As promised, here is a quick write-up on how I am doing security patches for our servers. Basically I am able to run the script during normal work hours and schedule the patching for the evening. At night when the patching starts I get email notifications with success/fail information for each server. I have been using this process for 3 or 4 months now and it's working great.
Prerequisites
Blat — This is used to email logs back to the administrator.
WuInstall v1.1 — A great utility created by Xeox that allows you to start the patching process on the remote system and provides detailed logging.
Control Script (patchSystem.cmd)
```bat
@echo off
Echo ------------------------------
Echo Schedule Microsoft Patches
Echo ------------------------------
::Set Low Hard Drive Value to 200MB - Will stop update
SET LOW=200

::Check Free Space on Remote System
::Clear any value left over from an earlier run so a failed dir cannot reuse it
SET freespace=
for /f "tokens=3 delims= " %%A in ('dir /-c \\%1\c$ ^|find "Dir(s)"') do (set freespace=%%A)
::If dir returned nothing (share unreachable, access denied) treat it as unknown and stop
If not defined freespace Goto WARN
::Drop the last six digits to get (roughly) megabytes
SET Freespace=%freespace:~0,-6%
::Fewer than 1,000,000 bytes free leaves an empty value; that is low space too
If "%freespace%"=="" Goto WARN

::If Freespace is less than LOW value abort update
If %freespace% LSS %LOW% Goto WARN

:copyClientTools
::Copies Blat WuInstall and helper script to remote system
echo.
echo Updating clientTools as needed on %1
xcopy /d /y /i scripts\update\*.* \\%1\c$\Scripts\update
xcopy /y /i scripts\update\*.cmd \\%1\c$\Scripts\update
echo.

:scheduleRemoteScript
::Schedule script to run on remote system at 8pm
echo.
Echo Scheduling update.cmd Script on %1
echo.
net time \\%1
at \\%1 20:00 cmd /c "c:\scripts\update\update.cmd"
at \\%1
Goto END

:WARN
echo Low Hard Drive Space on %1. Stopping update!
MSG * Low Hard Drive Space on %1. Stopping update!

:END
```
Helper Script (update.cmd)
```bat
@echo off
Echo -----------------------------
Echo Force Microsoft Patches
Echo Written by: Rob Pucci
Echo -----------------------------

:setVariables
::Change the variables below as needed for your environment
set mailServer=mail.myserver.com
set fromAddress=update@mydomain.com
set toAddress=Rob.Pucci@mydomain.com
::wuInstall options are /search /download /install
set wuInstallOption="/install"

:blatInstall
CD \Scripts\update
blat -install %mailServer% %fromAddress%

:installUpdates
wuInstall %wuInstallOption% >wuInstall.log
::Compare by value: "if errorlevel N" is true for every errorlevel >= N, so it would
::send unknown codes (7, 8, 9, ...) down a known path and never reach :warnEmail.
::The quoted set form keeps the space before & out of %status% (it would otherwise
::show up in the email subject).
if %errorlevel% EQU 11 set "status=errorRebootRequired" & goto blatEmail
if %errorlevel% EQU 10 set "status=successRebootRequired" & goto blatEmail
if %errorlevel% EQU 6 set "status=rebootFailed" & goto blatEmail
if %errorlevel% EQU 5 set "status=rebootStarted" & goto blatEmail
if %errorlevel% EQU 4 set "status=invalidCriteriaSpecified" & goto blatEmail
if %errorlevel% EQU 3 set "status=noMatchingUpdates" & goto blatEmail
if %errorlevel% EQU 2 set "status=noMoreUpdates" & goto blatEmail
if %errorlevel% EQU 1 set "status=errorNoRebootNeeded" & goto blatEmail
if %errorlevel% EQU 0 set "status=successNoRebootNeeded" & goto blatEmail

:warnEmail
echo.
echo wuInstall terminated with an UNKNOWN errorlevel (%errorlevel%) - sending email.
blat -to %toAddress% -subject "[scheduledUpdate] -unknownErrorLevel- wuInstall Log from %computername%" -bodyF wuInstall.log
goto end

:blatEmail
echo.
echo wuInstall terminated with KNOWN errorlevel (%errorlevel%) - sending email.
echo.
blat -to %toAddress% -subject "[scheduledUpdate] -%status%- wuInstall Log from %computername%" -bodyF wuInstall.log

:checkReboot
if %status% == errorRebootRequired goto rebootServer
if %status% == successRebootRequired goto rebootServer
echo No Matches Reboot Not Required>>wuinstall.log
goto end

:rebootServer
shutdown /r /c "System Patch Installation" /f

:end
echo updateScript Complete
```
Setup Steps
1. Copy patchSystem.cmd to your Script Zombie scripts directory.
2. Copy update.cmd to your Script Zombie scripts\update directory.
3. Extract the Blat and wuInstall files to your Script Zombie scripts\update directory (sample below). This directory will be copied to the remote system in a c:\scripts\update folder.

4. Verify the “SET LOW” value in patchSystem.cmd is set at the megabyte value you want.
5. Set variables in update.cmd to match your platform/needs.
a. mailServer — This is the SMTP server blat will use to relay logs via email.
b. fromAddress — The emailed logs will be from this address. Useful for setting up filters.
c. toAddress — Who should get the logs? Distribution lists work for multiple recipients.
d. wuInstallOption — The choices here are /search /download /install. Search will just check to see what patches are needed on a system. Download will find what patches are needed and download them. Install will do all of the above and install the patches. If a reboot is required the script will reboot the system.
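As an added example (not part of the original post, nor code from Blat or wuInstall), here is a small Python reference model of the three decisions the scripts above make: the free-space check in patchSystem.cmd, the exit-code-to-status mapping in update.cmd, and a morning triage of the notification subjects the blat calls produce. It assumes the wuInstall v1.1 exit codes exactly as update.cmd lists them and the `dir /-c` summary line format shown in the comment; the dir output in the tests and the sample subjects are constructed.

```python
import re

# Exit codes of wuInstall v1.1 as update.cmd maps them. Unlisted codes (7, 8, 9, ...) belong
# to the unknown path; "if errorlevel N" is true for every errorlevel >= N and would misfile them.
WUINSTALL_STATUS = {
    0: "successNoRebootNeeded", 1: "errorNoRebootNeeded", 2: "noMoreUpdates",
    3: "noMatchingUpdates", 4: "invalidCriteriaSpecified", 5: "rebootStarted",
    6: "rebootFailed", 10: "successRebootRequired", 11: "errorRebootRequired"}
REBOOT_STATUSES = {"successRebootRequired", "errorRebootRequired"}
ERROR_STATUSES = {"errorNoRebootNeeded", "invalidCriteriaSpecified", "rebootFailed",
                  "errorRebootRequired", "unknownErrorLevel"}
def classify_exit_code(code):
    """Return (status, reboot_required) for one wuInstall exit code, matched by equality."""
    status = WUINSTALL_STATUS.get(code, "unknownErrorLevel")
    return status, status in REBOOT_STATUSES

# Summary line of "dir /-c \\server\c$", e.g. "   6 Dir(s)  46873292800 bytes free"
DIR_SUMMARY_RE = re.compile(r"Dir\(s\)\s+([\d,]+) bytes free")

def free_space_mb(dir_output):
    """Free MB, or None when dir printed no summary (share unreachable, access denied). Integer
    division replaces %freespace:~0,-6%, which leaves an empty string below 1,000,000 bytes."""
    m = DIR_SUMMARY_RE.search(dir_output)
    return None if m is None else int(m.group(1).replace(",", "")) // 1_000_000
def should_abort(dir_output, low_mb=200):
    """Abort on low space and on an unreadable result: unknown is not 'plenty'."""
    mb = free_space_mb(dir_output)
    return mb is None or mb < low_mb

SUBJECT_RE = re.compile(r"^\[scheduledUpdate\] -(\w+)- wuInstall Log from (\S+)$")
def triage(subjects):
    """Bucket the night's notification subjects by host; error wins over reboot."""
    report = {"ok": [], "reboot": [], "error": [], "unparsed": []}
    for subject in subjects:
        m = SUBJECT_RE.match(subject.strip())
        if not m:
            report["unparsed"].append(subject)
            continue
        status, host = m.groups()
        key = "error" if status in ERROR_STATUSES else "reboot" if status in REBOOT_STATUSES else "ok"
        report[key].append((host, status))
    return report

# Constructed sample subjects, in the form the blat calls in update.cmd produce.
SAMPLE_SUBJECTS = ["[scheduledUpdate] -successNoRebootNeeded- wuInstall Log from FILE01",
                   "[scheduledUpdate] -successRebootRequired- wuInstall Log from WEB02",
                   "[scheduledUpdate] -rebootFailed- wuInstall Log from SQL03",
                   "[scheduledUpdate] -unknownErrorLevel- wuInstall Log from APP04",
                   "Re: holiday schedule"]
```

Feeding `triage` the subject lines exported from the mailbox filter set up in step 5b gives one list of hosts needing attention instead of one email per server.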