Slashdot Mirror


Pushing Patches Across a Wide Area Windows Network?

meridian-gh asks: "Microsoft is releasing new patches and updates for their products continually. For those of us who have to deal with large, geographically diverse windows-based networks, managing patches can be a nightmare. You cannot trust the users to do it. Tools such as SMS and HFNetCHK Pro are neat, but incredibly expensive. Most free programs I have seen don't support Windows 98, which many of us are forced to deal with. My question is, how do you deal with the remote deployment of patches in an efficient (and cheap) manner?"

5 of 70 comments

  1. Err by itwerx · · Score: 5, Informative

    Put 'em in the login-script?
    Or you could build a SUS server
    As I recall it will handle 9x, although they only admit to 2K on this page. It is limited though. Won't do full SP's or actual apps.
    Anybody have more experience with it?

  2. easy by 216pi · · Score: 4, Informative

    this is an easy task:

    first, go to this page at Microsoft TechNet, read everything about the Microsoft Baseline Security Analyzer.

    This tool allows you to scan computers remotely to check whether they have installed all hotfixes.

    This article says (somewhere in the middle):

    Host Guest_Jerry_MS
    Q: Guest_ AlanF : Can it install hotfixes on those machines remotely ?

    Host Guest_rick_MS
    A: Windows Update Corporate Edition. This white paper describes the features of Microsoft® Windows® Update Corporate Edition, a new tool for managing and distributing critical Windows patches that resolve known security vulnerabilities and other stability issues in Microsoft Windows 2000, Windows XP, and Windows .NET Server operating systems. This paper also presents solutions for some customer scenarios which Windows Update Corporate Edition addresses. This product will be available in Q2 / 2. http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp Also, www.shavlik.com has an enterprise tool that will allow the remote installation of hotfixes.


    I am no SysAdmin. Finding this information took me 11 min. using http://www.microsoft.com.

    1. Re:easy by VisorGuy · · Score: 3, Informative

      "I am no SysAdmin."

      You obviously didn't read his question closely either because he said they are mostly concerned with performing these updates on Windows 98.

      From the article:

      Host Guest_Jerry_MS
      Q: Guest_ Viper : Am I correct to assume that the MBSA is designed for 2000/XP OS? It did not come up with much information or problems with Win 98/ME systems that we have on our network. I know for a fact that 98 isn't that secure. What is up with this?

      Host Guest_rick_MS
      A: Supported platforms: Windows NT 4.0 SP4 and above, Windows 2000, or Windows XP. MBSA does not scan win98/ME systems.

      --
      This user account is inactive account replaced by the PDA

  3. Re:Sorry, but Windows is an expensive investment by Blkdeath · · Score: 3, Informative

    I have a hard time sympathizing with management who would willingly use Windows 98, especially in the year 2003. Windows 98 was nothing but pain for me (I ran it on the kids' computer for a couple years). I switched it to XP Home and all my problems went away.

    Speaking as someone who's dealt with a very wide variety of hardware and software combinations (it being the nature of my job), I can tell you that this is not a unified solution. Newer does not equal better by any means. We have several customers who've insisted on taking the plunge and upgrading to (formatting and re-installing; not upgrading the installed components) Windows ME, Windows 2000, or Windows XP (home or pro) and have actually CAUSED themselves problems, rather than solve them. Many of them have reverted to Windows 98 to solve their problems because it 'worked' more so than the "professional" operating systems (ME notwithstanding).

    To make this post doubly effective, I'll also respond to your parent poster; the article submitter stated specifically that he was interested in a solution that would avail him automated updates for Windows 98 systems - something I, myself, have also been looking for. SMS does NOT support anything but Windows 2000 or Windows XP - period. SMS is NOT an option. Were this not explicitly stated in the article I'd agree with the Insightful mods, but sadly I'm afraid it's more aptly classified as redundant.

    For the record, I'm also interested in an automated solution to upgrading client computers ranging from Windows'98 through to Windows XP Professional (we don't support anything older than Windows'98) without having to significantly alter the users' computer. The notion of using our own in-house Windows Update server is potentially viable, except I understand that Windows would then look to that server for future updates. Moreover, I haven't found a decent method by which to automate this process even a little bit; including the ability to download, in raw form, all updates to all Windows versions.

    The setup I'm interested in is analogous to the article submitter's, except I'm not dealing with a single geographically diverse network; I'm dealing with a geographically diverse cross-section of business and residential customers, many of whom do not have access to broadband Internet access, so a solution that is portable by means of CD-R would be preferable.

    Presently our solution is to (transparently) proxy the machines while on our work benches in order to decrease the time required to download all updates. Some updates (IE6, some criticals) are proxy-friendly, but many simply will not cache, and therefore must be repeatedly re-downloaded from Microsoft. As I pointed out earlier, Microsoft's "Automatic Update" feature, while an apt solution to the apathetic mass customer base, causes problems for a setup like ours. For approximately three full business days after Microsoft's release of their recent VM security update, we simply could not access the Windows Update site with any degree of reliability. It took upwards of an hour to two hours just to download the ActiveX controls and scan for updates; applying them was another story entirely (timeouts, re-tries galore). When I was on location at customer premises, this made updating their computers all but completely impossible. (If I'd attempted to bill them for an additional four hours to sit and stare blankly at their monitors in turn, I'd never see payment of that invoice!)

    I look forward to reading the remainder of the responses to see if anybody else has come up with anything viable. Microsoft, of course, recommends either direct use of windowsupdate.microsoft.com or SMS. No help there.

    --
    BD Phone Home!

    Shameless plug. Like you weren't expecting it.

  4. A good paper on this problem by iankerickson · · Score: 4, Informative

    Dave Roth, a Windows consultant and author of several extensions for Win32 perl, wrote a paper on managing a WAN of NT machines, most of which can apply to W98, if you do some testing:

    http://www.roth.net/conference/lisant/1999/
    and
    http://www.roth.net/conference/lisant/1999/NMMS.ppt

    There's an old Mac program called RevRDist from Purdue that uses the same strategy. It might give you some good ideas, even if it's not for Windows. Another good site is on this problem in a more abstract way (centered on UNIX):
    http://www.infrastructures.org/

    The basic trick: use login scripts. Don't think that this won't help you if your LAN can't force people to actually log in to the PCs they use. Where Roth's idea is better is that he uses 1 special login account to install batch scripts scheduled to run every day at specific times. The batch script runs scripts off a read-only share, so by saving new scripts to the share you can do automatic updates on all machines every 24 hours, including updates to the scheduled batch scripts themselves. Your staff only has to "touch" each PC once by logging in as the special account, and thereafter everything is automatic, depending on your ability to write robust, correct scripts and do proper testing.

    As for remotely installing OS patches from a central PC? Are you totally MAD? Any feature you can easily use to remotely change a computer can be used by a hacker or worm to adversely "update" every PC on your LAN. It doesn't matter if the so-called white paper says it's secure. Internet worms are a more serious problem these days than ever, so give security serious thought before you deploy, no matter what solution you decide.

    --
    Democracy. Whiskey. Sexy. Pick any two.
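The scheduled pull from a read-only share described in comment 4, and the worry in the same comment that any remote-change channel is also a channel for a worm, can be tied together by pinning each installer's hash in the manifest and keeping a per-PC "applied" list so the script is idempotent. The following is an added example of that logic (not code from the thread or from Roth's paper); the manifest format "id|file|sha256|args", the file names and the sample installers are all constructed for the demo, and the real `subprocess` call to the installer is left out so it runs anywhere.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash the installer on the share so a swapped or corrupted file is refused."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text):
    """Hypothetical manifest: one 'id|file|sha256|args' line per patch, in install order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, fname, digest, args = line.split("|", 3)
        entries.append({"id": pid, "file": fname, "sha256": digest.lower(), "args": args})
    return entries

def load_applied(state_path):
    """Per-PC record of patches already installed (the source of idempotency)."""
    if not os.path.exists(state_path):
        return set()
    with open(state_path) as f:
        return {l.strip() for l in f if l.strip()}

def plan(share_dir, state_path):
    """Return (to_install, rejected): unapplied entries whose installer matches the pinned hash, and those that do not."""
    applied = load_applied(state_path)
    with open(os.path.join(share_dir, "manifest.txt")) as f:
        entries = parse_manifest(f.read())
    to_install, rejected = [], []
    for e in entries:
        if e["id"] in applied:
            continue                      # already done on this PC: skip, never re-run
        path = os.path.join(share_dir, e["file"])
        if os.path.exists(path) and sha256_of(path) == e["sha256"]:
            to_install.append(e)
        else:
            rejected.append(e["id"])      # missing or tampered installer: refuse, report
    return to_install, rejected

def record_applied(state_path, pid):
    with open(state_path, "a") as f:
        f.write(pid + "\n")

def demo():
    """Constructed share: one good installer, one whose bytes do not match the manifest."""
    share, state = tempfile.mkdtemp(), os.path.join(tempfile.mkdtemp(), "applied.txt")
    with open(os.path.join(share, "q1.exe"), "wb") as f: f.write(b"installer one")
    with open(os.path.join(share, "q2.exe"), "wb") as f: f.write(b"tampered installer")
    manifest = "q1|q1.exe|%s|/q\nq2|q2.exe|%s|/q\n" % (
        sha256_of(os.path.join(share, "q1.exe")), hashlib.sha256(b"installer two").hexdigest())
    with open(os.path.join(share, "manifest.txt"), "w") as f: f.write(manifest)
    first, rejected = plan(share, state)
    for e in first:                       # a real script would run e["file"] with e["args"] here
        record_applied(state, e["id"])
    second, _ = plan(share, state)        # the next day's run: nothing left to do
    return [e["id"] for e in first], rejected, [e["id"] for e in second]
```

Because the manifest is what pins the hashes, the share it lives on must be writable only by the administrators who publish patches; that is the control that keeps the 24-hour pull from becoming the channel comment 4 warns about.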