@sixdoubleo, I think you're mixing too many things together. But yes, in some cases there is a need for something else than WSUS.

But in your case, it seems like the internal policies should be revised rather than building custom, hard-to-maintain solutions to work around the problem instead of solving it.

First of all, why can non-controlled PCs be added to the domain at all? If anyone has these credentials in your domain, patching will do nothing for security in your domain anyhow.

Secondly, how do you handle installations? Aren't there standard images, for example? Have you considered image-based installations using RIS or similar solutions?

Then, if WSUS still doesn't meet your needs, you might want to look at other solutions, like SMS server or complementing WSUS with scripts. For example, if you want patches at startup, all you really need to do is make sure that the PCs are up and running at the time that you want to patch them. Translated, a policy that says that the personnel should leave their PC on when they go home. WOL-waking during non-business hours could be another alternative. You could also script an automatic shutdown once you've checked that the machine is patched.

Also, don't forget to consider the days of risk, i.e. the number of days a machine stays unpatched. For each patch for every OS that you maintain, there's a risk that you have to put a manual hand on it in order to get the workstations patched. This increases the days of risk substantially. Many times, just because of this factor, an automated solution that makes sure the workstations DO get patched automatically might be better, even though it might not endorse all the policies the company has set up internally. I.e., it could be better to revise the policies instead.

I know that in coming generations, maybe even in service packs, network quarantine functions with IPSec will be improved substantially.


Edited by masken (2005-11-16 10:10 AM)
_________________________
The tart is out there
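The two scripted pieces masken mentions above (waking a workstation with WOL outside business hours, and shutting it down only after confirming it is patched) as an added example. This is not code from the original post; it is written in PowerShell rather than the VBScript an admin would have used in 2005, but it drives the same Windows Update Agent COM objects (Microsoft.Update.Session, Microsoft.Update.SystemInfo) that were available then. The MAC address, broadcast address and port in the usage lines are assumed placeholder values, not anything from the thread.

```powershell
# Added example, not part of the original post.
# Part 1: wake a workstation with a Wake-on-LAN magic packet (run from a
# management host on the same broadcast domain, before the patch window).
function Send-WakeOnLan {
    param(
        [Parameter(Mandatory)] [string] $MacAddress,      # '00-11-22-33-44-55' or with ':'
        [string] $Broadcast = '255.255.255.255',           # assumed: directed broadcast of the client subnet
        [int]    $Port      = 9                            # conventional WOL port (7 also common)
    )
    $octets = @($MacAddress -split '[:-]')
    if ($octets.Count -ne 6) { throw "MAC address must have six octets: $MacAddress" }
    $macBytes = [byte[]]($octets | ForEach-Object { [Convert]::ToByte($_, 16) })

    # Magic packet layout: six 0xFF bytes followed by the MAC repeated 16 times (102 bytes).
    $packet = New-Object byte[] 102
    for ($i = 0; $i -lt 6;   $i++) { $packet[$i] = 0xFF }
    for ($i = 6; $i -lt 102; $i++) { $packet[$i] = $macBytes[($i - 6) % 6] }

    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Connect($Broadcast, $Port)
        [void]$udp.Send($packet, $packet.Length)
    } finally {
        $udp.Close()
    }
}

# Part 2: on the workstation itself (e.g. a scheduled task late in the patch
# window), ask the Windows Update Agent whether anything is still outstanding.
# The agent uses whatever source the machine is configured for (WSUS or Microsoft Update).
function Get-PendingUpdateCount {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Standard WUA search criteria: not yet installed, not hidden by the user, software updates only.
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    return [int]$result.Updates.Count
}

function Test-RebootPending {
    return [bool](New-Object -ComObject Microsoft.Update.SystemInfo).RebootRequired
}

# Shut down only when nothing is pending and no reboot is outstanding; otherwise
# leave the box on (or reboot it) so the next WSUS detection cycle can finish the job.
function Invoke-ShutdownIfPatched {
    param([switch] $WhatIf)   # pass -WhatIf to see the decision without acting on it
    $pending = Get-PendingUpdateCount
    if ($pending -gt 0) {
        Write-Host "$pending update(s) still pending; leaving the machine on."
        return
    }
    if (Test-RebootPending) {
        Write-Host "Updates installed but a reboot is pending; restarting."
        Restart-Computer -Force -WhatIf:$WhatIf
        return
    }
    Write-Host "Fully patched; shutting down."
    Stop-Computer -Force -WhatIf:$WhatIf
}

# Usage (assumed values):
#   Send-WakeOnLan -MacAddress '00-11-22-33-44-55' -Broadcast '192.168.10.255'
#   Invoke-ShutdownIfPatched -WhatIf
```

Two caveats a practitioner would want: the WOL packet is sent to a broadcast address, so it only reaches machines on that subnet unless routers are configured to forward directed broadcasts; and the shutdown check relies on the agent having already run a detection cycle against WSUS, so schedule it after the detection/install window rather than at the start of it.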