Mark Minasi's Reader Forum
 BDD, Vista, and WSUS updates

jiveturkey
Posted - 07/29/2008 :  10:09:51 AM
I'm getting BDD/WDS up-and-running in our environment. I've got a working Vista image, and can successfully deploy it now. My question is with the security updates/patches - we use WSUS here. Is it truly necessary to add patches to WSUS AND to Deployment Workbench at the same time? Couldn't I just run "wuauclt.exe /detectnow" as part of the imaging process and let WSUS install the necessary patches? Is there a best-practice here? I would greatly appreciate any information anyone is able to provide.

<pimp>me</pimp>

joe_elway
Posted - 07/29/2008 :  10:31:12 AM
Ideally you want your machines to be as up to date as possible when the deployment occurs. But in reality, are you going to update your image every second Tuesday of every month? Maybe ... if you have a team of people responsible only for images and nothing else. Most of us might update it once in a while.

Why as up to date as possible? I did a big XP deployment on a corporate network back in 2003. Some phone engineer from a phone manufacturer had logged onto their server to do some maintenance on the corporate network. It had a modem and he wanted to surf the net in private while working. Along came a spider and shagged the WAN with Blaster. As soon as I deployed RIS images, they got infected. That got rectified pretty quickly with our AV. Had I included updates in the images this infection wouldn't have happened.

We used SUS back then for updates but that still meant there was a window where the machines weren't fully up to date. /DETECTNOW doesn't mean "install updates immediately". You'll also find that if you leave the machines without updates long enough that you require 2 or 3 trips back to WSUS to get up to date.

It's a balancing act for you to decide. As secure as possible VS workload.

Aidan Finn
MCSE, MVP (Virtual Machine: Systems Administration)

IT Blog: http://www.aidanfinn.com
My Photography: http://www.aidanfinnphoto.com/
My Hyper-V Book: Mastering Hyper-V Deployment
Twitter: http://twitter.com/joe_elway

Edited by - joe_elway on 07/29/2008 10:32:57 AM

jiveturkey
Posted - 07/29/2008 :  10:37:01 AM
Thanks for the insight...

I'm thinking that the WSUS route will suit my needs as I can always count on the WSUS server being up-to-date (I have a security team that manages it). I'll just create a .VBS that will run "wuauclt.exe /detectnow" and wait until that process is finished. That will save me from having to add patches to WSUS and having to create them in Deployment Workbench also (why reinvent the wheel?).

Obviously I would update my image with the latest patches whenever I have a need to update my image...

<pimp>me</pimp>
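
Added example, not part of the thread and not BDD or WSUS project code: because `/detectnow` only triggers detection, a deployment step that must finish patched can drive the Windows Update Agent COM API synchronously and repeat the scan to cover the "2 or 3 trips back to WSUS" mentioned above. It assumes PowerShell is present in the image, the script runs elevated, and the client already points at WSUS by policy; `$MaxPasses` and the exit codes other than the conventional 3010 (reboot required) are illustrative choices.

```powershell
# Synchronous scan / download / install through the Windows Update Agent COM API.
# $MaxPasses is an assumed limit chosen for this example.
param([int]$MaxPasses = 3)

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

for ($pass = 1; $pass -le $MaxPasses; $pass++) {
    # Blocks until the scan against the configured update source has completed.
    $found = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    if ($found.Updates.Count -eq 0) {
        Write-Output "Pass ${pass}: no applicable updates remain."
        exit 0
    }

    $batch = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $found.Updates) {
        # Skip anything that could prompt, since nobody is at the console.
        if ($u.InstallationBehavior.CanRequestUserInput) { continue }
        if (-not $u.EulaAccepted) { $u.AcceptEula() }
        [void]$batch.Add($u)
    }
    if ($batch.Count -eq 0) { Write-Output "Only interactive updates remain."; exit 0 }

    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $batch
    [void]$downloader.Download()

    # Install only what actually arrived from the update server.
    $ready = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $batch) { if ($u.IsDownloaded) { [void]$ready.Add($u) } }
    if ($ready.Count -eq 0) { Write-Output "Pass ${pass}: nothing downloaded."; exit 1 }

    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $ready
    $result = $installer.Install()

    # ResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed, 5 = aborted
    Write-Output ("Pass {0}: {1} update(s), ResultCode={2}, RebootRequired={3}" -f `
        $pass, $ready.Count, $result.ResultCode, $result.RebootRequired)

    if ($result.RebootRequired) { exit 3010 }   # caller reboots, then reruns this step
    if ($result.ResultCode -ge 4) { exit 1 }
}
exit 2   # pass limit reached without a clean scan
```

A zero exit code means the last scan found nothing left to install, which is the condition a build step can gate on before the machine joins the production network.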
Mark Minasi's Reader Forum © 2002-2009 Mark Minasi