Step 4: Determine Which Updates Need to Be Installed
After convert.exe is finished, open results.xml in Excel. For each computer, convert.exe reports every applicable Office update that isn't already installed as well as each update that's been installed or has expired.
We're interested only in unexpired updates that haven't been installed. Click the EXPIRED6 column heading and select False. This filter immediately shortens the list to show just the updates that need to be installed for each computer.
Hide all columns except NAME, NAME3, PATCHID4, URL5, EXPIRED6, and BASELINEREQUIRED. Now, as Figure 1 shows, you have a workable list of the Office updates that are missing on your network. The NAME column specifies the computer name. NAME3 and PATCHID4 are the friendly and short names, respectively, of the update that the computer lacks. The BASELINEREQUIRED column specifies the prerequisite update, if any, that must be installed before you install the update in question. This column is informational only; WSUS makes sure that updates are applied in the correct order. (If you can't use WSUS to deploy updates, you can use OHotFix; see the sidebar "Using OHotFix When WSUS Isn't an Option" for instructions.) Sort on the PATCHID4 column to see a list of the updates that you need to install.
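An added example (not from the original article): the same filter and sort done in a script, assuming results.xml has been opened in Excel and saved as CSV with the column names listed above. The computer names, patch IDs, and URLs in the sample are constructed.

```python
import csv
import io

# Constructed sample: results.xml opened in Excel and saved as CSV.
# Computer names, patch IDs and URLs are made up; Excel writes booleans as TRUE/FALSE.
SAMPLE_CSV = """\
NAME,NAME3,PATCHID4,URL5,EXPIRED6,BASELINEREQUIRED
PC-ACCT01,Sample Outlook update,PATCH-A,http://example.invalid/a,FALSE,BASE-1
PC-ACCT01,Sample Word update,PATCH-B,http://example.invalid/b,TRUE,
PC-ACCT02,Sample Outlook update,PATCH-A,http://example.invalid/a,False,BASE-1
PC-ACCT02,Sample Excel update,PATCH-C,http://example.invalid/c,FALSE,
pc-lab07,Sample Excel update,PATCH-C,http://example.invalid/c,FALSE,
PC-LAB07,Sample Excel update,PATCH-C,http://example.invalid/c,FALSE,
"""

COLUMNS = ("NAME", "NAME3", "PATCHID4", "URL5", "EXPIRED6", "BASELINEREQUIRED")


def missing_updates(csv_text):
    """Group rows with EXPIRED6 = False by PATCHID4, as the Excel filter and sort do."""
    reader = csv.DictReader(io.StringIO(csv_text))
    absent = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if absent:
        raise ValueError(f"export is missing columns: {absent}")
    report = {}
    for row in reader:
        if (row["EXPIRED6"] or "").strip().lower() != "false":
            continue  # same filter as selecting False in the EXPIRED6 column
        entry = report.setdefault(row["PATCHID4"].strip(), {
            "title": row["NAME3"].strip(),
            "url": row["URL5"].strip(),
            "baseline": (row["BASELINEREQUIRED"] or "").strip(),
            "computers": set(),
        })
        # Computer names are case-insensitive, so normalise before de-duplicating.
        entry["computers"].add(row["NAME"].strip().upper())
    return report


def computers_by_gap(report):
    """Rank computers by how many unexpired updates they still lack."""
    counts = {}
    for entry in report.values():
        for name in entry["computers"]:
            counts[name] = counts.get(name, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    report = missing_updates(SAMPLE_CSV)
    for patch_id in sorted(report):
        e = report[patch_id]
        print(patch_id, e["title"], "baseline:", e["baseline"] or "-", sorted(e["computers"]))
    print(computers_by_gap(report))
```

Running the same script against the before- and after-update exports gives a per-computer count that can be compared directly.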
Tips
Using Schtasks is a good way to create a recurring task that runs the inventory tool regularly (every day and at system start-up, for example). Another benefit of executing inventory.exe regularly is that you can run convert.exe at any time and get a good picture of the status of Office updates on your network.
When you add new systems, be sure you create the scheduled task on those systems so that you don't begin to accumulate computers that never update Office. If the scheduled task doesn't run correctly, use the Task Scheduler log file (%systemroot%\SchedLgU.txt) to help diagnose the problem. The most common problems are a bad username or password or an account that lacks the Log on as a batch job right (SeBatchLogonRight) or that doesn't have sufficient permissions (e.g., Power User, Administrator) to install updates.
Finally, make sure you keep the inventory up-to-date so that the scheduled task looks for all applicable updates. To update the inventory manually at any time, simply run
\\mtg1\oinventory\inventory /update \\mtg1\oinventory
The /update switch causes inventory.exe to download the latest version of invcif.exe.
Take Charge of Updates
Most computers also house common third-party applications (e.g., WinZip, Adobe Systems products) that you need to keep patched. If a software vendor offers updates for its products in .msi format, chances are you can automatically deploy those updates through Group Policy's Software Installation feature. But the only tools that can help you deploy patches that aren't available in .msi format are Microsoft Systems Management Server (SMS) or Independent Software Vendor (ISV) patch management products such as those from St. Bernard Software or Shavlik Technologies.
The Office Update Inventory Tool can help you get a handle on Office security holes on your network if you're willing to do a bit of simple scripting. Running before- and after-update inventory reports lets you show management your progress and verify that your scheduled tasks have successfully updated Office throughout your network.
Using OHotFix When WSUS Isn't an Option
If you can't use Windows Server Update Services (WSUS) to update your systems, perhaps because of unavailable server capacity or some other reason, you can use Microsoft's free OHotFix tool to deploy Office updates automatically. You can use OHotFix independently of the Office Update Inventory Tool. You place OHotFix in a shared folder on your network. To the same folder, you download Office updates for any combination of Office applications and versions. Then, when you execute OHotFix, it scans the local computer and installs all the updates you placed in its folder that are applicable to the local computer. Here's how to set up OHotFix.
- Create a shared folder on your network. We'll call the folder \\mtg1\ohotfix. Make sure that the Domain Computers group has Read and Execute access to the folder.
- Download offinst.exe, the OHotFix installation, from http://www.microsoft.com/office/orkarchive/XPddl.htm.
- Run offinst.exe. When it asks you for a folder, point it to \\mtg1\ohotfix. Offinst.exe installs the three files that make up OHotFix (ohotfix.exe, ohotfixr.dll, and ohotfix.ini) to that folder.
- Download appropriate Office updates, which initially come in the form of .exe files. You can access the update libraries for Office 2003, Office XP, and Office 2000 from the Office Admin Update Center (http://office.microsoft.com/en-us/FX011511561033.aspx). To download an update that you want to install with OHotFix, run the update from the command line with the parameters /c /t:target folder. (If you run the update without the parameters, it will assume you want to update only the local system.) For example, to download the March 8, 2005, update for the Outlook 2003 Junk Email Filter (office2003-kb892236-fullfile-enu.exe), open a command-shell window and type
office2003-kb892236-fullfile-enu.exe /c /t:\\mtg1\ohotfix
This command extracts the actual update for the Junk Email Filter (outlfltr.msp) to the \\mtg1\ohotfix folder.
- After extracting the .msp files from all the Office updates you need to install, execute OHotFix from the target computer. The program will install from the shared folder only the .msp files that are applicable to the local computer. You could use the For command, the Schtasks utility, and the computers.txt file as I explain in "Scan Your Network for Missing Office Updates" to create a scheduled task on each computer that needs to install the latest Office updates.
Unless you have hundreds of computers, I wouldn't worry about them all accessing the OHotFix folder at the same time; the Windows server will serve the OHotFix-related files to all your computers out of cache. Of course, some computers might be down when their scheduled task is supposed to run or at the time OHotFix is scheduled to kick off. If you run the Office Update Inventory Tool, you'll be able to identify such computers because they'll be missing Office updates.
This may not be the best way to distribute software, but it does have its uses.
You can create the task on one machine then copy from \\sourceserver\admin$\tasks\taskname.job to all the other machines. I suggest using the For command as in
for /F %i in ('net view') do copy \\sourceserver\admin$\tasks\taskname.job %i\admin$\tasks
Be sure to also copy any files that might be needed locally.
ilwinguru July 27, 2005