Given the various worms, viruses, and exploits that target Microsoft Office components, keeping Office patched is almost as important as patching Windows is to your network's security. Together, Microsoft Baseline Security Analyzer (MBSA) and Windows Server Update Services (WSUS) do a good job of automating the process of managing Windows patches, but MBSA can scan only the local computer for missing Office patches.
Microsoft's Office Update Inventory Tool 2.1 gives you a way to scan your entire network for missing Office 2000 Service Release 1a (SR-1a) and later patches. This free tool can generate a report of missing Office updates for a group of computers. Although each computer must execute the tool locally, the inventory tool, unlike MBSA, can consolidate the scan results of all your computers into one actionable report.
Office Update Inventory Tool
The Office Update Inventory Tool comprises two executables: inventory.exe and convert.exe. Inventory.exe scans the local computer for Office applications and determines which applications are present, what updates are applicable to each application, and which of those updates have been installed. The Inventory component then creates a log file containing this information, names the file after the computer, and stores it in the specified output folder.
After running inventory.exe on each computer and directing all the log files to the same folder on the network, you run convert.exe once. Convert.exe collects all the log files and produces a consolidated report, which you can then use to asses the patch status of Office on your network.
How do you get the inventory tool to run on all computers on your network without logging on to each system and manually running the tool? Your options depend on the size of your network and how cooperative your users are. If you can depend on your users to cooperate, you can simply email everyone a link to the inventory tool. But for most networks, you'll want to automate the inventory process.
Obtaining an Inventory
To automate the Office Update Inventory Tool, you can include it in a startup or logon script that you configure through Group Policy. (To configure a startup or logon script, open any Group Policy Object—GPO—and navigate to Computer Configuration\Windows Settings\Scripts (Startup/Shutdown) or User Configuration\Windows Settings\Scripts (Logon/Logoff), respectively.) Alternatively, you can create a scheduled task. All three options have advantages. I like startup scripts because they run under the authority of the local system, so there's no question about whether the inventory program will be able to complete. However, startup scripts execute only when the computer reboots, and most servers—and even many workstations—don't reboot regularly.
Logon scripts run each time the user logs on, but they run under the authority of the current user, who might not have the authority to run the inventory tool depending on how you configure security on workstations. Additionally, most servers can go for long periods without someone logging on at the console, which could delay scanning for or deploying important security patches.
I prefer the scheduled task approach because you can control when the task is executed and specify an account that has sufficient authority to install software. The Schtasks utility lets you create a scheduled task on remote systems from the command line. However, Schtasks isn't available under Windows 2000—if you run Win2K, you'll need to use the At command instead.
Step 1: Install the Office Update Inventory Tool
First, you need to download and install the Office Update Inventory Tool.
- Create a shared folder to hold the inventory tool. I'll call the folder \\mtg1\oinventory.
- Download invcm.exe and invcif.exe, the two self-extracting executables that make up the inventory tool, from http://www.microsoft.com/office/orkarchive/2003ddl.htm.
- Run invcm.exe. When prompted, specify \\mtg1\oinventory as the location for extracting the files. After running invcm.exe, you'll find the inventory tool's executables (convert.exe, inventory.exe, and oudetect.dll) in \\mtg1\oinventory.
- Run invcif.exe and direct it to extract its files to \\mtg1\oinventory. In oinventory, you'll see a new subfolder called cifs and a few new files, which constitute the database of all available Office updates. Whenever Microsoft releases an update for Office, the company also releases a new version of invcif.exe. Note that the database doesn't include the actual updates—it just contains identity information that lets the inventory tool detect whether an update has been installed on the computer that's being scanned.
- Create a subfolder in \\mtg1\oinventory called invout. We'll direct the inventory tool to use this folder for outputting its log files.
Step 2: Scan Your Domain
To scan a single computer, you can now simply log on to the computer and run the following command from the Run dialog box or a command-shell window:
\\mtg1\oinventory\inventory.exe
/s \\mtg1\oinventory\cifs /o \\mtg1\oinventory\invout
You must type this command—and others provided in this article—all on one line.
To schedule a scan of a computer, you'd use the Schtasks command. For example, to schedule \\wkstn11 to run the inventory tool once at midnight on April 3, 2005, under the authority of an account named batchwork whose password is ksdkui#, you'd enter
schtasks /create
/tn "Office Update Scan"
/tr"\\mtg1\oinventory\inventory.exe
/s \\mtg1\oinventory\cifs /o \mtg1\oinventory\invout"
/sc once /st 00:00:00
/sd 04/03/2005 /s wkstn11
/u batchwork /p "ksdkui#"
Schtasks can create a task on only one computer at a time, but you can use the For command to call Schtasks once for each computer in your domain. Here's how.
- First you need a file that lists all the computers in your domain. GetListOfComputers.vbs, which Listing 1 shows, outputs the name of each computer in your domain. To download GetListOfComputers.vbs, go to http://www.windowsitpro.com, enter 46623 in the InstantDoc ID text box, and click the 46623.zip link.
- Run the command
cscript GetListOfComputers.vbs
//nologo > computers.txt
to produce a file called computers.txt that contains the name of every computer in your domain.
- Now, use the For command to read the list and call Schtasks for each computer. The command
for /f %x in (computers.txt)
do schtasks /create
/tn "Office inventory"
/tr "\\mtg1\oinventory\inventory.exe
/s \\mtg1\oinventory\cifs /o \\mtg1\oinventory\invout"
/sc once /st 00:00:00
/sd 08/03/2005 /s %x
/u batchwork /p "ksdkui#"
calls Schtasks once (/sc once) at midnight (/st 00:00:00) on August 3, 2005 (/sd 08/03/2005), for each computer listed in computers.txt. The /s switch specifies the computer on which Schtasks is called, and %x is the current computer name from the computers.txt file. The command runs under the user profile batchwork (/u batchwork) and uses the password ksdkui# (/p "ksdkui#").
For Win2K, you need to use the At command instead, as I mentioned earlier:
for /f %x in (computers.txt)
do at \\%x 00:00
/next:8/3/2005
"\\mtg1\oinventory\inventory.exe
/s \\mtg1\oinventory\cifs /o \\mtg1\oinventory\invout"
Step 3: Consolidate the Log Files
Run convert.exe manually to consolidate all the individual log files into one .xml file that you can analyze within Microsoft Excel. The command
\\mtg1\oinventory\convert
/d \\mtg1\oinventory\invout
/o \\mtg1\oinventory\results.xml
/xml \\mtg1\oinventory\patchdata.xml
consolidates the log files into a file named results.xml.
Previous
)
)
Register
This may not be the best way to distribute software, but it does have its uses.
You can create the task on one machine then copy from \\sourceserver\admin$\tasks\taskname.job to all the other machines. I suggest using the For command as in
FOr /F %i in ('net view') Do copy \\sourceserver\admin$\tasks\taskname.job %i\admin$\tasks
Be sure to also copy any files that might be needed locally.
ilwinguru July 27, 2005 (Article Rating: