- Target and deliver MS patches using the Novell Application Launcher without elevating user rights.
- Target patches to only to workstations that require the patch.
- Disable the patch after delivery on target workstation.
- Network location to store the Microsoft patches.
- Workstation Objects should have Read and File Scan file rights or the directory should have PUBLIC as a trustee.
- Basic understanding of Novell Application objects.
Microsoft releases security patches the second Tuesday of every month. Information on these patches can be found on the Microsoft Technet Website in the form of security bulletins. Each bulletin contains information about the product affected, download locations, verification methods and details any patches that the new release is replacing.
Evaluate and Download Patches
Clearly visible at the start of each bulletin is information that you can use to evaluate the importance of the patch and whether or not the patch applies to your environment. If the patch is applicable to the environment, download the patch to V:\Patches\MSxx-xxx where xx-xxx represents the security bulletin number and V:\ represents a Novell network location. With some patches there may only be one or two downloads, however some patches have many more (MS06-014, for example, actually contained 5 separate downloads for one patch that translated into 7 separate NAL objects).
Creating the MS Patch NAL
After downloading the patch, create a new simple application object
Name the application object according to the MS Security Bulletin
Some Security Bulletins will require several NAL objects to accommodate all the affected software. Take for example MS06-014, this patch has 7 NAL objects in order to cover the range of affected software and OS platforms. (ZEN 6.5 and ZEN 7 have the ability to create Boolean requirements. Only 5 NAL objects would have been required)
- MS06-014 – MDAC25SP3 – 2KSP4
- MS06-014 – MDAC27SP1 – 2KSP4
- MS06-014 – MDAC27SP1 – XPSP1
- MS06-014 – MDAC28 – 2KSP4
- MS06-014 – MDAC28 – XPSP1
- MS06-014 – MDAC28SP1 – 2KSP4
- MS06-014 – MDAC28SP1 – XPSP2
When you encounter a patch like this, name the NAL object using an appropriate descriptive name by incorporating the software affected and OS platform. (See examples above)
Use the UNC to the patch when defining the Path to the executable file. Secured System User or Unsecured System user run is separate memory space and user context, as a result they can not access the users network mapped drives.
Add the requirements for the patch. In this case the patch is applicable to Windows XP only. As such we will define requirements of an OS Version that is greater than or equal to 5.1 and less than 5.2. We will also add a registry requirement. This registry requirement will check for the existence of the patch registry key. If the key does not exist, then the patch will be installed, otherwise it will not be installed. This prevents the patch form attempting to install over and over again. The registry key can be found in the MS Security Bulletin in the Security Update Information section.
Note: Please see the Useful Information section at the end of this document for additional registry keys and file version numbers that can be used to refine the requirements of the MS Patch object.
Do not associate the patch with anything at this point.
Click the “Display details after creation” and finish creating the application object.
Modifying NAL object
Identification –> Icon tab:
- Uncheck the “Disconnectable” checkbox – This will prevent laptops from trying to run the patch when not connected to the network.
- Check the “Wait on Force Run” checkbox – This will force the patches to install one at a time. The patches use the MSI installer and only one instance of the MSIEXEC can be run at a time with the patches.
- Set the force run order to the MS Security Bulletin Number – This will determine the order in which the patches are run.
Identification –> Description tab:
Paste the information from the top of the security bulletin into the description field. This will allow us to quickly identify the patch and version information. If a newer version of the patch executable is released from MS at a later date, the description information should also be updated to reflect the new version number and patch information.
Distribution Options –> Options tab:
The patch should be set to never reboot. This will eliminate the need to reboot after deploying every patch.
In our environment, the user is responsible for rebooting their computer.
Run Options –> Application tab:
Add the appropriate command line parameters to install the patch with out a user display and to also prevent a reboot.
More MS patches command line options can be obtained by running the patch executable with the /? command line.
Run Options –> Environment tab:
Set the application object to “Run as unsecured system user”
We use the unsecured system user so that if there is an error with the application object on a user’s machine, an error message will be displayed to the user. If the application object is set to run as a secure system user, and an error occurs, the user will not be notified. The patch will also remain resident in memory and attempt to run the next time a user logs in.
By setting the patch object to run as a secured system user or unsecured system user the WORKSTATION OBJECT must have read and file scan rights to the patches directory. The patch is installing as the workstation and not the user in this instance.
Microsoft frequently replaces older patches with new releases. This information can be found in the “Security Update Replacement” line item at the top of the bulletin or in the “Frequently asked questions (FAQ) related to this security update” under the “What updates does this release replace?”
What updates does this release replace?
This security update replaces a prior security update. The security bulletin ID and affected operating systems are listed in the following table.
|Bulletin ID||Windows 98||Windows 2000||Windows XP with Microsoft Data Access Components all versions (except for version 2.8) installed||Windows XP Service Pack 1 with Microsoft Data Access Components 2.8 installed||Windows Server 2003|
|MS04-003||Replaced||Replaced||Not Replaced||Replaced||Not Replaced|
Make note of each patch that is being replaced and the platform being replaced. In this case, the patch MS06-007 replaces MS04-003. Delete any applicable patch executables from the V:\ drive and any NAL objects.
In this case, most platforms are replaced. There are occasions when only specific OS or particular application version patches are replaced. This is usually the case with IE patches.
Testing the patches
The patches should be tested to ensure proper installation prior to force running the patch against the general user population. The test should include PC’s that both do and do not meet the requirements of the patch. While not every configuration can be tested prior to roll out, a reasonable effort should be made to ensure proper functionality of the patch install.
Deploying the patches:
Once the patches have been created and tested, it is time to force run the patches in the user environment. Patches are associated to the root context for each geographic location and can be associated with the users or workstation objects, however the patches will run as the workstation.
Listed below are some useful registry keys and file version numbers that can be used to further refine the requirements of the MS Patch Object.
Determine the OS:
Determine service pack level of the OS:
Value: 0x100 SP1
Value: 0x200 SP2
Value: 0x300 SP3
Value: 0x400 SP4
Value: 0x500 SP5
Value: 0x600 SP6
Determine MDAC Version:
Determine Version of Internet Explorer
File Location: C:\Program Files\Internet Explorer\iexplore.exe
– OR –
Key: Software\Microsoft\Internet Explorer
Determine Version of Windows Media Player
File Location: C:\Program Files\Windows Media Player\wmplayer.exe
Check for Microsoft .NET Framework Install
Microsoft .NET v1.1 Registry Key
Microsoft .NET v2.0 Registry Key
PDF Version of this article.