Link to home
Create AccountLog in
Avatar of AXISHK
AXISHK

asked on

Deploy Window Patch

Create a script to deploy a window patch. However, it is running for over a hour without any error. Any idea ?

Thx
C--temp-DeployPatch.bat.txt
C--temp-DeployPatch1.bat.txt
C--temp-DeployScreen.png
Avatar of Ben Personick (Previously QCubed)
Ben Personick (Previously QCubed)
Flag of United States of America image

We Just spent the weekend installing the MS17-010 patch across around 1000 systems

I found that when running the patch using /quiet there are error cases which hang and never resolve.

This seemed to be the case mostly when I would receive the "Unable to install the patch on this system" error message which means we're missing pre-requisites necessary to install the patch.

Although I did get some cases where wsua never existed and on re-run the patch was already present.

  We determined the only way to reliably do this was to install the patch by hand (our WSUS was not able to function properly due to everyone and their mother trying to install the patches at once over the weekend)

  We were unable to trap the errors using the /log option, well we were unable to locate the log at all, and didn;t dig much as it was still far simpler to log into 10- to 20 servers at once click through them open a CMD shell dump a few commands in from our clipboard and move on to the next, then go back through and click yes to installing the patch on them all or find that they had errored out with either "the patch is already installed" or "The patch is unable to be installed" and make note of those, then loop through and click the restart button.

keep in mind that the system still uses the broken version of the DLLs until you restart the systems so they aren't secure until you do a restart.

however, you may be able to get around this by Restarting the server service.

If you want to disable CIFs 1.0 entirely you can get around needing a reboot by making the registry change on the 2008/7 systems and restarting the server service,  That should be enough to disable the CIFs 1.0 functionality if you can't reboot, and may be enough after patching, but hard to say when doing a patch if it will behave correctly thereafter.

If you aren;t running any legacy XP/2003 Systems you can also consider just disabling CIFS 1.0 using Regedit to add the key and then
ASKER CERTIFIED SOLUTION
Avatar of Ben Personick (Previously QCubed)
Ben Personick (Previously QCubed)
Flag of United States of America image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
Avatar of AXISHK
AXISHK

ASKER

Hi
Should your proposed code be updated in DeployPatch.bat ?

Thx
no, that is for deploypatch1.bat... still read the post above that, the change won't solve your issues, they are due to the item failing quietly
Avatar of AXISHK

ASKER

thx
I wrote a batch file to check for the patch being installed.

 you might want to have the second batch use start to have it install the patch asynchronously, then wait say 5 minutes and check the system for the MS17-010 patches