Patching clients automatically through domain user logon scripts


[Abstract] Windows operating system security receives growing attention, and Microsoft regularly releases patches to fix the system. However, because many users do not apply the patches in a timely manner, and this often causes significant losses, patching promptly is very important.

Prompt patching matters, but as local area networks grow ever larger, manually patching every client is far too much work for a network administrator to complete.

Choosing a solution

Besides having the network administrator install the patches on each client by hand, there are several ways to solve this laborious problem:

1. Set up Microsoft's free Software Update Services (SUS) server on the enterprise LAN and configure the clients to update automatically on a schedule. In an emergency, however, some computers may be missed.

2. Use the patch distribution feature of Microsoft Systems Management Server (SMS). SMS is very powerful, but it is not free.

3. Use third-party management software such as IBM's Tivoli or LANDesk's Management Suite.

Simple, convenient, fast and free is what administrators value most, and the method of automatic patching through domain user logon scripts presented here can largely meet that requirement.

Logon script essentials

Before using the logon script, however, we need to understand the following two questions:

1. How to avoid a restart after each patch is installed

A hotfix executable accepts several optional switches. The important ones are -z, which does not restart the computer after installation, -m, which suppresses prompts during installation (unattended mode), and -q, which suppresses prompts during installation (quiet mode). In the script below we combine -z with -q.

Second, how do we install several patches in sequence? We use Microsoft's Qchain.exe program. Its syntax is very simple: Qchain [logfilename], where logfilename is the name of a log file that records the registry pending file rename queue key before and after the patches are installed, so the two can be compared. In effect, Qchain.exe checks the pending file rename queue key, chains the installation of multiple hotfixes, and chooses the appropriate action so that the most recent version of each modified file is the one that ends up in place. (For details and the download, see http://support.microsoft.com/kb/815062)

2. How to determine whether a user's computer has a patch installed

Each Microsoft patch has a "KB" number, a code that lets users look up its details. For example, KB823980 (the "Blaster" vulnerability) can be looked up at http://support.microsoft.com/?id=823980. We also know that when a patch is installed, it leaves a log file of the same name in the system directory (%SystemRoot%). From these two facts we can judge whether the patch is installed by checking for the file KB823980.log in the system directory.

Creating the script

Everything is now ready, so let us hurry up and write the script.

1. On the server, create a Hotfix directory and place the patches to be installed together with Qchain.exe in it. I suggest renaming the patch files to their Microsoft "KB" numbers so they are neatly arranged, as shown in Figure 1.



Figure 1 Patch file list

2. Set the access permissions on the Hotfix folder: Administrators get Full Control and Authenticated Users get Read, as shown in Figure 2.



Figure 2 Setting the Hotfix folder access permissions

3. Create the script Hotfix.bat under C:\Winnt\Sysvol\Sysvol\Domain_name\Scripts. Replace Domain_name in this article with the name of the domain that you, the network administrator, manage.

The script is as follows:

@echo off
echo Checking the Windows 2000 update server, please wait......
IF NOT EXIST C:\Winnt GOTO END
net use Z: \\Server_name\Hotfix
Z:
IF EXIST %SystemRoot%\KB823980.log ECHO Congratulations! Patch KB823980 is already installed, checking the next one......
IF NOT EXIST %SystemRoot%\KB823980.log echo Sorry! Patch KB823980 is not installed, installing it now, please wait......
IF NOT EXIST %SystemRoot%\KB823980.log KB823980.exe -z -q
IF EXIST %SystemRoot%\KB823182.log ECHO Congratulations! Patch KB823182 is already installed, checking the next one......
... ...
(Add the remaining patches following the steps above)
echo All patches have been installed, thank you......
Qchain.exe
C:
net use Z: /Delete /Y
:END

Note: the shared folder is mapped to a local drive letter with the net use command.

4. In Active Directory, set Hotfix.bat as the logon script for the users, as shown in Figure 3.



Figure 3 Setting the user logon script in Active Directory

Once configuration is complete, we only need to wait for the users to log on. For Windows XP clients, simply change "Winnt" to "Windows" in the line IF NOT EXIST C:\Winnt GOTO END, but note that the patches must then be ones for Windows XP. The script above can be modified as you wish, but test it first.
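The per-patch lines in step 3 can be generalized so that one loop handles every hotfix in the share and each client writes a report the administrator can check. This is an added example, not the article's script; it assumes the share \\Server_name\Hotfix holds Qchain.exe and hotfixes named after their KB numbers, and assumes a writable share \\Server_name\PatchLog exists for the per-computer reports.

```batch
@echo off
REM Added example (not the article's Hotfix.bat): same logic as step 3, generalized with a loop.
REM Assumptions: \\Server_name\Hotfix holds Qchain.exe and KBnnnnnn.exe files renamed as in Figure 1;
REM \\Server_name\PatchLog is a share writable by Authenticated Users for the reports (hypothetical).
IF NOT EXIST C:\Winnt GOTO END
net use Z: \\Server_name\Hotfix
IF ERRORLEVEL 1 GOTO END
SET INSTALLED=0
SET LOGFILE=\\Server_name\PatchLog\%COMPUTERNAME%.txt
echo %DATE% %TIME% user %USERNAME% on %COMPUTERNAME% > %LOGFILE%
REM %%~nF is the file name without extension, i.e. the KB number
FOR %%F IN (Z:\KB*.exe) DO CALL :CHECK %%~nF
REM Run Qchain only if something was installed, so the pending file rename queue is reconciled once
IF %INSTALLED%==1 Z:\Qchain.exe >> %LOGFILE%
net use Z: /Delete /Y
GOTO END

:CHECK
REM %1 is a KB number such as KB823980; an installed hotfix leaves %SystemRoot%\KB823980.log
IF EXIST %SystemRoot%\%1.log (
  echo %1 already installed >> %LOGFILE%
) ELSE (
  echo %1 missing, installing >> %LOGFILE%
  Z:\%1.exe -z -q
  SET INSTALLED=1
)
GOTO :EOF

:END
```

The report under \\Server_name\PatchLog shows which computers still lack a patch, which answers the second question in the "Logon script essentials" section without visiting each client.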