Avatar of AXISHK
 asked on

Deploy Window Patch

Create a script to deploy a window patch. However, it is running for over a hour without any error. Any idea ?

Windows BatchWSUS

Avatar of undefined
Last Comment
Ben Personick (Previously QCubed)

8/22/2022 - Mon
Ben Personick (Previously QCubed)

We Just spent the weekend installing the MS17-010 patch across around 1000 systems

I found that when running the patch using /quiet there are error cases which hang and never resolve.

This seemed to be the case mostly when I would receive the "Unable to install the patch on this system" error message which means we're missing pre-requisites necessary to install the patch.

Although I did get some cases where wsua never existed and on re-run the patch was already present.

  We determined the only way to reliably do this was to install the patch by hand (our WSUS was not able to function properly due to everyone and their mother trying to install the patches at once over the weekend)

  We were unable to trap the errors using the /log option, well we were unable to locate the log at all, and didn;t dig much as it was still far simpler to log into 10- to 20 servers at once click through them open a CMD shell dump a few commands in from our clipboard and move on to the next, then go back through and click yes to installing the patch on them all or find that they had errored out with either "the patch is already installed" or "The patch is unable to be installed" and make note of those, then loop through and click the restart button.

keep in mind that the system still uses the broken version of the DLLs until you restart the systems so they aren't secure until you do a restart.

however, you may be able to get around this by Restarting the server service.

If you want to disable CIFs 1.0 entirely you can get around needing a reboot by making the registry change on the 2008/7 systems and restarting the server service,  That should be enough to disable the CIFs 1.0 functionality if you can't reboot, and may be enough after patching, but hard to say when doing a patch if it will behave correctly thereafter.

If you aren;t running any legacy XP/2003 Systems you can also consider just disabling CIFS 1.0 using Regedit to add the key and then
Ben Personick (Previously QCubed)

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question

Should your proposed code be updated in DeployPatch.bat ?

Ben Personick (Previously QCubed)

no, that is for deploypatch1.bat... still read the post above that, the change won't solve your issues, they are due to the item failing quietly
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.

Ben Personick (Previously QCubed)

I wrote a batch file to check for the patch being installed.

 you might want to have the second batch use start to have it install the patch asynchronously, then wait say 5 minutes and check the system for the MS17-010 patches