FARONICS DEEP FREEZE ENTERPRISE - PATCH MANAGEMENT 6-26-2009 Manual

Summary of DEEP FREEZE ENTERPRISE - PATCH MANAGEMENT 6-26-2009

  • Page 1

    Technical Whitepaper. Last modified: June 26, 2009. www.faronics.com © 1999 - 2009 Faronics Corporation. All rights reserved. Faronics, Deep Freeze, Faronics Core Console, Faronics Anti-Executable, Faronics Device Filter, Faronics Power Save, Faronics Insight, Faronics System Profiler, and WINSelect a...

  • Page 2

    Contents
    Introduction, page 3
    Scheduled Patch Maintenance ...

  • Page 3

    Introduction
    A major concern for all systems administrators is maintaining the security of their computers. With new exploits and vulnerabilities being found all the time, a proper patch management strategy is critical to ensure the health and security of computer deployment. Deep Freez...

  • Page 4

    Scheduling Windows Updates in a Deep Freeze Maintenance Period
    The first method involves setting up a maintenance period using the Deep Freeze Configuration Administrator. An option is selected so Deep Freeze will run Windows updates after the computer goes into maintenance mode. Complete the f...

  • Page 5

    If there is an SUS or WSUS server, this can be specified using the following steps:
    1. Click the Maintenance tab.
    2. Check Use SUS/WSUS Server and enter the IP address or fully qualified domain name of the server.
    The screen should look similar to the following: The client computer with...

  • Page 6

      • Reschedule Automatic Updates scheduled installations: Disabled
      • No auto-restart for scheduled Automatic Updates installations: Disabled
    This policy will ensure that Windows updates are installed during the maintenance period and that any updates that are downloaded (but not installed...

  • Page 7

    Scheduling Antivirus Updates
    There are several different methods available to run antivirus updates depending on the antivirus solutions being used. The following are links to white papers for several of the most common solutions. These white papers explain several methods that can be use...

  • Page 8

    Logon Patch Maintenance
    This option allows the administrator to install updates to the client computer when a certain user logs on. In an Active Directory environment, a logon script can be executed to update the client computer. Using Deep Freeze Command Line Control (DFC), Deep Freeze c...

  • Page 9

    Because the computer boots several times, the script needs to check a value to see what phase of the script is currently running. Because the computer will be frozen at times, a value cannot be stored in the frozen partition. This means the value must be stored either on the network or ...

  • Page 10

    3. Enter the following text to create the main routine:
        ' ********** Main **********
        ' Calls all of the other routines...
        If UpdateRunning = True Then
            RunPatch
            RemoveMarker
            BootFrozen
        Else
            If UpdateComplete = False Then
                If UserPatchPrompt = True Then
                    InsertMarker
                    If Frozen = True Then ...

  • Page 11

    5. Enter the following text to create the UpdateComplete function:
        ' ********** Update Complete? **********
        ' Checks for completed marker file. If it exists, the update has already run.
        Function UpdateComplete
            Set objFS = CreateObject("Scripting.FileSystemObject")
            Set objFolder = objFS...

  • Page 12

    7. Enter the following text to create the RunPatch routine:
        ' ********** Run Patch **********
        ' The code to run the patches would occur here.
        Sub RunPatch
            ' Enter code to execute the patch(es)
            MsgBox "patch has been applied"
            InsertCompleteMarker
        End Sub
    The RunPatch routine is used to ...

  • Page 13

    10. Enter the following text to create the BootThawed routine:
        ' ********** Boot Thawed **********
        Sub BootThawed
            Set objShell = CreateObject("WScript.Shell")
            objShell.Run("dfc password /bootthawed")
        End Sub
    The BootThawed routine is used to set computers in a thawed state. The passwor...

  • Page 14

    14. Enter the following text to clean up the script objects:
        ' ********** Cleanup **********
        Set objNet = Nothing
        Set objFile = Nothing
        Set objRE = Nothing
        Set objFolder = Nothing
        Set objTS = Nothing
        Set objFS = Nothing
        Set objTextFile = Nothing
        Set objFSO = Nothing
    This code cleans up ...

  • Page 15

    Creating the Group Policy
    Before the policies are created, ensure the server has been updated to use the Group Policy Management Console. The following documentation assumes this patch has been downloaded and installed on the server. The utility can be found by searching Microsoft’s web s...

  • Page 16

    Modifying the Group Policy
    Now that the GPO has been created, it needs to be modified. In this case, the user logon script is modified using the following steps:
    1. Right-click on dflogonpatchmanagement and select Edit. The Group Policy Object Editor opens.
    2. Browse to the logon/logoff s...

  • Page 17

    Real Time Patch Maintenance
    This method involves patching a computer in real time. It is best used when the computers are not in use. Sometimes a patch needs to be manually applied to a group of computers and scheduling the task may not be an option. This method involves disabling Deep Fr...

  • Page 18

    Appendix A: Deep Freeze and SUS/WSUS FAQ
    Does the Run Windows Updates feature require an administrator to be logged into the computer?
    The feature works while any type of user is logged in, or if the computer isn’t logged in at all. It uses the Windows Update service running under the local ...

  • Page 19

    Appendix B: Deep Freeze Update Script
    The entire script explained in the Logon Patch Maintenance section has been included here. It can be downloaded from the following address: http://www.faronics.com/faronics/documents/dfent_adupdatescript.zip
        ' ******************************************...

  • Page 20

            End If
        End If
        ' ********** Update Running? **********
        ' Check for marker file. If exists, the update is running. Return True.
        Function UpdateRunning
            Set objFS = CreateObject("Scripting.FileSystemObject")
            Set objFolder = objFS.GetFolder(strUNCPath)
            Set objRE = New RegExp
            objRE.Pattern =...

  • Page 21

        ' ********** Run Patch **********
        ' The code to run the patches would occur here.
        Sub RunPatch
            ' Enter code to execute the patch(es)
            ' The next two lines would run a program by the name of update.exe
            ' Set objShell = CreateObject("WScript.Shell")
            ' objShell.Run("update.exe")
            MsgBox "pa...

  • Page 22

        ' ********** Remove Marker **********
        ' Remove the marker file to indicate the patch is complete
        Sub RemoveMarker
            Set objFSO = CreateObject("Scripting.FileSystemObject")
            objFSO.DeleteFile(strUNCPath & strMarkerFile)
        End Sub
        ' ********** Insert Update Complete Marker **********
        ' This i...

  • Page 23

    Appendix C: Common Update Scenarios
    The following section presents some update scenarios and possible solutions to these scenarios.
    Scenario 1: Updating Clients in a Dynamic Update Environment
    Requirement: The policy in the organization is to update the computers as soon as possible with the lates...