Deploy a security patch through group policy?


Paul

We have Windows 2000 server with XP workstations. I need
to update my XP workstations with a Microsoft security
patch. Do I have to visit each workstation to do this, or
can I deploy it through Group Policy? If anyone could
point me to some helpful reading on this subject I would
be grateful.

Thanks
 
-----Original Message-----
First of all, let me tell you that I have done a lot of
research on patch management. You can deploy patches with
Group Policy, but you can't be certain that the patch took
effect on every client.

Let me explain what I mean. If you use Group Policy to
deploy patches, then the client will look to see whether a
patch defined in your policy has been installed on the
client by looking at the Add/Remove Programs section of
the registry. If the patch is not listed, then your Group
Policy would push the patch down at boot-up. This sounds
good so far.

The problem lies in the fact that Group Policy can't
verify that the patch is actually working or effective.
For example, sometimes after you install one patch, other
patches are no longer effective and have to be
reinstalled. Group Policy doesn't verify the file (.dll)
versions you are running or check the registry to verify
that the registry modifications the patch was supposed to
make were actually made.

I highly recommend you search Google for the following
patch management products and get more of an education before
using Group Policy to ineffectively deploy patches:
PatchLink, Update Expert, HFNetChk Pro, BigFix.

The tools offered out there today automatically 1) audit
your systems to see what patches you actually need, 2)
download them, and 3) schedule patch installs during
downtime (at night) when no one is on their PC. You can
sleep easy because they check file versions, registry
entries and checksums to verify that the patches installed are
actually effective.

Plus, you never have to leave your office: you can manage
all clients and servers from one location.

I agree with you wholeheartedly. I use RIS to deploy the
OS. I also use $OEM$ with CMDLINES.txt and QCHAIN to
include the various patches. I typically use the -m -q -n
switches, with the -n switch making the patch NOT
necessarily show up in Add/Remove Programs (so that the
user cannot "accidentally" uninstall it to make room for
the blasted music that he/she wants to download! I know! I
know! The user should not be able to, because he/she
should not be a member of the local Administrators
group... that does not always work, due to "political"
reasons).

You would be surprised (well, not really) to find out how
many of your patches are not really "current". I use
QFECHECK (part of the "Utilities" that I place on each WS
along with GPOTools, GPRESULT and a few others) to verify
that the patches have been installed. However, that does
require visiting each computer. Sorta defeats the
purpose. I do this at the time of installation. I have a
system down so that any patches that are "not current" -
usually due to the installation of some application or a
conflict with another patch - are reapplied via a batch
file.

Cary
 
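The two replies above describe, between them, the check that Group Policy does not do (is the patch only *registered* under Add/Remove Programs, or are the files it shipped actually at the patched version?) and the way to reapply anything stale without a reboot per package (each hotfix with the unattended switches, then QCHAIN). The script below is an added example that is not part of this thread and not code from either poster; it does both steps by hand in PowerShell. Every KB number, package file name, DLL path and version in the manifest is a hypothetical placeholder that you would fill in from the patch's own KB article, and the staging folder, the use of Get-HotFix and the hotfix exit-code handling are assumptions.

```powershell
# Added example (not from the original thread). Audit whether each patch in a
# manifest is really "current" by checking (a) where Group Policy / Add/Remove
# Programs look, i.e. the registry, and (b) the file versions the patch was
# supposed to raise; then re-apply anything stale the QCHAIN way:
# <hotfix>.exe -z -m -q -n for each package, qchain.exe once, one reboot.
# All ids, package names, file paths and versions below are placeholders.

$HotfixDir = 'C:\Hotfix'   # assumed local copy of the hotfix share
$Manifest = @(
    @{
        Id      = 'KB000000'                                              # placeholder
        Package = Join-Path $HotfixDir 'WindowsXP-KB000000-x86-ENU.exe'   # placeholder
        Files   = @{ "$env:SystemRoot\system32\placeholder.dll" = '5.1.2600.0' }  # placeholder
    }
)

function Get-RegisteredUpdateIds {
    # Union of what Win32_QuickFixEngineering reports and the registry keys that
    # Add/Remove Programs reads. This registration is all Group Policy sees.
    $ids = @(Get-HotFix | ForEach-Object { $_.HotFixID })
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                     'HKLM:\SOFTWARE\Microsoft\Updates') {
        if (Test-Path $key) {
            $ids += Get-ChildItem $key -Recurse | ForEach-Object { $_.PSChildName }
        }
    }
    $ids | Sort-Object -Unique
}

function Get-FileVersion([string]$Path) {
    # Build System.Version from the numeric parts: the FileVersion string often
    # carries trailing build text (e.g. "(xpsp...)") that [version] cannot parse.
    $v = (Get-Item -LiteralPath $Path).VersionInfo
    New-Object System.Version($v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart)
}

function Test-PatchCurrent($Patch, [string[]]$Registered) {
    # "Current" means every shipped file is at or above the expected version,
    # whatever the registry says; a registered-but-stale patch is the case the
    # first reply warns about (another install rolled a DLL back).
    $stale = @()
    foreach ($file in $Patch.Files.Keys) {
        $expected = [version]$Patch.Files[$file]
        if (-not (Test-Path -LiteralPath $file)) { $stale += "$file (missing)"; continue }
        $actual = Get-FileVersion $file
        if ($actual -lt $expected) { $stale += "$file ($actual < $expected)" }
    }
    New-Object PSObject -Property @{
        Id         = $Patch.Id
        Registered = ($Registered -contains $Patch.Id)
        Current    = ($stale.Count -eq 0)
        StaleFiles = $stale
    }
}

function Install-StalePatches($Results, [switch]$WhatIf) {
    # -z: no reboot, -m: unattended, -q: quiet, -n: no uninstall backup.
    # -n is what keeps the patch out of Add/Remove Programs, so once you use it
    # the file-version check above is the only reliable evidence of installation.
    $toApply = @($Results | Where-Object { -not $_.Current })
    foreach ($r in $toApply) {
        $pkg = ($Manifest | Where-Object { $_.Id -eq $r.Id }).Package
        if (-not (Test-Path -LiteralPath $pkg)) { Write-Warning "$($r.Id): package $pkg not found"; continue }
        Write-Host "Applying $($r.Id) for: $($r.StaleFiles -join ', ')"
        if ($WhatIf) { continue }
        $p = Start-Process -FilePath $pkg -ArgumentList '-z','-m','-q','-n' -Wait -PassThru
        # Assumption: 0 is success; anything else gets a human look before reboot.
        if ($p.ExitCode -ne 0) { Write-Warning "$($r.Id) exited with code $($p.ExitCode)" }
    }
    if ($toApply.Count -gt 0 -and -not $WhatIf) {
        # qchain.exe reconciles the pending file replacements so one reboot suffices.
        Start-Process -FilePath (Join-Path $HotfixDir 'qchain.exe') -Wait
        Write-Host 'Reboot required to complete the chained installs.'
    }
}

$registered = Get-RegisteredUpdateIds
$results = $Manifest | ForEach-Object { Test-PatchCurrent $_ $registered }
$results | Format-Table Id, Registered, Current -AutoSize
Install-StalePatches $results -WhatIf    # drop -WhatIf to actually reinstall
```

Run it from a startup script or at image time, as Cary does, and read the table two ways: a row with Registered = True and Current = False is exactly the case Group Policy would skip (the Add/Remove entry is present, so nothing gets pushed) even though the DLL on disk has been rolled back; a row with Registered = False and Current = True is what you get after installing with -n, and is harmless. Only the Current column is evidence the patch is in effect.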