Solution 1: Scheduled task with automatic execution
Advantages and disadvantages
Advantages:
The update deploys as soon as the GPO synchronizes.
Disadvantages:
The update may run while the target workstation is heavily used.
Difficulty of tracking (the GPO takes between 90 and 120 minutes to apply).
Why not use Invoke-GPUpdate? Because if your 300 workstations all fetch the same file at the same moment you risk a bottleneck on the share; you would also have to enable WinRM and open the corresponding rule in your firewalls.
Make the GPO
Launch Group Policy Management
Go to Forest > Domains > domain.lab > Group Policy Objects
Never create a GPO directly in the OU where you will assign it later. A newly created GPO has the default security filtering "Authenticated Users", so as soon as it is linked to an OU it applies to every member of that OU, not only the ones you want.
Right click > New GPO
Create GPO "C_EMERGENCY_UPDATE"
C for Computer; the rest describes the role of the GPO at a glance.
Select your GPO and edit it.
Click on the name and select "Properties".
Check "Disable User Configuration settings"
In the Comment tab, enter the current date, the KB number to deploy, the ticket number and your username.
This GPO will be reusable; by adding this information at each deployment, we keep a history of its use and can consult the tickets to see problems encountered previously, etc.
Go to Preferences > Control Panel Settings > Scheduled Task
In the right panel, right click and select New > Immediate Task (At least Windows 7)
Fill in the General tab
In the lab, I use the Administrator account, but any account with local administrator rights and read/execute rights on the shared directory is enough.
Fill in the Actions tab
Fill in the Conditions tab
Fill in the Settings tab
Fill in the Common tab
Save and exit the GPO.
Assign the GPO to the OU containing the workstations to be patched.
Wait for the GPO to apply (between 90 and 120 minutes).
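The page does not show what the Actions tab launches. As an added example (not code from the original page), below is a PowerShell script that the Immediate Task could run as powershell.exe -NoProfile -File \\share\Install-EmergencyUpdate.ps1. It assumes the update is an .msu on the read-only share described above, writes a one-line result per workstation to a central log (which addresses the tracking problem listed under Disadvantages), and skips machines that already have the KB, since the GPO is meant to be reused. The KB number, share paths and file names are placeholders, not values from the page.

```powershell
# Added example, not part of the original page.
# Placeholders: KB number, update share and log share must be replaced with your own values.
param(
    [string]$Kb      = 'KB0000000',                                 # placeholder KB number
    [string]$MsuPath = '\\fileserver\updates$\windows10.0-KB0000000.msu',  # placeholder share
    [string]$LogPath = '\\fileserver\logs$\emergency_update.log'    # placeholder, account needs write access
)

function Write-Log {
    param([string]$Message)
    # One line per workstation: timestamp, host name, result
    $line = '{0} {1} {2} {3}' -f (Get-Date -Format 's'), $env:COMPUTERNAME, $Kb, $Message
    Add-Content -Path $LogPath -Value $line -ErrorAction SilentlyContinue
}

# Idempotent: the same GPO is reused, so a machine that already has the KB does nothing.
if (Get-HotFix -Id $Kb -ErrorAction SilentlyContinue) {
    Write-Log 'already installed, nothing to do'
    exit 0
}

# Fail early and visibly if the share is unreachable (permissions, DFS, offline server).
if (-not (Test-Path -LiteralPath $MsuPath)) {
    Write-Log "ERROR package not reachable at $MsuPath"
    exit 1
}

# wusa.exe installs the standalone package; /quiet /norestart avoids interrupting a user session.
$proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
    -ArgumentList "`"$MsuPath`" /quiet /norestart" -Wait -PassThru

switch ($proc.ExitCode) {
    0       { Write-Log 'installed, no reboot required' }
    3010    { Write-Log 'installed, reboot required' }      # ERROR_SUCCESS_REBOOT_REQUIRED
    2359302 { Write-Log 'already installed (reported by wusa)' }  # WU_S_ALREADY_INSTALLED
    default { Write-Log "ERROR wusa exit code $($proc.ExitCode)" }
}
exit $proc.ExitCode
```

The account chosen in the General tab needs read/execute on the update share and write on the log share, nothing more; with the central log in place, a quick count of lines per KB shows which workstations have picked up the GPO and which have not after the 90 to 120 minute window.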