Update all Windows servers on a network


Microsoft’s Patch Tuesday is the one time of the month when all Windows system admins get cold sweats. Will these patches break something? How much time will I have to spend patching all these servers?
Well, I have no control over Microsoft’s patch quality but I sure have a script that will help ease your pain when it comes to patching servers.

This script will help you update all Windows servers on a network with just one click. You will also get an email report when the script has completed patching a server.

What the script does:

  1. Queries AD for a list of all Windows servers.
  2. Presents you with the list and allows you to decide which Windows servers you want to patch.
  3. Uses the Windows Update API to call the Windows Update agent on each server that you want to patch.
  4. Forces the Windows Update agent to check for all available patches (approved patches if you are using WSUS), then catalogs, downloads and installs them. The script just calls the Windows Update agent, so it behaves exactly as the agent would if you were to use it on a server to install patches.
  5. Sends you an email report for each server that is patched.
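
Steps 1 to 4 above, sketched in PowerShell as an added example; this is not the code of NetworkPatchInstall.bat or WSUSPull.vbs. The function names are hypothetical, the first function assumes the RSAT ActiveDirectory module, and the second assumes it is run elevated on the server being patched.

```powershell
# Added example (not the page's script). Function names are hypothetical.
# Select-PatchTarget needs the RSAT ActiveDirectory module; Install-PendingUpdate
# must run elevated, locally on the server that is being patched.
function Select-PatchTarget {
    # Steps 1-2: list Windows Server computer accounts and let the admin pick some.
    Get-ADComputer -Filter 'OperatingSystem -like "Windows Server*"' -Properties OperatingSystem |
        Select-Object Name, OperatingSystem |
        Out-GridView -Title 'Select servers to patch' -PassThru
}

function Install-PendingUpdate {
    # Steps 3-4: drive the Windows Update Agent through its COM API.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # The agent decides what is applicable; behind WSUS only approved updates come back.
    $found = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates

    $batch = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $found) {
        if (-not $u.EulaAccepted) { $u.AcceptEula() }
        [void]$batch.Add($u)
    }
    if ($batch.Count -eq 0) { Write-Verbose 'No applicable updates'; return }

    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $batch
    [void]$downloader.Download()

    # Hand the installer only what actually downloaded.
    $ready = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $batch) { if ($u.IsDownloaded) { [void]$ready.Add($u) } }
    if ($ready.Count -eq 0) { Write-Verbose 'Nothing was downloaded'; return }

    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $ready
    $r = $installer.Install()
    # ResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed, 5 = aborted
    for ($i = 0; $i -lt $ready.Count; $i++) {
        [pscustomobject]@{ Title = $ready.Item($i).Title; ResultCode = $r.GetUpdateResult($i).ResultCode }
    }
    [pscustomobject]@{ Title = 'OVERALL'; ResultCode = $r.ResultCode; RebootRequired = $r.RebootRequired }
}
```

The Windows Update Agent rejects download and install calls made from a PowerShell remoting session with an access-denied error, which is why the second function has to execute on the target itself, as the page's batch file arranges with PsExec.
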
You can download the script here.
The zip archive has the following files in it:
  1. NetworkPatchInstall.bat – This is the main file that needs to be run when you start patching. IMPORTANT: When running the script in Windows Server 2008 or later, right-click on the script and select “Run as Administrator”, even if you are logged in as a Domain Admin, to make sure that the script runs as expected.
  2. PsExec.exe – This is the executable that the batch file calls to remotely patch servers.
  3. WSUSPull.vbs – This is the VBScript that calls the Windows Update API to patch servers. For email updates to work you will have to edit this script. Please read this for more information about the original script and how to configure this script. The script has been modified: in the form that it is supplied in here, it outputs its results on the remote console of the server that the script is run from and saves a log to C:\WSUSPull.log, in addition to emailing you an update (if it is configured to do so).
    Thanks to Rob Dunn at www.wsus.info for creating this script.
PLEASE READ: When the script is first run, it checks to see if your netlogon share has a folder called PatchInstall. If it doesn't exist, the script creates one (so you need to run this as a domain admin) and then copies psexec.exe and wsuspull.vbs to that folder. These files are really small and won't change after the first time you have run it, so it won't add to your replication load. The reason for doing this is to ensure that it works in any Active Directory environment and performs seamlessly across geographically separate sites with no performance impact.

DISCLAIMER: I have been using this script successfully for about 3 years now and have never had an issue with it. This does not mean that this script will work seamlessly in your environment. Please ensure that you test this script before you put it into production. This script is provided as is and you take the risk and responsibility of using this script.


  1. #1 by Harish on October 15, 2011 - 6:53 AM

    This is the same old script, isn't it…. no version info
    You could have added one more line which will make it more catchy. We can update pirated Windows version using this without any issues :)
