Hi all, I have problems finding a proper way to patch our company notebooks during their VPN sessions. Our remote clients are all Windows 7 Enterprise notebooks with underprivileged system accounts. Because of company policy, only patched clients are allowed the full-access role at the start of a VPN session. If a client becomes out of compliance because of a missing patch during a VPN session, it remains in the "full access" role and only has to download the patches from the company WSUS. For internal LAN-connected workstations we use the update mechanism in such a way that downloaded patches only get installed during the shutdown process, because we do not want to interrupt users with a possibly necessary, user-unapproved reboot after an installed patch. For the remote-connected clients we thought about a similar way:

- At the beginning of each VPN session, HC on the role-mapping level checks for missing patches.
- If one is missing, the client gets mapped to a validation role.
- In this role WSAM starts and runs a start script on the client -> wuauclt.exe /detectnow
- Clients get connected to WSUS and download the missing patches.

The problem at this point: the patches are only downloaded, but not installed -> a reboot would install the patches, but wuauclt gives no return value. This means I cannot detect the point when the patch download is finished in order to initiate a reboot -> which would start the install process. I know that some other tools exist which could download and install and even reboot the client, but because WSAM runs as an underprivileged system account I cannot use them. If I set a global WSUS rule to download and install patches, I run into the problem that mobile clients within the company LAN could be restarted without user approval, because an automatically installed patch update needs a reboot. Maybe one of you guys has solved a similar problem or just has a tip for me. Any help is really welcome.
Thanks in advance and kind regards. gerry
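One way to detect the state that wuauclt does not report, as an added example (not from the original post or this thread): a PowerShell script that queries the Windows Update Agent COM API for applicable updates and separates those already downloaded from those still pending. Assumptions: the client's Windows Update Agent is pointed at the company WSUS via Group Policy, and the script is launched from the WSAM start-script context; the read-only search is expected to work without administrative rights, whereas installing the updates would not.

```powershell
# Added example, not from the original post. Queries the Windows Update Agent
# (WUA) COM API for updates that apply to this client and reports whether the
# download phase is complete, which wuauclt.exe /detectnow does not report.
# Assumption: the WUA is already configured to use the company WSUS server.

function Get-PendingUpdateState {
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()

    # Applicable updates not yet installed; IsHidden=0 skips user-hidden ones.
    $result = $searcher.Search('IsInstalled=0 and IsHidden=0')

    $downloaded = @()
    $pending    = @()
    foreach ($update in $result.Updates) {
        if ($update.IsDownloaded) { $downloaded += $update } else { $pending += $update }
    }

    # Reboot state reported by the WUA itself (e.g. an earlier install waiting on restart).
    $rebootRequired = (New-Object -ComObject 'Microsoft.Update.SystemInfo').RebootRequired

    return New-Object PSObject -Property @{
        Applicable     = $result.Updates.Count
        Downloaded     = $downloaded
        Pending        = $pending
        RebootRequired = $rebootRequired
    }
}

$state = Get-PendingUpdateState

Write-Host ("Applicable updates:           {0}" -f $state.Applicable)
Write-Host ("Downloaded, awaiting install: {0}" -f $state.Downloaded.Count)
Write-Host ("Still to download:            {0}" -f $state.Pending.Count)
Write-Host ("Reboot already required:      {0}" -f $state.RebootRequired)
foreach ($u in $state.Downloaded) { Write-Host ("  ready:   " + $u.Title) }
foreach ($u in $state.Pending)    { Write-Host ("  waiting: " + $u.Title) }

# Exit code for a wrapper (e.g. the WSAM start script) to act on:
#   0 = nothing outstanding
#   1 = all applicable updates are downloaded; an install/reboot can be scheduled
#   2 = downloads still in progress; poll again later
if ($state.Applicable -eq 0)      { exit 0 }
elseif ($state.Pending.Count -eq 0) { exit 1 }
else                                { exit 2 }
```

Polling this script a few times during the validation role gives the "download finished" signal that wuauclt lacks; what the wrapper then does with exit code 1 (prompt the user, schedule the shutdown-time install, or re-run Host Checker) can follow the same no-unapproved-reboot policy used on the LAN.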