Windows Updates deployment

We use UpdateExpert from St. Bernard right now to manage patches for 500 Windows boxes.
I'm looking for alternatives. What is considered the best way to deploy patches these days?

One of our greatest problems is scheduling the updates with our users. It's a major pain.

I think what I would like ideally is to have the user prompted upon logoff if they want to
allow Windows Updates to proceed on their PC. So they could log out before going home at night,
click OK to Windows Updates, and have a fully patched PC ready for them the next morning.
Anyone doing it that way?

Leon Fester (Senior Solutions Architect) commented:
Microsoft has a server application for just that. It's called SUS, it's free and pretty reliable, but only works for Windows OS updates. M$ intends releasing WUS for updating all other applications as well. Visit for more information.

It can be configured via your AD Group policy to automatically update your workstations. Updates to the SUS server can also be automated. During configuration you will specify which language updates to download, otherwise you'll be downloading all the M$ patches.

kneH commented:
>>So they could log out before going home at night.

Yeah that'll make em happy... that way they can wait for the computer to do stuff when they want to go home.

I'd just force the updates upon them through Group Policy.

That way you know they get done.

Rich Rumble (Security Samurai) commented:
DO NOT allow the users to dictate when they get updates, or even interact with the updates. As mentioned, SUS and WSUS (coming soon) are the best products to use to save bandwidth and make administration a bit easier. This way you don't have all the PCs trying to DL the patches at the same time from the internet. One PC DLs all the patches, and the rest use the LAN connection to get the updates from that PC/server. If your users are instructed to leave the PCs on at night when they leave, then you have a good opportunity to get them patched and rebooted, if necessary, while they are away. Do not leave it up to the users to make this type of critical decision.

3rd party software is a waste of money; the Automatic Updates scheduling in Win2k and XP is very reliable, and SUS/WSUS are also very good. I guess they can be considered 3rd party but you get the idea...

eschaefr commented:
You might want to check out LanGuard Security Scanner from GFI.  You can scan all pcs on your network or a range.  It will show you what updates are needed, download the patches to a central location and remotely apply the updates.  

I agree with richrumble though, the automatic updates scheduling works very well also.

ITDharam commented:
While someone has already touched on this, I'll go ahead and post since I am a previous dissatisfied owner of Update Expert.

Right now, SUS is the way to go, and WUS is the way to go once it goes gold.

SUS is definitely limited in that it doesn't provide any easy way of verifying that everyone is getting patched.  The recommended solution is to set up SUS to deploy patches, and then take advantage of Microsoft Baseline Security Analyzer (also free and actually pretty cool) to verify that updates are being implemented.  It is a lot more work since you have multiple interfaces to use.

Here is what I did, and I am happier with this than Update Expert.  I will immediately upgrade to WUS once it is available.  

I set up SUS, then used group policy to automatically download the updates to each machine.  Every night (early morning) at 3am the updates will be installed.  You can allow the updates to reboot after the particular updates that require them, but to save myself from getting someone pissed off because they left work for the day with open files that aren't saved, I instead leave that part up to the user.  They will get a little balloon message saying that updates were installed, and that a reboot is required.

It isn't as slick as Update Expert would have been if it actually worked the way it was supposed to, but at least I can reliably get updates out to my clients.
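
One way to spot-check that a client has actually received the Group Policy settings described in the post above (internal update server, nightly 3am install, no forced reboot while a user is logged on). This is an added example, not part of the thread: the server URL and function names are hypothetical, and the registry value names are the standard Automatic Updates policy values.

```powershell
# Baseline for the setup described above (values under ...\WindowsUpdate\AU).
$Baseline = [ordered]@{
    UseWUServer                   = 1   # use the internal SUS/WSUS server, not the internet
    AUOptions                     = 4   # 4 = auto download and schedule the install
    ScheduledInstallDay           = 0   # 0 = every day
    ScheduledInstallTime          = 3   # hour of day, 3 = 03:00
    NoAutoRebootWithLoggedOnUsers = 1   # leave the reboot to a logged-on user
}
$ExpectedServer = 'http://sus.example.internal'   # hypothetical placeholder

function Get-PolicyValues {
    param([string]$Path)
    $values = @{}
    if (Test-Path $Path) {
        $key = Get-Item -Path $Path
        foreach ($n in $key.GetValueNames()) { $values[$n] = $key.GetValue($n) }
    }
    return $values
}

function Test-AUPolicy {
    param([hashtable]$WU, [hashtable]$AU)
    $findings = @()
    foreach ($name in $Baseline.Keys) {
        if (-not $AU.ContainsKey($name)) {
            $findings += "$name is not set (policy not applied?)"
        } elseif ($AU[$name] -ne $Baseline[$name]) {
            $findings += "$name = $($AU[$name]), expected $($Baseline[$name])"
        }
    }
    foreach ($name in 'WUServer', 'WUStatusServer') {
        if ($WU[$name] -ne $ExpectedServer) {
            $findings += "$name = '$($WU[$name])', expected '$ExpectedServer'"
        }
    }
    return ,$findings
}

# Constructed sample: a client that installs at 04:00 and is missing the no-reboot setting.
$sampleWU = @{ WUServer = 'http://sus.example.internal'; WUStatusServer = 'http://sus.example.internal' }
$sampleAU = @{ UseWUServer = 1; AUOptions = 4; ScheduledInstallDay = 0; ScheduledInstallTime = 4 }
Test-AUPolicy -WU $sampleWU -AU $sampleAU

# Live check on the local machine (returns no findings when the policy matches).
$root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
Test-AUPolicy -WU (Get-PolicyValues $root) -AU (Get-PolicyValues "$root\AU")
```

This confirms only that the policy reached the client, not that patches were installed; a scanner such as the Microsoft Baseline Security Analyzer mentioned above covers that part.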