
Deploying Updates to New Computers

Microsoft will undoubtedly continue to release important updates for Windows 7. When you deploy a new computer, it might not have those updates installed. Therefore, the new computer can have known, but unprotected, vulnerabilities.

To minimize the risk of attack against computers that haven't been updated, you can use the following techniques:

  • Integrate updates into the Windows 7 setup files. You can integrate service packs and other updates, including non-Microsoft updates, by installing Windows 7 and all updates on a lab computer and then using Windows PE and the ImageX tool to create an operating system image (a .wim file) that you can deploy to new computers.
  • Include update files with your Windows 7 distribution and install them automatically during setup. If you cannot integrate updates into the setup files, you should automate their installation after setup. You have several ways to run additional commands during installation:
    • Use Windows System Image Manager to add a RunSynchronous command to an Unattend.xml answer file. RunSynchronous commands are available in the Microsoft-Windows-Setup and Microsoft-Windows-Deployment components.
    • Edit the %WinDir%\Setup\Scripts\SetupComplete.cmd file. This file runs after Windows Setup completes, and every command it contains is executed with Local System privileges. The system cannot be rebooted and then resume running SetupComplete.cmd; therefore, you must install all updates in a single pass.
  • Deploy updates to client computers using removable media. If you cannot integrate updates into the setup files, you should install them immediately after setup is complete. To minimize the risk of network attacks, set up Windows 7 computers without connecting them to a network, then install all updates from removable media. When the computer has all critical updates, you can attach it to the network without unnecessary risk. The disadvantage of this technique is that it requires administrators to physically insert the removable media in each new computer.
  • Deploy updates to client computers across the network. As a more efficient alternative to installing updates from removable media, you can install updates across the network. However, connecting computers to a network exposes them to attack across that network. Even if the network is internal, other computers on it might be running malicious software, such as worms, that can launch attacks. Malicious software is often extremely efficient at contacting new computers and can infect an unprotected computer within a few seconds of its being connected to a network; therefore, you cannot necessarily update a networked computer fast enough to protect it. If you install updates for new computers across the network, create a private, nonrouted network for updates; keep the number of computers on that network extremely limited; and audit those computers regularly to ensure that they do not contain malicious software. This type of network is illustrated in the figure below.
Figure: Create a separate subnet to protect new computers before installing updates
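The single-pass constraint on SetupComplete.cmd described above, shown as an added example (not taken from this text): a SetupComplete.cmd that installs every .msu package staged in a local folder with wusa.exe, suppressing the reboot that the script could not survive and logging each result. The staging folder and log path are assumptions; the packages are assumed to have been copied there during setup or from removable media.

```batch
@echo off
rem SetupComplete.cmd - added example, not from the original text.
rem Assumes the .msu packages were copied to %SystemDrive%\Updates during
rem setup (the folder and log paths are assumptions). Runs as Local System
rem after Windows Setup finishes, so every package is installed in one pass
rem with /norestart; the deployment process reboots the machine once afterward.
setlocal enabledelayedexpansion
set "UPDATEDIR=%SystemDrive%\Updates"
set "LOG=%WinDir%\Setup\Scripts\SetupComplete-updates.log"

echo %DATE% !TIME! Starting offline update pass from %UPDATEDIR% >> "%LOG%"

if not exist "%UPDATEDIR%\*.msu" (
    echo %DATE% !TIME! No .msu files found in %UPDATEDIR% >> "%LOG%"
    goto :eof
)

for %%F in ("%UPDATEDIR%\*.msu") do (
    echo %DATE% !TIME! Installing %%~nxF >> "%LOG%"
    rem start /wait blocks until wusa.exe exits and propagates its exit code;
    rem /quiet suppresses the UI and /norestart prevents a reboot mid-pass.
    start /wait wusa.exe "%%~fF" /quiet /norestart
    set "RC=!ERRORLEVEL!"
    if "!RC!"=="0" (
        echo %DATE% !TIME! %%~nxF installed >> "%LOG%"
    ) else if "!RC!"=="3010" (
        rem 3010 is ERROR_SUCCESS_REBOOT_REQUIRED: installed, reboot pending.
        echo %DATE% !TIME! %%~nxF installed, reboot pending >> "%LOG%"
    ) else (
        echo %DATE% !TIME! %%~nxF returned exit code !RC!, review before networking >> "%LOG%"
    )
)

echo %DATE% !TIME! Update pass finished >> "%LOG%"
endlocal
```

Review the log for non-zero, non-3010 codes before the computer leaves the isolated subnet, since a package that failed to apply leaves the corresponding vulnerability open.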