Nerd-cen-tric, adj. 1. Holding the view that technology is the center, object, and norm of all experience.

Scripted Windows Security Patching

As promised, here is a quick write-up on how I am doing security patches for our servers. Basically I am able to run the script during normal work hours and schedule the patching for the evening. At night when the patching starts I get email notifications with success/fail information for each server. I have been using this process for 3 or 4 months now and it’s working great.


Blat — This is used to email logs back to the administrator.
WuInstall v1.1 — A great utility created by Xeox that allows you to start the patching process on the remote system and provides detailed logging.

Control Script (patchSystem.cmd)

@echo off
Echo ------------------------------
Echo Schedule Microsoft Patches
Echo ------------------------------
::Set Low Hard Drive Value to 200MB - Will stop update
SET LOW=200
::Check Free Space on Remote System (dir /-c prints the byte count without thousands separators)
for /f "tokens=3 delims= " %%A in ('dir /-c \\%1\c$ ^|find "Dir(s)"') do (set freespace=%%A)
::Drop the last six digits to turn bytes into (approximate) megabytes
SET Freespace=%freespace:~0,-6%
::If the share could not be read, or less than 1MB is free, the value is empty - treat that as low
If "%freespace%"=="" Goto WARN
::If Freespace is less than LOW value abort update
If %freespace% LSS %LOW% Goto WARN
::Copies Blat WuInstall and helper script to remote system
echo Updating clientTools as needed on %1
xcopy /d /y /i scripts\update\*.* \\%1\c$\Scripts\update
xcopy /y /i scripts\update\*.cmd \\%1\c$\Scripts\update
::Schedule script to run on remote system at 8pm
Echo Scheduling update.cmd Script on %1
net time \\%1
at \\%1 20:00 cmd /c "c:\scripts\update\update.cmd"
at \\%1
Goto END
:WARN
echo Low Hard Drive Space on %1. Stopping update!
MSG * Low Hard Drive Space on %1. Stopping update!
:END

Helper Script (update.cmd)

@echo off
Echo -----------------------------
Echo Force Microsoft Patches
Echo          Written by: Rob Pucci
Echo -----------------------------
::Change the variables below as needed for your environment (example.com values are placeholders)
set mailServer=smtp.example.com
set fromAddress=patching@example.com
set toAddress=admins@example.com
::wuInstall options are /search /download /install
set wuInstallOption="/install"
CD \Scripts\update
blat -install %mailServer% %fromAddress%
wuInstall %wuInstallOption% >wuInstall.log
::"if errorlevel N" is true for any exit code of N or higher, so test from highest to lowest.
::No space before "&" so the status value does not pick up a trailing blank.
if errorlevel 11 set status=errorRebootRequired& goto blatEmail
if errorlevel 10 set status=successRebootRequired& goto blatEmail
if errorlevel 6 set status=rebootFailed& goto blatEmail
if errorlevel 5 set status=rebootStarted& goto blatEmail
if errorlevel 4 set status=invalidCriteriaSpecified& goto blatEmail
if errorlevel 3 set status=noMatchingUpdates& goto blatEmail
if errorlevel 2 set status=noMoreUpdates& goto blatEmail
if errorlevel 1 set status=errorNoRebootNeeded& goto blatEmail
if errorlevel 0 set status=successNoRebootNeeded& goto blatEmail
echo wuInstall terminated with an UNKNOWN errorlevel (%errorlevel%) - sending email.
blat -to %toAddress% -subject "[scheduledUpdate] -unknownErrorLevel- wuInstall Log from %computername%" -bodyF wuInstall.log
goto end
:blatEmail
echo wuInstall terminated with KNOWN errorlevel (%errorlevel%) - sending email.
blat -to %toAddress% -subject "[scheduledUpdate] -%status%- wuInstall Log from %computername%" -bodyF wuInstall.log
if %status% == errorRebootRequired goto rebootServer
if %status% == successRebootRequired goto rebootServer
echo  No Matches Reboot Not Required>>wuinstall.log
goto end
:rebootServer
shutdown /r /c "System Patch Installation" /f
:end
echo updateScript Complete

Setup Steps

1. Copy patchSystem.cmd to your Script Zombie scripts directory.
2. Copy update.cmd to your Script Zombie scripts\update directory.
3. Extract the Blat and wuInstall files to your Script Zombie scripts\update directory (sample below).  This directory will be copied to the remote system in a c:\scripts\update folder.

(Image: Sample Directory Listing for local scripts\update)

4. Verify the “SET LOW” value in patchSystem.cmd is set at the megabyte value you want.
5. Set variables in update.cmd to match your platform/needs.

a. mailServer — This is the SMTP server blat will use to relay logs via email.
b. fromAddress — The emailed logs will be from this address.  Useful for setting up filters.
c. toAddress — Who should get the logs?  Distribution lists work for multiple recipients.
d. wuInstallOption — The choices here are /search /download /install. Search will just check to see what patches are needed on a system. Download will find what patches are needed and download them. Install will do all of the above and install the patches. If a reboot is required the script will reboot the system.
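As an added example (not from the original post and not part of WuInstall or Blat), here is the pre-flight check and scheduling step of patchSystem.cmd written in PowerShell: it reads free space as a byte count instead of truncating the dir output, and registers a scheduled task in place of the deprecated at command. The function name Invoke-PatchSchedule and the task name ScheduledUpdate are my own choices, and it assumes WinRM/CIM is reachable on the target and that the local scripts\update directory is laid out as described above.

```powershell
# Added example: PowerShell equivalent of patchSystem.cmd's free-space check
# and 8pm scheduling. Assumes WinRM/CIM access to $Server and a local
# .\scripts\update directory holding Blat, wuInstall and update.cmd.
function Invoke-PatchSchedule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$LowMB = 200,          # same threshold as SET LOW in patchSystem.cmd
        [string]$RunAt = '20:00'    # same 8pm start as the 'at' command
    )

    # FreeSpace is a 64-bit byte count, so no string truncation is needed
    # and a nearly full disk cannot produce an empty value.
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -ComputerName $Server `
        -Filter "DeviceID='C:'"
    if (-not $disk) {
        Write-Warning "Could not read C: on $Server. Stopping update!"
        return $false
    }
    $freeMB = [math]::Floor($disk.FreeSpace / 1MB)
    if ($freeMB -lt $LowMB) {
        Write-Warning "Low hard drive space on $Server ($freeMB MB free). Stopping update!"
        return $false
    }

    # Stage Blat, wuInstall and update.cmd, as the xcopy lines do
    Copy-Item -Path '.\scripts\update\*' -Destination "\\$Server\c$\Scripts\update" `
        -Recurse -Force

    # Scheduled task instead of 'at'; runs as SYSTEM just as 'at' jobs did
    $action  = New-ScheduledTaskAction -Execute 'cmd.exe' `
        -Argument '/c C:\Scripts\update\update.cmd'
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date $RunAt)
    $session = New-CimSession -ComputerName $Server
    try {
        Register-ScheduledTask -CimSession $session -TaskName 'ScheduledUpdate' `
            -Action $action -Trigger $trigger -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
    } finally {
        Remove-CimSession $session
    }
    Write-Host "Scheduled update.cmd on $Server for $RunAt ($freeMB MB free)"
    return $true
}
```

Run it during the day as Invoke-PatchSchedule -Server SERVER01; update.cmd then sends its Blat email from the remote system at 20:00 exactly as before.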
