Delivering Windows update & AV via Laptop

Posted on 2004-11-17
Last Modified: 2008-03-17
I am a PC Technician, doing a LOT of home users' systems.  Currently I have a CD Rom that has Hijackthis, AdAware, and all Service Packs for all OS's

Right now I am cleaning up the system with hijackthis and adAware, going to windowsupdate and doing updates (installing SP from CD when I can)

PROBLEM: Norton is a big program and requires activation on each new machine.  If I leave it unactivated, then it can affect them if they install Norton at a later date.  This makes scanning for viruses unbelievably long tasked.  I want to use Norton 2005 since it also does Adware/Spyware and the like.  Even installing Norton, scanning, and uninstalling - can take hours.

Another thing I would like to do is speed up and streamline the Windows update process.  If someone needs lots of updates and they have dialup, I am forced to either let it run overnight or bring it home and hook up to highspeed.  I like the "resolved on first contact" principle.

I want to be legit with licensing et al. - so hacking it or patching in installations would be out.

The only way that I can think of doing this is to have Windows Server 2003 running on a laptop, then have the client connect to it via crossover and log into the domain.  Once signed in, I can load the Symantec Corp Edition Client, and do Windows updates with Windows Update Services / Software Update Services (WUS/SUS) ... this could greatly streamline the process, especially if I can automate all the installs once signed in.

The only prob I see with this route is it is ungodly expensive.  You'd need a laptop with enough juice to run Server 2003, you'd need to purchase Windows 2003 Server + appl software, and of course Symantec Corporate Edition.

Anyone got any better ideas??  I am looking for solutions that do not compromise the quality of work done, yet do it quickly and do not cost a whack of cash.

Question by:Manido
    LVL 2

    Accepted Solution

    Why don't you try looking at a package like WinInstall? Basically you get a dumb machine and install all the patches / software that you want and you then create an MSI based upon the updates/installs. All you do then is run the one MSI package on each machine to install all the applications. I don't see a problem with licences because you can choose to either activate Norton before you finish the MSI package or (which I think would be better) just leave it so the components are installed but need tidying up and setting up. If you activate Norton within the MSI package so you don't have to register... I don't think they will be that bothered about licences because you can physically produce 20 pieces of paper (even though they all use the same reg code). I might be wrong on this though....

    With regards to patching, I'd put the latest SP on each machine, so for example with XP it might be easier to create an MSI package with SP2, then run the Windows update afterwards.... (Would be less updates, also if you ran SP2 install first, each machine would then in theory need the same updates so you could create another MSI of these?)

    Just a quick thought though.. I may not have read your post correctly...
    LVL 87

    Assisted Solution

    1. You can download the Windows updates as single files by activating and using the Windows Update Catalog. Remember you only need those updates after the last service pack, since you can also download the complete service pack for the OS and this SP contains all previous updates and service packs.
       -> So you can prepare yourself by downloading these on your high-speed connection and then saving them to your notebook or CD-ROM prior to visiting the client. After you have updated his OS by running all these SPs and updates you should just need to run Windows Update once more to fetch anything you missed, but if you have missed something it will be small and shouldn't take too long to download from a dialup connection. The same applies to Office updates from version XP upwards. With older versions you will have to apply at least the 1st Office service pack for that version before installing the last one.

    2. You can also download the virus definition files directly from Symantec, so to apply those it shouldn't be necessary to have to register. I'm not sure if this applies for the program updates as well. What you can download you can also burn to CD or put on your portable.

    3. Consider another antivirus software. I use Avast! antivirus, which is free for personal use and runs for 90 days before needing a registration. The registration is easy (answer a few questions, enter the user's email address and they will receive a serial number which they can copy & paste into the program. This must be renewed every year). In my opinion the program works just as well as NAV does, and it uses less resources. To be as up to date as possible just download the current version of Avast! before you get to your customer. The updates you will then have to download once it is installed will be smaller.

    4. You can also download the detection updates for Spybot separately, I wouldn't know about AdAware, though.

    5. Get yourself a free firewall software, or check with your customers. They probably have a CD with firewall software that came with their modem or ISP contract. If they are using at least Windows XP, it is integrated with SP2.

    If you prepare yourself with all possible and impossible updates before going to your customer you will not have to spend that much online time. You'll only need it to streamline your installation. Keep to free software, it is often just as good and more up to date than retail software.

    I hope I've been of some help,

    LVL 6

    Assisted Solution

    I installed SUS on my laptop using the patcher here:
    Unfortunately, it is not available at the moment:
    >Important Notice
    >I've taken the patcher offline until I can fix a few related IIS bugs.
    I think I may still have the version of the patcher that I used, but being new to this site, I'm not sure if emailing it to you is allowed! :-)
    In any case, you can keep your eye on the above URL. I've been using SUS on my laptop for a few months now and all is well.
    Hope this helps.
    LVL 1

    Expert Comment

    Why don't you download the IT Professional version of Windows service packs and catalog patches and place them on your laptop from a read-only file share?  Then using a crossover cable, connect and get them as needed.  Much faster than a modem.  Just keep track of when patches were released and only apply the ones after the service pack was released.

    As for Norton, either install then uninstall, or get another virus scanner.  You could consider just using a trial program, such as CA's Etrust at
    ..then get rid of it when completed.

    Using Server 2003 is a waste of money on licensing when a file share can get you what you need using Windows (2k,xp,etc)

    Author Comment


    I have tried the windows update catalog before, but here are the probs:
    * Multi-language and multi-version updates give you a lot to sift through.
    * There is no indication as to what order they should be applied.
    * When uncompressed, there is no straightforward install

    The time to prepare that and deploy it make WindowsUpdate seem like a better alternative.  I am looking for an automatic deployment

    I am not sure you understand what I mean with antivirus.  I want to do a virus scan on many machines that has no virus protection.  I am very happy with the latest version of Norton/Symantec - so I'd like to stick with that.

    I like your idea - you are essentially talking about doing a difference for the updates, and package it into an MSI install.  Conversely I could use any diff pack and put them on CD in the form of a .zip file and a .reg file, to make it extremely fast.

    I am not sure what you mean regarding Norton - my issue is not registration since it is optional.  Activation works on a specific hardware fingerprint, so patching in an un-activated installation may work, but my guess is it would not be that easy since this method could be used to pirate Norton (it wouldn't be against license if I uninstall it afterwards)

    I like the sound of hacking SUS so it will work on Win2k or XP - but it'd have to be legal.  Then I could put Symantec Corp Edition on the laptop, since you do not have to install it on a server OS.  Only prob would be if Symantec keeps track of the various hardware fingerprints the clients are installed on, as they connect to the server - and stop working after you exceed licenses.

    This seems to be along the lines of what has been suggested.  I was hoping there was a more automatic way.  
    LVL 2

    Expert Comment

    Manido - What I mean with Norton is that each machine will have a different hardware fingerprint even though it will be from the same CD if you get my meaning. To quicken the process you could have your bespoke MSI install Norton but still require you to finish off the install by activation?

    Or am I missing the point and you don't want to install Norton, only virus check/spy check before you install updates?

    Author Comment

    No, sounds like you are on the right track.

    With my business I am targeting home users primarily, so most of the problems are adware, spyware, virus, updates.   It's about 1 in 50 that is something else - which is why I am looking at streamlining the process.  I charge a flat rate per job, and usually schedule 2-3 a day - if I can streamline it - I can schedule much more.

    This is why I was curious for a solution with a laptop.  One person here suggested to skip the laptop and use an iPod to hold all the updates / programs and then just mount it as a mass storage device.  Getting lots of suggestions - but not sure that there is one that would make this the easiest without costing a fortune.

    So far it looks like I will be getting Symantec Corp edition, Server 2003 (for domain logins, not for SUS).  I thought of setting up an elaborate login system to handle everything.  Use one login to automatically load AV Client, scan, reboot, unload AV Client and run AdAware then reboot again.  Then a  second login to run updates and shutdown.

    This way I would only have to plug in laptop when at home for it to automatically download all updates -- then onsite I would just configure domain logins and login as the two users.

    I will leave this thread open for a few more days - I want to see if someone else has an ingenious solution.  I am pretty comfortable with Unix and shell scripting too in case someone wants to think of something with that.
    LVL 4

    Assisted Solution

    Buddy you need this place:

    Your problems are resolved.
    Briefly, for updates you need to slipstream them.
    For software use the procedures on the site.
    Norton activation, I think you'll have to live with, and I wonder how you are managing the Windows activation in the first place. Do you have a Volume Licensing Key ;-)

    Author Comment

    I have been installing it without Activating - doing the scan then uninstalling .. Only problem with this approach is that nobody else will be able to install Norton on that computer again without activating (including me if they call me back for second time)

    Corp edition does not need activation for the clients - but you have to buy the SAV CE with the necessary licenses. has info for installing XP unattended, and the info for installing updates is helpful but to be of use I'd have to purchase the pro version of the update checker....  Getting Server and using SUS/WUS would be the same cost - probably a lot easier too.

    Hmm .. I like the idea of having an affordable tool do the detection and the installation of updates...   Will see if someone else has something to offer - the longer I leave this the closer we seem to get to a viable option ....   Be nice if I could just run a Norton executable with the latest virus definitions from a CDROM directly - and detect/disinfect all the viruses/adware ....
    LVL 6

    Expert Comment

    Earlier, I suggested patching the installer for SUS to allow installation on an XP laptop.
    While I appreciate that this might not be entirely legit, all that the patch does (according to the author) is to remove a restriction in the MSI to prevent installation on an XP or 2k machine. Maybe this is still dodgy, but 1. the actual SUS software is (apparently) untouched and 2. the only effect on the client machines is the installation of legit updates published by MS. Also, using this:
    one can effect a massive reduction in the time taken to update the client.
    As for Norton, although I also consider it the best solution in the corporate environment, I think that use of a free AV package for the purpose in question would give at least two major benefits: 1. No worries about licences etc. and 2. You could leave this software on the client thus providing ongoing protection.

    Furthermore, I have just mapped my laptop's hard drive to a network drive on another machine and Symantec 9 allows me to scan it from the other machine. Is that not an option? Perhaps the scan would be slower this way, but surely a faster option overall.

    Author Comment

    Sorry for the delayed response - I have been busy :)

    I finally put my evaluation software to good use!  I set up a 2003 Server system, and an XP Pro system.  Set up the 2003 as Domain Controller, and installed the evaluation version of WUS which is now available.   Let it download ALL the updates - 8 gig worth.

    Set up the client machine after everything was done with the server, and installed Office Evaluation on it (to see if it will auto-update that too).

    Good News:
    It works.  It downloads all of the updates, and I can see that it will update the Microsoft Office as well.

    Bad News:
    For starters - it is dog slow.  I left the PC unattended and noticed it auto-restarted a few times and installed the updates.   It wanted to have the client computer use Windows Update to obtain certain updates like SP2, even though the settings in WUS were to download them and install locally.
    There seem to be quite a few timeouts involved - which is more than likely where SUSForce comes in.  I am beginning to think however that this is not the best option because I have had to install quite a bit of software, reboot, install, reboot in order to just get the Windows update working - not to mention using gpedit to point the wuauclt to the WUS server.

    Starting to think that I may have to explore Caeser_Augustus's option and use Shavlik's free HFNetChk Utility to find out which updates are required, then create a WScript to silently install the updates.  This will allow me to non-obtrusively update a system, even if they have partial updates - legit, and without the use of a Domain Controller.  I could probably create a CD for each OS, one for each version of Office and fit all the updates on a standard CDROM, and deploy via CDROM.

    I could make one single DIFF that includes the files and registry changes required to update a system to the latest SP2 - but I am not sure how obtrusive that would be - and one thing you learn quickly is that people very rarely have a perfectly running system that just needs updating ...  so running the updates themselves, IMHO is preferred.

    I am gonna play around and see what I can come up with...  will post back.

    Author Comment


    I spent an evening and wrote a WScript that parses out the HFNetChk results, and looks up the KB id, and cross references it to an update file.  If that update did not exist, it downloaded it from MS.   I got it working .. but was not very happy with the results.  To patch an XP system from SP1 to latest took me 3 hours - Mostly, running each install after one another takes quite a while, and some you cannot run silently, which means everything stands still until the monkey clicks the button.

    So I tried the obtrusive approach.  Reformatted again with XP SP1 and took a snapshot of the system with WinInstall.  Installed all the updates and files, then took another snapshot and made diff file.  Reformatted again and tested it - installed off a cdrom in under 20 minutes.

    This sounds exactly like what I am looking for.   Rob - have you used this before?  Have you run into any problems with it breaking programs?

    As far as the antivirus solution - the answer was so simple.  I was fixing a machine in-shop and installed the Antivirus client off my CDROM (which is an exact copy of the client directory on the server) ..  Halfway through the virus scan (and after the liveupdate) I realized that I was connected into the wrong hub and therefore was not able to access the server.   Little bit of testing and I realized that you do not need to contact the central server in order to use the Symantec Corp Edition client.  I installed the client, updated, scanned, and uninstalled again.  Worked well.   I am unsure if this is within the license agreement - but it should be fine since the client is being uninstalled afterward.

    I think that what I will do is include the Corp Edition client as part of the wininstall image - that way I just install the computer to the latest version, run antivirus and adaware and I am done.  Should speed things up quite a bit (although I have not tested it this way yet I am sure it will work great)
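    An added example (not the author's WScript and not part of the original thread) of the planning step discussed above: match a list of missing KB ids against a local package catalogue, filter by OS and language, skip anything released on or before the service pack, and order the rest by release date. The scanner's output format is not shown on the page, so the input is a plain list of KB ids; all ids, dates and filenames below are constructed.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Package:
    kb: str         # constructed id, e.g. "KB900001"
    os: str         # e.g. "WindowsXP"
    lang: str       # e.g. "ENU"
    released: date  # release date recorded when the file was downloaded
    filename: str


def pkg(kb, os, lang, released):
    return Package(kb, os, lang, released, f"{os}-{kb}-x86-{lang}.exe")


# Constructed catalogue of what is on the technician's CD or file share.
CATALOGUE = [
    pkg("KB900001", "WindowsXP", "ENU", date(2004, 5, 11)),
    pkg("KB900001", "WindowsXP", "DEU", date(2004, 5, 11)),
    pkg("KB900003", "WindowsXP", "ENU", date(2004, 11, 9)),
    pkg("KB900003", "Windows2000", "ENU", date(2004, 11, 9)),
    pkg("KB900002", "WindowsXP", "ENU", date(2004, 10, 12)),
]

SP_RELEASED = date(2004, 8, 1)  # constructed service-pack date


def plan_updates(missing_kbs, catalogue, os, lang, sp_released):
    """Return (install_order, covered_by_sp, to_download).

    install_order: filenames for this OS/language, oldest release first.
    covered_by_sp: KB ids released on or before the service pack.
    to_download:   KB ids with no matching local package.
    """
    local = {p.kb: p for p in catalogue if p.os == os and p.lang == lang}
    install, covered, to_download = [], [], []
    # Normalise and de-duplicate the scan results, keeping first-seen order.
    for kb in dict.fromkeys(k.strip().upper() for k in missing_kbs):
        p = local.get(kb)
        if p is None:
            to_download.append(kb)
        elif p.released <= sp_released:
            covered.append(kb)
        else:
            install.append(p)
    install.sort(key=lambda p: (p.released, p.kb))
    return [p.filename for p in install], covered, to_download


if __name__ == "__main__":
    scan = ["kb900003", "KB900001", "KB900002", "KB900009", "KB900002"]
    order, covered, fetch = plan_updates(
        scan, CATALOGUE, "WindowsXP", "ENU", SP_RELEASED)
    print("install:", order)
    print("covered by SP:", covered)
    print("download first:", fetch)
```

    Release-date ordering is the rule of thumb given earlier in the thread, not a documented dependency order.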

    Author Comment

    I have closed the question, since I more or less have a clear picture of how to proceed.  I gave the majority of points to Rob since he was the first to answer and was with the correct answer.  I divided the rest of the points since, while not the best suited to my needs, provided information I could use elsewhere.

    Thanks all
