Patch Installation

This is regarding Windows patch management; could someone help me?

I have many Windows 2000 and Windows XP clients in my environment. During the initial installation of the clients, I used to install the up-to-date patches that were available until the time of client installation, but now most of them have not been updated for a long time. Now, if I want to update all of them, what's the best way?

Should I apply all the patches from the beginning to now? (Windows may skip the patch that is already installed?)
Or should I search in all systems for which are installed or not installed?

Thanks for any advice

DennisPost Commented:
How to configure and use Windows 2000 Automatic Updates:

How to schedule Automatic Updates:

Here's a forum about it.

As far as the exact behaviour of how patches react if you reinstall them, I don't know. I can tell you that I have done it many many times before and did not experience any difficulties. The only time it might become a problem is if patch2 updates patch1 and then you reinstall patch1.
I found this MS article about hotfixes:
If you are really worried about unforeseen things happening, then run automatic updates on all machines before creating the batch file. (Remember, you don't even really need to.)

What you heard about don't patch if it's not needed is true to a degree. "If it's not broken, don't try to fix it".
But most updates via Automatic Updates are security fixes. You may not know it's broken until it's too late.
There are a lot of optional updates. These can cause trouble if you don't actually need them. Automatic Update doesn't download these optional updates automatically. In fact Microsoft recommends that you don't install them unless your situation is exactly as described in the KB about the patch, otherwise wait for the fully tested service pack to come out.
This is also why people use WSUS. Then they can test every patch that comes out. If it doesn't cause problems then they can deploy it to the enterprise. This is over the top for a small company like mine.

Hope this answers your question. :-)
Dear Basheerpt,
You may use WSUS to deploy patches and automate the patch deployment. If you want to apply patches individually then you can go to site. With that you can update patches.

To know more about WSUS check the link

Basheerpt (Author) Commented:
I may have downloaded all the patches from the security bulletin website. How to install them offline without checking what is already installed and not?
I was looking at SUS & WSUS to keep everything up to date.
In the end I just turn on Automatic Updates. (Users don't need to be an Administrator)

I also created a batch file:
rem -z = do not restart after install, -u = unattended mode
\\<server>\Hotfixes\xp-kb885250.exe -z -u
\\<server>\Hotfixes\xp-kb887472.exe -z -u
\\<server>\Hotfixes\xp-kb888113.exe -z -u
\\<server>\Hotfixes\xp-kb888302.exe -z -u
\\<server>\Hotfixes\xp-kb890046.exe -z -u

Check out this site for more information:

This is a simple batch. If you have lots of workstations then you might want to improve it a bit.
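
One way to improve the batch file above so that it skips hotfixes already present and records what happened on each workstation, as an added example that is not part of the original posts. It assumes the hotfixes register under the HotFix registry key shown and that reg.exe is available (built into Windows XP; on Windows 2000 it comes from the Support Tools); the share name \\SERVER\Hotfixes and the log path are placeholders.

```bat
@echo off
setlocal
rem Added example, not from the original thread.
rem SHARE is a placeholder for the central hotfix share used in the post.
set "SHARE=\\SERVER\Hotfixes"
rem LOG is a placeholder path for a per-machine result log.
set "LOG=%SystemRoot%\Temp\hotfix-batch.log"
rem Assumed key where update.exe-based hotfixes register themselves.
set "HFKEY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix"
set REBOOT=0

rem KB numbers taken from the batch file in the post.
for %%K in (885250 887472 888113 888302 890046) do call :install %%K

if "%REBOOT%"=="1" >>"%LOG%" echo %DATE% %TIME% reboot required to finish
endlocal
goto :eof

:install
rem Skip the package when the hotfix is already registered on this machine.
reg query "%HFKEY%\KB%1" >nul 2>&1
if not errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% KB%1 already installed, skipped
    goto :eof
)
rem Record a missing package instead of failing silently.
if not exist "%SHARE%\xp-kb%1.exe" (
    >>"%LOG%" echo %DATE% %TIME% KB%1 package not found on share
    goto :eof
)
rem Same switches as in the post: -z no restart, -u unattended.
"%SHARE%\xp-kb%1.exe" -z -u
set RC=%ERRORLEVEL%
rem 3010 is the Windows code for success with a restart pending.
if "%RC%"=="3010" set REBOOT=1
>>"%LOG%" echo %DATE% %TIME% KB%1 installer exit code %RC%
goto :eof
```

Collecting the log from each workstation afterwards shows which machines still lack a given security fix, which matters most for clients that have no Internet access and cannot use Automatic Updates.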
Basheerpt (Author) Commented:
Thanks Dennis,

How do I turn on the Automatic Update and point the clients to get updates from the local server as mentioned in the batch file? Sorry, it's an instant reply, I didn't read the KBs you recommended, I will read them now.

You don't.
You could just enable Automatic Updates on each machine or via GPO. All updates will be downloaded and installed.

If you already have a whole bunch of hotfixes ready, then create the batch file and run it on each machine.
I only created the batch file because it takes a very long time to download then install all the hotfixes.
With the batch file you don't have to download all the hotfixes for each machine, once only then the machines will read it from a central location.
Also if I have to set up a new machine then all I have to do is run the batch and it's as up to date as my batch is.

Alternatively you could do as inbarasan suggested.
On each machine go to and run the updates from there.
Personally I wouldn't do this because as each update comes out, you'll have to do it again on each machine. (Very tedious).

We only have 20 workstations here so my way was easiest for me. If you've got a larger environment then WSUS is probably the way to go.

But check out the site inbarasan gave you and decide for yourself.

Basheerpt (Author) Commented:
Thanks for this nice information, Dennis.

My scenario is a little different, as follows:

1. There is a mix of Windows XP and Windows 2000, so I may have to create a separate GPO for each of them and put the relevant computers where applicable.

2. I have already installed some of the patches. If I install the whole bunch of patches in my batch file, how will it be treated? Overwriting the existing or skipping?

I read somewhere that if your computer runs smoothly, don't patch anything!! (someone posted from real experience, unofficial comment. :-)

Basheerpt (Author) Commented:
Dennis, thanks a lot. You are so informative! All of my workstations don't have the Internet, so I cannot think of running AU on all systems. I will go through the articles you suggested and I hope I will find an acceptable solution for my scenario.

I appreciate your help and I am happy to give you the points. :-)
Thanks and good luck to you!
Remember, if you ever get stuck on anything, post it here!