The only way to have a truly effective patch management solution is to gain centralized control over the patch management process. One of the challenges standing in the way of achieving this type of control is the fact that many software vendors deploy proprietary patch installers on the user’s desktops. If an organization is ever to fully gain control over the patch management process, the desktop level patch installers must be replaced by a centralized solution. Unfortunately, this can prove to be more difficult than you might expect.

 

If an organization wants to get rid of desktop level patch installers then there are two things that must be done. First, the organization must remove any existing patch installers from the user’s desktops. Second, the organization must take steps to prevent any future desktop level patch installers from being deployed.

 

Cleaning Up Desktop Level Patch Installers

Cleaning up desktop level patch installers can be a very challenging process. In order for you to be able to remove a desktop level patch installer, the installer must exist separately from the application that it is intended to update. Often times if you look in the Programs section of the Control Panel, you will see separate entries for an application and its update mechanism (the patch installer). Assuming that an application and its patch installer are divided into separate components then you can use the Control Panel to simply uninstall the patch installer for the application. Of course this manual removal method is impractical in all but the smallest environments. That being the case, I recommend using a PowerShell script to remove the patch installers. Microsoft provides a very good article on how to do so at: http://blogs.technet.com/b/heyscriptingguy/archive/2011/12/14/use-powershell-to-find-and-uninstall-software.aspx

 

Preventing Patch Installer Deployment

There are a couple of different methods that you can use to prevent desktop patch installers from being deployed. One method involves packaging applications yourself. If you simply deploy applications to the desktop in the usual manner than you will most likely end up deploying the patch installers for those applications as well.

 

As an alternative, you might consider using an application repackaging tool. Such tools typically allow you to deploy an application onto a lab computer, make customizations to the application (such as uninstalling the patch installer that was deployed by default), and then repackaging the application. This approach makes it possible to deploy an application without deploying its patch installer.

 

Conclusion

Depending on the resources that you have available, removing and preventing the installation of desktop patch installers might not always be practical using the methods that I have described. If budgetary or technical limitations stand in your way then you might choose to prevent patch installers from running rather than trying to remove them. Microsoft provides a tool in Windows Server 2008 R2 and Windows Server 2012 called AppLocker. AppLocker allows you to create policies that control what software is and is not allowed to run on desktop PCs.