Deploy Window Patch

I created a script to deploy a Windows patch. However, it has been running for over an hour without any error. Any idea?

Thx
C--temp-DeployPatch.bat.txt
C--temp-DeployPatch1.bat.txt
C--temp-DeployScreen.png
AXISHK Asked:

Ben Personick (Previously QCubed), Lead Network Engineer, Commented:
We just spent the weekend installing the MS17-010 patch across around 1000 systems.

I found that when running the patch using /quiet there are error cases which hang and never resolve.

This seemed to be the case mostly when I would receive the "Unable to install the patch on this system" error message which means we're missing pre-requisites necessary to install the patch.

Although I did get some cases where wusa never existed and on re-run the patch was already present.

We determined the only way to reliably do this was to install the patch by hand (our WSUS was not able to function properly due to everyone and their mother trying to install the patches at once over the weekend).

We were unable to trap the errors using the /log option; well, we were unable to locate the log at all, and didn't dig much, as it was still far simpler to log into 10 to 20 servers at once, click through them, open a CMD shell, dump a few commands in from our clipboard and move on to the next, then go back through and click yes to installing the patch on them all or find that they had errored out with either "the patch is already installed" or "The patch is unable to be installed" and make note of those, then loop through and click the restart button.

Keep in mind that the system still uses the broken version of the DLLs until you restart the systems, so they aren't secure until you do a restart.

However, you may be able to get around this by restarting the Server service.

If you want to disable CIFS 1.0 entirely, you can get around needing a reboot by making the registry change on the 2008/7 systems and restarting the Server service. That should be enough to disable the CIFS 1.0 functionality if you can't reboot, and may be enough after patching, but hard to say when doing a patch if it will behave correctly thereafter.

If you aren't running any legacy XP/2003 systems you can also consider just disabling CIFS 1.0 using Regedit to add the key and then
1
Ben Personick (Previously QCubed), Lead Network Engineer, Commented:
Interestingly, also this code you have here in batch B will not return the error level of the command you want.

You would need to do something like this:

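@(
   SETLOCAL
   echo off
   rem Full path to the update package to install
   SET "_UpdatePatch=c:\temp\windows6.1-kb4019264-x64_c2d1cef74d6cb2278e3b2234c124b207d0d0540f.msu"
   rem Exit code that will be returned to the caller
   SET "_eLvl=0"
)

CALL :MAIN

rem %_eLvl% is expanded when this block is parsed, so its value survives ENDLOCAL
(
   ENDLOCAL
   EXIT /B %_eLvl%
)

:Main
   rem Pkgmgr /ip /m:\\mec-monitor\Export\6A49ACC5CC9BB164A1729679D472A589B5552F0F.cab
   wusa.exe "%_UpdatePatch%" /quiet /norestart
   rem Capture the exit code of wusa.exe before another command overwrites ERRORLEVEL
   SET /A "_eLvl=%_eLvl%+%ERRORLEVEL%"
   IF /I "%_eLvl%" NEQ "0" (
      echo.Fail ! Error code: %_eLvl%
   ) else (
      echo.Success!
   )
GOTO :EOF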


0

AXISHK, Author, Commented:
Hi
Should your proposed code be updated in DeployPatch.bat?

Thx
0
Ben Personick (Previously QCubed), Lead Network Engineer, Commented:
No, that is for deploypatch1.bat... Still read the post above that; the change won't solve your issues, they are due to the item failing quietly.
0
AXISHK, Author, Commented:
thx
0
Ben Personick (Previously QCubed), Lead Network Engineer, Commented:
I wrote a batch file to check for the patch being installed.

You might want to have the second batch use start to have it install the patch asynchronously, then wait, say, 5 minutes and check the system for the MS17-010 patches.
0
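The approach suggested in the last comment (start the install asynchronously, wait, then check for the patch), sketched as an added example; it is not part of the original thread and is not the batch file the commenter mentions. The package path and KB number are taken from the script posted earlier; the number of checks, the `wmic qfe` lookup and the `ping`-based delay are assumptions.

```batch
@echo off
SETLOCAL
rem Added example, not from the original thread.
rem Package path and KB number come from the script posted above.
SET "_UpdatePatch=c:\temp\windows6.1-kb4019264-x64_c2d1cef74d6cb2278e3b2234c124b207d0d0540f.msu"
SET "_KB=KB4019264"
rem Assumed values: 5 minutes between checks (as suggested in the thread), 6 checks at most.
SET "_WaitSecs=300"
SET "_MaxTries=6"
SET "_Try=0"

rem Skip the install when the hotfix is already listed.
CALL :IsInstalled && (
   echo.%_KB% is already installed on %COMPUTERNAME%.
   EXIT /B 0
)

rem START without /WAIT returns at once, so a hung wusa.exe cannot block this script.
START "" wusa.exe "%_UpdatePatch%" /quiet /norestart

:Poll
SET /A "_Try+=1"
rem PING is used as the delay because TIMEOUT fails when no console input is attached.
PING -n %_WaitSecs% 127.0.0.1 >NUL
CALL :IsInstalled && (
   echo.%_KB% found on %COMPUTERNAME% after %_Try% checks. A restart is still needed.
   EXIT /B 0
)
IF %_Try% LSS %_MaxTries% GOTO :Poll

echo.%_KB% not found after %_Try% checks. wusa.exe may be hung or prerequisites may be missing.
rem List any wusa.exe still running so the system can be checked by hand.
TASKLIST /FI "IMAGENAME eq wusa.exe"
EXIT /B 1

:IsInstalled
rem WMIC QFE lists installed hotfixes; FINDSTR returns 0 only when the KB is in the list.
wmic qfe get HotFixID 2>NUL | FINDSTR /I /C:"%_KB%" >NUL
EXIT /B %ERRORLEVEL%
```

A match on this one HotFixID only covers the package named in the thread's script; a system that received the fix through a different update will not match and needs its own check.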