#151512 - 2005-11-15 12:25 PM
Automagic Windows patching
MeneM1978
Lurker
Registered: 2005-11-15
Posts: 2
I find this script, McAfee update script, enormously useful in keeping our virus scanners up to date. It's even easier than the whole Enterprise management thingie.
Anyway, I'd like to know if there are no KiX scripts around that do the same for automagic Windows patching. I could download the individual 2k and XP patches from SoftwarePatch.com,
put them in a directory, and have the script install them from there. This way the user won't get a nasty surprise if Microsoft deems an update so important that it automatically reboots the system without saving the user's work (the downside of automatic Windows updates).
Thx, Mark
#151515 - 2005-11-15 01:56 PM
Re: Automagic Windows patching
Radimus
Moderator
Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
There are a few UDFs in here, but they are easy to get from the UDF library.
Code:
;************************************ XP HotFix Updates *****************************************
; Compare the hotfix .exe files on the share against the KB keys Windows records under
; HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP3 and install whatever is not listed there.
; arrEnumKey() and FileList() are UDFs from the UDF library; $setup is the share root.
$MaxSize = 500000   ; over a RAS link, skip any hotfix larger than this (bytes)
; $MaxSize is set first so that the @error test below still reflects the FileList() call
$arrkey  = arrEnumKey('HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP3')
$arrdir  = FileList($setup+'\Hotfixes\WinXP','.exe',1)
if not @error
  $reboot = 0
  for each $dir in $arrdir
    $installed = 0
    ; file names follow WindowsXP-KBnnnnnn-x86-ENU.exe, so field 1 is the KB number
    $parsed = split($dir,'-')[1]
    for each $key in $arrkey
      if $key = $parsed
        $installed = 1
      endif
    next
    if not $installed
      ; on a dial-up (RAS) connection only pull small patches; on the LAN pull everything
      if (@ras and GETFILESIZE($dir) < $MaxSize) or not @ras
        $=sendmessage(@wksta,"A CRITICAL upgrade is now starting. "+
          "Your computer will restart on its own in about 2-3 minutes. Please do not open any programs. "+
          "There is no need to click the OK button.")
        ? color c+/n ' Installing Security Update '+$parsed
        ; /passive shows progress without prompting; /norestart defers the reboot to the end
        shell '%comspec% /c ' + $dir + ' /passive /norestart'
        $reboot = 1
      endif
    endif
  next
  if $reboot
    ; one forced reboot after all patches instead of one per patch
    ShutDown ('', 'Updates have been applied that require your computer to restart', 5, 1, 1)
    quit
  endif
endif
#151517 - 2005-11-15 02:39 PM
Re: Automagic Windows patching
MeneM1978
Lurker
Registered: 2005-11-15
Posts: 2
Well, I sure do appreciate the help from you guys. But WSUS is definitely something I do not want to go for. I have no IIS server in my network, no database servers, and don't need one either.
So installing those things just for WSUS is overkill. I only want to keep these Windows machines updated easily. Has Microsoft made this updating so incredibly difficult that it can't even be scripted?
Thanks, Mark
#151519 - 2005-11-15 02:55 PM
Re: Automagic Windows patching
Richard H.
Administrator
Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
Quote:
So installing those things just for WSUS is overkill. I only want to keep these Windows machines updated easily. Has Microsoft made this updating so incredibly difficult that it can't even be scripted?
Manually maintaining your own repository to push out fixes (to the right machines) is a *lot* of hard work.
Installing IIS and MSDE is pretty trivial by comparison - once you've configured a repository and updated your client machines (via GPO) to look at it the only active participation you have to make is to review and approve the updates.
I cannot stress how much easier it will make your life if you go down the WSUS route.
#151521 - 2005-11-15 03:28 PM
Re: Automagic Windows patching
Radimus
Moderator
Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
Have you just ignored my post? I keep 2000 laptops and desktops updated with that (all XP), but the code is only a little different for 2k.
Just dump the patch in the folder and at next logon the user will install it (assuming local admin).
#151523 - 2005-11-15 04:25 PM
Re: Automagic Windows patching
masken
MM club member
Registered: 2000-11-27
Posts: 1222
Loc: Gothenburg, Sweden
Quote:
Well, I sure do appreciate the help from you guys. But WSUS is definitely something I do not want to go for. I have no IIS server in my network, no database servers, and don't need one either.
So installing those things just for WSUS is overkill. I only want to keep these Windows machines updated easily. Has Microsoft made this updating so incredibly difficult that it can't even be scripted?
Thanks, Mark
I'm really sorry, but I have to say this: you're the one who's trying to complicate things here, m8. Why on God's earth would you even want to try to code your own solution for updating and managing client PCs and applications when there are better solutions available, for free, than you will ever realistically be able to create with scripting?
You'll only end up with a poorly managed environment, with lots of unnecessary work and a higher risk of viruses and instability, seemingly because of faulty presumptions about IIS, databases, and complexity. No hard feelings I hope, but you really, really should do your homework better.
Edited by masken (2005-11-15 04:35 PM)
_________________________
The tart is out there
#151524 - 2005-11-15 04:41 PM
Re: Automagic Windows patching
Richard H.
Administrator
Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
Quote:
Have you just ignored my post? I keep 2000 laptops and desktops updated with that (all XP), but the code is only a little different for 2k.
Just dump the patch in the folder and at next logon the user will install it (assuming local admin).
No, I didn't ignore your post, however in a mixed OS environment where we want to deliver OS and application patches and updates in a controlled manner WSUS is the weapon of choice.
I assume that you have additional modules for pulling down the updates from MS, delivering them to staging PCs and servers for initial testing and then reporting the success (or failure) of updates as well, but TBH the MS solution is so trivial to implement that if you are just starting to look at implementing a patch roll-out mechanism you'd be hard pressed to find anything that will do a better job at the same price.
#151525 - 2005-11-15 06:24 PM
Re: Automagic Windows patching
NTDOC
Administrator
Registered: 2000-07-28
Posts: 11628
Loc: CA
Quote:
So installing those things just for WSUS is overkill.
Well, then I would have to assume you're running a fairly small shop of computers.
Just turn on Automatic Updates and let Microsoft update them over the Internet after hours.
Leave the machines on at night and, even if you're only on a cable modem, all your systems will complete their updates just fine with little to no intervention by you (except to turn it on in the first place and maybe get them the latest version of BITS). Oh!... and that McAfee script is WAY outdated in terms of current coding methods. Lose all the GOTO stuff.
Edited by NTDOC (2005-11-15 06:26 PM)
#151526 - 2005-11-15 08:10 PM
Re: Automagic Windows patching
Radimus
Moderator
Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
Quote:
I find this script, McAfee update script, enormously useful in keeping our virus scanners up to date. It's even easier than the whole Enterprise management thingie.
Anyway, I'd like to know if there are no KiX scripts around that do the same for automagic Windows patching. I could download the individual 2k and XP patches from SoftwarePatch.com,
put them in a directory, and have the script install them from there. This way the user won't get a nasty surprise if Microsoft deems an update so important that it automatically reboots the system without saving the user's work (the downside of automatic Windows updates).
Thx, Mark
See my first post to answer your question.
Of course, to install patches your users have to be local admin.
#151530 - 2005-11-16 06:22 AM
Re: Automagic Windows patching
sixdoubleo
Starting to like KiXtart
Registered: 2004-02-06
Posts: 118
Loc: California, US
I agree with the notion that going with WSUS is the best route... to a point. I manage a 1200-desktop environment of NT4, 2000, and XP machines. It's like 80% XP, 15% 2000, and 5% NT. I am currently looking at WSUS, but it has a few fairly major (in my opinion) limitations. The one thing that I find to be a real issue for me is the way patches are pushed out. It requires you to schedule a specific time at which patches are installed.
What if I want patches installed at startup, before the user even logs on? WSUS cannot do that. The best it can do (that *I* see) is to schedule patches for install at 2:00am, and then when the user logs on in the morning you tell it to make up the missed install within 1 minute of logon. That is kludgy to me.
Our policy where I work is this:
"No workstation will log onto our enterprise network without being fully patched. Ever. Period."
WSUS cannot enforce that policy. With WSUS in place, a staff member could install a gold-level Windows XP, add the PC to the domain, and this unpatched/vulnerable machine will sit on our network for possibly an entire day before WSUS would deploy. Or am I wrong about this?
What we have been doing since 2003 is using a custom scripting solution. It runs as a service account and does not require the user to be a local admin. A startup script runs on all machines. It runs MBSACLI (currently 2.0), which scans the machine and produces an XML output. The XML gets parsed, and an array of all needed patches is built. A report of this scan is dropped on the network for future reading. Then that array is for-each'ed and each patch is applied from a file share on the network. Error codes are recorded and a report is generated. Missed error codes will generate an email. The machine is rebooted. Next reboot, it gets scanned again (this takes about 10 seconds); if it passes, the user can log on.
If the machine is still missing one of the same patches (meaning one didn't apply), an email is sent to the help desk, and only an administrator is allowed to log in to the machine (the logon script detects the partial install and immediately logs a normal user off).
If a workstation simply refuses to install a particular patch, one of the support staff can exclude that patch for that workstation via a central INI file that controls the patches. Then somebody can figure out the incompatibility or whatever.
So under normal day-to-day conditions (when no new patches are released), the net impact is that the workstation startup is delayed by about 10 seconds while the MBSACLI scan runs. Not a big deal. We also run an hourly scheduled task. This task checks to see when the last reboot was. If it was more than 12 hours ago, it will run the MBSACLI scan itself and apply the patches. By changing an INI setting we can have all machines scanned (and consequently patched) every hour if we wanted.
Patches are downloaded by a scheduled server script simply by parsing the XML inside Microsoft's WSUSSCAN.CAB file and HTTP GET'ing all EXEs applicable to our environment. As each is downloaded, the script looks at the file properties and determines what kind of patch it is (update.exe, etc.) and, depending on the patch type, will generate an INI containing the switches to use (usually "/quiet /norestart", "/q", or "/q:a"; some of the older NT patches use "-qmz"). I will admit that this step does sometimes require some human intervention. Sometimes we need to manually run a patch with /? to figure out its command line parameters. Once in a while we find a patch that will ONLY work interactively, and we have to look at other ways of deploying.
Is this complicated? Somewhat. Am I the only one who can support it? Unfortunately, yes. I have INI-ized most of the configurable options. Any workstation can be exempted from one or all patches based on any number of conditions, simply by using basic INI settings. There are also AD groups which can be used to apply test patches before general release, etc. So the support staff can run this thing without my help. But if Microsoft were to change their XML file format or something, it would require a KiX coding change.
So while our solution works very well (for now at least) I definitely WISH I could use WSUS for patch management. I just don't feel it offers the kind of enforcement and flexibility we have with our scripted solution. Also, I don't like knowing that with WSUS my patch management system is reliant on an IIS and MSDE backend. Either one of those pieces breaks, and patches don't happen.
At the moment I am looking at a WSUS backend with a much simpler client-side startup script similar to the one linked to above. (on the innotech site I think it was). WSUS is a very nice step in the right direction, but it still needs some more deployment flexibility before I am ready to use it.
Long-winded...but those are my thoughts on the issue of WSUS vs. scripted solution.
Edited by sixdoubleo (2005-11-16 06:42 AM)
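The scan-then-install loop sixdoubleo describes (parse the scan report into the list of needed patches, drop the ones excluded for this workstation in a central INI, pick the silent switches by installer type, install from the share, record each exit code, and gate a normal user's logon on a clean rescan), together with the file-name-to-KB matching that Radimus's folder approach splits on, as an added Python example. This is not code from either poster. The `<UpdateData>` element layout standing in for the MBSACLI report, the INI sections, the share listing and the stubbed exit codes are all constructed assumptions; only 3010 (ERROR_SUCCESS_REBOOT_REQUIRED) is a real Windows installer convention. The `run` callable is the only place that touches the OS, so the same logic can be driven by `subprocess` on a Windows host or by a stub offline.

```python
"""Scan -> plan -> install -> logon gate for patch deployment (added example).

Assumptions, not real formats: the <UpdateData ID= IsInstalled= Type=>
elements stand in for an MBSACLI report, the INI sections are invented,
and the share listing is constructed.  3010 (ERROR_SUCCESS_REBOOT_REQUIRED)
is the standard Windows installer exit code for "installed, reboot pending".
"""
import configparser
import re
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List

# Constructed scan report: one update already installed, three missing.
SAMPLE_REPORT = """<SecScan>
  <Check Name="Windows Security Updates">
    <UpdateData ID="KB896428" IsInstalled="false" Severity="Critical"  Type="update.exe"/>
    <UpdateData ID="KB893066" IsInstalled="true"  Severity="Critical"  Type="update.exe"/>
    <UpdateData ID="KB890046" IsInstalled="false" Severity="Important" Type="update.exe"/>
    <UpdateData ID="KB887472" IsInstalled="false" Severity="Moderate"  Type="iexpress"/>
  </Check>
</SecScan>"""

# Constructed central INI: silent switches per installer type, plus a
# per-workstation exclusion for a patch that refuses to apply on that box.
SAMPLE_INI = """[switches]
update.exe = /quiet /norestart
iexpress   = /q:a /r:n

[exclude]
PC-LAB-07 = KB887472
"""

# Constructed share listing.  The KB number is the second '-' separated
# field of the file name, the same convention Radimus's script splits on.
SHARE_FILES = [
    r"\\server\setup\Hotfixes\WinXP\WindowsXP-KB896428-x86-ENU.exe",
    r"\\server\setup\Hotfixes\WinXP\WindowsXP-KB890046-x86-ENU.exe",
    r"\\server\setup\Hotfixes\WinXP\WindowsXP-KB887472-x86-ENU.exe",
]

ERROR_SUCCESS = 0
ERROR_SUCCESS_REBOOT_REQUIRED = 3010


def missing_updates(report_xml: str) -> Dict[str, str]:
    """Map KB id -> installer type for every update the scan says is not installed."""
    root = ET.fromstring(report_xml)
    return {u.get("ID"): u.get("Type", "")
            for u in root.iter("UpdateData")
            if u.get("IsInstalled", "").lower() == "false"}


def kb_from_filename(path: str) -> str:
    """Pull KBnnnnnn out of a name like WindowsXP-KB896428-x86-ENU.exe ('' if absent)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = re.search(r"-(KB\d+)-", name)
    return m.group(1) if m else ""


def plan(report_xml: str, ini_text: str, share_files: List[str], workstation: str) -> List[dict]:
    """Installs to run: needed per the scan, not excluded for this workstation, present on the share."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    excluded = {kb.strip() for kb in cfg.get("exclude", workstation, fallback="").split(",") if kb.strip()}
    on_share = {kb_from_filename(f): f for f in share_files}
    steps = []
    for kb, ptype in missing_updates(report_xml).items():
        if kb in excluded or kb not in on_share:
            continue  # excluded by the support staff, or not downloaded yet
        steps.append({"kb": kb, "file": on_share[kb],
                      "args": cfg.get("switches", ptype, fallback="/q")})
    return steps


def apply(steps: List[dict], run: Callable[[str], int]) -> dict:
    """Run each installer through `run` (subprocess on a real host, a stub here) and sort the exit codes."""
    result = {"installed": [], "failed": {}, "reboot": False}
    for s in steps:
        code = run('"%s" %s' % (s["file"], s["args"]))
        if code == ERROR_SUCCESS_REBOOT_REQUIRED:
            result["installed"].append(s["kb"])
            result["reboot"] = True
        elif code == ERROR_SUCCESS:
            result["installed"].append(s["kb"])
        else:
            result["failed"][s["kb"]] = code  # what the help-desk e-mail would carry
    return result


def logon_allowed(rescan_xml: str, ini_text: str, share_files: List[str], workstation: str) -> bool:
    """Post-reboot gate: a normal user may log on only if the rescan finds nothing applicable still missing."""
    return not plan(rescan_xml, ini_text, share_files, workstation)


if __name__ == "__main__":
    steps = plan(SAMPLE_REPORT, SAMPLE_INI, SHARE_FILES, "PC-LAB-07")
    # Stub runner: pretend the first patch wants a reboot and the second fails with 1603.
    fake_codes = {"KB896428": 3010, "KB890046": 1603}
    print(apply(steps, lambda cmd: next((c for kb, c in fake_codes.items() if kb in cmd), 0)))
```

Because `logon_allowed` reuses `plan`, an excluded patch does not keep a workstation locked out, which matches the INI escape hatch described in the post; a patch that is missing but simply not on the share yet also does not block, so the downloader side still has to run before the gate means anything.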
#151531 - 2005-11-16 08:41 AM
Re: Automagic Windows patching
NTDOC
Administrator
Registered: 2000-07-28
Posts: 11628
Loc: CA
Quote:
"No workstation will log onto our enterprise network without being fully patched. Ever. Period."
Hmmm... somehow I doubt that. It's Monday and 1,200 machines logon - all patched. It's now Tuesday and Microsoft/Oracle/WinZip/Citrix have all issued numerous CRITICAL patches that allow any user to easily gain FULL access to an infected system.
I seriously doubt you have any method in place to KNOW and PREVENT all 1,200 systems from logging in.
You might be able to patch them that day or the next day, but that is not the same as your statement.
Sounds like you have it working how you like in general, though. But don't forget that Glenn Barnas also posted some advanced scripts to work with WSUS and manage many of the shortcomings using KiXtart.