I ended up implementing MS SUS about six to nine months ago. We don't use MS IIS for any other web hosting, so I was very leery of setting it up; however, as long as the patches are up to date on the server, I haven't seen any problems. I just saw a notification yesterday that MS SUS will also now allow network installs of service packs. I had used a Group Policy Object with Win2K SP3 and that took a long time to get every computer updated; some never did get updated. I am going to try SUS this time around (SP4) and see what happens.

I have the group policy set (with the same admin template that Tony Cooke mentioned) with basically the same settings. The machines are set to download approved updates daily. I have one group of machines (six total) that this does not work on (users can't be bothered with a pop-up window to reboot when running an experiment), so I have not made this my default domain policy, but rather have an Organizational Unit in Active Directory with the policy.

The only administrative work I have is to check what new updates were downloaded automatically by my SUS server (again, daily) that I should approve or not approve for my workstations (check or no check and click "Approve"). I also have to make sure that any new computer added to Active Directory gets placed in the OU to get the auto update GPO. I use Altiris Deployment Solution and Altiris Inventory Solution to see who has and doesn't have an update. If you don't have these tools, hfnetchk, the free version, will tell you.

I looked at the same products as John, and I also have Altiris Deployment Solution, but that wasn't "great" either. Most packages (save HfNetChk - which does this for you in the latest version, but didn't use to) required you to manually download the .exe, set up the switches in a .bat file, and then schedule it for computers. This was very troublesome on the 350 Windows boxes I manage. This could definitely become a full-time job for someone.
Of course, a lot has changed in the past six to nine months, and I'm sure there are more robust packages now. I think patch management tools will get better very fast, but they will also be expensive. Right now, SUS is free, and it has been working for me. In the last few rounds of virus problems, I had under 10 machines with problems (note, I have over 350 computers I'm patching).

As far as faculty and remotely rebooting their computers... We told them if we didn't they could lose their data/work/settings. It only takes one victim before the others will come running to get their machine patched.

I hope I've helped and not confused anyone even more. A bit of rambling I'm afraid.

Katie Clark
National Superconducting Cyclotron Laboratory
Michigan State University
517.333.6338

-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On Behalf Of John Valenti
Sent: Thursday, September 18, 2003 4:41 PM
To: [log in to unmask]
Subject: Some notes on automated patching

FYI

I've been patching our department's computers (~75) manually. I know there are packages available to automate this, but it didn't seem worth the time and effort to deploy another application. The last two months have changed my feelings; here are some of my findings:

(1) Microsoft SUS. This runs on top of IIS, so I rejected it as making the problem bigger. (yes, I'm an anti-Microsoft bigot)

(2) Shavlik HFNetchk. They have a free download (LT version) that will patch up to 11 computers. The Pro version seems to cost $1458 for 75 clients. I haven't checked on educational discounts yet. A nice feature of the LT version is that it will scan unlimited computers for patch status. http://www.shavlik.com/

(3) GFI Languard Network Security Scanner. http://www.gfi.com/lannetscan/ I haven't tried this one yet, since they strongly suggest reading the 127 page manual before installing. Cost is $495 for 100 IP addresses, but they have a clause about "free for non-commercial use".

(4) Hacking up something with utility programs... I found a program called soon.exe at Microsoft. It lets you schedule a job on a remote computer. It turned out to be buggy, but I found a similar freeware utility called atnow.com. I ended up running a batch file like this:

    atnow \\belmanda "\\maytag\apps\w2k-kb824146.exe" -u -f -n -q
    atnow \\holbrookeli "\\maytag\apps\w2k-kb824146.exe" -u -f -n -q
    atnow \\kossekoffice "\\maytag\apps\w2k-kb824146.exe" -u -f -n -q

I'm moderately happy with this. I ended up with a few computers that didn't take the patch, but I can use HFNetchk to find those pretty easily.

Some questions for the list:

(1) What methods have you come up with for automated patching?
(2) Is there an open source program to do "WakeOnLan"?
(3) Most of the patches need a reboot. Have you worked out an agreement with faculty about remotely rebooting their computers?

-John
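The per-host atnow lines in John's message generalize to a host-list-driven batch file that also records which machines were actually reachable and scheduled, so a later HFNetchk scan for stragglers can start from the log. This is an added example, not John's script; it assumes a constructed hosts.txt (one hostname per line, "#" for comments) in the current directory, atnow.com on the PATH, the same share and hotfix path as in the thread, and that atnow returns a non-zero exit code when it fails to schedule the job.

```batch
@echo off
rem Added example: schedule the same hotfix on every host listed in hosts.txt
rem and log the outcome per host, instead of one hand-written atnow line each.
setlocal

rem Same share and installer switches as in the original message
rem (-u unattended, -f force apps closed, -n no uninstall backup, -q quiet).
set PATCH=\\maytag\apps\w2k-kb824146.exe
set LOG=patch-log.txt

echo Run started %date% %time% >> %LOG%

rem hosts.txt is a constructed input, e.g.:
rem   # one hostname per line
rem   belmanda
rem   holbrookeli
rem   kossekoffice
for /f "eol=# tokens=1" %%H in (hosts.txt) do (
    rem Skip hosts that are off or unreachable so the job is not queued blindly;
    rem these are the ones to chase with WakeOnLan or HFNetchk later.
    ping -n 1 %%H >nul 2>&1
    if errorlevel 1 (
        echo %%H UNREACHABLE >> %LOG%
    ) else (
        atnow \\%%H "%PATCH%" -u -f -n -q
        rem Assumption: atnow sets a non-zero errorlevel on scheduling failure.
        if errorlevel 1 (
            echo %%H SCHEDULE-FAILED >> %LOG%
        ) else (
            echo %%H SCHEDULED >> %LOG%
        )
    )
)

echo Run finished %date% %time% >> %LOG%
endlocal
```

Scheduling the job only means the installer was handed to the remote machine; whether the patch actually applied still has to be confirmed with a patch-status scan such as the HFNetchk check the message describes.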