how to update 100 machines at once

[marqucha]

got a question for u all familiar with server 2000
i work as an intern in my school animation dept. we have about 110 computers. my job is to make sure all the computer have the current microsoft update as well as anti virus updates. is there any way i can do this from the server, rather than doing it from each machine locally.
( the students do not log on to the local machine but to the server)

 

[Matthias99]

Dammit!

 

[Matthias99]

How about setting up a logon script that does it? I know my company used to do something like that to make sure people had hotfixes for certain viruses when they logged on.

 

[Genx87]

I am sure there are corporate versions of AV that will allow you to keep client machines upto date. SMS will allow you to broadcast updates,hotfixes, and application installations to all or single computers from the server.

 

[mboy]

THIS is what u need.

 

[marqucha]

do u know where i can learn about logon on scripts

 

[azev]

SUS is a great product to do the MS hofix update. Depending on your antivirus software, if you're using a corporate versions of antivirus, they normally have a way to push updates to clients, atleast I know for sure Norton/Mcafee has a way to do this.

 

[xchangx]

Yeah SUS is free and from Microsoft. That pushes updates to computers.

Some AV corporate software has a server version that pushes virus definitions to clients computers.

 

[buleyb]

Link for MS SUS

For the search-challenged...

 

[zTargeTz]

Originally posted by: azev
SUS is a great product to do the MS hofix update. Depending on your antivirus software, if you're using a corporate versions of antivirus, they normally have a way to push updates to clients, atleast I know for sure Norton/Mcafee has a way to do this.

Dont you have to have an SMS server up and running to use SUS?

edit: aslo, be aware this only works with win2k and higher operating systems (no NT support here..)

 

[SaigonK]

You dont have to have SMS running to use SUS, it is stand alone. I have one setup myself, I have to say it doesnt work like advertised. It took quite awhile to see it work properly.
Also, GFI Languard isnt very good at detecting missed patches. It often misses tons of them on machines I scan.

You could buy Zenworks from Novell fairly cheaply, or even Triactive.

 

[zTargeTz]

Originally posted by: SaigonK
You dont have to have SMS running to use SUS, it is stand alone. I have one setup myself, I have to say it doesnt work like advertised. It took quite awhile to see it work properly.
Also, GFI Languard isnt very good at detecting missed patches. It often misses tons of them on machines I scan.

You could buy Zenworks from Novell fairly cheaply, or even Triactive.

We have SMS and are VERY unhappy with it, sounds like SUS is the same way

what was the issues with SUS that you had to work through? I have 550 clients and TRUST ME, i need SOMETHING! lol, its a pain to log into them individualy and update

 

[SaigonK]

It seemed as though we could not tell if it updated form the web or from the SUS server.

You have to use the Automatic update client, which means if you have it turned off or not installed you are going to have to touch every machine. Also you need to import the reigtry settings for SUS to work, which means either a logon script or touching every system.

 

[Hoober]

Originally posted by: Targeted

Originally posted by: SaigonK
You dont have to have SMS running to use SUS, it is stand alone. I have one setup myself, I have to say it doesnt work like advertised. It took quite awhile to see it work properly.
Also, GFI Languard isnt very good at detecting missed patches. It often misses tons of them on machines I scan.

You could buy Zenworks from Novell fairly cheaply, or even Triactive.

We have SMS and are VERY unhappy with it, sounds like SUS is the same way

what was the issues with SUS that you had to work through? I have 550 clients and TRUST ME, i need SOMETHING! lol, its a pain to log into them individualy and update

If you're unhappy with SMS you may want to look into Altiris Deployment Server. Text

I removed our company's SMS server two years ago in favor of Altiris's solution and we haven't looked back.

As far as SUS... if you implement group policy, and as long as your machines are 2000 SP3 or 4 or XP Pro you don't have to touch each one. We use a local SUS server to update all of our machines (over 2000) and all it took was implementing a new GP object with the correct SUS settings. It's really not that difficult. Unless, of course, you aren't on a domain and your machines aren't 2000 SP3 or 4 or XP Pro.

 

[Zuke]

If all you're doing is pushing out operating system patches to a windows 2000 or XP network, then SUS is the way to go. In my opinion it's a snap to set up and work. It works through a web interface and allows the administrator control as to which updates you push out. Just don't run any other web services on the SUS server.

Basically, you install SUS on a server, download all the updates, set the server to update itself from Microsoft on a regular basis (I set ours for every night) and then periodically check the SUSadmin page to approve updates. At the same time, like Hoober said, through Group Policy you force all your machines to use the Windows Update Client on a regular schedule. Also, through Group Policy you point the Windows Update Client to the server you have running SUS and it all does it's magic. And yes, all the clients need to at least be running win2k SP3. If they aren't already running the service pack, you can push that out through GP as well. In a win2k domain, there really isn't any excuse to say "I'm not able to keep our operating systems up-to-date."

If you're wanting a solution to push out software other than operating system patches and MS Office, then I'll also second Hoober's suggestion of Altiris. It's pretty slick.

 

[zTargeTz]

we are about 80% migrated from a mixed environment (nt 2k & xp) to a fully Win2k+ environment (not running AD yet though) I'll take a closer look at SUS today, maybe give it a trial run. Should help a lot with the majority of my client computers.
thanks for the info

 

[marqucha]

the users who log on to the school machines dont have any install privilages would this effect SUS when it updates windows

 

[zTargeTz]

thats the great thing about SUS, it installs reguardless of the users rights
I've installed the SUS server and aproved all the sec updates, now im working on the group policys, i'll let you know how it turns out as i porgress

 

[marqucha]

sweet

 

[zTargeTz]

server portion of SUS was easy to set up

I'm NOT running AD, so it looks like i have to set registry settings to configure Automatic Updates.

re: Deployguide_sp1.doc

Struggling through that now.. looks like i'll need to run a logon script to get this pushed out

edit: seems how i am clueless on writing logon scripts, im going to check out Script Logic and see if that will help me out

 

[zTargeTz]

well i gave it a shot, tryed to run this on an XP machine

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"RescheduleWaitTime"=dword:00000005
"NoAutoRebootWithLoggedOnUsers"=dword:00000000
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000003
"ScheduledInstallDay"=dword:00000003
"ScheduledInstallTime"=dword:0000013
"UseWUServer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://<ip of sus server>"
"WUStatusServer"="http://<ip of sus server>"

no dice, will continue to workon it

 

[Zuke]

So all your machines are windows 2000+ but you aren't running any servers with windows 2000 server? Why not? Don't you have any file-server needs?

What about when you need to roll out new computers or re-image current ones? How do you do that?

Or are you using NT4 for domain controllers?

Methinks win2k server (or 2003 server) on a primary domain controller with Active Directory will help a ton with administration of the network. (plus a backup domain controller and a dns server)

 

[zTargeTz]

Originally posted by: Zuke
So all your machines are windows 2000+ but you aren't running a machine with windows 2000 server? Why not? Don't you have any file-server needs?

What about when you need to roll out new computers or re-image current ones? How do you do that?

My domain is 80%+ windows2k (or better), domain controller (PDC) is still NT so i have to work with registry edits ( i guess?) to configure auto update on all the clients, at least thats what i got out of the .doc file i linked to earlyer

we are slowly cleaning out all the old NT stations, but untill we are done re imaging them im stuck with this situation (we have quite a few windows 2000 server & windows 2003 server set ups, but none are the PDC)

 

[Zuke]

Yikes, my sympathies to you. AD makes things so much easier.

Can't help you on the reg file either, the one you posted looks pretty good to me. <sigh>

When you do get the registry file working, you might want to put that, plus the Automatic Updates client on a usb jumpdrive to take around to installations with sp2 or lower. (I assume you can just push out a registry script to windows2k sp3+ clients)

 

[zTargeTz]

Originally posted by: Zuke
Yikes, my sympathies to you. AD makes things so much easier.

Can't help you on the reg file either, the one you posted looks pretty good to me. <sigh>

When you do get the registry file working, you might want to put that, plus the Automatic Updates client on a usb jumpdrive to take around to installations with sp2 or lower. (I assume you can just push out a registry script to windows2k sp3+ clients)

Luckly everything that is windows 2000, is currently at SP3 or 4 (mostly at 4) so as soon as i nail this down and slap it in a logon script i'll be good to go, going to spend tomrrow working on it,
the weird thing is the paths that im modifying registry at keys doesnt exist.. running the .reg file i posted just creates them.. so im not sure if an actual program is pointed there or what.. ahh well. i'll keep pounding on it