Pushing Patches Across a Wide Area Windows Network?
meridian-gh asks: "Microsoft is releasing new patches and updates for their products continually. For those of us who have to deal with large, geographically diverse Windows-based networks, managing patches can be a nightmare. You cannot trust the users to do it. Tools such as SMS and HFNetCHK Pro are neat, but incredibly expensive. Most free programs I have seen don't support Windows 98, which many of us are forced to deal with. My question is, how do you deal with the remote deployment of patches in an efficient (and cheap) manner?"
If you are going to pop the money for all those Windows licenses, licenses for SMS, or Zenworks or something isn't going to kill you. Or shouldn't if you budget properly. It's all part of the TCO. If the TCO of Windows is too high, perhaps it's time to look at something with a lower TCO.
-Brent
Put 'em in the login-script?
Or you could build a SUS server
As I recall it will handle 9x, although they only admit to 2K on this page. It is limited though. Won't do full SP's or actual apps.
Anybody have more experience with it?
this is an easy task:
first, go to this page at Microsoft TechNet, read everything about the Microsoft Baseline Security Analyzer.
This tool allows you to scan computers remotely if they installed all hotfixes.
This article says (somewhere in the middle):
Host Guest_Jerry_MS
Q: Guest_AlanF : Can it install hotfixes on those machines remotely?
Host Guest_rick_MS
A: Windows Update Corporate Edition. This white paper describes the features of Microsoft® Windows® Update Corporate Edition, a new tool for managing and distributing critical Windows patches that resolve known security vulnerabilities and other stability issues in Microsoft Windows 2000, Windows XP, and Windows .NET Server operating systems. This paper also presents solutions for some customer scenarios which Windows Update Corporate Edition addresses. This product will be available in Q2 / 2. http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp Also, www.shavlik.com has an enterprise tool that will allow the remote installation of hotfixes.
I am no SysAdmin. Finding this information took me 11 min. using http://www.microsoft.com.
For our Windows 2000 workstations and Laptops we use the startup scripts to install applications and patches.
We have an unattended install for the laptops; when they reboot they are part of the domain and the startup scripts apply. They then run through (without user intervention), do an unattended install of Office 97 and Outlook 2000, apply several registry patches, and update templates and W2k service packs.
Each time a laptop or a workstation starts up on the network the startup scripts run and check for updates. We use KiXtart to check version and apply patches etc.
Of course there are some apps that cause problems, but anything can be hacked (copy, move files, registry patches etc) in some form to do what you want it to.
Dave Roth, a Windows consultant and author of several extensions for Win32 perl, wrote a paper on managing a WAN of NT machines, most of which can apply to W98, if you do some testing:
http://www.roth.net/conference/lisant/1999/
and
http://www.roth.net/conference/lisant/1999/NMMS.ppt
There's an old Mac program called RevRDist from Purdue that uses the same strategy. It might give you some good ideas, even if it's not for Windows. Another good site is on this problem in a more abstract way (centered on UNIX):
http://www.infrastructures.org/
The basic trick: use login scripts. Don't think that this won't help you if your LAN can't force people to actually log in to the PCs they use. Where Roth's idea is better is that he uses 1 special login account to install batch scripts scheduled to run every day at specific times. The batch script runs scripts off a read-only share, so by saving new scripts to the share you can do automatic updates on all machines every 24 hours, including updates to the scheduled batch scripts themselves. Your staff only has to "touch" each PC once by logging in as the special account, and thereafter everything is automatic, depending on your ability to write robust, correct scripts and do proper testing.
As for remotely installing OS patches from a central PC? Are you totally MAD? Any feature you can easily use to remotely change a computer can be used by a hacker or worm to adversely "update" every PC on your LAN. It doesn't matter if the so-called white paper says it's secure. Internet worms are a more serious problem these days than ever, so give security serious thought before you deploy, no matter what solution you decide.
Democracy. Whiskey. Sexy. Pick any two.
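
The pull model described in the thread (each client runs, on a schedule, whatever sits on a read-only share) meets the objection that any update channel can be turned against every PC: in this added example, written in present-day PowerShell and not taken from the thread or from Roth's paper, the client refuses any package whose hash or Authenticode signer does not match. The share path, state directory, manifest format and thumbprint are hypothetical placeholders, and the packages are assumed to be signed .exe installers that accept silent-install arguments.

```powershell
# Added example. Run from a scheduled task or startup script with admin rights.
$Share    = '\\patchsrv\patches$'           # hypothetical read-only share
$StateDir = 'C:\ProgramData\PatchPull'      # hypothetical; assumed writable by admins only
$Trusted  = @('<SIGNER-CERT-THUMBPRINT>')   # placeholder: pinned signer thumbprint(s)

function Test-PatchTrusted {
    param([string]$Path, [string]$ExpectedSha256)
    # The file must match the hash listed in the manifest...
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($hash -ne $ExpectedSha256) { return $false }
    # ...and carry a valid signature from a pinned signer, so that write
    # access to the share alone is not enough to push code to every client.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return $false }
    return ($Trusted -contains $sig.SignerCertificate.Thumbprint)
}

$stage = Join-Path $StateDir 'stage'
New-Item -ItemType Directory -Path $stage -Force | Out-Null

# Assumed manifest format (constructed for this example), args always non-empty:
# [ { "id": "patch-001", "file": "patch-001.exe", "sha256": "<hex>", "args": "/quiet /norestart" } ]
$manifest = Get-Content -Path (Join-Path $Share 'manifest.json') -Raw | ConvertFrom-Json

foreach ($p in $manifest) {
    $name   = Split-Path -Path $p.file -Leaf          # ignore any directory parts
    $marker = Join-Path $StateDir "$($p.id).done"
    if (Test-Path $marker) { continue }               # already applied on this PC

    # Copy first, then verify the local copy, so the file checked is the file run.
    $local = Join-Path $stage $name
    Copy-Item -Path (Join-Path $Share $name) -Destination $local -Force
    if (-not (Test-PatchTrusted -Path $local -ExpectedSha256 $p.sha256)) {
        Write-Warning "Refusing $($p.id): hash or signature check failed"
        Remove-Item -Path $local -Force
        continue
    }

    $proc = Start-Process -FilePath $local -ArgumentList $p.args -Wait -PassThru
    if ($proc.ExitCode -in 0, 3010) {                 # 3010 = success, reboot required
        Set-Content -Path $marker -Value (Get-Date -Format o)
    } else {
        Write-Warning "$($p.id) failed with exit code $($proc.ExitCode)"
    }
    Remove-Item -Path $local -Force
}
```

Refusals and failures are worth forwarding to a central log, since a rejected package on the share is itself a sign that someone other than the patch maintainer has written to it.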