Packaging Microsoft Patches using Novell Application Launcher

Objective:

  • Target and deliver MS patches using the Novell Application Launcher without elevating user rights.
  • Target patches only to workstations that require the patch.
  • Disable the patch after delivery on the target workstation.

Requirements:

  • Network location to store the Microsoft patches.
  • Workstation Objects should have Read and File Scan file rights or the directory should have PUBLIC as a trustee.
  • Basic understanding of Novell Application objects.

Microsoft releases security patches on the second Tuesday of every month. Information on these patches can be found on the Microsoft TechNet website in the form of security bulletins. Each bulletin contains information about the product affected, download locations, and verification methods, and details any patches that the new release replaces.

Evaluate and Download Patches

Clearly visible at the start of each bulletin is information that you can use to evaluate the importance of the patch and whether or not the patch applies to your environment. If the patch is applicable to the environment, download the patch to V:\Patches\MSxx-xxx, where xx-xxx represents the security bulletin number and V:\ represents a Novell network location. With some patches there may be only one or two downloads; others have many more (MS06-014, for example, actually contained 5 separate downloads for one patch that translated into 7 separate NAL objects).

Creating the MS Patch NAL

After downloading the patch, create a new simple application object.

Name the application object according to the MS Security Bulletin.

Some security bulletins require several NAL objects to accommodate all the affected software. MS06-014, for example, has 7 NAL objects in order to cover the range of affected software and OS platforms. (ZEN 6.5 and ZEN 7 have the ability to create Boolean requirements; with those versions only 5 NAL objects would have been required.)

MS06-014 - MDAC25SP3 - 2KSP4
MS06-014 - MDAC27SP1 - 2KSP4
MS06-014 - MDAC27SP1 - XPSP1
MS06-014 - MDAC28 - 2KSP4
MS06-014 - MDAC28 - XPSP1
MS06-014 - MDAC28SP1 - 2KSP4
MS06-014 - MDAC28SP1 - XPSP2

When you encounter a patch like this, give the NAL object a descriptive name that incorporates the affected software and OS platform (see the examples above).

Use the UNC path to the patch when defining the Path to the executable file. Applications set to run as Secured System User or Unsecured System User run in a separate memory space and user context; as a result, they cannot access the user's mapped network drives.

Add the requirements for the patch. In this case the patch is applicable to Windows XP only, so we define an OS Version requirement of greater than or equal to 5.1 and less than 5.2. We also add a registry requirement that checks for the existence of the patch registry key. If the key does not exist, the patch will be installed; otherwise it will not be installed. This prevents the patch from attempting to install over and over again. The registry key can be found in the MS Security Bulletin in the Security Update Information section.

Note: Please see the Useful Information section at the end of this document for additional registry keys and file version numbers that can be used to refine the requirements of the MS Patch object.
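
The requirement checks described above can be modelled offline to confirm which workstations an object will target before it is associated with anything. This is an added example, not part of the original article and not ZENworks code: the inventory is constructed, the patch key is a placeholder, the 2.81 MDAC prefix is an assumption, and the function names are hypothetical.

```python
import re

# Key\Name paths from the Useful Information section (hive HKEY_LOCAL_MACHINE).
SP_VALUE = r"System\CurrentControlSet\Control\Windows\CSDVersion"
MDAC_VALUE = r"Software\Microsoft\DataAccess\Version"
# Placeholder: take the real key from the bulletin's Security Update Information section.
PATCH_KEY = r"SOFTWARE\<patch registry key from the bulletin>"

# Object "MS06-014 - MDAC28SP1 - XPSP2". Assumption: MDAC 2.8 SP1 reports 2.81.x (see KB 301202).
REQ = {"os_min": "5.1", "os_max": "5.2", "sp": 2, "mdac": (2, 81), "patch_key": PATCH_KEY}

def vtuple(version):
    """'5.1' -> (5, 1): compare versions numerically, never as strings."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def sp_level(csd_version):
    """CSDVersion DWORD keeps the service pack in the high byte: 0x200 -> 2."""
    return csd_version >> 8

def unmet(ws, req):
    """Names of the requirements a workstation fails; [] means the object would run."""
    reg, failed = ws["registry"], []
    if not vtuple(req["os_min"]) <= vtuple(ws["os"]) < vtuple(req["os_max"]):
        failed.append("os_version")
    if sp_level(reg.get(SP_VALUE, 0)) != req["sp"]:
        failed.append("service_pack")
    if vtuple(reg.get(MDAC_VALUE, ""))[:2] != req["mdac"]:
        failed.append("mdac_version")
    if req["patch_key"] in reg:  # key exists -> patch already installed, do not rerun
        failed.append("already_patched")
    return failed

def targets(fleet, req):
    """Workstations that meet every requirement and would receive the patch."""
    return [name for name, ws in fleet.items() if not unmet(ws, req)]

# Constructed inventory for illustration, not data from a real environment.
FLEET = {
    "xp-sp2-new": {"os": "5.1", "registry": {SP_VALUE: 0x200, MDAC_VALUE: "2.81.1117.0"}},
    "xp-sp2-done": {"os": "5.1", "registry": {SP_VALUE: 0x200, MDAC_VALUE: "2.81.1117.0",
                                               PATCH_KEY: ""}},
    "xp-sp1": {"os": "5.1", "registry": {SP_VALUE: 0x100, MDAC_VALUE: "2.80.1022.0"}},
    "w2k-sp4": {"os": "5.0", "registry": {SP_VALUE: 0x400, MDAC_VALUE: "2.81.1117.0"}},
    "srv2003": {"os": "5.2", "registry": {SP_VALUE: 0x100, MDAC_VALUE: "2.80.1022.0"}},
}

if __name__ == "__main__":
    for name, ws in FLEET.items():
        print(f"{name:12} {unmet(ws, REQ) or 'RUN'}")
```

The "xp-sp2-done" entry shows why the registry requirement matters: once the patch key exists, the object no longer qualifies and a force run does not reinstall it.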

Do not associate the patch with anything at this point.

Select the "Display details after creation" option and finish creating the application object.

Modifying NAL object

Identification –> Icon tab:

  • Uncheck the "Disconnectable" checkbox – This will prevent laptops from trying to run the patch when not connected to the network.
  • Check the "Wait on Force Run" checkbox – This will force the patches to install one at a time. The patches use the MSI installer, and only one instance of MSIEXEC can run at a time.
  • Set the force run order to the MS Security Bulletin Number – This will determine the order in which the patches are run.

Identification –> Description tab:

Paste the information from the top of the security bulletin into the description field. This will allow us to quickly identify the patch and version information. If a newer version of the patch executable is released from MS at a later date, the description information should also be updated to reflect the new version number and patch information.

Distribution Options –> Options tab:

The patch should be set to never reboot. This will eliminate the need to reboot after deploying every patch.

In our environment, the user is responsible for rebooting their computer.

Run Options –> Application tab:

Add the appropriate command line parameters to install the patch without a user display and to prevent a reboot.

Additional command line options for an MS patch can be listed by running the patch executable with the /? parameter.

Run Options –> Environment tab:

Set the application object to "Run as unsecured system user".

We use the unsecured system user so that if there is an error with the application object on a user's machine, an error message will be displayed to the user. If the application object is set to run as a secured system user and an error occurs, the user will not be notified. The patch will also remain resident in memory and attempt to run the next time a user logs in.

When the patch object is set to run as a secured system user or unsecured system user, the WORKSTATION OBJECT must have Read and File Scan rights to the patches directory. In this case the patch installs as the workstation, not as the user.

Retiring Patches

Microsoft frequently replaces older patches with new releases. This information can be found in the "Security Update Replacement" line item at the top of the bulletin, or in the "Frequently asked questions (FAQ) related to this security update" section under "What updates does this release replace?"

What updates does this release replace? This security update replaces a prior security update. The security bulletin ID and affected operating systems are listed in the following table.

Bulletin ID: MS04-003
Windows 98: Replaced
Windows 2000: Replaced
Windows XP with Microsoft Data Access Components all versions (except for version 2.8) installed: Not Replaced
Windows XP Service Pack 1 with Microsoft Data Access Components 2.8 installed: Replaced
Windows Server 2003: Not Replaced

Make note of each patch that is being replaced and the platforms on which it is replaced. In this case, the patch MS06-007 replaces MS04-003. Delete any applicable patch executables from the V:\ drive, along with any NAL objects for them.

In this case, most platforms are replaced. There are occasions when only specific OS or particular application version patches are replaced. This is usually the case with IE patches.

Testing the patches
The patches should be tested to ensure proper installation prior to force running the patch against the general user population. The test should include PCs that both do and do not meet the requirements of the patch. While not every configuration can be tested prior to rollout, a reasonable effort should be made to ensure proper functionality of the patch install.

Deploying the patches:
Once the patches have been created and tested, it is time to force run the patches in the user environment. Patches are associated to the root context for each geographic location and can be associated with the user or workstation objects; in either case the patches will run as the workstation.

Useful Information

Listed below are some useful registry keys and file version numbers that can be used to further refine the requirements of the MS Patch Object.

Determine the OS:

Release                          Version
Windows 95 retail, OEM           4.00.950
Windows 95 retail SP1            4.00.950A
OEM Service Release 2            4.00.1111* (4.00.950B)
OEM Service Release 2.1          4.03.1212-1214* (4.00.950B)
OEM Service Release 2.5          4.03.1214* (4.00.950C)
Windows 98 retail, OEM           4.10.1998
Windows 98, Security CD          4.10.1998A
Windows 98 Second Edition        4.10.2222A
Windows 98 SE Security CD        4.10.2222B
Windows Me                       4.90.3000
Windows Me Security CD           4.90.3000A
Windows NT 3.1 Workstation       3.1
Windows NT 3.5 Workstation       3.5
Windows NT 3.51 Workstation      3.51
Windows NT 4.0 Workstation       4.0
Windows 2000 Professional        5.0
Windows XP                       5.1
Windows Server 2003              5.2
Windows XP (x64)                 5.2
Windows Vista                    6.0

Determine service pack level of the OS:

Hive: HKEY_LOCAL_MACHINE
Key: System\CurrentControlSet\Control\Windows
Name: CSDVersion
Type: REG_DWORD
Value: 0x100 SP1
Value: 0x200 SP2
Value: 0x300 SP3
Value: 0x400 SP4
Value: 0x500 SP5
Value: 0x600 SP6

Determine MDAC Version:
(http://support.microsoft.com/kb/301202)

Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\DataAccess
Name: Version
Type: REG_SZ

Determine Version of Internet Explorer
(http://support.microsoft.com/kb/164539)

File Location: C:\Program Files\Internet Explorer\iexplore.exe

- OR -

Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Internet Explorer
Name: Version
Type: REG_SZ

Version           Product
4.40.308          Internet Explorer 1.0 (Plus! for Windows 95)
4.40.520          Internet Explorer 2.0
4.70.1155         Internet Explorer 3.0
4.70.1158         Internet Explorer 3.0 (Windows 95 OSR2)
4.70.1215         Internet Explorer 3.01
4.70.1300         Internet Explorer 3.02 and 3.02a
4.71.544          Internet Explorer 4.0 Platform Preview 1.0 (PP1)
4.71.1008.3       Internet Explorer 4.0 Platform Preview 2.0 (PP2)
4.71.1712.6       Internet Explorer 4.0
4.72.2106.8       Internet Explorer 4.01
4.72.3110.8       Internet Explorer 4.01 Service Pack 1 (Windows 98)
4.72.3612.1713    Internet Explorer 4.01 Service Pack 2
5.00.0518.10      Internet Explorer 5 Developer Preview (Beta 1)
5.00.0910.1309    Internet Explorer 5 Beta (Beta 2)
5.00.2014.0216    Internet Explorer 5
5.00.2314.1003    Internet Explorer 5 (Office 2000)
5.00.2614.3500    Internet Explorer 5 (Windows 98 Second Edition)
5.00.2516.1900    Internet Explorer 5.01 (Windows 2000 Beta 3, build 5.00.2031)
5.00.2919.800     Internet Explorer 5.01 (Windows 2000 RC1, build 5.00.2072)
5.00.2919.3800    Internet Explorer 5.01 (Windows 2000 RC2, build 5.00.2128)
5.00.2919.6307    Internet Explorer 5.01 (Office 2000 SR-1)
5.00.2920.0000    Internet Explorer 5.01 (Windows 2000, build 5.00.2195)
5.00.3103.1000    Internet Explorer 5.01 SP1 (Windows 2000 SP1)
5.00.3105.0106    Internet Explorer 5.01 SP1 (Windows 95/98 and Windows NT 4.0)
5.00.3314.2101    Internet Explorer 5.01 SP2 (Windows 95/98 and Windows NT 4.0)
5.00.3315.1000    Internet Explorer 5.01 SP2 (Windows 2000 SP2)
5.00.3502.1000    Internet Explorer 5.01 SP3 (Windows 2000 SP3 only)
5.00.3700.1000    Internet Explorer 5.01 SP4 (Windows 2000 SP4 only)
5.50.3825.1300    Internet Explorer 5.5 Developer Preview (Beta)
5.50.4030.2400    Internet Explorer 5.5 & Internet Tools Beta
5.50.4134.0100    Internet Explorer 5.5 for Windows Me (4.90.3000)
5.50.4134.0600    Internet Explorer 5.5
5.50.4308.2900    Internet Explorer 5.5 Advanced Security Privacy Beta
5.50.4522.1800    Internet Explorer 5.5 Service Pack 1
5.50.4807.2300    Internet Explorer 5.5 Service Pack 2
6.00.2462.0000    Internet Explorer 6 Public Preview (Beta)
6.00.2479.0006    Internet Explorer 6 Public Preview (Beta) Refresh
6.00.2600.0000    Internet Explorer 6 (Windows XP)
6.00.2800.1106    Internet Explorer 6 Service Pack 1 (Windows XP SP1)
6.00.2900.2180    Internet Explorer 6 for Windows XP SP2
6.00.3663.0000    Internet Explorer 6 for Microsoft Windows Server 2003 RC1
6.00.3718.0000    Internet Explorer 6 for Windows Server 2003 RC2
6.00.3790.0000    Internet Explorer 6 for Windows Server 2003 (released)

Determine Version of Windows Media Player
(http://support.microsoft.com/kb/190990)

File Location: C:\Program Files\Windows Media Player\wmplayer.exe

Version number    Version of Windows Media Player (WMP)
5.1.51.421        WMP 5.2 Beta
5.1.52.701        WMP 5.2
6.02.902          WMP 6.0
6.1.5.130         WMP 6.0 Internet Explorer 5 RC0 Beta
6.1.7.217         WMP 6.0
6.2.5.410         WMP 6.2 Beta
6.4.5.809         WMP 6.4
6.4.6.*           WMP 6.4 for Windows 2000 Betas
6.4.7.1028        WMP 6.4 with multi-bit rate (MBR) updates for Internet Explorer
6.4.7.1112        WMP 6.4 with MBR updates (minor error messaging updates from 6.4.7.1028)
6.4.9.*           WMP 6.4 for Windows 2000 only
7.0.0.1954        WMP 7
7.0.0.1958        WMP 7 Update
7.0.0.1956        WMP 7 with Setup updates
7.0.0.1440        WMP 7 for Windows Millennium Edition (Me)
7.01.00.3055      WMP 7.1
8.00.00.4477      WMP 8 for Windows XP
9.00.00.2980      WMP 9 Series for Windows XP, Windows 98 Second Edition, Windows Me, and Windows 2000
9.00.00.2991      WMP 9 Series for Windows Server 2003
10.00.00.3646     WMP 10

Check for Microsoft .NET Framework Install

Microsoft .NET v1.1 Registry Key
Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\.NETFramework\Policy\v1.1

Microsoft .NET v2.0 Registry Key
Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\.NETFramework\Policy\v2.0
