Re: OT: Microsoft sucks, part 953

Hmm. My MS guru at work, who still beta-tests for Redmond, told me that the
corp license version we use for the machine image library was WGA-proof. I'm
not expert enough to know if that is true or not. Why would a company with
90 servers be buying onesie licenses, anyway?

I don't know how they buy them. Do they not have product keys, or
MS will allow duplicate product keys up to the number purchased?
A former employer would acquire these a half-dozen at a time by
buying the company that owned them.

The complaint I have is that MS won't let me download the Microsoft
Baseline Security Analyzer onto machines running the older server
OS, even though the tool works on them, and is installed on some of
them. That tool doesn't install patches, it just reports on them.
There may be other useful tools with the same issue.

I often get asked to verify that a particular patch is present on the
system (actually applying the patch to a production machine needs to
be scheduled and get a bunch of approvals). There are several
ways to do this:

Look in Add/Remove Programs for the patch (e.g. KB917344)
Run MBSA 2.0 and look for the security bulletin number (e.g. MS06-023)
Run Windows Update and see if it recommends installing a patch
for the KB number (e.g. KB917344). This sometimes requires
installing stuff to make it work. I don't use it to actually
INSTALL, just to read the list.
Run Windows Update History and see if it includes the patch in question.
This sometimes requires installing stuff to make it work.

Unfortunately these methods often disagree with each other as to
whether the patch is actually installed, and some of these don't
work on all machines. Also the very few NT 4.0 machines rarely
have patches published for them: hopefully we'll get rid of/upgrade
them soon.

You are right about the military/firewall observations, however. We don't
install any MS patches unless we (or our higher command) have sandbox-tested
them with expendable machines, to make sure they don't break our standard
configs or telecom setups. Windows Update is locked out on our company
machines, and casual end users do not have install capability.

Do you have a better way of verifying that a patch is installed,
without having the possible side effect of actually installing one?

Gordon L. Burditt
.

Relevant Pages

  • Re: Event ID 6161 for HP 6840
    ... patch related to an exposure via the print spooler service. ... download which offers the option of a local port. ... >> There were no problems with the install and the printer works find so long ... >> 3) All machines on the network can connect to the printer via Internet ...
    (microsoft.public.windowsxp.print_fax)
  • Automatically patching machine with hotfix KB824146 using mbsafu.
    ... I didn't want to spend as many hours patching machines with KB824146 exploit ... Mbsafu is an automatic remote patching tool that applies Security updates ... Download and install mbsa. ... Setup a network share with full privileges for the account you will patch ...
    (NT-Bugtraq)
  • Re: SunOs patching - How to
    ... I've been reading a lot on how to patch SunOs but I'm ... If this isn't the same on both machines, then a different release of Solaris 8 has been installed. ... Such update releases differ in two ways: A set of current patches is pre-installed, and new features might have been added in new packages. ... If you have the chance to do so, either upgrade or reinstall both machines with latest release of the Solaris version you need, or at least install a current set of patches on both. ...
    (comp.unix.solaris)
  • Re: MacSpeech Dictate Amazon reviews - comments?
    ... But I need to install on two machines: my Mac Pro in the office, ... USE one machine at a time, but I need it on two machines. ... install a license for every account on a machine. ... license is to the hardware and not to the user. ...
    (comp.sys.mac.apps)
  • SUS Client Problems
    ... Q317244 MSXML 4.0 patch ... manually to successfully install it. ... but just isn't recognised by the Windows Update site ... to check machines are up to date before deployment). ...
    (microsoft.public.win2000.windows_update)