I have problems finding a proper way for patching our company notebooks during their VPN sessions.
Our remote clients are all Windows 7 Enterprise notebooks with underprivileged system accounts.
Because of company policy, only patched clients are allowed the full access role at the start point of a VPN session.
If the client becomes out of compliance because of a missing patch during a VPN session, it remains in the "full access" role and only has to download the patches from the company WSUS.
For internal LAN-connected workstations we use the update mechanism in the way that downloaded patches get installed only during the shutdown process,
because we do not want to interrupt users with a possibly necessary and user-unapproved reboot after an installed patch.
For the remote connected clients we thought about a similar way.
.) At the beginning of each VPN session, HC on the role mapping level checks for missing patches.
.) If one is missing, the client gets mapped to a validation role.
.) In this role WSAM starts and runs a start script on the client -> wuauclt.exe /detectnow
.) Clients get connected to WSUS and download the missing patches.
The problem at this point:
The patches are only downloaded, but not installed -> a reboot would install the patches, but wuauclt gives no return value. This means I cannot detect the point when the patch download is finished in order to initiate a reboot -> which would start the install process.
I know that some other tools exist which could download and install and even reboot the client, but because WSAM runs as an underprivileged system account I cannot use them.
If I set a global WSUS rule to download and install patches, I run into the problem that mobile clients within the company LAN could be restarted without user approval because an automatically installed patch update needs a reboot.
Maybe someone of you guys solved a similar problem or just has a tip for me.
Every help is really welcome.
Thanks in advance and kind regards.
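The missing piece in the workflow above is a signal for "download finished", since wuauclt.exe returns nothing useful. The Windows Update Agent exposes that state through its COM API, which the following added example (not code from the thread or from any participant) polls. It assumes the WSUS server is already assigned by Group Policy, reads state only, and never installs or reboots; the poll interval and timeout are hypothetical values. Installing through this API needs administrative rights, which the poster says the WSAM start script does not have, so the script stops at reporting.

```powershell
# Added example: poll the Windows Update Agent COM API for the download state of
# pending updates, giving a start script a concrete "all downloads finished" point
# instead of relying on the exit code of wuauclt.exe.
# Assumptions: WSUS is already configured via Group Policy; the script only reads
# agent state and does not install or reboot. Interval/timeout are hypothetical.

param(
    [int]$PollIntervalSeconds = 60,   # re-check the agent state this often
    [int]$MaxMinutes          = 120   # give up after this long
)

function Get-PendingUpdateState {
    # Returns downloaded vs. not-yet-downloaded applicable updates plus reboot state.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = 1      # ssManagedServer: query the configured WSUS server
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0")

    $downloaded = @()
    $pending    = @()
    foreach ($update in $result.Updates) {
        $kb = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ","
        if ($update.IsDownloaded) { $downloaded += "$kb $($update.Title)" }
        else                      { $pending    += "$kb $($update.Title)" }
    }

    New-Object PSObject -Property @{
        Downloaded    = $downloaded
        Pending       = $pending
        RebootPending = (New-Object -ComObject Microsoft.Update.SystemInfo).RebootRequired
    }
}

# Trigger a detection cycle now (same effect as wuauclt.exe /detectnow).
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()

$deadline = (Get-Date).AddMinutes($MaxMinutes)
do {
    $state = Get-PendingUpdateState
    Write-Host ("{0}: {1} downloaded, {2} still pending, reboot pending: {3}" -f `
        (Get-Date), $state.Downloaded.Count, $state.Pending.Count, $state.RebootPending)
    if ($state.Pending.Count -eq 0) { break }
    Start-Sleep -Seconds $PollIntervalSeconds
} while ((Get-Date) -lt $deadline)

if ($state.Pending.Count -eq 0) {
    # Every applicable update is on disk. This is the point at which the workflow
    # in the post could hand over to a user-visible install/reboot step instead of
    # guessing when the download completed.
    Write-Host "All pending updates downloaded:"
    $state.Downloaded | ForEach-Object { Write-Host "  $_" }
    exit 0
} else {
    Write-Host "Timed out with updates still pending:"
    $state.Pending | ForEach-Object { Write-Host "  $_" }
    exit 1
}
```

The exit code (0 when everything is downloaded, 1 on timeout) is what a WSAM start script or a Host Checker policy could act on; the reboot itself stays a separate, user-approved step, which is the behaviour the LAN workstations already have.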
Well, right or wrong, the way we have ours deployed is that the WSAM client is set to allow traffic to the WSUS server, so when the end user logs into the IVE, WSAM launches, and then we have the group policy of the machine set to point to WSUS. WSUS is set to install all patches at a given time daily; if the patch is critical and the time that is set up for install has passed, the patch is installed immediately. Yes, in that case it could cause a reboot, but that's how we are doing it.
That means you just push all the Windows updates to all the clients before testing them?
We've had some cases over the years where updates caused different applications to malfunction. There was even one update that made Host Checker or Network Connect (don't remember exactly) unusable, so this patch was not safe to get deployed to the clients.
If you have had such a case once, you think twice about just pushing updates to all machines before testing all important applications after adding new patches first!
> That means you just push all the Windows updates to all the clients before testing them?
No, we deploy only tested patches.
We have a "Test" OU that has the same GPO applied to it as the others, but only a few users that sit in it as the testers. But we have had only one issue in the 7 years we have been using the IVE, and that was related to the dual core processors way back when.
Hi, thanks for your answers.
Do you use the Shavlik stuff to check for correct patch versions?
I ask because I just have bad experience with the Shavlik one and unprivileged users.