Managing self-updating Windows software in GPO-deployed packages

Solution 1:

We disable auto-updates for all software we deploy. Our users all get limited user access, so they would be unable to install the updates. Many users found the update prompts to be annoying/confusing anyhow.

Often times you can probe the MSI, with SuperOrca or the like, for information about disabling the applications auto-update feature -- A good place to start is the PROPERTY table. Applying a specially-crafted MST during deployment can nullify the auto-update bits.

Other times we create ADMs (now we prefer Client-Side Preferences instead) for packages like Sun's JRE, SMARTBoard, etc. Adobe provides an Customization Wizard for Reader (and other products) that let's you customize the installer (and turn off auto-updates) without really getting your hands dirty. Adobe recently started offering updates in MSP form for simple distribution.

If you haven't already, check out the AppDeploy site. Some of the Package KBs can be helpful in identifying the correct incantation for turning off auto-updates.

We patch/upgrade our software collection (often using GP deployment, among other methods) based on review of the impact of the update versus security of the client.

Solution 2:

I'm just experimenting with it myself, but this is allows automated deployment of almost anything:

http://www.adminarsenal.com/download/pdq-deploy-free-download/

Edited for clarity