Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

MS OS Patch Management via ITCM 4.2

Status
Not open for further replies.
danfitz999

danfitz999

Vendor
Jun 4, 2003
2
0
0
US
Have you been successful automating OS Patch management on Windows desktops? I am trying to develop a strategy to address the following requirements:

1) Reading the Microsoft patch data base- This would allow an admin. to see what patches are available and determine which are needed.

2) Analyzing the patches themselves- This would allow an admin. to see exactly what is in the patch (new/modified .DLLs, registry changes, etc.) and determine if it would break anything else if they applied it.

3) Who has what patch? / What patches have been applied?- I know we can see what software is on the box but can we see down to the patch level? Is there anything in the operating system itself that could help with this? Is the use of software signatures the best strategy?

Thanks for any help.
-Dan

Daniel T. Fitzgerald
Metacom Technologies
302-983-0439
 
Sort by date Sort by votes
Issue #1
Not sure how to address this programmatically. I don't believe MS allows that level of access to the product/patch DB. The patches could be downloaded to a server and the signature file updated after the patch has been through QA.

Issue #2
I would hope that the admins would be doing this anyway. While in my experience MS patches are fairly reliable, they do sometimes break things. Some sort of QA/QC process is a MUST. The downloaded patches should be thoroughly tested against the available machine builds BEFORE the signature file is updated.

Issue #3
IMO, the signature file would be the best mechanism for this, at least for tracking purposes.

Scenario:

Admin dowloads patch(es) from MS and applies to server or workstation builds. We assume for the sake of argument that it does not break anything. In this case, the admin can create the software package or stage the binary in the software repository. He/she then updates the sig file.

Inventory scans the hosts on the network and compares the applicable file versions and dates to the ones in the sig file. If a newer patch version or missing patch is found, a script can be run to schedule a distribution of the software package to that host.

Any way you slice it, I just don't see a "zero administraion" solution for this. At some level there's going to have to be some maintenance involved.

 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

chiraganand
  • Locked
  • Question
Does anyone know how to get notified about long running jobs in TWS via script
Replies
0
Views
62
chiraganand
chiraganand
roholly
  • Locked
  • Question
Tivoli SWD 4.2.3 JSPE
Replies
0
Views
47
roholly
roholly
lotlab
  • Locked
  • Question
Patch TWS 170
Replies
0
Views
38
lotlab
lotlab
saggaf
  • Locked
  • Question
User Notification Window for ITCM 4.2
Replies
0
Views
14
saggaf
saggaf
martin333
  • Locked
  • Question
IBM Software distribution - MS Office 2000 problem
Replies
1
Views
38
Stiddy
Stiddy

Part and Inventory Search

Sponsor

Back
Top