Is there a utility that will allow me to bundle Microsoft patches, transfer them to the end user and execute a...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
patch installation without a reboot?
There is good news and bad news. The bad news is you can't avoid a reboot once the patch is installed. This is because if a patch installs over a file that is in use, or the package explicitly asks the installer to reboot, the system will need to reboot before the new file can be used. However, if you batch install the patches you can get by with just one reboot after all updates are installed. There are a variety of ways you can control Microsoft patch installations for your end users. Let's take a look at some of them.
In my opinion, the easiest software to use is HFNetChkPro™ from Shavlik Technologies. (Shavlik developed the HFNetChk™ scanning engine that's used by Microsoft's Baseline Security Analyzer.) There is also a Basic Edition, which is aimed at smaller organizations that do not need advanced patch management functions. To learn more about these tools visit http://www.shavlik.com/.
You can also use Microsoft's Windows Server Update Services. This tool allows you to manage the distribution and schedule the installation of updates that are released through Microsoft Update to computers in your network. To learn more about this tool, visit https://www.microsoft.com/technet/security/tools/default.mspx.
If you prefer to use command-line tools you might want to consider using Microsoft's QChain.exe. QChain.exe can chain updates together so that multiple updates can be installed without restarting a computer between each installation. The following sample batch file demonstrates how to use Qchain.exe:
set PATHTOFIXES=some path
%PATHTOFIXES%Q123456_w2k_sp2_x86.exe -z -m
%PATHTOFIXES%Q123321_w2k_sp2_x86.exe -z -m
%PATHTOFIXES%Q123789_w2k_sp2_x86.exe -z -m
The update installer runs with the -z switch to instruct the installer not to restart after the installation, while the -m switch prevents prompts or messages appearing during the installation.
Unfortunately, there are various issues with both devices. For example, the aforementioned batch file doesn't work with programs that don't use the update.exe installation program. These updates use an INF-based installation instead of Update.exe. For more information on how to use these command-line tools, read this article.
To verify, if your computer is completely updated, you should use the Qfecheck.exe tool. To learn more about this device visit http://support.microsoft.com/kb/282784/EN-US/.
Dig Deeper on Security patch management and Windows Patch Tuesday news
Related Q&A from Michael Cobb
According to recent research, mobile certificate usage is riddled with security issues. Expert Michael Cobb explains how to best control and secure ...continue reading
Mozilla's Project Shumway was designed to replace the security-troubled Flash Player, so should it be on an enterprise's radar? Expert Michael Cobb ...continue reading
Geofencing technology creates a virtual fence on employee devices, adding a crucial extra layer of security. But do privacy concerns negate the ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.