New Boundary Support Forum / Prism Deploy & Prism Pack / Tips and Tricks / Installing Security Patches... / Latest Posts

RE: Installing Security Patches...

Tron — Tue, 17 Aug 2004 14:59:00 GMT

Why don't you use Prism Patch Manager?

RE:Installing Security Patches...

New Boundary Support — Mon, 12 Jan 2004 16:08:00 GMT

The Microsoft hotfixes and service packs all support command line switches that allow silent and unattended execution of the update in question.

Here is how we used Prism Deploy to silently push out the Microsoft Security Bulletin MS03-045: Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)

After downloading the executable for the patch, we ran the command "Windows2000-KB824141-x86-ENU.exe -x" in a local command shell. This extracted the files which we put in a network share \\server\share\KB824141.

Then in the Prism Deploy Console we created a command task that points to the patch:

\\server\share\KB824141\update\update.exe -u -q

-u is Unattended mode
-q is Quiet mode (no user interaction)

These two switches refer to the update.exe itself, we still needed to edit the Task to allow unattended. To do this we right-clicked on the Task and chose Properties. Then we went to the Task tab and clicked the Account... button. Here we checked the box for 'Allow unattended installation' and changed the Run as to a domain administrator account (i.e. domain\username, password). Click OK a couple of times, and we were back at the Console with a patch update Task that would run unattended on all machines that it was assigned to.

RE:Installing Security Patches...

Guest — Mon, 12 Jan 2004 16:08:00 GMT

Has anyone successfully set up these hotfixes/service packs to run unattended?

RE:Installing Security Patches...

Guest — Mon, 12 Jan 2004 16:08:00 GMT

Glad to share info on this matter:

Here is a rule that I use for WinXp machines you can modify for any of the other patches. I find that the location of registry changes that Microsoft has posted for the KB may not give accurate info as to whether the update installed or not.

Rule Name:2003-09-10 KB824146 - Not Installed
Rule TextOSRevision = OS.Revision.WinXP.SP1) AND (NOT EXISTS <Registry Key> "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB824146")

It install the patch I do the following. Download the .exe patch to your shared folder where you normally keep you deployed packages. I rename the downloaded patch to an easy name for me to remember as Microsoft comes up with different names for everything with no standard. (ie. KB824146.exe) Good idea is to keep the shared folder organized. Then I use the following as a command task to deploy. Keep in mind that some patches do require a reboot to make it a solid patch. PD will show the command as completed. Easy thing is to push out a package that does a pop up window to let the user know it has been patched and asking them to perform a reboot.

Here is the command I used for the above task.

Task Name: HF WinXP KB824146
Command (via unc path): \\Servername\ShareFolderName\KB824146.exe -u -o -n -q -z

I prefer using unc path so my users will not be temped to try installing packages as users love to click on things they find.

Feel free to contact me if you need any more assistance. I've got lots of good rules to share.

RE:Installing Security Patches...

New Boundary Support — Mon, 12 Jan 2004 16:07:00 GMT

The easiest way to determine which machines have which updates, is to create a Configuration Group based on the existence or absence of that update's corresponding registry key. Two good locations to get started are HKLM\SOFTWARE\Microsoft\Updates and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix. For examples see:
http://www2.lanovation.com/cgi-bin/dcforum/dcboard.cgi?az=list&forum=DCForumID20&conf=DCConfID5

The recommended method to rollout Microsoft Service Packs and OS updates using Prism Deploy is to download the patch from Microsoft and build a Prism Deploy Command Task that runs the program. Microsoft supports switches on their updates that allow you to install "quietly" so users don't need to answer any prompts or even see the update when it's happening. Here's a link to a Microsoft KB article that lists some of the switches:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262839

You can also see the supported switches by running the downloaded executable with a "/?" switch. Please note that Microsoft supports different switches depending on the type of update; hotfix versus service pack, for example.

Prism allows you to run the Command Task as a user with sufficient privileges so you don't need to worry about users who don't have enough privileges to their local PC to complete the update. Be sure to use the format domain\username when specifying a user account.

After downloading the Service Pack (e.g., w2ksp4_en.exe) run the exe with the switch -x. You will be prompted for a location to place the extracted files. Enter a network share.

Use this Share as your source for running the Service Pack install, saving minutes on the process because it no longer needs to extract the files before running.

Set up the Command Task to run "\\server\share\i386\update\update.exe"

Here's a list of the Service Pack switches:
-u Unattended mode, no user interaction (status of install is displayed)
-f Force other programs to close when the computer shuts down
-n Do not back up files for uninstall
-o Overwrite OEM files without prompting
-z Do not restart when installation is complete
-q Quiet mode (nothing displayed to users)
-l List installed hotfixes
-s:<dir> Integrate SP files into <dir>
-x (undocumented) extracts files only, prompts for a source

Most customers run -u and/or -q, -f, -o.

Installing Security Patches...

Guest — Mon, 12 Jan 2004 16:07:00 GMT

Hi folks.

what is the common procedure when installing patches from microsoft?

Do you make configuration group and check for the patch or? And how do you deploy it?

Thanks in advanced.
-j