Windows Updates deployment

Posted on 2005-05-02
Last Modified: 2010-04-11
We use UpdateExpert from St. Bernard right now to manage patches for 500 Windows boxes.
I'm looking for alternatives. What is considered the best way to deploy patches these days?

One of our greatest problems is scheduling the updates with our users. It's a major pain.

I think what I would like ideally is to have the user prompted upon logoff if they want to
allow Windows Updates to proceed on their PC.  So they could log out before going home at night.
click ok to Windows Updates and have a fully patched PC ready for them the next morning.
Any one doing it that way?

Question by:veedar
    LVL 26

    Accepted Solution

    Microsoft has a a server application for just that. It's call SUS, it's free and pretty reliable, but only works for Windows OS updates. M$ intends releasing WUS for updating all other applications as well. Visit for more information.

    It can be configured via your AD Group policy to automatically update your workstations. Updates to the SUS server can also be automated. During configuration you will specify which language updates to download, otherwise you'll be downloading all the M$ patches.
    LVL 12

    Assisted Solution

    >>So they could log out before going home at night.

    Yeah that'll make em happy... that way they can wait for the computer to do stuff when they want to go home.

    I'd just force the updates upon them through Group Policy.

    That way you know they get done.

    LVL 38

    Assisted Solution

    by:Rich Rumble
    DO NOT allow the users to dictate when they get updates, or even interact with the updates, as mentioned SUS and WSUS(comming soon) are the best products to use to save bandwidth, and make administration a bit easier. This way you don't have all the PC's trying to DL the patches at the same time from the internet. One pc DL's all the patches, and the rest use the LAN connection to get the updates from that pc/sever. If your users are instructed to leave the PC's on at night when the leave, then you have a good oppurtunity to get them patched and rebooted if necessary, while they are away. Do not leave it up to the users to make this type of critical decision.

    3rd party software is a waste of money, the automatic updates scheduling in win2k and xp are very reliable, and sus/wsus are also very good. I guess they can be considered 3rd party but you get the idea...

    Assisted Solution

    You might want to check out LanGuard Security Scanner from GFI.  You can scan all pcs on your network or a range.  It will show you what updates are needed, download the patches to a central location and remotely apply the updates.  

    I agree with richrumble though, the automatic updates scheduling works very well also.

    LVL 8

    Assisted Solution

    While someone has already touched on this, I'll go ahead and post since I am a previous disatisifed owner of Update Expert.

    Right now, SUS is the way to go, and WUS is the way to go once it goes gold.

    SUS is definately limited in that it doesn't provide any easy way of verifying that everyone is getting patched.  The recommended solution is to setup SUS to deploy patches, and then take advantage of Microsoft Baseline Security Analyzer (also free and actually pretty cool) to verify that updates are being implemented.  It is a lot more work since you have multiple interfaces to use.

    Here is what I did, and I am happier with this than Update Expert.  I will immediately upgrade to WUS once it is available.  

    I setup SUS, then used group policy to automatically download the updates to each machine.  Every night (early morning) at 3am the updates will be installed.  You can allow the updates to reboot after the particular updates that require them, but to save myself from getting someone pissed off because they left work for the day with open files that aren't saved, I instead leave that part up to the user.  They will get a little balloon message saying that updates were installed, and that a reboot is required.

    It isn't as slick as Update Expert would have been if it actually worked the way it was supposed to, but at least I can reliably get updates out to my clients.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    What Security Threats Are You Missing?

    Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

    This is a short article about OS X KeRanger, and what people can do to get rid of it.
    When the confidentiality and security of your data is a must, trust the highly encrypted cloud fax portfolio used by 12 million businesses worldwide, including nearly half of the Fortune 500.
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
    Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

    759 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    11 Experts available now in Live!

    Get 1:1 Help Now