I am trying to solve a few problems with this post, these being:
1) How can I incorporate the latest updates into my gold image and thereby increase its security?
2) How do I install updates that are not serviceable offline?
3) How can I speed up a build and capture?
4) How can I save time when creating software update groups?
Now most of you at this point are probably thinking "Does he not know about the PreserveDriveLetter variable and offline servicing?" Well yes I do, and don't get me wrong, both of these serve a great purpose and can be invaluable at times. However, I have built far too many Windows images not to know that offline servicing, as great as it is, doesn't work 100% of the time and requires manual effort to check through the OfflineServicingEngine log. I also know that, no matter how much you tell yourself it's OK, you really should have put .NET x into that image, because now that it's complete you have a long wait whilst your "fully patched wim" installs 20+ .NET updates. I could go on....
Anyway, I am a big believer in running MBSA scans on a "gold" image for a number of reasons:
1) To ensure it is as secure as possible the second that the image is applied to the disk
2) To capture any updates that are not serviceable offline (more on this later)
3) Peace of mind
As you may or may not know, when you run MBSA (link here) it generates a report that you can save as a text file. The report tells you which updates are missing or recommended.
So what I usually do is install Windows inside a virtual machine (the exact version the customer requires), install the ConfigMgr client (as this has certain prerequisites that need to be patched) and then run MBSA to tell me what is missing.
I then create a software update group containing only those updates, create a build and capture task sequence and throw updates such as KB2533552 or KB2538243 in there, along with .NET.
What this gives me is a lean build and capture process that includes all security updates for the OS, .NET etc., plus some updates that cannot be serviced offline, such as KB2533552, or that are not available via WSUS, such as KB2538243. See MS Article here for more information.
It also gives the customer a set of updates they can use to patch their existing estate to this baseline, and a place to start with patching moving forward.
To make this a little more automatic I wrote a script that analyses the output from MBSA and creates a software update group containing all of the missing updates for that particular architecture. Call it version 0.1, as it has only had limited testing, but it has saved me a lot of time; I do intend to make it a lot slicker with logging if I get the chance.
Be aware this will add ALL missing updates to the new group. I recommend manually checking the group and removing things like Internet Explorer version X if not required.
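To show the shape of what such a script does, here is an added example (my own, not Wayne's script from the SkyDrive link): it pulls the KB numbers of updates flagged as missing out of an MBSA text report, filters the catalog hits down to one OS and architecture, and creates a software update group from them. Everything in it is an assumption rather than something from the post: the report layout (a constructed sample is embedded, with each missing update on a row containing the word "Missing" and the KB number in parentheses), the `Get-CMSoftwareUpdate -ArticleId -Fast` and `New-CMSoftwareUpdateGroup -UpdateId` cmdlets and parameters from the ConfigurationManager module, and the placeholder site code.

```powershell
<#
  Added example, not the author's script: extract missing KBs from an MBSA text
  report and build a ConfigMgr software update group from them.
  Assumptions: report rows for missing updates contain "Missing" and "(KBnnnnnnn)";
  the ConfigurationManager module is installed; $SiteCode is a placeholder.
#>
param(
    [string]$ReportPath,                                   # omit to run against the sample
    [string]$GroupName = 'Gold Image Baseline - Windows 7 x64',
    [string]$OsTitle   = 'Windows 7',                      # keep only this product's updates
    [ValidateSet('x86', 'x64')][string]$Architecture = 'x64',
    [string]$SiteCode  = 'XYZ',                            # placeholder site code
    [switch]$CreateGroup                                   # without it, parse and report only
)

function Get-MissingKBsFromMbsaReport {
    param([string[]]$ReportLines)
    $kbs = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($line in $ReportLines) {
        # Only rows flagged Missing count; Installed / Not Approved rows are ignored.
        if ($line -notmatch '\bMissing\b') { continue }
        foreach ($m in [regex]::Matches($line, 'KB(\d{6,7})')) {
            [void]$kbs.Add($m.Groups[1].Value)
        }
    }
    return @($kbs | Sort-Object)
}

function Select-UpdateForPlatform {
    # One KB maps to several catalog items (x86, x64, Itanium, other OSes);
    # keep the item whose title names the wanted OS and architecture.
    param($Updates, [string]$OsTitle, [string]$Architecture)
    $Updates | Where-Object {
        $t = $_.LocalizedDisplayName
        $t -match [regex]::Escape($OsTitle) -and
        $t -notmatch 'Itanium|ia64' -and
        (($Architecture -eq 'x64' -and $t -match 'x64') -or
         ($Architecture -eq 'x86' -and $t -notmatch 'x64'))
    }
}

# Constructed sample shaped like an MBSA security-update table; not a real report.
$sampleText = @'
 Security Updates
 | Score     | ID        | Description                                   | Maximum Severity |
 | Missing   | MS11-071  | Security Update for Windows 7 (KB2570947)     | Important        |
 | Missing   | MS11-075  | Security Update for Windows 7 (KB2564958)     | Important        |
 | Installed | MS11-043  | Security Update for Windows 7 (KB2536276)     | Critical         |
 | Missing   |           | Update for Windows 7 (KB2533552)              |                  |
'@
$sampleReport = $sampleText -split "`r?`n"

$lines = if ($ReportPath) { Get-Content -Path $ReportPath } else { $sampleReport }
$kbs   = Get-MissingKBsFromMbsaReport -ReportLines $lines
Write-Host ("Missing KBs: " + ($kbs -join ', '))

if (-not $CreateGroup) { return }

Import-Module ConfigurationManager
Push-Location "$($SiteCode):"
try {
    $selected = foreach ($kb in $kbs) {
        $hits = Get-CMSoftwareUpdate -ArticleId $kb -Fast
        if (-not $hits) {
            # Expected for updates WSUS does not carry (the post's KB2538243 case):
            # those still go into the task sequence by hand.
            Write-Warning "KB$kb is not in the ConfigMgr catalog; add it to the task sequence manually"
            continue
        }
        Select-UpdateForPlatform -Updates $hits -OsTitle $OsTitle -Architecture $Architecture
    }
    if (-not $selected) { Write-Warning 'Nothing to add to the group'; return }
    # Review the resulting group before deploying; IE upgrades and the like come along too.
    $ids = @($selected | Select-Object -ExpandProperty CI_ID)
    New-CMSoftwareUpdateGroup -Name $GroupName -UpdateId $ids | Out-Null
    Write-Host "Created '$GroupName' with $($ids.Count) updates"
}
finally { Pop-Location }
```

Run it without `-CreateGroup` on a real report first to see which KBs it found and which ones the catalog does not carry; the ones it warns about are exactly the sort of update the post says to drop into the build and capture task sequence directly.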
The script can be found on my skydrive here
EDIT: V0.2 of the script is up now, still needs some work.....
Thanks for reading
Wayne