PNRT

Download a file from microsoft that contains all hotfixes and updates

Hi Experts

I'm trying to find out if there is a file that can be downloaded from Microsoft that contains all current hotfixes and updates.
I would like to take a list of those installed on my network's PCs and compare them with the latest Microsoft version using a VB.Net app.
Many of our PCs do not have internet access.

Many thanks
bas2754

I don't think there is any such item yet available, however I believe in October Microsoft will be rolling updates out as a full update package once a month that can just be installed on top of whatever OS (7 and up) you are using.  In other words, no more individual updates.
Mal Osborne

If you have a heap of machines on a site that you need to keep updated in a controlled, centrally managed manner, then Microsoft's answer is to install a WSUS server. This will download, manage and monitor updates for all your machines.
There is a monthly convenience roll-up for Windows 7, 8, 8.1 & 10, Server 2008 R2, 2012 (not sure on 2012 R2) which is exactly for this purpose (offline systems).

Read all about it here

Latest Win 7/2008 R2 version info here (Need to download it from Windows Catalog, which you can also import into WSUS to patch local)
PNRT

ASKER

Hi all
Maclean seems to be the closest to what I was looking for.
Do you know if it is possible to extract a list of the updates included in each download?
That was the actual thing I was trying to get.   An up to date list of all updates and hotfixes
for each OS, not necessarily the software itself.   Perhaps there's somewhere else I can
get the list from?
Many Thanks for the replies
ASKER CERTIFIED SOLUTION
Maclean
This solution is only available to members.
PNRT

ASKER

Thanks for the reply Maclean, much appreciated
Initially it was the list of everything that I was looking for.  But with your great explanation
of "how would you know what updates were applicable to each machine", it rather makes a
nonsense of what I was trying to do.  

Without putting a WSUS Server at every branch, that would also not be an option as they cannot connect to Head Office where a WSUS Server would normally be. My worry is email vulnerability, users and their USB drives, and the idiots that find a way of connecting to the internet via their phones. I don't really want to rely just on AV software.
 
I was trying to think of a sort of homegrown solution that I could adapt but for the offline machines, it looks like I will have to upload the catalog to each machine and have it update that way?   What a mission!

Many thanks again for the advice.
If you use Windows 10 internally, you can have 1 system download & distribute updates from what I understand from Microsoft. I have not tested this, but everything points towards this option.

The Convenience Patch would be a not too cumbersome solution to implement I think. It can be a tad large in size, but download the pre-requisites (Ironically to do the "All patches patch" you need to download some patches first which I personally find funny in a geeky way) and then add those together with the convenience roll-up on a share.

Tricky bit from here would be a script which looks whether the pre-requisites are already deployed, and if yes, go ahead with the convenience rollup. If not, deploy patches, then deploy the convenience patch. Less rigorous way is to just deploy them all (Convenience patch last). In theory the WUSA engine should just ignore the patch if already deployed and attempted again. Just takes more time as it searches using the WUSA engine whether the update is applicable yes/no.

I do believe you could run Belarc Advisor or as mentioned the MS Security Analyzer on each PC to get a list of missing updates. But to me that sounds like a painful task to go through PC by PC, and once you have that list, the administrative overhead to make some plan from there would be not worth the hassle for me if I was tasked with this. Happy to hear my suggestion helped you. Good luck getting things sorted.
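
The check-then-deploy logic described in the reply above, written out as an added PowerShell example (not part of the original thread or any poster's code). The KB IDs and the share path are placeholders, and stopping for a reboot between the prerequisites and the roll-up is an assumption of this example.

```powershell
# Added example; KB IDs and share path are placeholders, not values from the thread.
$Share         = '\\fileserver\patches'        # hypothetical share holding the .msu files
$Prerequisites = @('KB0000001', 'KB0000002')   # placeholder prerequisite KB IDs
$Rollup        = 'KB0000003'                   # placeholder convenience roll-up KB ID

function Get-MissingKb {
    param([string[]]$Required, [string[]]$Installed)
    # Required KBs absent from the installed list (-notcontains is case-insensitive).
    @($Required | Where-Object { $Installed -notcontains $_ })
}

function Install-Msu {
    param([string]$Kb)
    $msu = Get-ChildItem -Path $Share -Filter "*$Kb*.msu" | Select-Object -First 1
    if (-not $msu) { throw "No .msu file for $Kb in $Share" }
    $wusaArgs = "`"$($msu.FullName)`" /quiet /norestart"
    $code = (Start-Process -FilePath wusa.exe -ArgumentList $wusaArgs -Wait -PassThru).ExitCode
    # Map the WUSA exit codes that are not failures; anything else aborts the run.
    if     ($code -eq 0)           { 'installed' }
    elseif ($code -eq 3010)        { 'reboot required' }
    elseif ($code -eq 2359302)     { 'already installed' }   # 0x00240006
    elseif ($code -eq -2145124329) { 'not applicable' }      # 0x80240017
    else   { throw "wusa.exe returned $code for $Kb" }
}

# Get-HotFix reads Win32_QuickFixEngineering and reports installed updates by KB ID.
$installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })

if ($installed -contains $Rollup) {
    Write-Host "$Rollup already present, nothing to do."
    return
}

$needReboot = $false
foreach ($kb in (Get-MissingKb -Required $Prerequisites -Installed $installed)) {
    $status = Install-Msu -Kb $kb
    Write-Host "${kb}: $status"
    if ($status -eq 'reboot required') { $needReboot = $true }
}
if ($needReboot) {
    Write-Host 'Prerequisites need a reboot; run again afterwards to install the roll-up.'
    return
}
Write-Host "${Rollup}: $(Install-Msu -Kb $Rollup)"
```

Run it from an elevated session, since wusa.exe needs administrator rights to install a package.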
PNRT

ASKER

Many Thanks again Maclean
In fact I was trying to replicate something exactly like Belarc Advisor that I could run in my own app to make everything less tedious.  Looks like I'm stuck with though.
Many thanks again for taking the time to come back.
Look, if it's USB and Modems (Hotspotting via phone = modem really) that worry you, then lock it down.
That would be the easier step. But you still need to patch machines at some stage for the "Worst case" scenario. (In my opinion)
This however would kill the immediate threat probably.

You can restrict Hardware via GPO using Technet instructions (There might be better blogs than this one)
Or use a 3rd party product to manage it for you. One of our clients enjoys this product. I'm a GPO man myself.

Anyhow, I'll leave you in thoughts and get cracking at my own tasks. Monday morning. Coffee time before my incidents & request queues get loaded up by the team here.