MSI Patching with SMS

Recently I was working on a rather frustrating and somewhat boring project that involved getting the latest Office patches to 12,000 machines. You’d think with SMS, ORK and MBSA that this would be easy, but I found I actually had a lot of work ahead of me.

This will be a very long post if I go into great detail so I’m going to try to stay high level. The design I finally settled on works like this:

1) An MBSA OfficeScan occurs where a machine is scanned for Office vulnerabilities. The data is placed into WMI and replicates up through SMS as discovery data.

2) A collection of machines is automatically refreshed based on a WQL query that says I want resources where one of these products is installed and one of these patches is applicable.

3) An advertisement for the machines in that collection runs a custom application I wrote called PatchManager.

4) PatchManager begins by triggering the SMS MSI Source agent. If a local DP has the source bits of an installed product code, MSI adds it to the list of available sources.

5) PatchManager then queries the SMS site database to find out if any other distribution points serve as a remote DP for the subnet the client is located on. If one is found, it is checked to see if the source files are on it, and if so, WindowsInstaller is called to add that location as a source location.

6) Next we manually fire an MBSA Office Scan to make sure we have the most current data in WMI.

7) Now we start walking through an INI file looking to see if patches are needed. For each patch we query WMI to see if the patch is needed. If so, we call MSIEXEC to install the patch. If the patch needs source files it goes out to the DPs to get them.

8) After each patch is applied we do another MBSA Office scan to get new data in WMI. This is because Microsoft annoyingly doesn't report patches as applicable until prerequisite patches are applied.

Eventually all the patches are applied. The next night the process starts all over again. Because no patches are applicable the machine falls out of the collection and doesn’t receive the advertisement again until a new patch is added to the patch manager.
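
The loop in steps 6 to 8, sketched as an added example (this is not PatchManager's code): it shows why the rescan after each install matters when a patch is only reported as applicable once its prerequisite is on the machine. The INI layout, the patch names, and the `FakeMachine` class that stands in for the MBSA scan, the WMI query and the MSIEXEC call are all assumptions made for illustration.

```python
import configparser

# Constructed sample; the INI layout and patch names are assumptions.
SAMPLE_INI = """
[PATCH-A]
file = patch-a.msp
[PATCH-B]
file = patch-b.msp
[PATCH-C]
file = patch-c.msp
"""

class FakeMachine:
    """Hypothetical client: scan() stands in for the MBSA Office scan plus
    WMI query, install() for the MSIEXEC call."""
    def __init__(self, missing, prereqs):
        self.missing = set(missing)
        self.prereqs = prereqs          # patch -> patch it depends on
        self.scans = 0

    def scan(self):
        self.scans += 1
        # Reported applicable only once the prerequisite is no longer missing.
        return {p for p in self.missing
                if self.prereqs.get(p) not in self.missing}

    def install(self, patch):
        self.missing.discard(patch)

def run_patch_pass(ini_text, machine, rescan_after_each=True):
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    applicable = machine.scan()         # step 6: fresh scan before starting
    installed = []
    for patch in cfg.sections():        # step 7: walk the INI in file order
        if patch in applicable:
            machine.install(patch)
            installed.append(patch)
            if rescan_after_each:       # step 8: refresh applicability
                applicable = machine.scan()
    return installed

if __name__ == "__main__":
    chain = {"PATCH-B": "PATCH-A", "PATCH-C": "PATCH-B"}
    for rescan in (True, False):
        m = FakeMachine(chain.keys() | {"PATCH-A"}, chain)
        print(rescan, run_patch_pass(SAMPLE_INI, m, rescan), sorted(m.missing))
```

With the rescan, the three chained patches go on in a single pass; without it, only the first is installed and the rest wait for later runs, one per night.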