Patch Management in isolated environment SMS 2003

When you don't have an Internet connection, going through all the patches by hand can be a real pain. To make the process as hassle-free as in a connected environment, where you just hit the "download patches for me" button, I tried to create a virtual root in IIS and "cheat" by putting the patches on a local drive and adding "windowsupdate.com" to the hosts file.

The surprise was that Windows 2003 Server protects the hosts file by simply ignoring the "windowsupdate.com" domain there, so I had to go with a DNS zone instead.

I created a fully automated script which asks for the file share where you want to store your local copy of the required updates, then creates the Web site, the DNS zone, a supplemental database and a SQL job. The scenario looks like this:

1. The standard ITMU scanner detects missing updates; if an update is not in the "cache" and is applicable to at least one client computer, it adds the full download path to the download.lst file, which is located in the same folder as the patches.

2. A technician takes this file (I plan to send its content by e-mail as well) and downloads all the patches listed in it.

3. The technician brings them back and copies them into the storage folder.

4. The SMS engineer runs the regular "Distribute Software Updates" wizard, approves the updates and "downloads" them from the local IIS, with no need to import them file by file!

5. Clients get the new patches.
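The following is an added example, not the attached script or any code from the original post, that models the bookkeeping behind steps 1 and 3: it reads a download.lst, maps each download URL onto the path it must occupy under the patch store (so the IIS virtual root serves the same URL the client asks for), works out which patches still have to be carried across the gap, and verifies the files the technician brings back against a SHA-256 manifest. Python, the store layout mirroring the URL path, the `#` comment convention in download.lst and the manifest format (`<sha256>  <relative path>` per line) are all assumptions of this example; the ITMU scanner writes plain URLs and nothing on the page describes a manifest.

```python
# Added example (not part of the original post or the attached script):
# helpers for the disconnected-patch workflow. The manifest format and the
# mirrored store layout are assumptions of this example.
import hashlib
import os
from urllib.parse import urlparse

# Constructed sample download.lst content; the URLs are illustrative, not real updates.
SAMPLE_DOWNLOAD_LST = """\
# written by the ITMU scan; one full download URL per line
http://download.windowsupdate.com/msdownload/update/v3/cabpool/example-kb000001-x86.exe
http://download.windowsupdate.com/msdownload/update/v3/cabpool/example-kb000002-x86.exe
"""


def parse_download_lst(text):
    """Return the download URLs listed in download.lst, skipping blanks and comments."""
    urls = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            urls.append(line)
    return urls


def relative_store_path(url):
    """Map a download URL to its forward-slash relative path under the store.

    The store mirrors the URL path, so the URL served by the local IIS virtual
    root (with the DNS zone pointing windowsupdate.com at it) resolves to the
    file the technician copied in. Anything that could escape the store (no
    host, empty path, '..' segments) is rejected: the list is handled by hand
    during the carry-across, and a stray '..' would otherwise land a file
    outside the share.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc or not parsed.path:
        raise ValueError(f"not a download URL: {url!r}")
    parts = [p for p in parsed.path.split("/") if p not in ("", ".")]
    if not parts or any(p == ".." for p in parts):
        raise ValueError(f"unsafe path in URL: {url!r}")
    return "/".join(parts)


def is_safe_download_url(url):
    """True when relative_store_path() would accept the URL."""
    try:
        relative_store_path(url)
        return True
    except ValueError:
        return False


def still_missing(urls, cached_relpaths):
    """URLs whose file is not yet in the store: the technician's download list."""
    return [u for u in urls if relative_store_path(u) not in cached_relpaths]


def scan_store(store_dir):
    """Set of forward-slash relative paths of every file currently in the store."""
    found = set()
    for root, _dirs, files in os.walk(store_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), store_dir)
            found.add(rel.replace(os.sep, "/"))
    return found


def sha256_hex(data):
    """Hex SHA-256 digest of a bytes object."""
    return hashlib.sha256(data).hexdigest()


def verify_manifest(manifest_text, store_dir):
    """Check the files brought back by the technician against a manifest.

    Returns (ok, problems); each problem is 'missing: <path>' or 'mismatch: <path>'.
    """
    problems = []
    for line in manifest_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        expected, rel = line.split(None, 1)
        path = os.path.join(store_dir, *rel.split("/"))
        if not os.path.isfile(path):
            problems.append(f"missing: {rel}")
            continue
        with open(path, "rb") as fh:
            if sha256_hex(fh.read()) != expected.lower():
                problems.append(f"mismatch: {rel}")
    return (not problems, problems)


if __name__ == "__main__":
    import sys
    # Usage: python patchstore.py <store folder>; prints the URLs still to download.
    store = sys.argv[1] if len(sys.argv) > 1 else "."
    for url in still_missing(parse_download_lst(SAMPLE_DOWNLOAD_LST), scan_store(store)):
        print(url)
```

The manifest check is the one step worth adding to the workflow as described: files that cross an air gap on removable media are the weakest link in the chain, and comparing hashes recorded on the connected side against what arrives in the storage folder catches a corrupted or swapped file before the "Distribute Software Updates" wizard ever sees it.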

I attached the installation script; run it on the site server and the site DB server, answer the questions, and it does all the job for you. It requires IIS, DNS, SMS and, of course, SQL.

patchmanagement in disconnected environment.zip