Re: Laptop patch management

From: Oli Restorick [MVP] (oli_at_mvps.org)
Date: 03/20/04


Date: Sat, 20 Mar 2004 15:52:57 -0000

Here's one possible solution.

Windows Server 2003 has a thing called Network Access Quarantine, which
basically runs a script on the client to determine if they gain full access
to the VPN. I believe that you would be able to allow them access only to
your SUS server on a certain port (80 seems a good choice). You could then
write a script which used MBSACLI (the command-line version of Microsoft
Baseline Security Analyzer), along with the switches to make it check
against your SUS server. By outputting the resulting file to disk and
checking for the string "Patch NOT found", you can determine whether or not
your users have all the patches required.

http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx

I've never tried this, but I think it's all feasible.

Oli

"NK" <anonymous@discussions.microsoft.com> wrote in message
news:5ECB681F-716A-406D-873C-FAB7BE832D7F@microsoft.com...
> Hello,
> I apologize for the long message, but I am sure many admins struggle with
> this issue. I am having some difficulties with laptop patch management. I
> was hoping that we could discuss best practices/methods to improve the
> situation. My patch management process for desktops and laptops is
> substantially different. My desktop users obtain patches using SUS. They
> have only user privileges. Patches are installed on a schedule specified by
> group policy and they are forced to comply with this schedule. Laptop users,
> on the other hand, have far fewer restrictions. They have domain accounts
> that are members of the local admin group on their machines. They are
> supposed to use Windows Update to install patches but many of them don't.
> They VPN in on an irregular schedule. I would really like to have a method
> to force them to install patches.
>
> As local admin, the user can disable or ignore the AutoUpdate client. If I
> were to take away their administrative privileges and make them Power Users
> instead, is there any method available of forcing them to download updates
> on a schedule from WindowsUpdate.com? Through group policy is it possible to
> configure the autoupdate client to seek updates from WindowsUpdate.com and
> install patches on a schedule? If I were to configure the AU client on the
> console as admin and then give them the laptop, would they be forced to
> install the patches when logged in as Power Users?
>
> I look forward to your suggestions and comments.
>
> Thanks!
> NK
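The quarantine script Oli sketches above, written out as an added example (this is not code from the post or from Microsoft). It assumes the MBSACLI /hf switches shown, the SUS server URL, the report path, the rqc.exe location and argument order, and that the connection profile passes the RAS entry names, domain and user name as the first four parameters; check each of these against your MBSA and Windows Server 2003 documentation before relying on it.

```batch
@echo off
rem Quarantine check run on the VPN client while it can only reach the
rem SUS server. The client is released from quarantine only if MBSACLI
rem reports no missing patches; any scan failure leaves it quarantined.
rem Assumed parameters from the connection profile:
rem   %1 = dial-up RAS entry   %2 = tunnel RAS entry
rem   %3 = domain              %4 = user name
setlocal
set SUSSERVER=http://sus.example.internal
set MBSACLI="%ProgramFiles%\Microsoft Baseline Security Analyzer\mbsacli.exe"
set REPORT=%TEMP%\mbsa-quarantine.txt
set RQCPORT=7250
set SCRIPTVER=1

rem Remove any stale report so an old clean result cannot be reused.
if exist "%REPORT%" del "%REPORT%"

rem Assumed switches: HFNetChk-style scan against the SUS approved list,
rem writing a text report to disk.
%MBSACLI% /hf -sus %SUSSERVER% -f "%REPORT%"

rem No report means the scan did not run; treat that as a failure.
if not exist "%REPORT%" goto fail

rem The string the post keys on: any hit means at least one missing patch.
rem findstr sets errorlevel 0 when the string is found.
findstr /C:"Patch NOT found" "%REPORT%" >nul
if not errorlevel 1 goto fail

rem Clean: signal the remote access server (rqc.exe) to lift quarantine.
"%SystemRoot%\system32\rqc.exe" %1 %2 %RQCPORT% %3 %4 %SCRIPTVER%
endlocal
exit /b 0

:fail
rem Missing patches or failed scan: say nothing, client stays quarantined
rem with access to the SUS server only, so it can fetch the patches.
endlocal
exit /b 1
```

Keep the script's version number in step with the one configured on the remote access server, since rqc.exe reports it and a mismatch is rejected.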
