Using psexec to patch machines manually

We all want to patch every computer easily, using SMS. We can't always do that, though. Some PCs have products that need patches but aren't supported by ITMU, and we don't want to use SUSFP for a few machines. Other PCs may have client health issues or other problems. It'd be nice to get these machines patched right away and go back to cure any problems later.

There are many possible variations on the procedure details. The basic idea, if you're not familiar with psexec, is that it lets you run a command or program on a remote PC as though it were being run from a command prompt on that PC. We identified PCs that needed manual patching from Bindview scans, which serve as a cross-check on the SMS process. We could also use SMS reports of patch failures, machines with client health issues, and products that aren't supported by ITMU to identify such machines.

 
Simple version, assuming a single PC:
  • Download the required patch from the MS Bulletin, for the particular product (Office 2000, etc).
  • Open a command window, using an account that has admin rights on the target computer.
  • Run command:
    psexec -c \\computername <path>KB123456.exe /quiet /norestart /overwriteoem
  • Substitute the path and filename of the patch, and the proper command line switches for a silent install with no reboot, so you can run this during the day when the most machines are available.
  • Switch -c says to copy the file to the machine. If doing multiple machines, as in the following steps, also use -d so it doesn't wait for the program to complete. If doing just a few, I like to omit the -d so I can see the return code from each.
When I have to update many machines at once, what I like to do is:
  • Download the appropriate updates that I'm going to patch manually from the MS Bulletins into folders organized however you prefer (bulletin, product, etc). Bulletin works best for me, but it's not critical.
  • Prepare lists of machines that need each update, preferably in a spreadsheet to allow easy manipulation.
  • Repeat the following steps for each patch. Don't do multiple patches at once, because some PCs may need more than one. Trying to run two patches simultaneously causes problems.
  • Within each update sort the list of machines by products that use different patch executables.
  • Open multiple command prompt windows using your admin account. On my PC I've found I can do ten at once without problems. I probably could do more, but that's generally adequate.
  • Create one text file for each command window, dividing the computers between these equally. Each text file is simply a list of computer names, one per line. If you have machines with different products that all need a particular update (such as Office 2000, Office XP, Office 2003), separate them so each text file has one product. The important part is that all machines in one list get one patch binary. I name them list1.txt, list2.txt, etc and put them all in the root of my PC to make the command line simple.
  • Prepare the basic commands in Notepad:
    cd <path to patch files>
    for /f %i in (c:\list1.txt) do psexec -c -d \\%i KB123456.exe /quiet /norestart /overwriteoem
  • Copy the CD command, paste into each window and press Enter
  • Copy the second command, paste into the first window, press Enter
  • Edit the second command in Notepad to list2.txt. Change the patch file if appropriate for different products.
  • Copy and paste into the second window and execute.
  • Repeat for each. If some lists use different patches, update the command as appropriate.
This gives you ten (or however many) sets of computers having the patch applied in parallel. Each window has enough delay built in that this didn't overload either my PC or our network. After all machines in the first set of windows complete, go on to the next update.
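The multi-window procedure above, written out as one batch file. This is an added example, not the author's own script. Run it with the patch folder, the patch executable and the list files, and it opens one window per list, each running the for loop over that list. It differs from the interactive commands above in three ways worth knowing: inside a .cmd file the for variable must be written %%i rather than %i; it omits -d, so psexec returns each installer's exit code and the script can log it per machine; and it treats exit code 3010 (Windows Installer's "success, reboot required") as a success that the reboot step later has to pick up. KB123456.exe, c:\patches and the list file names are placeholders carried over from the post.

```batch
@echo off
REM patchlist.cmd  (added example; not the original post's script)
REM Launcher:  patchlist.cmd c:\patches KB123456.exe c:\list1.txt c:\list2.txt ...
REM            opens one window per list file, each running this script as a worker.
REM Worker:    patchlist.cmd /worker c:\patches KB123456.exe c:\list1.txt
REM            patches every machine in the list and logs each machine's exit code.
REM c:\patches, KB123456.exe and the list names are placeholders.
setlocal EnableDelayedExpansion

if /i "%~1"=="/worker" goto :worker

if "%~3"=="" (
    echo Usage: %~nx0 patchdir patch.exe list1.txt [list2.txt ...]
    exit /b 1
)
set "PATCHDIR=%~1"
set "PATCHEXE=%~2"
shift
shift
:launch
if "%~1"=="" goto :eof
REM One window per list; /k keeps the window open so the results stay visible.
start "%~n1" cmd /s /k ""%~f0" /worker "%PATCHDIR%" "%PATCHEXE%" "%~1""
shift
goto :launch

:worker
set "PATCHDIR=%~2"
set "PATCHEXE=%~3"
set "LISTFILE=%~4"
set "LOGFILE=%~dpn4_results.txt"
cd /d "%PATCHDIR%" || exit /b 1
echo Started %DATE% %TIME% patch=%PATCHEXE% > "%LOGFILE%"
REM eol=# lets you comment a machine out of the list; delims= keeps the whole line as %%i.
for /f "usebackq eol=# delims=" %%i in ("%LISTFILE%") do (
    REM -c copies the patch to the target; no -d, so psexec returns the installer's exit code.
    psexec -c \\%%i "%PATCHEXE%" /quiet /norestart /overwriteoem
    set "RC=!ERRORLEVEL!"
    REM Keep a space before >> : "rc=1>>" would be parsed as a handle redirection.
    if "!RC!"=="0" (
        echo %%i OK >> "%LOGFILE%"
    ) else if "!RC!"=="3010" (
        echo %%i OK reboot required >> "%LOGFILE%"
    ) else (
        echo %%i FAILED rc=!RC! >> "%LOGFILE%"
    )
)
echo Finished %DATE% %TIME% >> "%LOGFILE%"
exit /b 0
```

The per-list log (list1_results.txt written next to list1.txt) is what you check before moving on to the next update: anything marked FAILED goes back into a list for another pass, and the "OK reboot required" lines are the machines the reboot step below still has to deal with.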
 
Then you have to get them to reboot. In our company, the vast majority of users rebooted daily, so they weren't an issue. We used a dynamic collection of machines that required a reboot to identify the ones that remained. I ran a reboot command against the ones with no user logged on at midnight, since that avoided disruption, then wrote to the remaining ones.
 
Published Sunday, June 03, 2007 6:05 PM by spruitt

Comments

# myITforum Daily Newsletter; June 4, 2007

Monday, June 04, 2007 8:04 AM by myITforum Newsletters

myITforum Daily Newsletter Daily Newsletter June 4, 2007 The myITforum.com newsletter is delivered Monday

# re: Using psexec to patch machines manually

Monday, June 04, 2007 1:20 PM by Kaplaa

Although I am a big fan of the FOR command, this is most easily done with the free front end for psexec, EZ-Execute, which I first heard about on MyITforum.  

www.penguinbyte.com/.../ezexecute

Alan

# Adminspotting.net » Admintagging for June 04, 2007

Monday, June 04, 2007 10:01 PM by Adminspotting.net » Admintagging for June 04, 2007

Pingback from Adminspotting.net » Admintagging for June 04, 2007

# Using PSExec to Remotely Patch Machines

Friday, June 08, 2007 12:41 AM by Realtime Community | Windows Server

Steve Pruitt over at MyITForum puts to paper a process I've been advocating for a long time -- the idea that you don't necessarily need a fancy and expensive system to partially automate the patching process. Steve's article discusses how to use the free
