Is there a utility that will allow me to bundle Microsoft patches, transfer them to the end user and execute a...
patch installation without a reboot?
There is good news and bad news. The bad news is you can't avoid a reboot once the patch is installed. This is because if a patch installs over a file that is in use, or the package explicitly asks the installer to reboot, the system will need to reboot before the new file can be used. However, if you batch install the patches you can get by with just one reboot after all updates are installed. There are a variety of ways you can control Microsoft patch installations for your end users. Let's take a look at some of them.
In my opinion, the easiest software to use is HFNetChkPro™ from Shavlik Technologies. (Shavlik developed the HFNetChk™ scanning engine that's used by Microsoft's Baseline Security Analyzer.) There is also a Basic Edition, which is aimed at smaller organizations that do not need advanced patch management functions. To learn more about these tools visit http://www.shavlik.com/.
You can also use Microsoft's Windows Server Update Services. This tool allows you to manage the distribution and schedule the installation of updates that are released through Microsoft Update to computers in your network. To learn more about this tool, visit https://www.microsoft.com/technet/security/tools/default.mspx.
If you prefer to use command-line tools you might want to consider using Microsoft's QChain.exe. QChain.exe can chain updates together so that multiple updates can be installed without restarting a computer between each installation. The following sample batch file demonstrates how to use Qchain.exe:
set PATHTOFIXES=some path
%PATHTOFIXES%Q123456_w2k_sp2_x86.exe -z -m
%PATHTOFIXES%Q123321_w2k_sp2_x86.exe -z -m
%PATHTOFIXES%Q123789_w2k_sp2_x86.exe -z -m
The update installer runs with the -z switch to instruct the installer not to restart after the installation, while the -m switch prevents prompts or messages appearing during the installation.
Unfortunately, there are various issues with both devices. For example, the aforementioned batch file doesn't work with programs that don't use the update.exe installation program. These updates use an INF-based installation instead of Update.exe. For more information on how to use these command-line tools, read this article.
To verify, if your computer is completely updated, you should use the Qfecheck.exe tool. To learn more about this device visit http://support.microsoft.com/kb/282784/EN-US/.
Dig Deeper on Microsoft Patch Tuesday and patch management
Related Q&A from Michael Cobb
Expert Michael Cobb details how to argue for a multistep secure code review process, like Microsoft SDL, and the pros of secure coding practices. Continue Reading
Researchers developed a tool to help prevent improper certificate pinning that causes security issues. Expert Michael Cobb reviews the issue and the ... Continue Reading
Google Project Zero discovered a WPAD attack that could target systems running Windows 10. Expert Michael Cobb explains how the attack works and how ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.