Deploy Window Patch

AXISHK asked
Last Modified: 2017-05-22
Created a script to deploy a Windows patch. However, it has been running for over an hour without any error. Any idea?

Ben Personick (Previously QCubed), Lead SaaS Infrastructure Engineer

We just spent the weekend installing the MS17-010 patch across around 1000 systems.

I found that when running the patch using /quiet there are error cases which hang and never resolve.

This seemed to be the case mostly when I would receive the "Unable to install the patch on this system" error message which means we're missing pre-requisites necessary to install the patch.

Although I did get some cases where wusa never exited and on re-run the patch was already present.

We determined the only way to reliably do this was to install the patch by hand (our WSUS was not able to function properly due to everyone and their mother trying to install the patches at once over the weekend).

We were unable to trap the errors using the /log option; well, we were unable to locate the log at all, and didn't dig much, as it was still far simpler to log into 10 to 20 servers at once, click through them, open a CMD shell, dump a few commands in from our clipboard and move on to the next, then go back through and click yes to installing the patch on them all, or find that they had errored out with either "the patch is already installed" or "The patch is unable to be installed" and make note of those, then loop through and click the restart button.

Keep in mind that the system still uses the broken version of the DLLs until you restart the systems, so they aren't secure until you do a restart.

However, you may be able to get around this by restarting the Server service.

If you want to disable CIFS 1.0 entirely, you can get around needing a reboot by making the registry change on the 2008/7 systems and restarting the Server service. That should be enough to disable the CIFS 1.0 functionality if you can't reboot, and may be enough after patching, but it is hard to say when doing a patch if it will behave correctly thereafter.

If you aren't running any legacy XP/2003 systems, you can also consider just disabling CIFS 1.0 using Regedit to add the key and then

Should your proposed code be updated in DeployPatch.bat?

Ben Personick (Previously QCubed), Lead SaaS Infrastructure Engineer

No, that is for deploypatch1.bat... still, read the post above that; the change won't solve your issues, they are due to the item failing quietly.


Ben Personick (Previously QCubed), Lead SaaS Infrastructure Engineer

I wrote a batch file to check for the patch being installed.

You might want to have the second batch use start to have it install the patch asynchronously, then wait, say, 5 minutes and check the system for the MS17-010 patches.
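
The install-asynchronously-then-verify approach from the comment above, as an added PowerShell example that is not part of the original thread or the batch files it mentions. `$MsuPath` and `$KbId` are placeholders to be filled with the MS17-010 package and KB number for the target OS, and the exit-code meanings are the commonly documented Windows Update values, assumed to apply to that package.

```powershell
# Added example, not from the thread. $MsuPath and $KbId are placeholders:
# supply the MS17-010 package and KB number that match the target OS.
param(
    [Parameter(Mandatory)] [string] $MsuPath,
    [Parameter(Mandatory)] [string] $KbId,        # e.g. 'KB0000000' (placeholder)
    [int] $WaitMinutes = 5
)

function Test-PatchInstalled([string] $Id) {
    # Get-HotFix raises an error when the Id is absent, so suppress it and test for a result.
    [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

function Write-Status([string] $State, [string] $Detail) {
    # One CSV-style line per host so results from many servers can be collected and sorted.
    '{0},{1},{2},{3}' -f $env:COMPUTERNAME, $KbId, $State, $Detail
}

if (Test-PatchInstalled $KbId) { Write-Status 'AlreadyInstalled' 'no action'; return }

# Start wusa.exe without blocking so a silent hang under /quiet cannot stall the script.
$wusaArgs = @("`"$MsuPath`"", '/quiet', '/norestart')
$proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" -ArgumentList $wusaArgs -PassThru
$null = $proc.Handle   # cache the handle so ExitCode can be read after exit

if (-not $proc.WaitForExit($WaitMinutes * 60 * 1000)) {
    # Still running after the wait: report it for manual follow-up instead of waiting forever.
    $found = Test-PatchInstalled $KbId
    Write-Status 'StillRunning' "wusa pid $($proc.Id), hotfix listed: $found"
    return
}

# Exit codes below are the commonly documented Windows Update values (assumption:
# they apply unchanged to the package being installed).
$state = switch ($proc.ExitCode) {
    0            { 'Installed' }
    3010         { 'InstalledRebootRequired' }
    2359302      { 'AlreadyInstalled' }      # 0x00240006
    -2145124329  { 'NotApplicable' }         # 0x80240017, update not applicable to this system
    default      { 'Failed' }
}
Write-Status $state "exit code $($proc.ExitCode), hotfix listed: $(Test-PatchInstalled $KbId)"
```

A host that reports `InstalledRebootRequired` still needs the restart described earlier in the thread before the patched files are in use.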
