Re: Laptop patch management
From: Oli Restorick [MVP] (oli_at_mvps.org)
Date: Sat, 20 Mar 2004 15:52:57 -0000
Here's one possible solution.
Windows Server 2003 has a thing called Network Access Quarantine, which
basically runs a script on the client to determine if they gain full access
to the VPN. I believe that you would be able to allow them access only to
your SUS server on a certain port (80 seems a good choice). You could then
write a script which used MBSACLI (the command-line version of Microsoft
Baseline Security Analyzer), along with the switches to make it check
against your SUS server. By outputting the resulting file to disk and
checking for the string "Patch NOT found", you can determine whether or not
your users have all the patches required.
I've never tried this, but I think it's all feasible.
"NK" <email@example.com> wrote in message
> I apologize for the long message, but I am sure many admins struggle with
> this issue. I am having some difficulties with laptop patch management. I
> was hoping that we could discuss best practices/methods to improve the
> situation. My patch management process for desktops and laptops is
> substantially different. My desktop users obtain patches using SUS. They
> have only user privileges. Patches are installed on a schedule specified by
> group policy and they are forced to comply with this schedule. Laptop users,
> on the other hand, have far fewer restrictions. They have domain accounts
> that are members of the local admin group on their machines. They are
> supposed to use Windows Update to install patches but many of them don't.
> They VPN in on an irregular schedule. I would really like to have a method
> to force them to install patches.
>
> As local admin, the user can disable or ignore the AutoUpdate client. If I
> were to take away their administrative privileges and make them Power Users
> instead, is there any method available of forcing them to download updates
> on a schedule from WindowsUpdate.com? Through group policy is it possible to
> configure the AutoUpdate client to seek updates from WindowsUpdate.com and
> install patches on a schedule? If I were to configure the AU client on the
> console as admin and then give them the laptop, would they be forced to
> install the patches when logged in as Power Users?
>
> I look forward to your suggestions and comments.
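The MBSACLI-based quarantine check that Oli sketches above, written out as an added example (it is not code from the original post or from Microsoft). It assumes mbsacli.exe is run in HFNetChk mode with the switches `/hf -sus <url>` (check the exact switch names against the documentation for your MBSA version), that a missing patch shows up as a line beginning "Patch NOT Found" followed by the bulletin ID and KB/Q number, and that the SUS URL, the mbsacli path and the report text in SAMPLE_REPORT are all placeholders constructed for the example. The one thing it adds to the plain "look for the string" idea is that it fails closed: a scan that never ran (server unreachable, mbsacli missing) also contains no "Patch NOT Found" string, and a naive grep would wave that client through.

```python
"""Patch check in the style of a Network Access Quarantine script: run
MBSACLI against the SUS server, capture its report and look for
"Patch NOT Found" lines.

Added example, not code from the original post. Assumptions:
  - mbsacli.exe is run in HFNetChk mode with `/hf -sus <url>`; verify the
    switch names against the documentation of your MBSA version;
  - a missing patch appears as a line starting "Patch NOT Found" followed
    by the bulletin ID and the KB/Q number, as in HFNetChk-style output;
  - SAMPLE_REPORT, the SUS URL and the mbsacli path are constructed here.
"""
import re
import subprocess
import sys
from typing import List, Tuple

# One missing patch per line, e.g. "Patch NOT Found MS04-011 835732".
# Case-insensitive: the capitalisation of "found" is not something a
# quarantine script should depend on.
MISSING_RE = re.compile(r"^\s*Patch NOT found\s+(MS\d{2}-\d{3})\s+(\S+)",
                        re.IGNORECASE)


def missing_patches(report: str) -> List[Tuple[str, str]]:
    """Return (bulletin, kb) for every 'Patch NOT Found' line in the report.

    'Note' and 'Warning' lines are deliberately ignored: only lines that
    MBSA itself reports as a missing patch count against the client.
    """
    missing = []
    for line in report.splitlines():
        m = MISSING_RE.match(line)
        if m:
            missing.append((m.group(1), m.group(2)))
    return missing


def is_compliant(report: str, exit_code: int = 0) -> bool:
    """True only when the scan actually ran and reported no missing patch.

    Fails closed: an empty report or a non-zero exit code (SUS server
    unreachable, mbsacli missing, etc.) contains no "Patch NOT Found"
    string either, and a plain string search would pass such a client.
    """
    if exit_code != 0 or not report.strip():
        return False
    return not missing_patches(report)


def run_mbsacli(sus_url: str,
                mbsacli: str = r"C:\Program Files\Microsoft Baseline Security Analyzer\mbsacli.exe"
                ) -> Tuple[str, int]:
    """Run the scan against the SUS server; switch names are an assumption."""
    proc = subprocess.run([mbsacli, "/hf", "-sus", sus_url],
                          capture_output=True, text=True, check=False)
    return proc.stdout + proc.stderr, proc.returncode


# Constructed sample of HFNetChk-style output for a laptop missing two patches.
SAMPLE_REPORT = """\
Microsoft Baseline Security Analyzer
Scanning LAPTOP01 against http://sus.example.internal

LAPTOP01 (192.0.2.10)
----------------------------------------------------
    * WINDOWS XP SP1
    Note            MS03-023        817606
    Patch NOT Found MS04-007        828028
    Patch NOT Found MS04-011        835732
    Warning         MS03-039        824146
"""


def main(argv: List[str]) -> int:
    """Exit 0 when compliant, 1 otherwise. The quarantine script would call
    rqc.exe (release from quarantine) only on exit status 0."""
    if len(argv) > 1:
        report, code = run_mbsacli(argv[1])
    else:
        report, code = SAMPLE_REPORT, 0
    for bulletin, kb in missing_patches(report):
        print(f"missing {bulletin} ({kb})")
    return 0 if is_compliant(report, code) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it evaluates the constructed report and exits 1 (two patches missing); run as `python check.py http://your-sus-server` it performs the real scan. Whatever scan tool you end up using, keep the fail-closed rule: the quarantine script should release the client only on a positive result, never on the absence of a failure string.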