Deploying Updates to New Computers
Microsoft will undoubtedly continue to release important updates for Windows 7. When you deploy a new computer, it might not have those updates installed. Therefore, the new computer can have known but unpatched vulnerabilities.
To minimize the risk of attack against computers that haven't been updated, you can use the following techniques:
- Integrate updates into the Windows 7 setup files. You can integrate service packs and other updates, including non-Microsoft updates, by installing Windows 7 and all updates on a lab computer and then using Windows PE and the XImage tool to create an operating system image (a .wim file) that you can deploy to new computers.
- Include update files with your Windows 7 distribution and install them automatically during setup. If you cannot integrate updates into setup files, you should automate their installation after setup. You have several ways to run additional commands during installation:
  - Use the Windows System Image Manager to add a RunSynchronous command to an Unattend.xml answer file. RunSynchronous commands are available in the Microsoft-Windows-Setup and the Microsoft-Windows-Deployment features.
  - Edit the %WinDir%\Setup\Scripts\SetupComplete.cmd file. This file runs after Windows Setup completes and any commands in this file are executed. Commands in the SetupComplete.cmd file are executed with local system privileges. You cannot reboot the system and resume running SetupComplete.cmd; therefore, you must install all updates in a single pass.
- Deploy updates to client computers using removable media. If you cannot integrate updates into setup files, you should install them immediately after setup is complete. To minimize the risk of network attacks, set up Windows 7 computers without connecting them to a network. Then install all updates from removable media. When the computer has all critical updates, you can attach it to the network without unnecessary risk. The disadvantage to this technique is that it requires administrators to physically insert the removable media in each new computer.
- Deploy updates to client computers across the network. As a more efficient alternative to installing updates from removable media, you can install updates across the network. However, connecting computers to a network exposes them to a risk of attack across that network. Even if the network is internal, other computers on your internal network might have malicious software, such as worms, that can launch attacks. Often, malicious software is extremely efficient at contacting new computers and can infect an unprotected computer within a few seconds after you connect it to a network. Therefore, you cannot necessarily update a networked computer fast enough to protect it. If you install updates for new computers across the network, create a private, nonrouted network for updates; keep the number of computers on the network extremely limited; and audit the computers regularly to ensure that they do not contain malicious software. This type of network is illustrated in Figure below.
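The SetupComplete.cmd approach described above, as an added example that is not part of the original tutorial: it installs every .msu package in one pass with restarts suppressed and records each result for later audit. The folder %WinDir%\Setup\Updates and the log file name are assumptions; the script expects the update files to have been copied into the image beforehand.

```batch
@echo off
rem SetupComplete.cmd (added example, not from the original tutorial).
rem Assumption: the .msu packages were copied into the image under
rem %WinDir%\Setup\Updates (hypothetical folder name).
setlocal EnableDelayedExpansion

set "UPDATES=%WinDir%\Setup\Updates"
set "LOG=%WinDir%\Setup\Scripts\SetupComplete.log"
set FAILED=0

echo [%DATE% %TIME%] Update pass started > "%LOG%"

if not exist "%UPDATES%\*.msu" (
    echo No .msu files found in %UPDATES% >> "%LOG%"
    exit /b 1
)

for %%U in ("%UPDATES%\*.msu") do (
    rem /norestart is essential: SetupComplete.cmd cannot resume after a
    rem reboot, so every package must install in this single pass.
    start "" /wait "%WinDir%\System32\wusa.exe" "%%~fU" /quiet /norestart
    set RC=!ERRORLEVEL!
    if !RC! EQU 0 (
        echo OK         %%~nxU >> "%LOG%"
    ) else if !RC! EQU 3010 (
        rem 3010 = installed, restart required to finish.
        echo OK-REBOOT  %%~nxU >> "%LOG%"
    ) else if !RC! EQU 2359302 (
        rem 2359302 = update is already installed.
        echo PRESENT    %%~nxU >> "%LOG%"
    ) else (
        echo FAILED     %%~nxU rc=!RC! >> "%LOG%"
        set FAILED=1
    )
)

echo [%DATE% %TIME%] Update pass finished, failed=!FAILED! >> "%LOG%"
exit /b !FAILED!
```

Review the log before attaching the computer to a production network; any FAILED line means the machine is still missing an update.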