Here was another fun one. Recently, we deployed a system that would not be able to have its Windows patches delivered the same way as 99% of our other systems. It’s been a bit of a struggle to really get meaningful information out of the vendor on the patching process in an enterprise (24x7x365) environment.

I started building an entire automation sequence to be able to run these patches. It essentially shuts down everything in a very particular order (services on ~20 servers, about 6 MS SQL databases, some Linux services and so on), then runs the Windows patches in a different, yet specific, order. The most useful out of all of those scripts is this one, Run-WindowsUpdate.

Essentially, this script is very simple. Some of the information I needed for it though was not available on TechNet or MSDN pages. I thought I was getting close on an MSDN article, through a series of links. The final link, for the Microsoft.Update.Session.CreateUpdateSearcher.Search function, ended up 404’ing. Wonderful. Going back a few steps, plugging a page in the Internet Archive’s WayBackMachine (https://archive.org/web/web.php), then following a similar set of links… eventually got me to a page for Server 2000. Luckily, the information still seemed accurate. This got me the GUIDs needed to be able to specify that we do not want every update out there – only Critical and Security updates.

Back to the script… it does only a few, simple things:

  1. First, it checks the registry to see if there is a reboot pending from previous updates. If so, it logs that a reboot is needed and exits
    1. I’m still trying to sort out how I can have the script continue after this reboot (while writing to the same log file)
    2. The auto-reboot behavior for this case can be enabled by passing the parameter “AutoRestartIfPending”
  2. If there is no pending reboot, it begins searching for, downloading, and then installing all Critical and Security updates only
    1. This was the “difficult to find” information I noted above. I included the eventual reference link in the script, as well as the GUIDs needed to add/remove different patch categories
  3. Once the patches are downloaded and installed, it again either logs that a reboot is needed or automatically reboots for you
    1. And, once again, if you so desire, you can enable auto-reboot by simply passing the parameter “AutoRestart”
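Since the script itself is not reproduced on this page, here is an added reconstruction of the three steps above. It is not the author’s Run-WindowsUpdate; it is example code written for this page. It drives the Windows Update Agent COM API (Microsoft.Update.Session / CreateUpdateSearcher / CreateUpdateDownloader / CreateUpdateInstaller) and filters on the standard Windows Update classification GUIDs for “Critical Updates” and “Security Updates”. The GUIDs, the registry locations checked for a pending reboot, the log path and the parameter names are assumptions (the parameter names follow the post; the GUIDs should be verified against your own WSUS or WUA data before you rely on them).

```powershell
<#
  Added example for this page, not the author's script.
  Assumes: run elevated on a host with the Windows Update Agent COM API available.
  Category GUIDs are the standard Windows Update classification IDs (assumption: verify locally).
#>
[CmdletBinding()]
param(
    [string]$LogFile = "$env:ProgramData\Run-WindowsUpdate.log",   # assumed log location
    [switch]$AutoRestartIfPending,   # reboot now if an earlier run left a reboot pending
    [switch]$AutoRestart             # reboot now if this run's installs require it
)

function Write-Log {
    param([string]$Message)
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1} {2}" -f (Get-Date), $env:COMPUTERNAME, $Message
    Add-Content -Path $LogFile -Value $line
    Write-Verbose $line
}

# Step 1: is a reboot already pending from a previous update run?
# Three well-known indicators: WUA's RebootRequired key, CBS's RebootPending key,
# and queued file renames in Session Manager.
function Test-PendingReboot {
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    if (Test-Path $wu)  { return $true }
    if (Test-Path $cbs) { return $true }
    $pfro = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    return ($null -ne $pfro -and $pfro.Count -gt 0)
}

if (Test-PendingReboot) {
    if ($AutoRestartIfPending) {
        Write-Log 'Reboot pending from a previous run; AutoRestartIfPending set, restarting now.'
        Restart-Computer -Force
    } else {
        Write-Log 'Reboot pending from a previous run; exiting. Re-run after reboot.'
    }
    exit 1
}

# Step 2: search, download and install only Critical and Security updates.
# To widen the scope, add further classification GUIDs to this list (assumption: standard IDs).
$WantedCategories = @(
    'E6CF1350-C01B-414D-A61F-263D14D133B4',  # Critical Updates
    '0FA1201D-4330-4FA8-8AE9-B877473B6441'   # Security Updates
)

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
Write-Log 'Searching for applicable, not yet installed software updates...'
$found = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$toInstall = New-Object -ComObject 'Microsoft.Update.UpdateColl'
foreach ($u in $found.Updates) {
    # Each update carries a Categories collection; keep it only if one of them is a wanted GUID.
    $ids   = @($u.Categories | ForEach-Object { $_.CategoryID.ToUpper() })
    $match = $ids | Where-Object { $WantedCategories -contains $_ }
    if ($match) {
        if (-not $u.EulaAccepted) { $u.AcceptEula() }
        [void]$toInstall.Add($u)
        Write-Log "Selected: $($u.Title)"
    }
}

if ($toInstall.Count -eq 0) {
    Write-Log 'No Critical or Security updates to install.'
    exit 0
}

$downloader = $session.CreateUpdateDownloader()
$downloader.Updates = $toInstall
$dl = $downloader.Download()
# OperationResultCode: 2 = Succeeded, 3 = SucceededWithErrors, 4 = Failed, 5 = Aborted
Write-Log "Download result code: $($dl.ResultCode)"

$installer = $session.CreateUpdateInstaller()
$installer.Updates = $toInstall
$inst = $installer.Install()
for ($i = 0; $i -lt $toInstall.Count; $i++) {
    Write-Log ("Install result {0}: {1}" -f $inst.GetUpdateResult($i).ResultCode, $toInstall.Item($i).Title)
}

# Step 3: log (or perform) the post-install reboot.
if ($inst.RebootRequired) {
    if ($AutoRestart) {
        Write-Log 'Reboot required; AutoRestart set, restarting now.'
        Restart-Computer -Force
    } else {
        Write-Log 'Reboot required to complete installation.'
    }
    exit 1
}
Write-Log 'Updates installed; no reboot required.'
```

Two things worth noting for an unattended run: the search criteria string (`IsInstalled=0 and IsHidden=0 and Type='Software'`) excludes driver updates and hidden updates before the category filter is applied, and the script exits non-zero whenever a reboot is outstanding so that a calling orchestration sequence can treat “needs reboot” as a distinct state from “done”.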


Without further ado, I give you Run-WindowsUpdate.

As always, any questions, improvements or comments can be sent to Scripting@Resting-Blade.com!