Laptop patch management

[Guest]

Hello
I apologize for the long message, but I am sure many admins struggle with this issue. I am having some difficulties with laptop patch management. I was hoping that we could discuss best practices/methods to improve the situation. My patch management process for desktops and laptops is substantially different. My desktop users obtain patches using SUS. They have only user privileges. Patches are installed on a schedule specified by group policy and they are forced to comply with this schedule. Laptop users, on the other hand, have far fewer restrictions. They have domain accounts that are members of the local admin group on their machines. They are supposed to use Windows Update to install patches but many of them don't. They VPN in on an irregular schedule. I would really like to have a method to force them to install patches.

As local admin, the user can disable or ignore the AutoUpdate client. If I were to take away their administrative privileges and make them Power Users instead, is there any method available of forcing them to download updates on a schedule from WindowsUpdate.com? Through group policy is it possible to configure the autoupdate client to seek updates from WindowsUpdate.com and install patches on a schedule? If I were to configure the AU client on the console as admin and then give them the laptop, would they be forced to install the patches when logged in as Power Users

I look forward to your suggestions and comments

Thanks
NK

 

[Steven L Umbach]

There is a newsgroup dedicated to SUS where you may want to post -
Microsoft.public.softwareupdatesvcs, but it is my understanding that if you do not
configure an internal intranet SUS server that the computer will go to Windows Update
instead. You could create an OU for the vpn laptops and put them in that OU with a
GPO configured to do scheduled updates and not configure an intranet server. Since
this is a computer policy, it will work regardless if the user is a local
administrator or not UNLESS they remove their machine from the domain which you
should make clear to them that is not allowed and be sure to not let regular domain
users add their machines to the domain by removing authenticated users from the "add
workstations to the domain" user right in the Domain Controllers Security Policy. If
your laptop users do not need to be local administrators, it still makes sense to
remove them from the local administrators group. --- Steve

Hello,
I apologize for the long message, but I am sure many admins struggle with this

issue. I am having some difficulties with laptop patch management. I was hoping that
we could discuss best practices/methods to improve the situation. My patch management
process for desktops and laptops is substantially different. My desktop users obtain
patches using SUS. They have only user privileges. Patches are installed on a
schedule specified by group policy and they are forced to comply with this schedule.
Laptop users, on the other hand, have far fewer restrictions. They have domain
accounts that are members of the local admin group on their machines. They are
supposed to use Windows Update to install patches but many of them don't. They VPN in
on an irregular schedule. I would really like to have a method to force them to
install patches.

As local admin, the user can disable or ignore the AutoUpdate client. If I were to

take away their administrative privileges and make them Power Users instead, is there
any method available of forcing them to download updates on a schedule from
WindowsUpdate.com? Through group policy is it possible to configure the autoupdate
client to seek updates from WindowsUpdate.com and install patches on a schedule? If I
were to configure the AU client on the console as admin and then give them the
laptop, would they be forced to install the patches when logged in as Power Users?

 

[Oli Restorick [MVP]]

Here's one possible solution.

Windows Server 2003 has a thing called Network Access Quarantine, which is
basically runs a script on the client to determine if they gain full access
to the VPN. I believe that you would be able to allow them access only to
your SUS server on a certain port (80 seems a good choice). You could then
write a script which used MBSACLI (the command-line version of Microsoft
Baseline Security Analyzer), along with the switches to make it check
against your SUS server. By outputting the resulting file to disk and
checking for the string "Patch NOT found", you can determine whether or not
your users have all the patches required.

http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx

I've never tried this, but I think it's all feasible.

Oli

Hello,
I apologize for the long message, but I am sure many admins struggle with

this issue. I am having some difficulties with laptop patch management. I
was hoping that we could discuss best practices/methods to improve the
situation. My patch management process for desktops and laptops is
substantially different. My desktop users obtain patches using SUS. They
have only user privileges. Patches are installed on a schedule specified by
group policy and they are forced to comply with this schedule. Laptop users,
on the other hand, have far fewer restrictions. They have domain accounts
that are members of the local admin group on their machines. They are
supposed to use Windows Update to install patches but many of them don't.
They VPN in on an irregular schedule. I would really like to have a method
to force them to install patches.

As local admin, the user can disable or ignore the AutoUpdate client. If I

were to take away their administrative privileges and make them Power Users
instead, is there any method available of forcing them to download updates
on a schedule from WindowsUpdate.com? Through group policy is it possible to
configure the autoupdate client to seek updates from WindowsUpdate.com and
install patches on a schedule? If I were to configure the AU client on the
console as admin and then give them the laptop, would they be forced to
install the patches when logged in as Power Users?

 

[Andrew Mitchell]

Here's one possible solution.

Windows Server 2003 has a thing called Network Access Quarantine,

Is this available yet? I didn't think it was going to arrive until the next
service pack (but I may be mistaken)

Andy.

 

[Paul Adare - MVP - Microsoft Virtual PC]

microsoft.public.win2000.security news group, Andrew Mitchell

Is this available yet? I didn't think it was going to arrive until the next
service pack (but I may be mistaken)

Yes, and details can be found at the link Oli provided.