I can respond to the AUS/SUS questions:

We are using the AUS at the client level. Granted, this is not ideal as it will cause each individual client to connect 'to Microsoft' and get updates, but it's a heck of a lot better than running around to each machine individually (been there, done that). Installing an SUS server would be nice, as this eliminates a lot of unnecessary internet traffic, and gives you the control to approve/decline which updates your clients receive - but an SMS server would be better yet, as it would keep a rolling inventory about which clients are/aren't patched with what.

So back to SUS... We are using an Active Directory GPO to force the AUS configuration to the client. Big tip here: get the updated *.ADM template from Microsoft in order to get all of the options available for AUS (minus writing your own GPO template). It can be found here:

Read: http://support.microsoft.com/?kbid=328010
Download: http://www.microsoft.com/downloads/details.aspx?FamilyId=D26A0AEA-D274-42E6-8025-8C667B4C94E9&displaylang=en

How we have it configured:

Clients automatically download updates and attempt install at 3AM, every day. If a user is logged in, they are prompted to install the updates <yes/no> with a 5 minute countdown timer. If no action is taken after 5 minutes, it defaults to <yes>. After updates are installed, the user is prompted to reboot their computer <yes/no> - there is NOT a default at this screen. This way the user will not lose any unsaved work. If there is not a user logged in, the computer automatically installs and reboots. If the computer is not on at the scheduled install time: the process begins 5 minutes after the machine is powered on, and resumes the cycle as explained above.

Hope this helps.

Also, I see you've mentioned GFI's LanGuard below. Have you tried eEye's 'Retina'? It feels like a pretty well-rounded product and would be good for auditing your network.

Regards,
Tony

-----Original Message-----
From: John Valenti [mailto:[log in to unmask]]
Sent: Thursday, September 18, 2003 4:41 PM
To: [log in to unmask]
Subject: Some notes on automated patching

FYI I've been patching our department's computers (~75) manually. I know there are packages available to automate this, but it didn't seem worth the time and effort to deploy another application. The last two months have changed my feelings; here are some of my findings:

(1) Microsoft SUS. This runs on top of IIS, so I rejected it as making the problem bigger. (yes, I'm an anti-Microsoft bigot)

(2) Shavlik HFNetchk. They have a free download (LT version) that will patch up to 11 computers. The Pro version seems to cost $1458 for 75 clients. I haven't checked on educational discounts yet. A nice feature of the LT version is that it will scan unlimited computers for patch status. http://www.shavlik.com/

(3) GFI Languard Network Security Scanner. http://www.gfi.com/lannetscan/ I haven't tried this one yet, since they strongly suggest reading the 127 page manual before installing. Cost is $495 for 100 IP addresses, but they have a clause about "free for non-commercial use".

(4) Hacking up something with utility programs... I found a program called soon.exe at Microsoft. It lets you schedule a job on a remote computer. It turned out to be buggy, but I found a similar freeware utility called atnow.com. I ended up running a batch file like this:

    atnow \\belmanda "\\maytag\apps\w2k-kb824146.exe" -u -f -n -q
    atnow \\holbrookeli "\\maytag\apps\w2k-kb824146.exe" -u -f -n -q
    atnow \\kossekoffice "\\maytag\apps\w2k-kb824146.exe" -u -f -n -q

I'm moderately happy with this. I ended up with a few computers that didn't take the patch, but I can use HFNetchk to find those pretty easily.

Some questions for the list:

(1) What methods have you come up with for automated patching?
(2) Is there an open source program to do "WakeOnLan"?
(3) Most of the patches need a reboot. Have you worked out an agreement with faculty about remotely rebooting their computers?

-John
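The Automatic Updates configuration Tony describes in his reply (download and install at 3 AM every day, pick up a missed schedule 5 minutes after boot, never reboot out from under a logged-on user) maps onto the policy registry values that the updated ADM template from KB 328010 exposes. The PowerShell below is an added example, not code from either poster or from Microsoft, and PowerShell itself postdates the thread; it writes those values into the Policies hive on one machine and reads them back so you can verify that the GPO actually landed on a client. The SUS server URL is a hypothetical placeholder, and the functions assume they run elevated on a domain member that will later receive the real GPO.

```powershell
# Added example (not from the thread): apply and verify the Automatic Updates
# policy values that correspond to Tony's GPO configuration. Run as Administrator.
# $SusServer is a hypothetical placeholder; leave it empty to keep clients
# talking to Microsoft directly, as Tony's setup does.

$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Set-AutoUpdatePolicy {
    param(
        [int]$InstallHour = 3,                 # ScheduledInstallTime: 0-23 (3 = 3 AM)
        [int]$InstallDay = 0,                  # ScheduledInstallDay: 0 = every day, 1-7 = Sun..Sat
        [int]$MissedScheduleWaitMinutes = 5,   # RescheduleWaitTime: minutes after boot, 1-60
        [string]$SusServer = ''                # e.g. 'http://sus.example.local' (hypothetical)
    )
    foreach ($k in @($WuKey, $AuKey)) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    # AUOptions 4 = automatically download updates and install on the schedule below
    Set-ItemProperty -Path $AuKey -Name 'NoAutoUpdate'         -Value 0 -Type DWord
    Set-ItemProperty -Path $AuKey -Name 'AUOptions'            -Value 4 -Type DWord
    Set-ItemProperty -Path $AuKey -Name 'ScheduledInstallDay'  -Value $InstallDay -Type DWord
    Set-ItemProperty -Path $AuKey -Name 'ScheduledInstallTime' -Value $InstallHour -Type DWord
    # Machine was off at 3 AM: start the cycle N minutes after the next power-on
    Set-ItemProperty -Path $AuKey -Name 'RescheduleWaitTime'   -Value $MissedScheduleWaitMinutes -Type DWord
    # Prompt a logged-on user to reboot instead of rebooting automatically (no unsaved-work loss)
    Set-ItemProperty -Path $AuKey -Name 'NoAutoRebootWithLoggedOnUsers' -Value 1 -Type DWord
    if ($SusServer) {
        # Point the client at an internal SUS server instead of Microsoft
        Set-ItemProperty -Path $AuKey -Name 'UseWUServer'    -Value 1 -Type DWord
        Set-ItemProperty -Path $WuKey -Name 'WUServer'       -Value $SusServer -Type String
        Set-ItemProperty -Path $WuKey -Name 'WUStatusServer' -Value $SusServer -Type String
    } else {
        Set-ItemProperty -Path $AuKey -Name 'UseWUServer'    -Value 0 -Type DWord
    }
}

function Test-AutoUpdatePolicy {
    # Returns $true when every expected AU value is present with the expected data;
    # warns about each mismatch so a missing or overridden GPO setting is obvious.
    $expected = @{
        NoAutoUpdate = 0; AUOptions = 4; ScheduledInstallDay = 0
        ScheduledInstallTime = 3; RescheduleWaitTime = 5; NoAutoRebootWithLoggedOnUsers = 1
    }
    $actual = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue
    $ok = $true
    foreach ($name in $expected.Keys) {
        $value = if ($actual) { $actual.$name } else { $null }
        if ($value -ne $expected[$name]) {
            $shown = if ($null -eq $value) { '<missing>' } else { $value }
            Write-Warning ("{0}: expected {1}, found {2}" -f $name, $expected[$name], $shown)
            $ok = $false
        }
    }
    return $ok
}

Set-AutoUpdatePolicy -InstallHour 3 -InstallDay 0 -MissedScheduleWaitMinutes 5
Test-AutoUpdatePolicy
```

Values written under HKLM\SOFTWARE\Policies are overwritten at the next Group Policy refresh on a domain member, so Set-AutoUpdatePolicy is only useful for a lab box or a machine outside the domain; on production clients the GPO built from the ADM template is the source of truth, and Test-AutoUpdatePolicy is the part worth running (for example over the machine list from the atnow batch file) to confirm the policy was applied before trusting the 3 AM install cycle.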