September 25, 2001 08:25 PM

Expediting the Arduous Security Update Process

Windows IT Pro
InstantDoc ID #22667
Like many of you, I’ve been frantically cleaning up after the Code Red worm and the W32.Nimda virus. I've endured almost 2 months of nonstop troubleshooting, updating, scanning, disconnecting runaway systems from hubs and switches, updating virus scanners and firewall software and rules, and updating the OS, Microsoft SQL Server, and Microsoft Exchange Server. During the past few days, I performed security audits and multiple hotfix updates on at least eight servers. I also trashed several infected Windows 9x systems (hooray, hooray) and encountered numerous problems with Line Print Remote (LPR)-based print shares. What a crazy life.

Usi...


Great article. Altiris' new patch management 6.0 is a great tool to not only deploy patches on a policy basis, much like you can with group policy in a w2k domain, but also manage pre-w2k machines as well. It will automatically order the installs of multiple patches to ensure that the correct dll is in place. If you reimage your machine the hotfixes get automatically installed. You are in total control of the hotfixes you want deployed within your network. Best of all you don't have to hunt through pages and pages of bulletins to figure out which executables you need for a particular OS or software install relative to the bulletin release.

Kevan 5/17/2004 3:52:16 PM


If you are going to be serious about security, you have to put down your "it takes too much time" banner and replace it with the "security is never finished" banner. Yes, the process of patching MS products can be arduous, especially if you ignore their advisories and try to patch a gold installation after it had been infected. My suggestion: subscribe to the Security Advisory list MS puts out, stay on top of the patches, and quit your whining.

michaelphillipstump 10/5/2001 6:24:09 AM


If you think tracking down a patch via the security bulletins and knowledge base articles is hard, try finding a specific patch on
http://corporate.windowsupdate.microsoft.com

Many searches turn up multiple patches, so the process becomes "guess which patch is the correct one" and "attempt to verify the guess". Does anyone know how to correlate the identification numbers on the corporate site with a security bulletin?

Ronnie Heath 10/4/2001 9:41:22 AM


Why doesn't Microsoft generate a version of HFNetchk which, instead of their current output, generates an HTML output including on one side the hard URLs of the fixes and on the other hard URLs of the description, requirements, etc.? That would be something worth paying their software for.

Frank Neirynck 10/4/2001 9:13:08 AM


I have found the Hfnetchk very easy to use and include in scripts. Honestly, if Hfnetchk check reports 16 to 17 fixes that need to be applied, you cannot have been doing your job all that well in the first place. No wonder these worms spread so fast - there are too many lazy administrators out there not checking and installing patches as they are released. Both Code Red and Nimda used attacks that were documented and patched anywhere between 3 to 10 months ago.

Kevin 10/4/2001 2:44:01 AM


I played with St. Bernard's UpdateExpert and at this stage I do not care how much it costs, I am sure it will pay for itself in the time it will save updating all the hotfixes I have to do. It seems like a great piece of software.

Trevor 10/3/2001 11:11:41 PM


One other suggestion. MSI, MSI, MSI. _ALL_ hotfixes should be released in an MSI based format as well so that they can be deployed via Group Policy.

Also, your Post A Comment box should be resizeable - on my screen, this text box is 50% wider than the window, and yet there's no way to resize the window or even scroll it (save by typing in this edit box, which causes the window to jump around strangely). Web developers that make pop up windows non-resizeable and who get rid of the scroll bars should be relieved of their duties - it frequently results in an unusable site for anyone whose font settings deviate even slightly from the defaults (such as using Large Fonts).

Toby Everett 10/3/2001 5:28:18 PM


HFNetchk is OK but does not go quite far enough. I find the results to be only the very start of a long process. It should have been able to generate a script file that you could use with QChain. Then "all" you would need to do is verify the script, locate all of the appropriate patches, and then run qchain. Supplying a URL for each patch would have been nice also. I think MS really missed it with HFNetchk.

Blair 9/28/2001 3:38:22 PM


Well said, Paula! All of these suggestions are good ideas. It would be nice to make Windows Update work properly with all of these hotfixes. This is the most simple solution to the problem that I can think of. Works great for workstations, and you don't have to worry about having to use QChain or any other tool like that.

Having a more efficient hotfix tool would help, as well. If the hotfix app did everything that they needed in order to update machines, then you wouldn't need a second method of installation, and would be able to easily chain them together.

It would also be nice, just like Office files do this, that when you go to the properties of the file, that it would have a summary of the hotfix information in the properties dialog box. You don't know how many times I have downloaded a hotfix, saved it, then remembered it a week later and have no idea what it is for. Having a more well defined file name direct from Microsoft would help out a lot, as another comment mentioned.

Torolf Haug 9/27/2001 8:22:24 AM


I personally find the Qxxx beginning very easy to use. In WindowsNT/W2k you can set a registry setting,
HKCU\Software\Microsoft\Command Processor\CompletionChar to 9 to get command line completion with the TAB key.... means you just copy the Qxxxx from HfNetChk to the cmd line, then hit TAB and it'll run the hotfix you've downloaded.

Also, if you run hfnetchk with no cmd line args it goes and downloads the xml off microsoft's site, so I'm not entirely sure what point 1 means in this article.

... they're my two 'MS sympathizing' points. ... now what I'd like to see.

- I've read the XML file of microsoft's. It lists both the filename, and a link TO the file for download for each patch. This isn't a direct link most of the time, you still need to go with a web browser and click "I agree" etc. etc. ... but it saves searching for each Qxxxx. I'd like to see HfNetChk spit this out for you.

- The 2 standards for hotfixes is really stupid. (I recon')... even if both standards are kept, it would be nice to see MS allow the same command line args for the MSDAIPP installer.

- Some documentation from MS about what access you need on the remote PC to do a scan. I believe you need C$ and ADMIN$ shares existing, and access to them, and the remote registry service. Am I correct?

- I would love to see an automated "Download and Install" ... I mentioned this to MS support, and got the reply "coming in Windows XP" ... so there ya go :)

Just my 2c.

Will Lotto 9/27/2001 2:37:34 AM



Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.