Deploy Window Patch

AXISHK used Ask the Experts™
Create a script to deploy a window patch. However, it is running for over a hour without any error. Any idea ?

Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Ben Personick (Previously QCubed)Lead SaaS Infrastructure Engineer

We Just spent the weekend installing the MS17-010 patch across around 1000 systems

I found that when running the patch using /quiet there are error cases which hang and never resolve.

This seemed to be the case mostly when I would receive the "Unable to install the patch on this system" error message which means we're missing pre-requisites necessary to install the patch.

Although I did get some cases where wsua never existed and on re-run the patch was already present.

  We determined the only way to reliably do this was to install the patch by hand (our WSUS was not able to function properly due to everyone and their mother trying to install the patches at once over the weekend)

  We were unable to trap the errors using the /log option, well we were unable to locate the log at all, and didn;t dig much as it was still far simpler to log into 10- to 20 servers at once click through them open a CMD shell dump a few commands in from our clipboard and move on to the next, then go back through and click yes to installing the patch on them all or find that they had errored out with either "the patch is already installed" or "The patch is unable to be installed" and make note of those, then loop through and click the restart button.

keep in mind that the system still uses the broken version of the DLLs until you restart the systems so they aren't secure until you do a restart.

however, you may be able to get around this by Restarting the server service.

If you want to disable CIFs 1.0 entirely you can get around needing a reboot by making the registry change on the 2008/7 systems and restarting the server service,  That should be enough to disable the CIFs 1.0 functionality if you can't reboot, and may be enough after patching, but hard to say when doing a patch if it will behave correctly thereafter.

If you aren;t running any legacy XP/2003 Systems you can also consider just disabling CIFS 1.0 using Regedit to add the key and then
Lead SaaS Infrastructure Engineer
Interestingly, also this code you have here in batch B will not return the error level of the command you want.

you would need to do something like this:

   echo off
   SET "_UpdatePatch=c:\temp\windows6.1-kb4019264-x64_c2d1cef74d6cb2278e3b2234c124b207d0d0540f.msu"
   SET "_eLvl=0"


   EXIT /B %_eLvl%

   rem Pkgmgr /ip /m:\\mec-monitor\Export\  
   wusa.exe "%_UpdatePatch%" /quiet /norestart
   SET /A "_eLvl=%_eLvl%+%ERRORLEVEL%"
   IF /I "%_eLvl%" NEQ "0" (
      echo.Fail ! Error code: %_eLvl%
   ) else (

Open in new window


Should your proposed code be updated in DeployPatch.bat ?

Why Diversity in Tech Matters

Kesha Williams, certified professional and software developer, explores the imbalance of diversity in the world of technology -- especially when it comes to hiring women. She showcases ways she's making a difference through the Colors of STEM program.

Ben Personick (Previously QCubed)Lead SaaS Infrastructure Engineer

no, that is for deploypatch1.bat... still read the post above that, the change won't solve your issues, they are due to the item failing quietly


Ben Personick (Previously QCubed)Lead SaaS Infrastructure Engineer

I wrote a batch file to check for the patch being installed.

 you might want to have the second batch use start to have it install the patch asynchronously, then wait say 5 minutes and check the system for the MS17-010 patches

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial