Is there a utility that will allow me to bundle Microsoft patches, transfer them to the end user and execute a patch installation without a reboot?
There is good news and bad news. The bad news is you can't avoid a reboot once the patch is installed. This is because if a patch installs over a file that is in use, or the package explicitly asks the installer to reboot, the system will need to reboot before the new file can be used. However, if you batch install the patches you can get by with just one reboot after all updates are installed. There are a variety of ways you can control Microsoft patch installations for your end users. Let's take a look at some of them.
In my opinion, the easiest software to use is HFNetChkPro™ from Shavlik Technologies. (Shavlik developed the HFNetChk™ scanning engine that's used by Microsoft's Baseline Security Analyzer.) There is also a Basic Edition, which is aimed at smaller organizations that do not need advanced patch management functions. To learn more about these tools visit http://www.shavlik.com/.
You can also use Microsoft's Windows Server Update Services. This tool allows you to manage the distribution and schedule the installation of updates that are released through Microsoft Update to computers in your network. To learn more about this tool, visit https://www.microsoft.com/technet/security/tools/default.mspx.
If you prefer to use command-line tools you might want to consider using Microsoft's QChain.exe. QChain.exe can chain updates together so that multiple updates can be installed without restarting a computer between each installation. The following sample batch file demonstrates how to use Qchain.exe:
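rem Folder that holds the update packages and qchain.exe
set PATHTOFIXES=some path
rem Install each update with no restart (-z) and no prompts (-m)
%PATHTOFIXES%\Q123456_w2k_sp2_x86.exe -z -m
%PATHTOFIXES%\Q123321_w2k_sp2_x86.exe -z -m
%PATHTOFIXES%\Q123789_w2k_sp2_x86.exe -z -m
rem Run QChain once, after the last update and before the restart
%PATHTOFIXES%\qchain.exe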
The update installer runs with the -z switch to instruct the installer not to restart after the installation, while the -m switch prevents prompts or messages appearing during the installation.
Unfortunately, there are various issues with both tools. For example, the aforementioned batch file doesn't work with updates that don't use the Update.exe installation program. These updates use an INF-based installation instead of Update.exe. For more information on how to use these command-line tools, read this article.
To verify that your computer is completely updated, you should use the Qfecheck.exe tool. To learn more about this tool, visit http://support.microsoft.com/kb/282784/EN-US/.
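The chained install and the Qfecheck.exe verification described above can be combined in one batch file. This is an added example, not from the original article, and it goes beyond the sample by looping over a folder and logging each exit code. The folder layout (TOOLDIR, PKGDIR, LOG), the "verify" argument, the presence of qfecheck.exe on the PATH and the treatment of exit code 3010 as success are assumptions.

```batch
@echo off
setlocal enabledelayedexpansion
rem Added example. Assumed layout: update packages in %PKGDIR%,
rem qchain.exe in %TOOLDIR%, qfecheck.exe reachable through PATH.
set "TOOLDIR=C:\patchkit"
set "PKGDIR=%TOOLDIR%\packages"
set "LOG=%TOOLDIR%\install.log"

if /i "%~1"=="verify" goto :verify

if not exist "%TOOLDIR%\qchain.exe" (
    echo qchain.exe missing from %TOOLDIR%, nothing installed.
    exit /b 2
)

set /a COUNT=0, FAILED=0
rem Packages sit in their own folder so the loop never launches qchain.exe itself.
for %%F in ("%PKGDIR%\*.exe") do (
    >>"%LOG%" echo !DATE! !TIME! installing %%~nxF
    rem -z: no restart after this package; -m: no prompts or messages.
    "%%~fF" -z -m
    set "RC=!ERRORLEVEL!"
    >>"%LOG%" echo !DATE! !TIME! %%~nxF exit code !RC!
    set /a COUNT+=1
    rem Assumption: 0 and 3010 (success, restart required) both mean installed.
    if not "!RC!"=="0" if not "!RC!"=="3010" set /a FAILED+=1
)

if %COUNT%==0 (
    echo No packages found in %PKGDIR%.
    exit /b 2
)

rem Run QChain once, after the last package and before the single restart.
"%TOOLDIR%\qchain.exe"
>>"%LOG%" echo %DATE% %TIME% qchain exit code %ERRORLEVEL%
echo %COUNT% package(s) run, %FAILED% reported an error.
echo Restart once, then run: %~nx0 verify
if %FAILED% gtr 0 exit /b 1
exit /b 0

:verify
rem After the restart: Qfecheck.exe /v writes a verbose report of installed updates.
>>"%LOG%" qfecheck.exe /v
exit /b %ERRORLEVEL%
```

The redirection is written before each echo so that an exit code digit next to ">>" is not parsed as a file handle number.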