Deploying Patches with Software Update Services 1.0

Introduction

An important way to help keep your network secure is to install the latest operating system updates to computers running Microsoft Windows operating systems.

Software Update Services (SUS) Server 1.0 with Service Pack 1 (SP1) provides a solution to the problem of managing and distributing critical Windows updates that resolve known security vulnerabilities and other stability issues in Microsoft Windows operating systems.

Note: SUS Server 1.0 with SP1 addresses the compatibility issues that existed between Windows 2000 Server and SUS Server 1.0.

If you use SUS, you do not need to manage the updates for each individual computer on the network by using the Windows Update Web site. You can manage the updates on a computer running Microsoft Windows Server 2003 (or running Windows 2000 Server) and configure it to distribute the updates to your computers automatically. The computers receiving the updates do not need Internet access. SUS can provide updates for computers running Windows 2000 Professional, Windows 2000 Server, Windows XP Professional, Windows XP Home, and Windows Server 2003 operating systems.

If you are running another version of Windows, you can find instructions for how to update it on the Windows Downloads page on the Microsoft Web site at http://www.microsoft.com/windows/downloads/default.mspx.

If you have five or fewer computers, using SUS is not efficient. Instead, configure each client computer to download and install updates from Windows Update using Automatic Updates. For more information about Windows Update and Automatic Updates, see the Microsoft Web site at http://www.microsoft.com/athome/security/protect/update.mspx.

Note: If you have computers that are not part of the domain, you can update them using Automatic Updates. If you have computers running Windows XP Home, you can use Automatic Updates or you can upgrade to Windows XP Professional. Windows XP Professional is designed to work with the Windows Server 2003 network environment. This adds security while also improving reliability, performance, and functionality for the local network. For information about upgrading client computers, see the Windows XP Professional Upgrade Center on the Microsoft Web site at http://www.microsoft.com/windowsxp/pro/upgrading/default.mspx.

This document includes information about the following tasks:

•	Planning and deploying SUS Server 1.0 SP1
•	Installing IIS
•	Installing and configuring SUS
•	Downloading updates for SUS
•	Updating client computers
•	Defining policies for installing updates
•	Updating computers with SUS 1.0
•	Suggested methods for testing updates

IMPORTANT: All the step-by-step instructions included in this document were developed by using the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps might differ slightly.

Top of page

Before You Begin

Before you deploy SUS, you should already have installed and configured Windows Server 2003. Your Windows client computers and any other Windows servers should have already been added to the network.

Top of page

Planning and Deploying SUS Server 1.0 SP1

The following steps are used when planning and deploying SUS Server 1.0 with SP1:

•	Identifying installed and missing software updates
•	Installing Microsoft Internet Information Services (IIS)
•	Installing and configuring SUS
•	Downloading updates for SUS
•	Updating client computers
•	Defining policies for installing updates

Identifying Installed and Missing Software Updates

It is essential to identify which software updates have been installed on your computers. SUS does not include any auditing tools. To determine which software updates have been installed on servers and workstations within the organization, you must use the Microsoft Baseline Security Analyzer (MBSA), which is available for download from the Microsoft Web site at http://www.microsoft.com/downloads/details.aspx?FamilyID=b13ebd6b-e258-4625-b0a3-64a4879f7798&DisplayLang=en. MBSA will report missing security updates and service packs and will identify vulnerabilities for installations of Windows Server 2003, Windows XP, Windows 2000, and Windows NT 4.0. It will also report whether the computer configuration adheres to common security best practices (such as the use of strong passwords).

Requirements

•	You must be logged on as a member of the Administrators group.

•

To identify installed and missing software updates using MBSA

1.	Open the MBSA Web page on the Microsoft Web site at http://www.microsoft.com/technet/security/tools/mbsahome.mspx.
2.	Click Download.
3.	In the File Download dialog box, click Open.
4.	In the Microsoft Baseline Security Analyzer Setup dialog box, click Next.
5.	On the License Agreement page, select I accept the license agreement, and then click Next.
6.	On the User Information page, click Next.
7.	On the Destination Folder page, click Next.
8.	On the Choose install options page, click Next.
9.	On the Select Features page, click Next.
10.	On the Ready to Install the Application page, click Next, and then click Finish.
11.	Switch to the Microsoft Baseline Security Analyzer application.
12.	Click Scan more than one computer.
13.	In the Domain name box, type the name of your domain.
14.	Click Start scan.
15.	Click Print to print a copy of the report.
16.	After all of the computers on the network have been updated, MBSA should be run a second time to ensure that all updates were installed.

Take an Inventory of the Computers on Your Network

You must take an inventory of each computer on your network to determine its name and the operating system it is running. You will use this information later to determine whether any computers need to be updated without using SUS and whether the Automatic Updates software on any of the computers needs to be updated to work with SUS. Use the following procedure for each computer on your network and record the information in the table provided on the next page.

Requirements

•	You must be logged on as a member of the Administrators group.

•

To determine client computer names and operating system versions

Log on to each computer as Administrator or with an account that has administrative rights and permissions.

Click Start, click Run, and then type msinfo32.

Click OK.

In the following table, record the information for each computer.

Repeat for each computer on the network.

Names and Operating Systems of Each Computer

Computer Name	Operating System Name	Operating System Version and Service Pack

Computers running Windows 2000 must have SP2 or later installed.

•

To update computers running Windows 2000 to the latest service pack

1.	Log on as Administrator or with an account that has administrative credentials.
2.	Click Start, and select Windows Update.
3.	In the Security Warning dialog box, click Yes to install and run Windows Update.
4.	On the Windows Update Web page, click Scan for Updates.
5.	Click Critical Updates and Service Packs.
6.	Scroll through the list of updates and click Remove for all the updates except the Windows 2000 Service Pack 4 Express Install for End Users update. You can use SUS to install the other updates later.
7.	Click Review and Install Updates, and then click Install Now.
8.	On the License Agreement dialog box, click Accept. The Windows 2000 Service Pack 4 Setup Wizard appears.
9.	Click Next.
10.	On the License Agreement page, click I Agree, and then click Next.
11.	To accept the default option to archive files, click Next. The download and installation begins.
12.	When the installation is complete, click Finish, and then click OK to restart your computer.

You will also need to determine your Windows domain name. This information will be needed in a later step when you configure the proxy server.

•

To determine your Windows domain name

1.	Click Start, and then click Run.
2.	In the Open box, type cmd, and then click OK.
3.	At the command prompt, type set, and then press ENTER. In the output text, you will see a line that reads *USERDOMAIN=yourWindowsdomain* where yourWindowsdomain** is the name of your Windows domain.
4.	Write down your domain name.

Top of page

Installing IIS

The SUS administrative Web page allows you to synchronize and approve content, configure SUS options, monitor server status, and administer SUS remotely. To use the SUS administrative Web page, you must install IIS.

Requirements

•	You must be logged on as a member of the Administrators group.

•

To install IIS

1.	Log on as Administrator or with an account that has administrative credentials.
2.	Insert the Microsoft Windows Server 2003 CD into the CD drive.
3.	When the Microsoft Windows Server 2003 Family window appears, click Exit.
4.	On the Start menu, click Control Panel.
5.	Double-click Add or Remove Programs, and then click Add/Remove Windows Components.
6.	In the Windows Components Wizard, select the Application Server check box, and then follow the directions to install it.

Top of page

Installing and Configuring SUS

You must download SUS 1.0 Service Pack 1 from Microsoft and install and configure it on your computer running Windows Server 2003.

Requirements

•	You must be logged on as a member of the Administrators group.

•

To download Sus10sp1.exe

1.	Log on as Administrator or with an account that has administrative credentials.
2.	Download Software Update Services Server 1.0 with Service Pack from the Microsoft Web site at http://www.microsoft.com/downloads/details.aspx?FamilyID=a7aa96e4-6e41-4f54-972c-ae66a4e4bf6c&DisplayLang=en. This file is approximately 33 megabytes (MB) in size. With a 56 Kbps Internet connection, it will take approximately 80 minutes to download.
3.	Follow the links to download Software Update Services with Service Pack . This file is approximately 33 megabytes (MB) in size.
4.	On the Software Update Services Server 1.0 with Service Pack 1 page, select the language to download, click Go, and then click Download.
5.	Click Open to begin the download.
6.	When the download is complete, click Open to begin the installation.

•

To install SUS

1.	On the Welcome page of the Setup Wizard, click Next.
2.	Read and accept the End User License Agreement, and then click Next.
3.	On the Choose setup type page, click Typical.
4.	On the Ready to install page, write down the download URL that will be used by Automatic Updates on the client computers to get updates from the SUS server. You will use this URL when you define the policy for configuring SUS later in this document.
5.	Click Install.
6.	When the Completing the Microsoft Software Update Services Setup Wizard page appears, write down the URL to access the SUS administrative Web site.
7.	Click Finish to complete the installation. The Software Update Services administrative Web page appears.
8.	On the SUS administrative Web page, under Other options, click Set Options.

If you are running a proxy server on your Windows network, you must perform the following procedure.

•

To configure SUS to use a proxy server

1.	Click Use a proxy server to access the Internet.
2.	Click Use the following proxy server to access the Internet. In the Address box, type *proxy_server_computername, and in the Port* box, type 80 (where *proxy_server_computername* is the name of your proxy server.)
3.	Click Use the following user credentials to access the proxy server. In the User box, type *yourWindowsdomain\administrativeaccount* (where *yourWindowsdomain* is the name of your Windows domain and *administrativeaccount* is the name of a user account that has administrative credentials.

•

To configure SUS for install package locales

1.	Scroll to the bottom of the page.
2.	Click Clear All, and select only those locales that match the operating system languages that you need to support.
3.	Click Apply.
4.	In the VBScript dialog box, click OK.

Top of page

Downloading Updates for SUS

You must download all available updates for all operating systems for the locales you selected in the previous section.

The amount of data that you download will be large (approximately 600 MB for one locale). Downloading 600 MB of data will take approximately 125 minutes over a 640 Kbps broadband connection, or 23 hours through a 56.6 Kbps dial-up connection. Schedule the download for a time when no business activity is taking place on your Internet connection. Also, do not schedule the download for the same time as your system backup.

Requirements

•	You must be logged on as a member of the Administrators group.

•

To download updates for SUS

1.	Using Internet Explorer, open the SUS administrative Web page at *http://yourservername/SUSAdmin*.
2.	In the console tree (left pane), click Synchronize server.
3.	Click the Synchronization Schedule.
4.	Click Synchronize using this schedule, accept the defaults (3:00am, daily, 3 retries), and then click OK.
5.	Click Synchronize Now to download the updates. The updates will not be distributed to computer until you approve them.
6.	On the VBScript dialog box, click OK to complete the synchronization. The Approve updates Web page appears. Do not approve any updates at this time.

Top of page

Updating Client Computers

If your computers are running any of the following operating systems, the Automatic Updates program on those computers must be updated to work with SUS.

•	Windows 2000 Professional, SP2
•	Windows 2000 Server, SP2
•	Windows XP Professional, (no service pack)
•	Windows XP Home, (no service pack)

You do not need to update the Automatic Updates program for computers running any of the following operating systems.

•	Windows 2000 SP3 or later
•	Windows XP SP or later
•	Windows Server 2003

•

To update the Automatic Updates program

1.	Log on using your administrator password.
2.	Go to the Automatic Updates download page on the Microsoft Web site.
3.	Select your language from the drop-down list at the top of the page and then click Go.
4.	Under Download, click Automatic Update Client.
5.	To start the installation immediately, click Open or Run this program from its current location.

Top of page

Defining Policies for Installing Updates

You must configure how and when updates will be handled on your network. This includes when updates will be downloaded and installed. A policy is a mechanism used in Windows to define settings for users and computers that can be automatically distributed throughout your network.

The Basic SUS Configuration policy allows updates to be automatically downloaded and allows the user to choose when to install them. This policy typically applies to servers on your network, but you can use it to give users on both client computers and servers the option to install updates when they choose.

The Scheduled Install SUS Configuration policy is an optional policy that allows updates to be automatically downloaded and installed according to a schedule you define. This policy typically applies to client computers on your network.

The procedures to configure the two different policies are listed below and on the next two pages. You must configure only one of these policies.

Requirements

•	You must be logged on as a member of the Administrators group.

•

To create the Basic SUS Configuration policy

1.	Log on as Administrator or with an account that has administrative credentials.
2.	Click Start, point to Settings, and then click Control Panel.
3.	Double-click Administrative Tools.
4.	Double-click Active Directory Users and Computers.
5.	Right-click *yourDomainName, and then click Properties*.
6.	In the *yourDomainName* Properties dialog box, click Group Policy, and then click New.
7.	Type Basic SUS Config Policy, and then press ENTER.
8.	Click Edit.
9.	In the console tree of Group Policy Object Editor, under Computer Configuration, expand Administrative Templates.
10.	Expand Windows Components, and then click Windows Update.
11.	Double-click Configure Automatic Updates.
12.	Select Enabled.
13.	Under Configure automatic updating (3 - Auto download and notify for install), accept the default settings, and then click OK.
14.	Double-click Specify intranet Microsoft update service location. The Specify intranet Microsoft update service location window opens.
15.	Click Enabled.
16.	Type *http://yourservername* in the Set the intranet update service for detecting updates text box and the Set the intranet statistics server text box, and then click OK (where yourservername is the name of the server where you installed SUS.) Note: This is the URL that you wrote down when you installed SUS. Be sure to type the entire URL, including http:**//.
17.	Close Group Policy Object Editor.

Create the Scheduled Install SUS Configuration policy if you want to schedule the installation of the Windows updates on your client and server computers. Remember, you must only create only one SUS Configuration policy.

•

To create the Scheduled Install SUS Configuration policy

1.	Log on as Administrator or with an account that has administrative credentials.
2.	Click Start, point to Settings, and then click Control Panel.
3.	Double-click Administrative Tools.
4.	Double-click Active Directory Users and Computers.
5.	Right-click *yourDomainName, and then click Properties*.
6.	In the *yourDomainName* Properties dialog box, click Group Policy, and then click New. Group Policy Object Editor opens.
7.	Type Scheduled Install SUS Config Policy, and then press ENTER.
8.	Click Edit.
9.	In the console tree, under Computer Configuration, expand Administrative Templates.
10.	Expand Windows Components, and then select Windows Update.
11.	Double-click Configure Automatic Updates.
12.	Select Enabled.
13.	Under Configure automatic updating, select 4 - Auto download and schedule the installation.
14.	For Scheduled install day, leave at the default (0 - Every day).
15.	From Scheduled install time, select 05:00, and then click OK.
16.	Double-click Specify intranet Microsoft update service location. The Specify intranet Microsoft update service location window opens.
17.	Click Enabled.
18.	Type *http://yourservername* in the Set the intranet update service for detecting updates text box and the Set the intranet statistics server text box, and then click OK (where yourservername is the name of the server where you installed SUS.) Note:** This is the URL that you wrote down when you installed SUS.
19.	Double-click Reschedule Automatic Updates scheduled installations. The Reschedule Automatic Updates scheduled installations window opens.
20.	Click Enabled.
21.	Accept the default value of 5 for Wait after system startup (minutes), and click OK.
22.	Double-click No auto-restart for scheduled Automatic Updates installations. The No auto-restart for scheduled Automatic Updates installations window opens.
23.	Click Disabled, and then click OK.
24.	Close the Group Policy Object Editor window.

Top of page

Updating Computers with SUS 1.0

This section provides the following step-by-step instructions for updating your computers with SUS Server 1.0 SP1:

•	Testing the updates (optional)
•	Approving the updates
•	Verifying that client computers are receiving updates
•	Installing updates on server computers
•	Continuing to apply updates

Testing the Updates

You should test the updates if you have business applications that would be at risk if new Windows updates were installed. If you use critical business applications, you should test the updates before you install them on all of your computers. If you test the updates before approving them, see the "Suggested Methods for Testing Updates" section later in this document.

Approving the Updates

After you have tested the Windows updates, you can approve them so that they can be distributed to the computers on your network.

Requirements

•	You must be logged on as a member of the Administrators group.

•

To approve the updates

1.	Log on as Administrator or with an account that has administrative credentials.
2.	Click Start, select Administrative Tools, and then click Microsoft Software Update Services.
3.	In the console tree, click Approve Updates.
4.	Scroll through the list of updates and find the ones that passed your test. Select the check box next to each update.
5.	Repeat until you have found all of your tested updates. Note: To find a particular update, use Sort by at the top of the list of updates. You can use this feature to sort by platform, status, title, or date.
6.	After you have found and checked all of your updates, click Approve.
7.	Click Yes to continue.
8.	Click Accept to accept the terms of the License Agreement (if necessary).
9.	Click OK to complete the approval of the updates. The list of updates is sorted by status, with the approved updates at the top of the list.
10.	Close the SUS administrative page.

Note: For best results, instruct your users to save their data, close their applications, and leave their computers on at night so that updates are installed automatically before they arrive the next morning.

Verifying That Client Computers Are Receiving Updates

By 5:00 am the next morning, your client computers should have downloaded and installed the approved updates that apply to their operating system. If the updates have not been installed after 48 hours, perform troubleshooting procedures to try to fix the problem.

Many Windows updates are specific to a particular operating system or browser version. If a computer is not running that particular operating system or browser, that update will not apply to them and will not be downloaded and installed.

Note: If you did not create the Scheduled Install SUS Configuration policy, follow the "Install Updates on Server Computers" step later in this document.

Requirements

•	You must be logged on as a member of the Administrators group.

•

To verify that the updates have been installed on a client computer

1.	Log on to the computer as Administrator or with an account that has administrative credentials.
2.	Click Start, click Control Panel, and then click Add or Remove Programs.

You will see a list of currently installed programs. The updates that you approved will be listed.

If more than 48 hours have elapsed and the updates do not appear, perform the following procedures to try to fix the problem.

•

To verify that a computer has received the appropriate Group Policy using the Resultant Set of Policy tool (Windows XP only)

1.	Log on to the computer as Administrator or with an account that has administrative credentials.
2.	Click Start, and then click Run.
3.	In the Open text box, type rsop.msc, and then click OK. The Resultant Set of Policy window opens.
4.	In the console tree, under Computer Configuration, click Administrative Templates.
5.	Double-click Windows Components.
6.	Double-click Windows Update.
7.	If necessary, in the details pane (right pane), scroll to see all of the columns.

If you created the Scheduled Install SUS Config policy, you should see the following on a client computer:

Client computer Group Policy settings

Setting	State	GPO Name
Configure Automatic Updates	Enabled	Scheduled Install SUS Config
Specify intranet Microsoft Update service location	Enabled	Scheduled Install SUS Config
Reschedule Automatic Updates scheduled installations	Enabled	Scheduled Install SUS Config
No auto-restart for scheduled Automatic Updates installations	Disabled	Scheduled Install SUS Config

If you did not create the Scheduled Install SUS Configuration policy, you should see the following on a client computer:

Client computer Group Policy settings

Setting	State	GPO Name
Configure Automatic Updates	Enabled	Basic SUS Config
Specify intranet Microsoft Update service location	Enabled	Basic SUS Config

If you do not see these settings, double-check that you followed the procedures in the defining Policies for Installing Updates??section of this document.

If it a computer appears to have the Group Policy applied, but the expected updates still do not appear, try forcing a Group Policy update on that computer.

•

To force a Group Policy update on a computer running Windows XP

1.	Log on to the computer as Administrator or with an account that has administrative credentials.
2.	Click Start, and then click Run.
3.	In the Open box, type cmd, and then click OK.
4.	At the command prompt, type gpupdate /force, and then press ENTER.

•

To force a Group Policy update on a computer running Windows 2000

1.	Log on to the computer as Administrator or with an account that has administrative credentials.
2.	Click Start, and then click Run.
3.	In the Open box, type cmd, and then click OK.
4.	At the command prompt, type secedit /refreshpolicy machine_policy /enforce, and then press ENTER.

Group Policy will be updated from the computer running Windows Server 2003 configured as a domain controller. Check again for updates after 48 hours have elapsed. If you did not create the Scheduled Install SUS Configuration policy, check to see if the update icon appears in the taskbar. You may need to wait a few hours after the completion of this procedure for this icon to appear.

Installing Updates on Server Computers

Install the updates manually on your server computers at a time that is convenient for you.

Requirements

•	You must be logged on as a member of the Administrators group.

•

To install updates on a server computer

1.	Log on to the server as Administrator or with an account that has administrative credentials.
2.	In the taskbar in the lower right-hand corner of the desktop, you should see the Updates icon (Windows flag on globe) indicating that updates have been uploaded to the computer and are ready to install.
3.	Click the icon, and install the updates at your convenience.

If you do not see this icon and more than 48 hours has elapsed, perform the following procedures to try to fix the problem.

•

To verify that a computer has received the appropriate Group Policy using the Resultant Set of Policy tool (Windows Server 2003 only)

1.	Log on to the computer as Administrator or with an account that has administrative credentials.
2.	Click Start, and then click Run.
3.	In the Open box, type rsop.msc, and then click OK. The Resultant Set of Policy window opens.
4.	In the console tree, under Computer Configuration, click Administrative Templates.
5.	Double-click Windows Components.
6.	Double-click Windows Update.
7.	If necessary, in the details pane, scroll to see all of the columns.

Your server computers will display the following information:

Server computer Group Policy settings

Setting	State	GPO Name
Configure Automatic Updates	Enabled	Basic SUS Config
Specify intranet Microsoft Update service location	Enabled	Basic SUS Config

If you do not see these settings, double-check that you followed the procedures in the defining Policies for Installing Updates??section of this document.

If a computer appears to have the Group Policy applied, but the expected updates still do not appear, try forcing a Group Policy update on that computer.

•

To force a Group Policy update on a computer running Windows Server 2003

1.	Log on to the computer as Administrator.
2.	Click Start, and then click Run.
3.	In the Open box, type cmd, and then click OK.
4.	At the command prompt, type gpupdate /force, and then press ENTER.

•

To force a Group Policy update on a computer running Windows 2000

1.	Log on to the computer as Administrator or with an account that has administrative credentials.
2.	Click Start, and then click Run.
3.	In the Open box, type cmd, and then click OK.
4.	At the command prompt, type secedit /refreshpolicy machine_policy /enforce, and then press ENTER.

Group Policy will be updated from the computer running Windows Server 2003 and configured as a domain controller. Check to see if the update icon appears in the taskbar. You may need to wait a few hours after the completion of this procedure for the icon to appear.

Continuing to Apply Updates

The server that is running SUS downloads new updates automatically when they are released by Microsoft. Periodically check the SUS Administration page for new updates that you need to review for approval. To remind you that new updates are available, you can subscribe to receive update notifications using the "Get Notified Right Away of Important Security Updates" Web page on the Microsoft Web site at http://www.microsoft.com/security/default.mspx. If you subscribe, you will receive e-mail when new updates are released.

Requirements

•	You must be logged on as a member of the administrator group.

•

To keep your computer up-to-date

1.	Check your e-mail for new updates.
2.	Check the SUS Administration page under Approve Updates to see if any new updates have been downloaded to the computer running SUS. New updates appear in the list with a status of New.
3.	When you have new updates, repeat the steps in this section.

Top of page

Suggested Methods for Testing Updates

To test the Windows updates, designate one of your computers as the test computer. This computer should run your important applications and be used by a person who is technically advanced enough to help you troubleshoot the problems that might arise from the tests. You will need more than one test computer if you have multiple operating system versions or if you cannot find a computer that runs all your important applications. For example, if you use Windows XP and Windows 2000, you need a Windows XP test computer and a Windows 2000 test computer.

Download the updates directly from Microsoft Windows Update Services and apply them to your test computer.

On test computers running Windows XP, you can use System Restore to protect your system from potential harmful changes. You use System Restore to create a restore point before testing the Windows updates. If the updates that you test cause problems with your applications, you can use System Restore to undo the updates. For computers that are not running Windows XP, you must manually uninstall the updates by using Add or Remove Programs from Control Panel.

Before you install updates, check with the vendor of any other applications that you use to see if there are any known problems with a Windows update. If so, there may be a solution for the problem and you can avoid unnecessary testing. Do the following to check for compatibility issues:

•	Check the user documentation.
•	Browse the vendor?? Web site. Generally, compatibility issues are listed in the Support area.
•	Call the customer support number and ask about any known problems with service packs or Windows updates.

•

To create a restore point on your test computer (Windows XP only)

1.	Log on to your test computer as Administrator.
2.	Click Start, and then click Help and Support.
3.	Under Pick a Task, click Undo changes to your computer with System Restore.
4.	Click Create a restore point, and then click Next.
5.	In the Restore point description box, type Before Windows Updates, and then click Create.
6.	After the restore point is created, click Close.

Next, download any available critical updates and service packs from Microsoft Windows Update Services. You must do this on a test computer running each operating system version on your network. For example, if you have Windows XP and Windows 2000, you need a Windows XP test computer and a Windows 2000 test computer.

Note: Some updates cannot be removed. The update description will tell you which updates cannot be removed.

•

To update your test computer

1.	Log on to your test computer as Administrator.
2.	Go to Microsoft Windows Update Services on the Microsoft Web site at http://update.microsoft.com/windowsupdate.
3.	On the Windows Update page, click Scan for Updates.
4.	Examine the critical updates and service packs that are available. If there are not any critical updates or service packs to install, you can stop here. You can test a critical update or service pack when it becomes available. Otherwise, continue with this procedure. Note: You can receive notification of Windows updates by subscribing to Microsoft Security Update e-mail alerts using the "Get Notified Right Away of Important Security Updates" Web page on the Microsoft Web site at http://www.microsoft.com/security/default.mspx.
5.	Click Critical Updates and Service Packs. All of the critical updates and service packs available are automatically selected.
6.	Click Review and install updates.
7.	Review and record the number of each update in case you have to manually uninstall it later.
8.	Click Install Now.
9.	Click Accept on any License Agreement window that may appear.
10.	After installation, a dialog box may appear prompting you to restart your computer. Click OK to restart your computer now. Otherwise, close your browser.

Now you can test your important business applications on your test computer with the newly installed updates.

•

To perform your application tests

1.	Start the applications on the test computer.
2.	Use those applications to perform typical tasks.
3.	Perform typical functions (for example, print, browse, connect to a shared folder, and so on).
4.	If possible, perform typical business functions for a day on the test computer.

If your applications worked as expected, approve the updates. If not, you must remove the updates. For computers running Windows XP, you can use the system restore point that you created earlier or you can remove the updates manually. For computers running Windows 2000 or Windows Server 2003, you must remove the updates manually.

•

To remove the updates by using System Restore (Windows XP only)

1.	Log on to your test computer as Administrator.
2.	Click Start, and then click Help and Support.
3.	Under Pick a Task, click Undo changes to your computer with System Restore.
4.	Verify that Restore my computer to an earlier time is selected, and then click Next.
5.	On the calendar, select the date that you created the Before Windows Updates restore point.
6.	In the list to the right of the calendar, select the Before Windows Updates, and then click Next.
7.	Confirm the restore point selection, and then click Next. Your computer performs a system restore and then restarts.
8.	Log on to the computer, and on the Restoration Complete page, click OK.

•

To remove the updates manually (Windows 2000, Windows Server 2003, or Windows XP)

1.	Click Start, and then click Control Panel.
2.	Click Add or Remove Programs.
3.	Scroll down the list of currently installed programs and find the updates that you installed previously.
4.	Select an update to be removed, and then click Remove.
5.	In the Removal Wizard dialog box, click Next.
6.	Click Finish, and then restart your computer (if necessary).
7.	Repeat as necessary to remove all the updates.

After all the updates have been removed, verify that your test computer and applications are functioning correctly.

If you have not already done so, contact the vendor of the application that experienced problems with the Windows updates to see if there is a known problem and if there is a solution.

If there are not any known solutions, you must determine exactly which update caused the problem with your application and avoid installing that update.

•

To determine which update caused the problem

1.	Install the updates one at a time.
2.	Perform your test.
3.	If the test passes, continue with the next update. If it fails, uninstall the update.
4.	Repeat this procedure for the remaining updates.

After testing is complete, write down the Windows updates that passed your test. These will be the updates that you approve.

Top of page