#151533 - 2005-11-16 03:46 PM
Re: Automagic Windows patching
sixdoubleo
Starting to like KiXtart
Registered: 2004-02-06
Posts: 118
Loc: California, US
Quote:
Quote:
"No workstation will log onto our enterprise network without being fully patched. Ever. Period."
Hmmm... somehow I doubt that. It's Monday and 1,200 machines log on, all patched. It's now Tuesday and Microsoft/Oracle/WinZip/Citrix have all issued numerous CRITICAL patches that allow any user to easily gain FULL access to an infected system.
I seriously doubt you have any method in place to KNOW and PREVENT all 1,200 systems from logging in.
You might be able to patch them that day or the next day, but that is not the same as your statement.
Remember I'm using startup, not login. Startup happens before login. If a machine fails the MBSACLI scan, it won't be allowed to log on. It will either apply the right patch(es) to satisfy MBSA, or it will continue looping (scan, apply patch, reboot, repeat). In fact, early on this was a problem we had where machines would loop forever on a patch that wouldn't apply. I added some logic to detect this and now they will notify if the same patch is trying to install twice. On top of that we have our hourly maint task which will scan/update as well... we currently set that to a 12 hour allowance though.
So yes, they truly cannot log in unless they are patched (with Microsoft patches).
Quote:
Sounds like you have it working how you like in general, though, but don't forget that Glenn Barnas also posted some advanced scripts to work with WSUS and manage many of the shortcomings using KiXtart.
Yep...that's the code I was referring to when I said I was looking at a WSUS backend/scripted front end. I think using some code to control the update agent you would get the best of both worlds.
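The startup gate and stuck-patch guard described in the post, as an added Python example (not the author's KiXtart script; the scanner results, installer outcomes and KB ids are constructed stand-ins):

```python
"""Startup-time patch gate with a stuck-patch guard (added example).

Models the loop the post describes: scan for missing patches, apply one,
reboot, repeat, and stop retrying a patch once it has already been attempted
so a patch that never applies cannot keep the machine looping forever.
"""
from collections import Counter

# Constructed installer outcomes: KB111 installs fine, KB222 never applies.
PATCH_APPLIES = {"KB111": True, "KB222": False}


def decide(missing, attempts, max_attempts=1):
    """Choose the action for one startup cycle.

    missing  -- patch ids the scan reported as missing (constructed input)
    attempts -- Counter of install attempts so far, persisted across reboots
    Returns ("allow_logon", None), ("apply", kb) or ("notify", kb).
    """
    if not missing:
        return ("allow_logon", None)
    for kb in missing:
        # Still missing after it was already tried: it is stuck, so notify
        # instead of looping on it again.
        if attempts[kb] >= max_attempts:
            return ("notify", kb)
    kb = missing[0]
    attempts[kb] += 1
    return ("apply", kb)


def run_startup_loop(missing, max_cycles=10):
    """Simulate scan/apply/reboot cycles until logon is allowed or a patch is stuck."""
    attempts = Counter()   # in a real script this lives on disk across reboots
    installed = set()
    history = []
    for _ in range(max_cycles):
        still_missing = [kb for kb in missing if kb not in installed]
        action, kb = decide(still_missing, attempts)
        history.append((action, kb))
        if action != "apply":
            return history
        if PATCH_APPLIES.get(kb, False):  # constructed installer result
            installed.add(kb)
        # a failed install leaves the patch missing for the next scan
    return history
```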