Q

Managing patch installations

Learn how using batch file utilities can help control Microsoft patch installations.

Is there a utility that will allow me to bundle Microsoft patches, transfer them to the end user and execute a patch installation without a reboot?

There is good news and bad news. The bad news is you can't avoid a reboot once the patch is installed. This is because if a patch installs over a file that is in use, or the package explicitly asks the installer to reboot, the system will need to reboot before the new file can be used. However, if you batch install the patches you can get by with just one reboot after all updates are installed. There are a variety of ways you can control Microsoft patch installations for your end users. Let's take a look at some of them.

In my opinion, the easiest software to use is HFNetChkPro™ from Shavlik Technologies. (Shavlik developed the HFNetChk™ scanning engine that's used by Microsoft's Baseline Security Analyzer.) There is also a Basic Edition, which is aimed at smaller organizations that do not need advanced patch management functions. To learn more about these tools visit http://www.shavlik.com/.

You can also use Microsoft's Windows Server Update Services. This tool allows you to manage the distribution and schedule the installation of updates that are released through Microsoft Update to computers in your network. To learn more about this tool, visit https://www.microsoft.com/technet/security/tools/default.mspx.

If you prefer to use command-line tools, you might want to consider Microsoft's QChain.exe. QChain.exe can chain updates together so that multiple updates can be installed without restarting a computer between each installation. The following sample batch file demonstrates how to use QChain.exe:

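@echo off
setlocal
rem Folder that holds the update packages and qchain.exe (no trailing backslash)
set PATHTOFIXES=some path
rem Install each update: -z = do not restart, -m = no prompts or messages
"%PATHTOFIXES%\Q123456_w2k_sp2_x86.exe" -z -m
"%PATHTOFIXES%\Q123321_w2k_sp2_x86.exe" -z -m
"%PATHTOFIXES%\Q123789_w2k_sp2_x86.exe" -z -m
rem Run QChain once, after the last update, then restart the computer
"%PATHTOFIXES%\qchain.exe"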

The update installer runs with the -z switch to instruct the installer not to restart after the installation, while the -m switch prevents prompts or messages from appearing during the installation.
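The same procedure generalized to a whole folder of packages, as an added example that is not part of the original article or Microsoft's sample: it installs every package it finds, logs each exit code, and runs QChain only if all installs succeeded. The folder C:\Patches, the log file name, the Q*_x86.exe file pattern and the treatment of exit codes 0 and 3010 as success are assumptions.

```batch
@echo off
rem Added example: install every update package in one folder, then run QChain once.
setlocal EnableDelayedExpansion

rem Assumed locations (constructed for this example)
set "PATHTOFIXES=C:\Patches"
set "LOGFILE=%TEMP%\patch-install.log"
set FAILED=0

if not exist "%PATHTOFIXES%\qchain.exe" (
    echo qchain.exe not found in "%PATHTOFIXES%"
    exit /b 1
)

rem Assumed naming pattern, modelled on the file names in the sample batch file
for %%F in ("%PATHTOFIXES%\Q*_x86.exe") do (
    echo Installing %%~nxF
    rem -z = do not restart after install, -m = no prompts or messages
    "%%~fF" -z -m
    set RC=!ERRORLEVEL!
    >>"%LOGFILE%" echo %%~nxF exit code !RC!
    rem Assumption: 0 and 3010 (success, reboot required) mean the package installed
    if not "!RC!"=="0" if not "!RC!"=="3010" set FAILED=1
)

if "%FAILED%"=="1" (
    echo At least one package failed. See "%LOGFILE%". QChain was not run.
    exit /b 1
)

rem Run QChain once, after the last package
"%PATHTOFIXES%\qchain.exe"
echo All packages installed. Restart the computer to finish.
endlocal
```

Stopping before QChain on a failed install leaves a log entry to investigate before the machine is restarted and reported as patched.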

Unfortunately, there are various issues with both tools. For example, the aforementioned batch file doesn't work with programs that don't use the Update.exe installation program. These updates use an INF-based installation instead of Update.exe. For more information on how to use these command-line tools, read this article.

To verify that your computer is completely updated, you should use the Qfecheck.exe tool. To learn more about this tool, visit http://support.microsoft.com/kb/282784/EN-US/.

This was first published in August 2005
