Patch deployment without SUS/SMS?

[Gerry Hickman]

I had a good look at SUS today, and will probably use it eventually, but
right now I can't; (web servers are being moved into DMZs etc).

What I'd quite like to be able to do is use a script to apply the
patches to the client machines. I can set up the patches on a file
share, then "run" them with silent install options after everyone is
logged out, but how exactly?

I'm thinking either a schedule on every local machine that would run a
"hidden" script with admin rights at a set time (very messy), or some
kind of WMI thing where a single script on a server could instantiate
itself on the clients (it would have domain admin rights). There's also
a reskit tool that allows a command to start a process on a remote
machine. I can't use logon scripts. and anyway they'd only have user
rights.

 

[Rudy Seoa]

I had a good look at SUS today, and will probably use it eventually, but
right now I can't; (web servers are being moved into DMZs etc).

What I'd quite like to be able to do is use a script to apply the
patches to the client machines. I can set up the patches on a file
share, then "run" them with silent install options after everyone is
logged out, but how exactly?

I'm thinking either a schedule on every local machine that would run a
"hidden" script with admin rights at a set time (very messy), or some
kind of WMI thing where a single script on a server could instantiate
itself on the clients (it would have domain admin rights). There's also
a reskit tool that allows a command to start a process on a remote
machine. I can't use logon scripts. and anyway they'd only have user
rights.

Before I implemented SUS for my site, my updating scripts used psexec
from www.sysinternals.com.

I still use this system for installing service packs and slient installs
of other apps (All the things that SUS doesn't do)

 

[TonyEdwards]

I use a startup and shutdown script via GPO which runs as
system.

 

[biragwang]

I use a startup script to scan my clients, identify missing hot-
fixes, silently install necessary hotfixes, and log whatever
parts of the process I want. I push that startup script out via
GPO and regulate its behavior with admin template settings.
It's been in deployment for nearly a month now and has
exceeded my performance expectations. If a system, such
as a laptop, has not been on my network lately to receive
patches, then connects to my network while in a vulnerable
state, the missing hotfixes are immediately applied. And
since I wrote the script, I can generate logs however I wish.
I can easily know what systems received what patches and
when. And since it's a startup script, it runs under system
context.