Slashdot Mirror

← Back to Stories (view on slashdot.org)

Pushing Patches Across a Wide Area Windows Network?

Posted by Cliff on from the dealing-with-the-vendor-imposed-patching-cycle dept.

meridian-gh asks: "Microsoft is releasing new patches and updates for their products continually. For those of us who have to deal with large, geographically diverse windows-based networks, managing patches can be a nightmare. You cannot trust the users to do it. Tools such as SMS and HFNetCHK Pro are neat, but incredibly expensive. Most free programs I have seen don't support Windows 98, which many of us are forced to deal with. My question is, how do you deal with the remote deployment of patches in a efficient (and cheap) manner?"

13 of 70 comments (clear)

  1. Sorry, but Windows is an expensive investment by bmetzler · · Score: 4, Insightful

    If you are going to pop the money for all those Windows licenses, licenses for SMS, or Zenworks or something isn't going to kill you. Or shouldn't if you budget properly. It's all part of the TCO. If the TCO of Windows is too high, perhaps it's time to look at something with a lower TCO.

    -Brent

    1. Re:Sorry, but Windows is an expensive investment by ConceptJunkie · · Score: 4, Insightful

      I have a hard time sympathizing with management who would willingly use Windows 98, especially in the year 2003. Windows 98 was nothing but pain for me (I ran it on the kids' computer for a couple years). I switched it to XP Home and all my problems went away.

      Expense notwithstanding, the first thing I would do is upgrade to a _business_ operating system, i.e., Windows 2000. Windows 98 is oging to be dead soon anyway from what I understand. Microsoft is dead-ending their old software really agressively these days (of course, the same will be true for Windows 2000, which is a shame).

      After that, there are tons of solutions available.

      I know it's not realistic to expect PHB's to upgrade the OS, but in the next year or two it's going to be mandatory if you want continued support.

      --
      You are in a maze of twisty little passages, all alike.
    2. Re:Sorry, but Windows is an expensive investment by Blkdeath · · Score: 3, Informative
      I have a hard time sympathizing with management who would willingly use Windows 98, especially in the year 2003. Windows 98 was nothing but pain for me (I ran it on the kids' computer for a couple years). I switched it to XP Home and all my problems went away.

      Speaking as someone who's dealt with a very wide variety of hardware and software combinations (it being the nature of my job), I can tell you that this is not a unified solution. Newer does not equal better by any means. We have several customers who've insisted on taking the plunge and upgrading to (formatting and re-installing; not upgrading the installed components) Windows ME, Windows 2000, or Windows XP (home or pro) and hav actually CAUSED themselves problems, rather than solve them. Many of them have reverted to Windows 98 to solve their problems because it 'worked' moreso than the "professional" operating systems (ME notwithstanding).

      To make this post doubly effective, I'll also respond to your parent poster; the article submitter stated specifically that he was interested in a solution that would avail him automated updates for Windows 98 systems - something I, myself, have also been looking for. SMS does NOT support anything but Windows 2000 or Windows XP - period. SMS is NOT an option. Were this not explicitly stated in the article I'd agree with the Insightful mods, but sadly I'm afraid it's more aptly classified as redundant.

      For the record, I'm also interested in an automated solution to upgrading client computers ranging from Windows'98 through to Windows XP Professional (we don't support anything older than Windows'98) without having to significantly alter the users' computer. The notion of using our own in-house Windows Update server is potentially viable, except I understand that Windows would then look to that server for future updates. Moreover, I haven't found a decent method by which to automate this process even a little bit; including the ability to download, in raw form, all updates to all Windows versions.

      The setup I'm interested in is analagous to the article submitter, except I'm not dealing with a single geographically diverse network, I'm dealing with a geographically diverse cross-section of business and residential customers. Many of whom do not have access to broadband Internet access, so a solution that is portable by means of CD-R would be preferable.

      Presently our solution is to (transparently) proxy the machines while on our work benches in order to decrease the time required to download all updates. Some updates (IE6, some criticals) are proxy-friendly, but many simply will not cache, and therefore must be repeatedly re-downloaded from Microsoft. As I pointed out earlier, Microsoft's "Automatic Update" feature, while an apt solution to the apathetic mass customer base, causes problems for a setup like ours. For approximately three full business days after Microsoft's release of their recent VM security update, we simply could not access the Windows Update site with any degree of reliability. It took upwards of an hour to two hours just to download the ActiveX controls and scan for updates; applying them was another story entirely (timeouts, re-tries galore). When I was on location at customer premeses, this made updating their computers all but completely impossible. (If I'd attemped to bill them for an additional four hours to sit and stare blankly at their monitors in turn, I'd never see payment of that invoice!)

      I look forward to reading the remainder of the responses and see if anybody else has come up with anything viable. Microsoft, of course, reccomends either direct use of windowsupdate.microsoft.com or SMS. No help there.

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

  2. Err by itwerx · · Score: 5, Informative

    Put 'em in the login-script?
    Or you could build a SUS server
    As I recall it will handle 9x, although they only admit to 2K on this page. It is limited though. Won't do full SP's or actual apps.
    Anybody have more experience with it?

  3. easy by 216pi · · Score: 4, Informative

    this is an easy task:

    first, go to this page at Microsoft TechNet, read everything about the Microsoft Baseline Security Analyzer.

    This tool allows you to scan computers remotly if they installed all hotfixes.

    This article says (somewehre in the middle):

    Host Guest_Jerry_MS
    Q: Guest_ AlanF : Can it install hotfixes on those machines remotely ?

    Host Guest_rick_MS
    A: Windows Update Corporate Edition. This white paper describes the features of Microsoft® Windows® Update Corporate Edition, a new tool for managing and distributing critical Windows patches that resolve known security vulnerabilities and other stability issues in Microsoft Windows 2000, Windows XP, and Windows .NET Server operating systems. This paper also presents solutions for some customer scenarios which Windows Update Corporate Edition addresses. This product will be available in Q2 / 2. http://www.microsoft.com/windows2000/windowsupdate /sus/default.asp Also, www.shavlik.com has an enterprise tool that will allow the remote installation of hotfixes.

    I am no SysAdmin. Finding this information took me 11 min. using http://www.microsoft.com.

    1. Re:easy by VisorGuy · · Score: 3, Informative

      "I am no SysAdmin."

      You obviously didn't read his question closely either because he said they are mostly concerned with performing these updates on Windows 98.

      From the article:

      Host Guest_Jerry_MS
      Q: Guest_ Viper : Am I correct to assume that the MBSA is designed for 2000/XP OS? It did not come up with much information or problems with Win 98/ME systems that we have on our network. I know for a fact that 98 isn't that secure What is up with this?

      Host Guest_rick_MS
      A: Supported platforms: Windows NT 4.0 SP4 and above, Windows 2000, or Windows XP. MBSA does not scan win98/ME systems.

      --
      This user account is inactive account replaced by the PDA
  4. Startup Scripts by karearea · · Score: 4, Interesting

    For our Windows 2000 workstations and Laptops we use the startup scripts to install applications and patches.
    We have an unattended install for the laptops, when they reboot they are part of the domain and the startup scripts apply. They then run through (without user intervention) do an unattended install of office 97 and outlook 2000, apply several registry patches, update templates and W2k service packs.
    Each time a laptop or a workstation starts up on the network the startup scripts run and check for updates. We use KiXtart to check version and apply patches etc.
    Of course there are some apps that cause problems, but anything can be hacked (copy, move files, registry patches etc) in some form to do what you want it to.

  5. and do what? by DrSkwid · · Score: 3, Funny

    without tcp/ip it's probably gonna be tricky

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  6. Easy solution for Windows by Axiom · · Score: 3, Funny

    For patching IE/Outlook, simply use some widespread and well-known WAN patching tools: Melissa, I Love You, Klez to name a few.

  7. the place i work for apparently does this: by XO · · Score: 3, Interesting

    Each location has a Xenix based server, with anywhere from 2 to 20 or so Windows '95-'98 clients (each of the Windows boxes are identically configured). The Xenix based server occasionally communicates with the home office, and downloads updates.

    Each Windows machine has it's own FTPd running on it, and when there's an update, the Xenix machine ftp's the update to the Windows box, gives it an autoexec.bat that will make the update happen, then forces the machine to reboot.

    --
    "Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
  8. A good paper on this problem by iankerickson · · Score: 4, Informative

    Dave Roth, a Windows consultant and author of several extensions for Win32 perl, wrote a paper on managing a WAN of NT machines, most of which can apply to W98, if you do some testing:

    http://www.roth.net/conference/lisant/1999/
    and
    http://www.roth.net/conference/lisant/1999/NMMS. pp t

    There's an old Mac program called RevRDist from Purdue that uses the same strategy. It might give you some good ideas, even if it's not for Windows. Another good site is on this problem in a more abstract way (centered on UNIX):
    http://www.infrastructures.org/

    The basic trick: use login scripts. Don't think that this won't help you if your LAN can't force people to actually log in to the PCs they use. Where Roth's idea is better is that he uses 1 special login account to install batch scripts scheduled to run everyday at specific times. The batch script runs scripts off a read-only share, so saving new scripts to the share you can do automatic updates on all machines every 24 hours, including updates to the scheduled batch scripts themselves. Your staff only has to "touch" each PC once by loging in as the special account, and there after everything is automatic, depending on your ability to write robust, correct scripts and do proper testing.

    As for remotely installing OS patches from a central PC? Are you totally MAD? Any feature you can easily use to remotely change a computer can be used by a hacker or worm to adversely "update" every PC on your LAN. It doesn't matter if the so-called white paper says it's secure. Internet worms are more serious problem these days than ever, so give security serious thought before you deploy, no matter what solution you decide.

    --
    Democracy. Whiskey. Sexy. Pick any two.
  9. Re:Wrong problem... by styrotech · · Score: 3, Insightful

    It's kind of like asking: My Hyundai Excell keeps breaking down and it won't haul 6 tons of gravel - what can I do to make it work?

    The real sloution, ditch the Hyundai and get a Terex

    That truck looks waaay overkill for 6 tons of gravel - and it wouldn't help at all if you needed to haul it on a public road.

    Seems a bit like recommending Solaris, Irix or AIX as a general purpose desktop OS.

  10. CD image by TheSHAD0W · · Score: 3, Insightful

    First off -- you should be running two tiers of systems; one where a default set of applications are installed, and users' installs aren't guaranteed to stick; and one where a user assumes responsibility of his own machine and has to figure out his own problems.

    Now your job is greatly simplified. Use a utility that overwrites the boot partition on a machine with the image stored on a CD. (Let users store their data files in a second partition.) Update the OS to the current level, and make an image CD using it. Then get a flunky to go to each machine and re-image it. (Do this after hours when the place is empty.)

    Presto. You're updated.