Here was another fun one. Recently, we deployed a system that would not be able to have its Windows patches delivered the same way as 99% of our other systems. It's been a bit of a struggle to really get meaningful information out of the vendor on the patching process in an enterprise (24x7x365) environment.
I started building an entire automation sequence to be able to run these patches. It essentially shuts down everything in a very particular order (services on ~20 servers, about 6 MS SQL databases, some Linux services and so on), then runs the Windows patches in a different, yet specific, order. The most useful of all of those scripts is this one, Run-WindowsUpdate.
Essentially, this script is very simple. Some of the information I needed for it, though, was not available on TechNet or MSDN pages. I thought I was getting close on an MSDN article, through a series of links. The final link, for the Microsoft.Update.Session.CreateUpdateSearcher.Search function, ended up 404'ing. Wonderful. Going back a few steps, plugging a page into the Internet Archive's Wayback Machine (https://archive.org/web/web.php), then following a similar set of links... eventually got me to a page for Server 2000. Luckily, the information still seemed accurate. This got me the GUIDs needed to specify that we do not want every update out there, only Critical and Security updates.
Back to the script... it does only a few, simple things:
- First, it checks the registry to see if there is a reboot pending from previous updates. If so, it logs that a reboot is needed and exits.
  - I'm still trying to sort out how I can have the script continue after this reboot (while writing to the same log file).
  - This auto-reboot behavior can be enabled by passing the parameter "AutoRestartIfPending".
- If there is no pending reboot, it begins searching for, downloading, and then installing Critical and Security updates only.
  - This was the "difficult to find" information I noted above. I included the eventual reference link in the script, as well as the GUIDs needed to add/remove different patch categories.
- Once the patches are downloaded and installed, it will again either log that a reboot is needed or automatically reboot for you.
  - And, once again, if you so desire, you can enable auto-reboot by simply passing the parameter "AutoRestart".
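The flow described above, as an added PowerShell example written for this post rather than the author's own Run-WindowsUpdate script: the two pending-reboot registry keys and the Critical/Security classification GUIDs are the documented Windows Update Agent values, while the log path, exit codes and the "one search per classification" approach are my assumptions.

```powershell
[CmdletBinding()]
param(
    [switch]$AutoRestartIfPending,   # reboot now if an earlier run left a reboot pending
    [switch]$AutoRestart,            # reboot now if this run's installs require it
    [string]$LogFile = "$env:ProgramData\Run-WindowsUpdate.log"   # assumed location
)
function Write-Log([string]$Message) {
    Add-Content -Path $LogFile -Value ("{0:s} {1}" -f (Get-Date), $Message)
}
function Test-PendingReboot {
    # Presence of either key means Windows still owes us a reboot from earlier servicing.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    foreach ($k in $keys) { if (Test-Path $k) { return $true } }
    return $false
}
# Documented WUA update classification GUIDs; add or remove entries to widen or narrow the scope.
$Classifications = @{
    'Critical Updates' = 'E6CF1350-C01B-414D-A61F-263D14D133B4'
    'Security Updates' = '0FA1201D-4330-4FA8-8AE9-B877473B6441'
}
if (Test-PendingReboot) {
    Write-Log 'Reboot pending from previous updates; not installing anything'
    if ($AutoRestartIfPending) { Restart-Computer -Force }
    exit 1
}
$session   = New-Object -ComObject Microsoft.Update.Session
$searcher  = $session.CreateUpdateSearcher()
$toInstall = New-Object -ComObject Microsoft.Update.UpdateColl
$seen = @{}   # an update can belong to several categories; dedupe on UpdateID
foreach ($name in $Classifications.Keys) {
    $criteria = "IsInstalled=0 and IsHidden=0 and Type='Software' and CategoryIDs contains '$($Classifications[$name])'"
    foreach ($u in $searcher.Search($criteria).Updates) {
        if ($seen.ContainsKey($u.Identity.UpdateID)) { continue }
        $seen[$u.Identity.UpdateID] = $true
        if (-not $u.EulaAccepted) { $u.AcceptEula() }
        [void]$toInstall.Add($u)
        Write-Log "Queued [$name] $($u.Title)"
    }
}
if ($toInstall.Count -eq 0) { Write-Log 'No applicable Critical/Security updates'; exit 0 }
$downloader = $session.CreateUpdateDownloader(); $downloader.Updates = $toInstall
Write-Log "Download result code: $($downloader.Download().ResultCode)"   # 2 = succeeded
$installer = $session.CreateUpdateInstaller(); $installer.Updates = $toInstall
$result = $installer.Install()
Write-Log "Install result code: $($result.ResultCode); reboot required: $($result.RebootRequired)"
if ($result.RebootRequired) { if ($AutoRestart) { Restart-Computer -Force } else { exit 3010 } }
exit 0
```

Run it from an elevated session; the exit code 3010 mirrors the conventional "success, reboot required" value so a calling orchestrator can branch on it.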
Without further ado, I give you Run-WindowsUpdate.
As always, any questions, improvements or comments can be sent to Scripting@Resting-Blade.com!