From: Arendt, Jordan ED0 (Jordan.Arendtsasked.gov.sk.ca)
Date: Thu May 02 2002 - 16:10:10 CDT

    This is correct. From what I've seen, it checks the patch repository to
    ensure you have the patches downloaded, then copies the patches to the box
    (as well as qchain.exe), creates a batch file to install all patches and
    reboot, and schedules it with scheduler. The first time we updated a
    server, it kacked because we didn't have the scheduler service running.

    Jordan

    -----Original Message-----
    From: Davis, Matt [mailto:matt.daviscountryfinancial.com]
    Sent: Thursday, May 02, 2002 1:47 PM
    To: 'Tech Support Mailbox'
    Cc: FOCUS-MS (E-mail)
    Subject: RE: Rolling out patches

    I actually believe that HFNETCHKPro patches the servers in much the same
    way... it checks to see if task scheduler is running, and whether or not you
    can write to the server's hard drive...

    M.

    Matt Davis, MCSA
    Intermediate Client/Server Analyst
    Client/Server Business Support
    mailto:matt.daviscountryfinancial.com

    -----Original Message-----
    From: Tech Support Mailbox [mailto:supportnowldef.org]
    Sent: Thursday, May 02, 2002 12:14 PM
    To: 'H C'
    Cc: 'focus-mssecurityfocus.com'
    Subject: RE: Rolling out patches

    My solution isn't quite what you're looking for, but I'll post it anyway,
    since it may work for others, and it may be a partial solution for you.

    To give you a sense of why I used my approach, let me begin by saying that I
    am the lone IT person in an organization with 60 workstations and zero
    money. Too big to go workstation-by-workstation, too small to justify SMS
    or even HFNetChkPro. If this isn't your situation, then you're probably
    better off using AD application publishing, SMS, or HFNetChkPro.
     
    My situation is that I have Win2K Pro clients in an NT4.0 domain, so I don't
    have AD to send my patches to the clients. I experimented with a number of
    approaches which had various drawbacks (Win2K Telnet Server, login scripts,
    etc.). I finally decided on a three-step process:
    1) Compile a list of all computers that need a patch in a text file.
    2) Copy the patch to the local hard drives of every computer that needs it.
    3) Use Scheduled Tasks to run the task as Administrator.
    (Steps 2 and 3 must be run as Administrator)

    Assuming I name the file from Step 1 "win2k.txt", I find that these two
    lines work for Step 2:
    For /f %i in (win2k.txt) do copy \\patchpath\patchname.exe \\%i\c$\dell\
    Obviously, you can copy it to any folder you are certain all your
    workstations have - c:\dell is just my preference.

    Step 3, assuming the time is now 12:30, looks like:
    For /f %i in (win2k.txt) do at \\%i 12:32 /interactive c:\dell\patchname.exe /q /r:n

    Of course, there's no error handling here (e.g., what happens if someone
    reboots their computer between step 1 and step 3), but it works for me.
    Also note that when using these lines in a batch file, you must substitute
    %%i for %i, and .\win2k.txt for win2k.txt.

    Step 1 is a little trickier than Steps 2 and 3 - I've been tweaking my
    method, but I'm still not happy. I've been experimenting with the reskit
    tool REG, and also GETVER (a freeware clone of FILEVER, also in the reskit,
    but unlike REG, it's not free to download). I currently use the login
    script to record a system's OS, Service Pack level, and the status of
    whatever patch I want to use, and then I use FIND to compile my list of
    systems I want to patch. I leave it running the day after my patch
    deployment to see whether it worked.

    Things that could be done to improve on this:
    Incorporating Wake-On-LAN to ensure that every system is on
    More feedback on failed installations (for instance, incorporating
    error-checking on the existence of patched files after the patch is
    deployed)
    Figuring out how to do the VB equivalent of "ScheduleTime = Now + 1" in a
    batch file (or moving to VBScript)
    And much more.

    I hope this is useful to someone - feel free to contact me with suggestions
    for improvements or questions.

    Jon
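
Steps 2 and 3 from the message above combined into one batch file, with the per-host error handling the post says is missing, as an added example that is not part of the original thread. It assumes copy and at.exe return a non-zero exit code on failure; ok.txt and failed.txt are hypothetical log names, and the run time is passed as the first argument.

```batch
@echo off
rem Added example, not from the original post.
rem Paths and file names are the post's own placeholders;
rem ok.txt and failed.txt are hypothetical log names.

set PATCH=\\patchpath\patchname.exe
set LIST=.\win2k.txt
set RUNAT=%1

if "%RUNAT%"=="" (
    echo usage: %~nx0 HH:MM
    exit /b 1
)

rem Start each run with empty result logs
if exist ok.txt del ok.txt
if exist failed.txt del failed.txt

for /f %%i in (%LIST%) do (
    rem Step 2: copy the patch. A host that is off or rebooting fails here.
    copy /y "%PATCH%" "\\%%i\c$\dell\" >nul 2>&1
    if errorlevel 1 (
        echo %%i copy-failed>>failed.txt
    ) else (
        rem Step 3: schedule only where the file actually arrived.
        rem Assumption: at.exe exits non-zero on failure, for example
        rem when the scheduler service is not running on the target.
        at \\%%i %RUNAT% /interactive c:\dell\patchname.exe /q /r:n >nul 2>&1
        if errorlevel 1 (
            echo %%i schedule-failed>>failed.txt
        ) else (
            echo %%i>>ok.txt
        )
    )
)
```

Hosts listed in failed.txt can be fed back in as the list for a later run once they are reachable again.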

    -----Original Message-----
    From: H C [mailto:keydet89yahoo.com]
    Sent: Tuesday, April 30, 2002 4:13 PM
    To: focus-mssecurityfocus.com
    Subject: Rolling out patches

    Following on the coat-tails of the MBSA posts, I
    wanted to pose another question to the readership at
    large...

    What is your favorite tool(s)/technique(s) for rolling
    out patches/hotfixes in a mixed (NT and 2K)
    environment? How do the tools like the MBSA and
    Shavlik's HFNetChkPro perform following the updates?
