Packaging Microsoft Patches using Novell Application Launcher

Novell Cool Solutions: AppNote
By Pete Demers

Posted: 14 Nov 2006


  • Target and deliver MS patches using the Novell Application Launcher without elevating user rights.
  • Target patches only to workstations that require the patch.
  • Disable the patch after delivery on target workstation.


  • Network location to store the Microsoft patches.
  • Workstation Objects should have Read and File Scan file rights or the directory should have PUBLIC as a trustee.
  • Basic understanding of Novell Application objects.

Microsoft releases security patches on the second Tuesday of every month. Information on these patches can be found on the Microsoft TechNet website in the form of security bulletins. Each bulletin contains information about the affected product, download locations and verification methods, and details any patches that the new release replaces.

Evaluate and Download Patches

Clearly visible at the start of each bulletin is information that you can use to evaluate the importance of the patch and whether or not the patch applies to your environment. If the patch is applicable to the environment, download the patch to V:\Patches\MSxx-xxx, where xx-xxx represents the security bulletin number and V:\ represents a Novell network location. Some patches have only one or two downloads; others have many more (MS06-014, for example, actually contained 5 separate downloads for one patch that translated into 7 separate NAL objects).

Creating the MS Patch NAL

After downloading the patch, create a new simple application object.

Name the application object according to the MS Security Bulletin.

Some Security Bulletins will require several NAL objects to accommodate all the affected software. MS06-014, for example, has 7 NAL objects in order to cover the range of affected software and OS platforms. (ZEN 6.5 and ZEN 7 have the ability to create Boolean requirements, in which case only 5 NAL objects would have been required.)

MS06-014 - MDAC25SP3 - 2KSP4
MS06-014 - MDAC27SP1 - 2KSP4
MS06-014 - MDAC27SP1 - XPSP1
MS06-014 - MDAC28 - 2KSP4
MS06-014 - MDAC28 - XPSP1
MS06-014 - MDAC28SP1 - 2KSP4
MS06-014 - MDAC28SP1 - XPSP2

When you encounter a patch like this, give the NAL object a descriptive name that incorporates the affected software and the OS platform. (See examples above.)

Use the UNC path to the patch when defining the Path to the executable file. A Secured System User or Unsecured System User run takes place in a separate memory space and user context; as a result, it cannot access the user's mapped network drives.

Add the requirements for the patch. In this case the patch is applicable to Windows XP only. As such, we will define requirements of an OS Version that is greater than or equal to 5.1 and less than 5.2. We will also add a registry requirement. This registry requirement will check for the existence of the patch registry key. If the key does not exist, then the patch will be installed; otherwise it will not be installed. This prevents the patch from attempting to install over and over again. The registry key can be found in the MS Security Bulletin in the Security Update Information section.

Note: Please see the Useful Information section at the end of this document for additional registry keys and file version numbers that can be used to refine the requirements of the MS Patch object.
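
The requirement logic described above can be modelled offline to predict which workstations a patch object will target before it is force run. The following Python sketch is an added example, not part of the original AppNote or of NAL; the inventory records, the service pack requirement and the placeholder registry key are assumptions made for illustration.

```python
from dataclasses import dataclass, field

def parse_version(text):
    """'5.1' -> (5, 1), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))
def service_pack(csd_version):
    """CSDVersion steps by 0x100 per service pack: 0x200 -> 2."""
    return csd_version >> 8

@dataclass
class Workstation:  # constructed inventory record, not a NAL structure
    name: str
    os_version: str
    csd_version: int = 0
    reg_keys: set = field(default_factory=set)

@dataclass
class PatchObject:
    name: str
    os_min: str     # inclusive lower bound
    os_max: str     # exclusive upper bound
    sp: int         # assumed extra requirement: service pack level
    patch_key: str  # registry key that must not exist yet

    def unmet(self, ws):
        """Return the failed requirements; an empty list means the patch runs."""
        failed = []
        version = parse_version(ws.os_version)
        if not (parse_version(self.os_min) <= version < parse_version(self.os_max)):
            failed.append("os_version")
        if service_pack(ws.csd_version) != self.sp:
            failed.append("service_pack")
        # Registry key names are case-insensitive on Windows.
        if self.patch_key.lower() in {k.lower() for k in ws.reg_keys}:
            failed.append("already_installed")
        return failed

KEY = r"SOFTWARE\<patch key from bulletin>"  # placeholder, not a real key
PATCH = PatchObject("MS06-014 - MDAC28SP1 - XPSP2", "5.1", "5.2", 2, KEY)
FLEET = [  # constructed sample workstations
    Workstation("XP-SP2-NEW", "5.1", 0x200),
    Workstation("XP-SP2-DONE", "5.1", 0x200, {KEY.upper()}),
    Workstation("XP-SP1", "5.1", 0x100),
    Workstation("W2K-SP4", "5.0", 0x400),
    Workstation("W2K3", "5.2", 0x100),
]

def plan(patch, fleet):
    return {ws.name: patch.unmet(ws) for ws in fleet}
```

Calling plan(PATCH, FLEET) returns, for each workstation, the requirements that would stop the object from running, which also shows which test PCs cover the "meets" and "does not meet" cases.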

Do not associate the patch with anything at this point.

Check the "Display details after creation" checkbox and finish creating the application object.

Modifying NAL object

Identification –> Icon tab:

  • Uncheck the "Disconnectable" checkbox – This will prevent laptops from trying to run the patch when not connected to the network.
  • Check the "Wait on Force Run" checkbox – This will force the patches to install one at a time. The patches use the MSI installer and only one instance of the MSIEXEC can be run at a time with the patches.
  • Set the force run order to the MS Security Bulletin Number – This will determine the order in which the patches are run.

Identification –> Description tab:

Paste the information from the top of the security bulletin into the description field. This will allow us to quickly identify the patch and version information. If a newer version of the patch executable is released from MS at a later date, the description information should also be updated to reflect the new version number and patch information.

Distribution Options –> Options tab:

The patch should be set to never reboot. This will eliminate the need to reboot after deploying every patch.

In our environment, the user is responsible for rebooting their computer.

Run Options –> Application tab:

Add the appropriate command line parameters to install the patch without a user display and to prevent a reboot.

More command line options for MS patches can be obtained by running the patch executable with the /? command line option.

Run Options –> Environment tab:

Set the application object to "Run as unsecured system user"

We use the unsecured system user so that if there is an error with the application object on a user's machine, an error message will be displayed to the user. If the application object is set to run as a secure system user, and an error occurs, the user will not be notified. The patch will also remain resident in memory and attempt to run the next time a user logs in.

When the patch object is set to run as a secured system user or unsecured system user, the WORKSTATION OBJECT must have Read and File Scan rights to the patches directory. The patch is installing as the workstation and not the user in this instance.

Retiring Patches

Microsoft frequently replaces older patches with new releases. This information can be found in the "Security Update Replacement" line item at the top of the bulletin or in the "Frequently asked questions (FAQ) related to this security update" section under the question "What updates does this release replace?"

What updates does this release replace?
This security update replaces a prior security update. The security bulletin ID and affected operating systems are listed in the following table.

Bulletin ID: MS04-003

  • Windows 98: Replaced
  • Windows 2000: Replaced
  • Windows XP with Microsoft Data Access Components all versions (except for version 2.8) installed: Not Replaced
  • Windows XP Service Pack 1 with Microsoft Data Access Components 2.8 installed: Replaced
  • Windows Server 2003: Not Replaced

Make note of each patch that is being replaced and the platform being replaced. In this case, the patch MS06-007 replaces MS04-003. Delete any applicable patch executables from the V:\ drive and any NAL objects.

In this case, most platforms are replaced. There are occasions when only specific OS or particular application version patches are replaced. This is usually the case with IE patches.

Testing the patches
The patches should be tested to ensure proper installation prior to force running the patch against the general user population. The test should include PCs that both do and do not meet the requirements of the patch. While not every configuration can be tested prior to rollout, a reasonable effort should be made to ensure proper functionality of the patch install.

Deploying the patches:
Once the patches have been created and tested, it is time to force run the patches in the user environment. Patches are associated to the root context for each geographic location and can be associated with the user or workstation objects; however, the patches will run as the workstation.

Useful Information

Listed below are some useful registry keys and file version numbers that can be used to further refine the requirements of the MS Patch Object.

Determine the OS:

Windows 95 retail, OEM 4.00.950
Windows 95 retail SP1 4.00.950A
OEM Service Release 2 4.00.1111* (4.00.950B)
OEM Service Release 2.1 4.03.1212-1214* (4.00.950B)
OEM Service Release 2.5 4.03.1214* (4.00.950C)
Windows 98 retail, OEM 4.10.1998
Windows 98, Security CD 4.10.1998A
Windows 98 Second Edition 4.10.2222A
Windows 98 SE Security CD 4.10.2222B
Windows Me 4.90.3000
Windows Me Security CD 4.90.3000A
Windows NT 3.1 Workstation 3.1
Windows NT 3.5 Workstation 3.5
Windows NT 3.51 Workstation 3.51
Windows NT 4.0 Workstation 4.0
Windows 2000 Professional 5.0
Windows XP 5.1
Windows Server 2003 5.2
Windows XP (x64) 5.2
Windows Vista 6.0

Determine service pack level of the OS:

Key: System\CurrentControlSet\Control\Windows
Name: CSDVersion
Value: 0x100 SP1
Value: 0x200 SP2
Value: 0x300 SP3
Value: 0x400 SP4
Value: 0x500 SP5
Value: 0x600 SP6

Determine MDAC Version:

Key: Software\Microsoft\DataAccess
Name: Version
Type: REG_SZ

Determine Version of Internet Explorer

File Location: C:\Program Files\Internet Explorer\iexplore.exe

- OR -

Key: Software\Microsoft\Internet Explorer
Name: Version
Type: REG_SZ

4.40.308 Internet Explorer 1.0 (Plus! for Windows 95)
4.40.520 Internet Explorer 2.0
4.70.1155 Internet Explorer 3.0
4.70.1158 Internet Explorer 3.0 (Windows 95 OSR2)
4.70.1215 Internet Explorer 3.01
4.70.1300 Internet Explorer 3.02 and 3.02a
4.71.544 Internet Explorer 4.0 Platform Preview 1.0 (PP1)
4.71.1008.3 Internet Explorer 4.0 Platform Preview 2.0 (PP2)
4.71.1712.6 Internet Explorer 4.0
4.72.2106.8 Internet Explorer 4.01
4.72.3110.8 Internet Explorer 4.01 Service Pack 1 (Windows 98)
4.72.3612.1713 Internet Explorer 4.01 Service Pack 2
5.00.0518.10 Internet Explorer 5 Developer Preview (Beta 1)
5.00.0910.1309 Internet Explorer 5 Beta (Beta 2)
5.00.2014.0216 Internet Explorer 5
5.00.2314.1003 Internet Explorer 5 (Office 2000)
5.00.2614.3500 Internet Explorer 5 (Windows 98 Second Edition)
5.00.2516.1900 Internet Explorer 5.01 (Windows 2000 Beta 3, build 5.00.2031)
5.00.2919.800 Internet Explorer 5.01 (Windows 2000 RC1, build 5.00.2072)
5.00.2919.3800 Internet Explorer 5.01 (Windows 2000 RC2, build 5.00.2128)
5.00.2919.6307 Internet Explorer 5.01 (Office 2000 SR-1)
5.00.2920.0000 Internet Explorer 5.01 (Windows 2000, build 5.00.2195)
5.00.3103.1000 Internet Explorer 5.01 SP1 (Windows 2000 SP1)
5.00.3105.0106 Internet Explorer 5.01 SP1 (Windows 95/98 and Windows NT 4.0)
5.00.3314.2101 Internet Explorer 5.01 SP2 (Windows 95/98 and Windows NT 4.0)
5.00.3315.1000 Internet Explorer 5.01 SP2 (Windows 2000 SP2)
5.00.3502.1000 Internet Explorer 5.01 SP3 (Windows 2000 SP3 only)
5.00.3700.1000 Internet Explorer 5.01 SP4 (Windows 2000 SP4 only)
5.50.3825.1300 Internet Explorer 5.5 Developer Preview (Beta)
5.50.4030.2400 Internet Explorer 5.5 & Internet Tools Beta
5.50.4134.0100 Internet Explorer 5.5 for Windows Me (4.90.3000)
5.50.4134.0600 Internet Explorer 5.5
5.50.4308.2900 Internet Explorer 5.5 Advanced Security Privacy Beta
5.50.4522.1800 Internet Explorer 5.5 Service Pack 1
5.50.4807.2300 Internet Explorer 5.5 Service Pack 2
6.00.2462.0000 Internet Explorer 6 Public Preview (Beta)
6.00.2479.0006 Internet Explorer 6 Public Preview (Beta) Refresh
6.00.2600.0000 Internet Explorer 6 (Windows XP)
6.00.2800.1106 Internet Explorer 6 Service Pack 1 (Windows XP SP1)
6.00.2900.2180 Internet Explorer 6 for Windows XP SP2
6.00.3663.0000 Internet Explorer 6 for Microsoft Windows Server 2003 RC1
6.00.3718.0000 Internet Explorer 6 for Windows Server 2003 RC2
6.00.3790.0000 Internet Explorer 6 for Windows Server 2003 (released)

Determine Version of Windows Media Player

File Location: C:\Program Files\Windows Media Player\wmplayer.exe

Version number
Version of Windows Media Player (WMP) WMP 5.2 Beta WMP 5.2
6.02.902 WMP 6.0 WMP 6.0 Internet Explorer 5 RC0 Beta WMP 6.0 WMP 6.2 Beta WMP 6.4
6.4.6.* WMP 6.4 for Windows 2000 Betas WMP 6.4 with multi-bit rate (MBR) updates for Internet Explorer WMP 6.4 with MBR updates (minor error messaging updates from
6.4.9.* WMP 6.4 for Windows 2000 only WMP 7 WMP 7 Update WMP 7 with Setup updates WMP 7 for Windows Millennium Edition (Me) WMP 7.1 WMP 8 for Windows XP WMP 9 Series for Windows XP, Windows 98 Second Edition, Windows Me, and Windows 2000 WMP 9 Series for Windows Server 2003     WMP 10

Check for Microsoft .NET Framework Install

Microsoft .NET v1.1 Registry Key
Key: Software\Microsoft\.NETFramework\Policy\v1.1

Microsoft .NET v2.0 Registry Key
Key: Software\Microsoft\.NETFramework\Policy\v2.0
