Updating Windows computers

Introduction

Unsafe computer systems pose a threat to all systems inside the network. That is why complying with the security rules by D4 (IT security) is of utmost importance. Especially software updates should be installed as soon as possible. By adhering to the procedures described below you contribute to keeping the computer environment safe.

Please note: After longer downtimes the windows updater might have to run several times because updates can build on each other.

Help

Please contact your windows group administrators for on-site support.

The windows computer is located INSIDE the DESY internal network

Recommended procedure

  1. Keep the computer switched on and logout all users
  2. Login the next day after 6 am
     

Background information

In the following you will find additional information about the procedure described above and its underlying concepts.

Windows updates

Once a month Windows, Office and Adobe Flash/Reader/Acrobat are updated. Updates are usually deployed on the third Wednesday of every month.

If the computer is running and connected to the internal network, updates are downloaded before 6 am and installed automatically at 6 am.  Ideally, all users should be logged off because then the computer is rebooted automatically. If users are logged in, the necessary reboot has to be confirmed manually by the user first. The reboot and the integration of updates can take a while and the computer cannot be used in the meantime.

In case the computer was switched off during the scheduled update time, the updates are downloaded in the background once the computer is turned on. Once the download is completed the user is prompted to install the updates. If the user does not react on that request, the update is postponed and automatically scheduled for the next day at 6 am.

Therefore it is recommended to keep the computer switched on overnight the day before the upcoming updates. The exact day of the monthly updates is announced usually one day prior by email.

DSM/NetInstall-based application updates

Software that has been installed via DSM/NetInstall (like Java, Firefox, Thunderbird) is updated automatically when a user logs in to the computer.

Virus scanner updates

Occasionally, updates extending beyond the daily virus signature updates need to be installed. To trigger the installation the computer needs to be connected to the internal DESY network for a longer period of time. A reboot is only necessary in some cases.

The windows computer is located OUTSIDE the DESY internal network

Recommended procedure

  1. Connect the computer at least once a month – ideally after the third Wednesday of every month with the DESY network (via VPN)
  2. Download and install Windows updates, DSM application updates and virus scanner updates manually (see instructions below)
     

In most cases the use of VPN is required when operating windows computer outside the DESY network.

Background information

In the following you will find additional information about the procedure described above and its underlying concepts.

Illustration 1

Windows updates

Shortly after connecting to the DESY network the central DESY Windows Update Server is contacted to check for updates. The necessary updates are downloaded in the background. Once the download is finished the user is prompted to install the updates. 

The updates can also be started manually over Control panel -> “Windows update” (ill. 1) to avoid long connection times via VPN just for installing updates.

Updating software manually in the DSM software shop

DSM/NetInstall-based application updates

Since the VPN connection is established after logging in updates are not installed automatically. DSM Software updates can be started manually. Open the DSM software shop, select the package that needs updating and choose the “update”-button.

Virus scanner updates

Virus signature updates are downloaded from the McAfee servers as soon an internet connection is established. Additional updates can only be installed by connecting to the DESY internal virus scanner management server.

The McAfee-agent (“M”-Icon in the taskbar) receives updates and new virus scanner policies automatically after connecting to the internal DESY network (over VPN). This process cannot be started manually.

The installation can be started over the McAfee agent icon in the taskbar:

Context menu after right-click on the virus scanner icon in the taskbar