the Microsoft Update servers.
■ An autonomous WSUS server can retrieve update files from a WSUS server above it in the WSUS hierarchy, but approvals are handled by a local administrator. This allows local administrators to manage the approval process but also allows efficiencies in terms of update bandwidth utilization.
■ WSUS servers are managed independently from one another and do not draw updates or approvals from a source on the organizational network.

Lesson 1: Designing an Update Management Strategy

When WSUS 3.0 SP2 is installed on a computer running the Windows Server 2008 R2 operating system, the BranchCache feature can be enabled. This allows Windows 7 Enterprise and Ultimate clients located in branch offices to leverage peer caching as a method of optimizing update distribution.
Rather than clients on the branch office network independently downloading the same update from the head office WSUS server, one client downloads the update and then shares the update installation files with other clients on the branch office network. This allows organizations to deploy a single WSUS server in a head office location and still enjoy the bandwidth efficiencies at branch office sites.

You can use BranchCache in hosted cache mode in branch office locations where there is a computer running the Windows Server 2008 R2 operating system. Hosted cache mode makes peer caching more reliable than the alternative, which is distributed cache mode. Hosted cache mode is more reliable because a server (which is in theory always available) hosts a copy of the cache.

In branch office locations where there is no computer running the Windows Server 2008 R2 operating system, you can use only BranchCache distributed cache mode. Distributed cache mode is not as reliable as hosted cache mode because clients hosting updates in their local cache might be switched off when other clients attempt to access the same update, requiring those clients to contact the head office WSUS server.

You should note that clients that have the Windows 7 Professional or Windows Vista operating systems installed cannot access updates through BranchCache. Clients using these operating systems must retrieve updates directly from WSUS or Microsoft Update servers.

To use BranchCache with WSUS, ensure that you have performed the following steps:
 1. Ensure that the WSUS server has the Windows Server 2008 R2 operating system installed. Ensure that the BranchCache feature is enabled.
 2. Configure the clients at the branch office to retrieve updates from the BranchCache-enabled WSUS server using the Specify Intranet Microsoft Update Service Location policy.
 3. Configure the clients at the branch office with the appropriate BranchCache policies.
If there is a server with the Windows Server 2008 R2 operating system located at the branch office, you can use the Hosted Cache mode. If no branch office Windows Server 2008 R2 server is present, clients will need to use Distributed Cache mode.

More Information: http://technet.microsoft.com/en-us/network/dd425028.aspx

When you approve an update on a WSUS server, you choose the WSUS groups that the update deploys to. WSUS groups are collections of computer accounts that allow you to stagger the deployment of updates to computers; you do not have to deploy them to every computer at the same time. WSUS servers have two computer groups by default: the All Computers and the Unassigned Computers group. When clients are set so that they use a specific WSUS server without additional configuration, they are automatically added to the Unassigned Computers group.

WSUS computer groups have the following properties:
■ Groups lower in the hierarchy automatically inherit update approvals from groups closer to the top of the hierarchy, although you can also configure inheritance blocks where necessary.
■ Assigning computers to multiple WSUS groups allows you to be more selective about the deployment of updates. For example, in an organization that has only a single WSUS server, you could create a group structure that allowed approval based on which department the computer was in and approval based on location. Figure 8-4 shows a computer assigned to multiple WSUS groups.
■ Unless a computer is already assigned to a WSUS group, it belongs to the Unassigned Computers group, as shown in Figure 8-5.

Figure 8-4  Computer assigned to multiple groups
Figure 8-5  Using WSUS groups to stagger updates

WSUS groups are separate from Active Directory security groups. Administrators can manually assign computers to groups using the WSUS console after the computer has contacted the WSUS server. Large numbers of computers can be added to existing WSUS groups using the Enable Client-Side Targeting Group Policy item. Figure 8-6 shows the Enable Client-Side Targeting policy configured so that the computers that the policy applies to are made members of both the Accounting and Research WSUS groups. If a group that does not exist on the WSUS server is specified in the client-side targeting policy, the WSUS computer account is added to the Unassigned Computers group.

Figure 8-6  Client-side targeting

Although Microsoft tests updates rigorously before releasing them publicly, no one can test every possible software and hardware configuration for adverse side effects that might result when an update is applied. For this reason, you should deploy updates to a small group of computers prior to deploying updates to all computers in your organization and test those computers to determine whether a newly released update conflicts with your organization’s specific software configuration.

You should ensure that the small group of computers on which you test updates match the software and hardware configuration of computers in your organization and that the computers used for testing are actually used by real people to perform their everyday job-related tasks. You need to do this because you will not be able to detect all possible problems by simply installing the update on a computer that no one actually uses. Only through testing the updates under real-world conditions do any conflicts or other problems become evident.
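A client-side check for the two policies discussed above (Specify Intranet Microsoft Update Service Location and Enable Client-Side Targeting), as an added example that is not part of the training kit. It reads the registry values these Group Policy settings write on the client; the server URL is a hypothetical placeholder, and the group names are the Accounting and Research groups from the Figure 8-6 description.

```powershell
# Added example: compare the Windows Update policy values on the local
# computer with what the GPO is supposed to deliver.
# $ExpectedServer is a hypothetical placeholder URL (assumption).
$ExpectedServer = 'http://wsus.example.internal'
$ExpectedGroups = 'Accounting', 'Research'

function Test-WsusClientPolicy {
    param(
        [string]$Server,
        [string[]]$Groups
    )
    # Registry location written by the Windows Update Group Policy settings
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

    if (-not $wu) {
        return @("No Windows Update policy values found under $wuKey.")
    }

    $findings = @()
    if ($au.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: the intranet update server is not in use.'
    }
    if ($wu.WUServer -ne $Server) {
        $findings += "WUServer is '$($wu.WUServer)', expected '$Server'."
    }
    if ($wu.TargetGroupEnabled -ne 1) {
        $findings += 'Client-side targeting is not enabled on this computer.'
    }
    else {
        # Multiple target groups are stored as one semicolon-separated string
        $configured = @("$($wu.TargetGroup)" -split ';' |
                        ForEach-Object { $_.Trim() } |
                        Where-Object { $_ })
        foreach ($g in $Groups) {
            if ($configured -notcontains $g) {
                $findings += "Expected target group '$g' is not configured."
            }
        }
        foreach ($g in $configured) {
            if ($Groups -notcontains $g) {
                # A name that does not exist on the WSUS server leaves the
                # computer in Unassigned Computers, so flag anything unexpected
                $findings += "Unexpected target group '$g' is configured."
            }
        }
    }
    return $findings
}

$result = @(Test-WsusClientPolicy -Server $ExpectedServer -Groups $ExpectedGroups)
if ($result.Count -eq 0) {
    'Policy matches the expected WSUS server and target groups.'
}
else {
    $result
}
```

The check shows only what policy delivered to the client; group membership as the server sees it still has to be confirmed in the WSUS console.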
You should ensure that you deploy updates to the test computers long enough that you have confidence that the updates do not cause problems when deployed generally. You must balance this with not waiting so long that the computers in your organization become vulnerable to the issue that the update addresses. In many organizations, updates are deployed to test computers between 7 and 10 days before being deployed to all other computers in the organization. This period provides enough time to test that the updates do not cause obvious problems with the existing configuration before rolling the updates out more generally.

A basic update testing infrastructure would have a separate computer group containing the WSUS computer accounts for all test computers. A WSUS automatic approval rule for all new updates would apply to this WSUS computer group. The WSUS administrator would manually approve updates for the All Computers group after a seven-day period in which no issues had been reported by users of computers that are located in the test group.

The final component in a successful update strategy is ensuring that updates deploy correctly to client computers. There are many reasons why updates might not deploy correctly to client computers, including but not limited to the computer being switched off for a lengthy period of time, synchronization problems, and lack of disk space on the client.

One of the simplest ways that you can verify the updates that are installed on local and remote computers that run Windows 7 and are members of the same domain is to run the Get-HotFix Windows PowerShell command manually. You can use the -ComputerName option to specify the address of the remote computers that you want to check. For example, the command Get-HotFix -ComputerName wkstn1,wkstn2,wkstn3,wkstn4 provides a report on all of the updates installed on computers wkstn1, wkstn2, wkstn3, and wkstn4. Although this is a quick way to verify which updates are installed on a small number of computers, it is not an effective technique for determining the status of missing updates across a large number of computers. This is because the output will tell you only which updates are present on the target computers and will not tell you which updates are missing from the target computers.

One way you can determine which updates are missing from client computers in your organization is to use WSUS reports. WSUS servers generate reports based on information forwarded to the WSUS server from the server’s WSUS clients. When a WSUS client retrieves and successfully installs an update, it reports this success back to the WSUS server. WSUS servers do not query clients to determine whether specifically approved updates are missing and they can use only information that active clients report back to them. This distinction is important because you cannot learn anything about the update status of client computers that have not reported to the WSUS server. To find out whether a client computer has suffered some unforeseen configuration problem it has not reported, you must use a tool such as the Microsoft Baseline Security Analyzer, covered later in this lesson, to query client computers to determine whether specific updates are missing.

You can access WSUS reports from the Reports node of the WSUS console, as shown in Figure 8-7. WSUS reports can be printed or exported to Microsoft Office Excel or PDF format. Because WSUS data can be forwarded to a SQL Server database, you can also perform a separate analysis using your own database queries. There are several basic categories of reports that allow you to view how successful the deployment of a specific update has been or the update status of specific WSUS server clients.
Figure 8-7  WSUS reports

As mentioned, you can use Microsoft Baseline Security Analyzer (MBSA) to scan client computers in an organization to determine whether they are missing software updates. You can configure the MBSA tool to check whether a computer is up to date with the updates published by Microsoft through the Microsoft Update servers. You can also configure the MBSA tool to check against the list of approved updates hosted on a local WSUS server. This practice allows you to determine whether a computer is up to date with the updates that have been approved for your specific environment. When used to scan against a WSUS server approval list, the MBSA tool scans using the WSUS server assigned to the scanning computer through policy.

The person performing the scan of remote computers must do so with a user account that is a member of the local administrators group on each remotely scanned computer. This requirement ensures that nefarious third parties cannot use the MBSA tool to determine what vulnerabilities computers might have. The MBSA tool can also be used to locate common administrative vulnerabilities incurred by problematic configuration practices.

You can use the MBSA tool to scan all computers that are members of a specific domain or all computers that are located in a particular IP address range, as shown by Figure 8-8. When scanning computers, ensure that the Check For Security Updates option is configured. Then you need to choose between configuring the scan to use Microsoft Update or the WSUS server that is configured for the computer performing the scan.

Figure 8-8  Scanning multiple computers with the MBSA tool

Keep in mind that only Microsoft Baseline Security Analyzer 2.11 and later are compatible with the Windows 7 operating system.
You install and use the Microsoft Baseline Security Analyzer in the practice exercise at the end of this lesson.

More Information: http://technet.microsoft.com/en-us/security/cc184924.aspx

System Center Configuration Manager is a product available from Microsoft that allows for more sophisticated deployment and management of software updates. System Center Configuration Manager allows you to accomplish the following tasks that are not possible with WSUS:
■ Allows updates for third-party applications to be deployed to client computers running the Windows 7 operating system.
■ Allows update deployment to be scheduled to occur at a specific time rather than at the time the update is approved.
■ Allows more flexible control of the distribution of updates.
■ Allows use of Wake On LAN feature to wake clients at a specific time for software update deployment.

More Info: http://technet.microsoft.com/en-us/library/bb633264.aspx

Practice

In this set of exercises, you use different techniques to verify the deployment of updates to client computers running the Windows 7 operating system. Verifying the deployment of updates is an important step in the update deployment cycle. Although you can deploy updates from a WSUS server fairly easily, you cannot be certain that client computers have installed those updates until you perform some type of check.
Exercise 1

You can use Windows PowerShell, which is installed by default on computers running the Windows 7 operating system, to generate a list of installed updates. It is also possible to generate a list of updates on remote computers by running this command against a remote computer that is specially configured for remote management through Windows PowerShell. To complete this exercise, perform the following steps.
 1. Log on to computer WKSTN1 with the Mark Lee user account.
 2. Start a Windows PowerShell session.
 3. Enter the command , and then review the results.
 4. In the Search Programs And Files text box, type  and then click the View Installed Updates item. Review the list of installed updates, as shown in Figure 8-9.

Figure 8-9  Installed updates

Exercise 2

The Microsoft Baseline Security Analyzer allows you to scan a computer to see if it is missing any updates.
 1. If you have not done so already, log on to computer WKSTN1 with the Mark Lee user account.
 2. Locate the Microsoft Baseline Security Analyzer installation file. Double-click this file to begin the installation. You will receive a security warning informing you that the file has been obtained from the Internet. Click Run to start the installation process.
 3. On the Microsoft Baseline Security Analyzer Setup page, click Next.
 4. On the License Agreement page, select the I Accept The License Agreement option, and then click Next.
 5. On the Destination Folder page, review the default location, and then click Next. On the Start Installation page, click Install. The Microsoft Baseline Security Analyzer begins to install on the computer. You will be presented with another User Account Control dialog box at which you should click Yes.
Click OK when you are informed that the Microsoft Baseline Security Analyzer has installed successfully.
 6. Double-click the shortcut to the Microsoft Baseline Security Analyzer that has been placed on the desktop by the installation process. At the User Account Control dialog box, click Yes.
 7. On the Check Computers For Common Security Misconfigurations page, click Scan A Computer.
 8. The default values allow for the local computer to be scanned. Select the Advanced Update Services Options check box and then select the Scan Using Microsoft Update Only option. Then click Start Scan.
 9. Review the generated report, and then close the Microsoft Baseline Security Analyzer.

■ WSUS is a server role that you can install on a computer running Windows Server 2008 R2. It allows local control over the distribution of software updates.
■ WSUS groups allow the deployment of updates to be staggered.
■ BranchCache allows Windows 7 Enterprise and Ultimate clients in branch offices to share locally cached copies of deployed updates, which means that you do not need to deploy a branch office WSUS server.
■ The MBSA tool allows you to scan computers on a network for missing updates.
■ System Center Configuration Manager allows you to perform more complex update deployment tasks, such as scheduling update deployment and using Wake On LAN functionality.

You can use the following questions to test your knowledge of the information in Lesson 1, “Designing an Update Management Strategy.” The questions are also available on the companion CD if you prefer to review them in electronic form. Note    [...]...
Figure 8-10  Updating the Windows Update client

Configuring Update-Related Group Policy

Except for a few minor settings that can be configured through the Windows Update control panel, the majority of settings related to update deployment for computers running the Windows 7 operating system are configured through Group Policy. The majority of Windows...

■ Practice 3  Configure the server to support BranchCache with WSUS. Configure local Group Policy on a computer running Windows 7 to support BranchCache distributed cache mode.

Take a Practice Test

The practice tests on this book’s companion CD offer many options. For example, you can test yourself on just one exam objective, or you can test yourself on all the 70-686 certification exam content. You can...

in Figure 9-2.

Figure 9-2  An SCCM 2007 Asset Intelligence report

For enterprises that do not use SCCM 2007, the Microsoft Assessment And Planning Toolkit 5.0 provides a more limited hardware inventory solution, but it has the benefits of requiring no client agent and of being a free download.

More Info  Using MAP Toolkit: For more information on the Microsoft Assessment And Planning (MAP) Toolkit 5.0,...

installation instructions, and other application components. Windows Installer, the installation engine incorporated into Windows 7 and all other Windows versions since Windows 2000, reads the instructions from the package and installs the application on the computer without needing an interactive setup program. Windows 7 associates the msi file extension with Windows Installer, so you can simply execute an MSI...

http://technet.microsoft.com/en-us/network/bb545879.aspx

Prior to connecting a client computer running the Windows 7 operating system to a WSUS server, you might need to update the Windows Update client to the latest version. Clients that connect to a WSUS server are automatically prompted to update to new client software, provided by the WSUS server, if they need to. Figure 8-10 shows an update to the Windows Update...

workstations are as important as the operating system and its updates. The Windows 7 deployment life cycle described in Chapter 1, “Preparing to Deploy Windows 7,” must consider applications throughout its Plan, Deliver, and Operate phases.

Lesson 1: Designing an Application Deployment Strategy

Deploying Windows 7 to your desktop workstations is a complicated enough task, as you have learned...

both, many administrators might begin to see it as a viable solution.

Using Server-Based RDS Deployments

If you opt for server-based applications, you have several ways of configuring Remote Desktop Services (RDS) to deploy them. RDS, known as Terminal Services in Windows Server 2008 and earlier, is a collection of services that enables administrators to publish individual applications or entire desktops...

Figure 9-3  Fat clients with locally installed applications

In contrast, another enterprise might choose to purchase relatively minimal, thin-client workstations and run the applications on their servers, as shown in Figure 9-4.

Figure 9-4  Thin clients with server-based applications

These opposing scenarios have...

use server-based or client-based applications is more of a philosophical than a practical one. Both methods are viable solutions, and both have advantages and disadvantages. If you are deploying new workstations into an existing enterprise, you must consider whether your servers and your network are up to the task before you decide on server-based applications. If you are deploying Windows 7 and new applications...

local administrator privileges on computers running Windows 7 at Contoso. Members of the Sales team have portable computers and are regularly out of the office. Members of the Sales team should be able to install updates without being delegated unnecessary privileges. Which of the following Group Policy policies should the administrators at Contoso configure?
A. Configure Automatic Updates
B. Allow Non-Administrators

running Windows Server 2008 in its head office. This computer’s name is Updates.Contoso.Internal. You have recently deployed Windows 7 Enterprise to all client computers in your organization

Date posted: 09/08/2014, 11:21
