Sorry if this is the wrong place for this question. If so, please point me to the correct location.
I have successfully built and captured a Hybrid image containing Windows 7, Office 2010, Java, Adobe Reader and Flash player.
I patch the Microsoft products during the deployment and these will be maintained going forward using WSUS. No problems there.
But what about the Java and Adobe products? The image contains the latest versions, but these apps have frequent updates addressing vulnerabilities and I would like to keep the workstations as up to date as possible. Obviously, I can update my image, but I don't want to have to re-deploy an image every time a patch is released.
The users do not have administrative rights so they can't update the apps themselves. I guess I could use Group Policies to update the apps, but should they be installed in this way in the first place rather than using MDT, or is there a way of using MDT to do this?
How should these types of applications be deployed and what is the best way of keeping them up to date?
Using a hybrid image is best practice, and typically you want to include applications that will outlast the lifecycle of the image. I too have Adobe Reader in my image and update this according to the image lifecycle. As for Java, that's a different story. Since Java is updated more frequently, and typically has multiple security patches, I would use whatever product you are currently using for System Management, like LANDesk, SCCM, GPO, etc. I would never include an application like Java into the image.
- Edited by Frank Trout Saturday, July 20, 2013 2:52 PM edit
I include everything I need on every machine in my images (as well as things needed on 95% of machines). You just need to ensure that you have a plan / process in place to a) update the image on a scheduled basis to keep these types of components relatively "fresh", b) ensure that your Deployment Task Sequence has the needed updates between what was last in the image and is current version (this prevents needing to install the full app during Deployment and instead applies only the smaller "patch" to update that app) and c) have a method to update machines already imaged. This could be through LANDesk, SCCM, Group Policy (login script), whatever, just make sure it gets done to reduce risk and that you have some mechanism to validate and audit such compliance. If you are using SCCM, SCUP is a great way to include and manage these kinds of 3rd party updates while still using a system that already does your patching.
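As an added example (not part of the thread), here is one way to do the "validate and audit" step from the last reply: a PowerShell script that reads the installed-software registry keys and compares Java, Adobe Reader and Flash Player against a minimum-version baseline. The name patterns and the `0.0.0` baseline values are assumptions and placeholders; replace them with the `DisplayName` strings and approved builds from your environment.

```powershell
# Added example: report third-party apps that are below an approved minimum version.
# Keys are DisplayName wildcard patterns (assumed); values are placeholder versions.
$Baseline = @{
    'Java*'               = [version]'0.0.0'   # placeholder: your approved Java build
    'Adobe Reader*'       = [version]'0.0.0'   # placeholder
    'Adobe Flash Player*' = [version]'0.0.0'   # placeholder
}

# Installed software is listed here; Wow6432Node holds 32-bit apps on 64-bit Windows.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function New-Row($Product, $Installed, $Required, $Status) {
    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME; Product = $Product
        Installed = $Installed; Required = $Required; Status = $Status
    }
}

function Get-PatchCompliance {
    param([hashtable]$MinimumVersions)

    $installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion }

    foreach ($pattern in $MinimumVersions.Keys) {
        $required = $MinimumVersions[$pattern]
        $hits = @($installed | Where-Object { $_.DisplayName -like $pattern })
        if ($hits.Count -eq 0) {
            New-Row $pattern $null $required 'NotInstalled'
            continue
        }
        # One row per match, so an old release left beside a newer one is still reported.
        foreach ($app in $hits) {
            $status = 'Unparsable'   # vendor version strings that do not parse need manual review
            try {
                if ([version]$app.DisplayVersion -ge $required) { $status = 'Compliant' }
                else { $status = 'Outdated' }
            } catch { }
            New-Row $app.DisplayName $app.DisplayVersion $required $status
        }
    }
}

Get-PatchCompliance -MinimumVersions $Baseline |
    Select-Object Computer, Product, Installed, Required, Status |
    Format-Table -AutoSize
```

Run from whatever management tool already reaches the workstations, the output gives a per-machine record that can be collected centrally and reviewed after each patch cycle.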