Manido

Delivering Windows update & AV via Laptop

I am a PC Technician, doing a LOT of home users' systems.  Currently I have a CD Rom that has Hijackthis, AdAware, and all Service Packs for all OS's

Right now I am cleaning up the system with hijackthis and adAware, going to windowsupdate and doing updates (installing SP from CD when I can)

PROBLEM: Norton is a big program and requires activation on each new machine.  If I leave it unactivated, then it can affect them if they install Norton at a later date.  This makes scanning for viruses unbelievably long tasked.  I want to use Norton 2005 since it also does Adware/Spyware and the like.  Even installing Norton, scanning, and uninstalling - can take hours.

Another thing I would like to do is speed up and streamline the Windows update process.  If someone needs lots of updates and they have dialup, I am forced to either let it run overnight or bring it home and hook up to highspeed.  I like the "resolved on first contact" principle.

I want to be legit with licensing et al., etc. - so hacking it or patching in installations would be out.
------------

The only way that I can think of doing this is to have Windows Server 2003 running on a laptop, then have the client connect to it via crossover and log into the domain.  Once signed in, I can load the Symantec Corp Edition Client, and do Windows updates with Windows Update Services / Software Update Services (WUS/SUS) ... this could greatly streamline the process, especially if I can automate all the installs once signed in.

The only prob I see with this route is it is ungodly expensive.  You'd need a laptop with enough juice to run Server 2003, you'd need to purchase Windows 2003 Server + appl software, and of course Symantec Corporate Edition.


Anyone got any better ideas??  I am looking for solutions that do not compromise the quality of work done, yet do it quickly and do not cost a whack of cash.

Thx
ASKER CERTIFIED SOLUTION
Rob_991

This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
rindi

This solution is only available to members.
SOLUTION
This solution is only available to members.
Jasonw3

Why don't you download the IT Professional version of Windows service packs and catalog patches and place them on your laptop from a read-only file share.  Then using a crossover cable, connect and get them as needed.  Much faster than a modem.  Just keep track of when patches were released and only apply the ones after the service pack was released.

As for Norton, either install then uninstall, or get another virus scanner.  You could consider just using a trial program, such as CA's Etrust at
http://www3.ca.com/Solutions/Collateral.asp?CID=39914&ID=156
..then get rid of it when completed.

Using Server 2003 is a waste of money on licensing when a file share can get you what you need using Windows (2k,xp,etc)
Manido

ASKER

Rindi:  

I have tried the windows update catalog before, but here are the probs:
* Multi-language and Multiversion updates give you a lot to sift through.
* There is no indication as to what order they should be applied.
* When uncompressed, there is no straightforward install.

The time to prepare that and deploy it make WindowsUpdate seem like a better alternative.  I am looking for an automatic deployment.

I am not sure you understand what I mean with antivirus.  I want to do a virus scan on many machines that have no virus protection.  I am very happy with the latest version of Norton/Symantec - so I'd like to stick with that.

Rob_991:
I like your idea - you are essentially talking about doing a difference for the updates, and package it into an MSI install.  Conversely I could use any diff pack and put them on CD in the form of a .zip file and a .reg file, to make it extremely fast.

I am not sure what you mean regarding Norton - my issue is not registration since it is optional.  Activation works on a specific hardware fingerprint, so patching in an un-activated installation may work, but my guess is it would not be that easy since this method could be used to pirate Norton (it wouldn't be against license if I uninstall it afterwards)

jholland79:
I like the sound of hacking SUS so it will work on Win2k or XP - but it'd have to be legal.  Then I could put Symantec Corp Edition on the laptop, since you do not have to install it on a server OS.  Only prob would be if Symantec keeps track of the various hardware fingerprints the clients are installed on, as they connect to the server - and stop working after you exceed licenses.

Jasonw3:
This seems to be along the lines of what has been suggested.  I was hoping there was a more automatic way.  

Manido - What I mean with Norton is that each machine will have a different hardware fingerprint even though it will be from the same CD if you get my meaning. To quicken the process you could have your bespoke MSI install Norton but still require you to finish off the install by activation ??

Or am I missing the point and you don't want to install Norton, only virus check/spy check before you install updates??
Manido

ASKER

No, sounds like you are on the right track.

Background:
With my business I am targeting home users primarily, so most of the problems are adware, spyware, virus, updates.   It's about 1 in 50 that is something else - which is why I am looking at streamlining the process.  I charge a flat rate per job, and usually schedule 2-3 a day - If I can streamline it - I can schedule much more.

This is why I was curious about a solution with a laptop.  One person here suggested to skip the laptop and use an ipod to hold all the updates / programs and then just mount it as a mass storage device.  Getting lots of suggestions - but not sure that there is one that would make this the easiest without costing a fortune.  

So far it looks like I will be getting Symantec Corp edition, Server 2003 (for domain logins, not for SUS).  I thought of setting up an elaborate login system to handle everything.  Use one login to automatically load AV Client, scan, reboot, unload AV Client and run AdAware then reboot again.  Then a  second login to run updates and shutdown.

This way I would only have to plug in laptop when at home for it to automatically download all updates -- then onsite I would just configure domain logins and login as the two users.

I will leave this thread open for a few more days - I want to see if someone else has an ingenious solution.  I am pretty comfortable with Unix and shell scripting too in case someone wants to think of something with that.
SOLUTION
This solution is only available to members.
Manido

ASKER

I have been installing it without Activating - doing the scan then uninstalling .. Only problem with this approach is that nobody else will be able to install Norton on that computer again without activating (including me if they call me back for second time)

Corp edition does not need activation for the clients - but you have to buy the SAV CE with the necessary licenses.

http://unattended.msfn.org has info for installing XP unattended, and the info for installing updates is helpful but to be of use I'd have to purchase the pro version of the update checker....  Getting Server and using SUS/WUS would be the same cost - probably a lot easier too.

Hmm .. I like the idea of having an affordable tool do the detection and the installation of updates...   Will see if someone else has something to offer - the longer I leave this the closer we seem to get to a viable option ....   Be nice if I could just run a norton executable with the latest virus definitions from a CDROM directly - and detect/disinfect all the viruses/adware ....

Earlier, I suggested patching the installer for SUS to allow installation on an XP laptop.
See http://www.nextwish.org/geek.php?page=suspatcher.
While I appreciate that this might not be entirely legit, all that the patch does (according to the author) is to remove a restriction in the MSI to prevent installation on an XP or 2k machine. Maybe this is still dodgy, but 1. the actual SUS software is (apparently) untouched and 2. the only effect on the client machines is the installation of legit updates published by MS. Also, using this:
http://home.comcast.net/~hkaldas/SUSForce.zip
one can effect a massive reduction in the time taken to update the client.
As for Norton, although I also consider it the best solution in the corporate environment, I think that use of a free AV package for the purpose in question would give at least two major benefits: 1. No worries about licences etc. and 2. You could leave this software on the client thus providing ongoing protection.

Furthermore, I have just mapped my Laptop's Hard Drive to a Network Drive on another machine and Symantec 9 allows me to scan it from the other machine. Is that not an option? Perhaps the scan would be slower this way, but surely a faster option overall.
John.
Manido

ASKER

Sorry for the delayed response - I have been busy :)

I finally put my evaluation software to good use!  I set up a 2003 Server system, and an XP Pro System.  Set up the 2003 as Domain Controller, and installed the evaluation version of WUS which is now available.   Let it download ALL the updates - 8 gig worth.

Set up the client machine after everything was done with the server, and installed Office Evaluation on it (see if it will auto-update that too)

Good News:
It works.  It downloads all of the updates, and I can see that it will update the Microsoft Office as well.

Bad News:
For starters - It is dog slow.  I left the PC unattended and noticed it auto-restarted a few times and installed the updates.   It wanted to have the client computer use windowsupdate to obtain certain updates like SP2, even though the settings in WUS were to download them and install locally.
There seem to be quite a few timeouts involved - which is more than likely where SUSForce comes in.  I am beginning to think however that this is not the best option because I have had to install quite a bit of software, reboot, install, reboot in order to just get the windows update working - not to mention using gpedit to point the wuauclt to the WUS server.

Starting to think that I may have to explore Caeser_Augustus's option and use Shavlik's free HFNetChk Utility to find out which updates are required, then create a WScript to silently install the updates.  This will allow me to non-obtrusively update a system, even if they have partial updates - legit, and without the use of a Domain Controller.  I could probably create a CD for each OS, one for each version of Office and fit all the updates on a standard CDROM, and deploy via CDROM.

I could make one single DIFF that includes the files and registry changes required to update a system to the latest SP2 - but I am not sure how obtrusive that would be - and one thing you learn quickly is that people very rarely have a perfectly running system that just needs updating ...  so running the updates themselves, IMHO is preferred.

I am gonna play around and see what I can come up with...  will post back.
Manido

ASKER

Well.

I spent an evening and wrote a WScript that parses out the HFNetChk results, and looks up the KB id, and cross references it to an update file.  If that update did not exist, it downloaded it from MS.   I got it working .. but was not very happy with the results.  To patch an XP system from SP1 to latest took me 3 hours - Mostly, running each install after one another takes quite a while, and some you cannot run silently, which means everything stands still until the monkey clicks the button.

So I tried the obtrusive approach.  Reformatted again with XP SP1 and took a snapshot of the system with WinInstall.  Installed all the updates and files, then took another snapshot and made diff file.  Reformatted again and tested it - installed off a cdrom in under 20 minutes.

This sounds exactly like what I am looking for.   Rob - have you used this before?  Have you run into any problems with it breaking programs?

As far as the antivirus solution - the answer was so simple.  I was fixing a machine in-shop and installed the Antivirus client off my CDROM (which is an exact copy of the client directory on the server) ..  Halfway through the virus scan (and after the liveupdate) I realized that I was connected into the wrong hub and therefore was not able to access the server.   Little bit of testing and I realized that you do not need to contact the central server in order to use the Symantec Corp Edition client.  I installed the client, updated, scanned, and uninstalled again.  Worked well.   I am unsure if this is within the license agreement - but it should be fine since the client is being uninstalled afterward.

I think that what I will do is include the Corp Edition client as part of the wininstall image - that way I just install the computer to the latest version, run antivirus and adaware and I am done.  Should speed things up quite a bit (although I have not tested it this way yet I am sure it will work great)
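
The cross-referencing step described in the post above (scan report to KB IDs to local update files, with anything not on the CD left to download), as an added example that is not the poster's script. The report text, KB numbers and file list are constructed, and the `Product-KBnnnnnn[-vN]-arch-LNG.exe` naming and the use of ascending KB number as install order are assumptions.

```javascript
// Added example. SAMPLE_* data is constructed, not real scanner output.
// Package names are assumed to look like Product-KBnnnnnn[-vN]-arch-LNG.exe
var FILE_RE = /^([A-Za-z0-9.]+)-KB(\d+)(?:-v(\d+))?-(x86|x64|ia64)-([A-Za-z]{3})\.exe$/i;

// Collect each distinct KB number mentioned anywhere in the report text.
function extractKbIds(reportText) {
  var seen = {}, ids = [], m, re = /\bKB(\d{6,7})\b/gi;
  while ((m = re.exec(reportText)) !== null) {
    if (!seen[m[1]]) { seen[m[1]] = true; ids.push(m[1]); }
  }
  return ids;
}

// Index the local update folder for one product and language only,
// keeping the highest -vN revision when a package was re-released.
function indexUpdates(fileNames, product, language) {
  var index = {};
  fileNames.forEach(function (name) {
    var m = FILE_RE.exec(name);
    if (!m || m[1].toLowerCase() !== product.toLowerCase()) return;
    if (m[5].toLowerCase() !== language.toLowerCase()) return;
    var rev = m[3] ? Number(m[3]) : 1;
    if (!index[m[2]] || rev > index[m[2]].rev) index[m[2]] = { name: name, rev: rev };
  });
  return index;
}

// Split the missing KBs into "install from CD" and "still to download".
// Ascending KB number stands in for release order (an approximation).
function buildPlan(reportText, fileNames, product, language) {
  var index = indexUpdates(fileNames, product, language);
  var plan = { install: [], download: [] };
  extractKbIds(reportText)
    .sort(function (a, b) { return Number(a) - Number(b); })
    .forEach(function (kb) {
      if (index[kb]) plan.install.push(index[kb].name);
      else plan.download.push("KB" + kb);
    });
  return plan;
}

var SAMPLE_REPORT = "Missing: KB900003\nMissing: KB900001\n" +
  "Note: KB900001 needs a reboot\nMissing: KB900007";
var SAMPLE_FILES = ["WindowsXP-KB900001-x86-ENU.exe", "WindowsXP-KB900001-x86-DEU.exe",
  "Windows2000-KB900003-x86-ENU.exe", "WindowsXP-KB900003-x86-ENU.exe",
  "WindowsXP-KB900003-v2-x86-ENU.exe", "readme.txt"];
console.log(buildPlan(SAMPLE_REPORT, SAMPLE_FILES, "WindowsXP", "ENU"));
```

Filtering on product and language before matching removes the multi-language and multi-version clutter raised earlier in the thread, and the `download` list is what would still have to be fetched before going on site.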
Manido

ASKER

I have closed the question, since I more or less have a clear picture of how to proceed.  I gave the majority of points to Rob since he was the first to answer and was with the correct answer.  I divided the rest of the points since, while not the best suited to my needs, provided information I could use elsewhere.

Thanks all