Batch install Windows server patch

Scenario

Windows servers regularly need security patches. When installing them through WSUS policy does not meet requirements, installing them manually one by one, along with restarting the servers, takes a lot of time. Deploying a control machine that installs Windows patches remotely in batches by running PowerShell scripts can greatly improve efficiency.

Goal

Batch install Windows server patches.

Introduction

Microsoft defines the WS-Management protocol, an open standard for exchanging management data with remote computers and devices. On the Windows platform, Microsoft implements WS-Management through the Windows Remote Management service (WinRM). This is what allows basic remote operations from PowerShell, because PowerShell remoting runs over the WinRM service.


In real tests, however, remote installation with the following command always failed.

Invoke-Command -ComputerName  $Computer -ScriptBlock { wusa.exe   xxx.msu /quiet /norestart}

The log shows the following error: Windows update can not be installed because of an error: 2147942405 "Access denied."

It turns out that Microsoft does not support using wusa and its API to install updates remotely. The solution is to use dism instead.

https://support.microsoft.com/en-us/help/2773898/windows-update-standalone-installer-wusa-returns-0x5-error-access-deni

Implementation

The batch installation has three main steps:

  • Copy the patch files [download the patch -> control machine -> target]
  • Install the patch files remotely
  • Verify the installation

Step one: Copy the files

Download the patch file (.msu) and copy it to the corresponding directory on the control machine (e.g., C:\fix). A script then extracts it (dism installs the extracted .cab package) and copies the result to the target machines.

"computer_list.txt" stores the names of the target machines, one per line. Editing this file is one of only two things that have to be done by hand (the other is downloading the patch and copying it to the control machine).

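#Script_name:copy.ps1

# Target machines, one name per line
$PC = Get-Content "C:\scripts_wusa\computer_list.txt"
$CAB_PATH = "C:\fix_cab\"

# Extract every downloaded .msu into $CAB_PATH
foreach ($FileMSU in Get-ChildItem C:\fix -Filter *.msu -Name) {
    # -Wait blocks until wusa.exe exits, instead of sleeping for a fixed 90 seconds
    Start-Process wusa.exe -ArgumentList "`"C:\fix\$FileMSU`"", "/extract:$CAB_PATH" -Wait
}

$i = 0

foreach ($h in $PC) {
    $i++
    # Copy the extracted folder to C:\fix_cab on the target through the admin share
    Copy-Item -Path $CAB_PATH -Destination "\\$h\C`$\" -Recurse -Force

    if ($h -eq $PC[-1]) {
        # Status: "Processing the last host $h"
        Write-Progress -Activity "进度显示" -Status "正在处理最后一台主机 $h !"
        # Output: "$i hosts processed in total, transfer complete"
        Write-Output "总计处理 $i 台主机,传输完毕!"
        #Start-Sleep -Seconds 20
        pause
    }
    else {
        # Status: "Processing host number $i ($h), please wait"
        Write-Progress -Activity "进度显示" -Status "正在处理 第 $i 台主机 $h ,请耐心等待!" -PercentComplete ($i / $PC.Count * 100)
    }
}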
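The copied packages are later installed with administrative rights on every target, so it helps to check them first. The following is an added example, not part of the original scripts: it checks the Authenticode signature of the downloaded .msu and compares SHA-256 hashes of the extracted .cab files with the copies on each target. It assumes the paths used above, PowerShell 4.0 or later (for Get-FileHash), and that the .msu is Authenticode-signed.

```powershell
# Added example, not from the original post. Run on the control machine after copy.ps1.
$PC     = @(Get-Content "C:\scripts_wusa\computer_list.txt")
$MsuDir = "C:\fix"
$CabDir = "C:\fix_cab"

# 1. The downloaded .msu must carry a valid Authenticode signature.
foreach ($msu in Get-ChildItem $MsuDir -Filter *.msu) {
    $sig = Get-AuthenticodeSignature -FilePath $msu.FullName
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for $($msu.Name): $($sig.Status)"
    }
    Write-Output "$($msu.Name): signed by $($sig.SignerCertificate.Subject)"
}

# 2. Hash the extracted packages once, locally.
$expected = @{}
foreach ($cab in Get-ChildItem $CabDir -Filter *KB*.cab) {
    $expected[$cab.Name] = (Get-FileHash -LiteralPath $cab.FullName -Algorithm SHA256).Hash
}

# 3. Re-hash each copy over the admin share and list anything missing or different.
$problems = foreach ($h in $PC) {
    foreach ($name in $expected.Keys) {
        $remote = "\\$h\C`$\fix_cab\$name"
        if (-not (Test-Path -LiteralPath $remote)) {
            [pscustomobject]@{ Computer = $h; File = $name; Problem = 'Missing' }
        }
        elseif ((Get-FileHash -LiteralPath $remote -Algorithm SHA256).Hash -ne $expected[$name]) {
            [pscustomobject]@{ Computer = $h; File = $name; Problem = 'HashMismatch' }
        }
    }
}

if ($problems) { $problems | Format-Table -AutoSize }
else { Write-Output "All copies match on $($PC.Count) host(s)." }
```

A 'Valid' status only means the signature verifies and chains to a trusted root; the printed signer subject still has to be the publisher you expect.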

Step two: Run the remote installation script

This step uses two scripts: one performs the installation, and the other calls it to run the operation remotely.

Note: for domain-joined computers, when a domain administrator is logged in to the control machine, no authentication is needed for remote execution. For computers outside the domain, remote operations must supply administrator credentials through the -Credential parameter.

Installation script:

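#Script_name:action_fix.ps1

# Runs on the target: install every KB package that copy.ps1 placed in C:\fix_cab
$FileCAB = Get-ChildItem C:\fix_cab *KB*.cab -Name
foreach ($file in $FileCAB)
{
    # DISM cmdlet; -NoRestart leaves the reboot to the administrator
    Add-WindowsPackage -Online -PackagePath "C:\fix_cab\$file" -NoRestart
}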

Remote call:

#Script_name:Remote_install.ps1

$PC = Get-Content "C:\scripts_wusa\computer_list.txt"
$i = 0
foreach ($h in $PC) {
    $i++
    # Domain-joined computers
    Invoke-Command -ComputerName $h -FilePath C:\scripts_wusa\action_fix.ps1
    # Computers not joined to the domain
    #Invoke-Command -ComputerName $h -FilePath C:\scripts_wusa\action_fix.ps1 -Credential administrator
    # Status: "Installing the patch on host $h, please wait"
    Write-Progress -Activity "安装进度" -Status "正在为主机 $h 安装补丁,请耐心等待!" -PercentComplete ($i / $PC.Count * 100)
}

Step three: Verify the installation results remotely

This step also uses two scripts: one performs the check, and the other calls it to run the operation remotely.

Check the installation results:

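#Script_name:get_fix.ps1

# Runs on the target: the KB packages that were copied to C:\fix_cab
$FileCAB = Get-ChildItem C:\fix_cab *KB*.cab -Name

function Get_fix()
{
    foreach ($i in $FileCAB) {
        # The second "-"-separated field of the .cab file name is the KB id
        $KB = $i.Split("-")[1]
        Get-HotFix | Where-Object { $_.HotFixID -eq $KB }
    }
}

Get_fix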

Remote call:

#Script_name:check_fix_install.ps1

$PCs = Get-Content "C:\scripts_wusa\computer_list.txt"

foreach ($h in $PCs)
{
    # $result is empty when none of the KB ids were found on the target
    $result = Invoke-Command -ComputerName $h -FilePath C:\scripts_wusa\get_fix.ps1
    if ($result) {
        Write-Output "$h  install Success!"
    }
    else {
        Write-Output "$h  install Failure!"
    }
}

Review the output of the third step. You can choose to print only the hosts where installation failed, since failures are what matter most.
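One way to print only the problem hosts, as an added example that is not part of the original scripts: it checks every KB id rather than any one of them, and reports unreachable hosts separately instead of treating them as a plain failure. It assumes the same paths as above and PowerShell 3.0 or later.

```powershell
# Added example, not from the original post: report only hosts that need attention.
$PCs = @(Get-Content "C:\scripts_wusa\computer_list.txt")

$report = foreach ($h in $PCs) {
    try {
        # Runs on the target: KB ids taken from the copied .cab names, minus installed hotfixes
        $missing = Invoke-Command -ComputerName $h -ErrorAction Stop -ScriptBlock {
            $ErrorActionPreference = 'Stop'
            $cabs = @(Get-ChildItem C:\fix_cab -Filter *KB*.cab -Name)
            if ($cabs.Count -eq 0) { throw "No *KB*.cab files in C:\fix_cab" }
            $installed = @(Get-HotFix).HotFixID
            $cabs | ForEach-Object { $_.Split('-')[1] } |
                Where-Object { $installed -notcontains $_ }
        }
        if ($missing) {
            [pscustomobject]@{ Computer = $h; Status = 'Missing'; Detail = ($missing -join ', ') }
        }
    }
    catch {
        # WinRM unreachable, access denied, empty package folder: not verified, so report it
        [pscustomobject]@{ Computer = $h; Status = 'NotVerified'; Detail = $_.Exception.Message }
    }
}

if ($report) { $report | Format-Table -AutoSize -Wrap }
else { Write-Output "Every KB is installed on all $($PCs.Count) host(s)." }
```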


After the patches are installed successfully, what remains is for the administrator to choose a suitable time to restart the servers. The restart can also be done in batch through remote PowerShell. [Restart-Computer -ComputerName pc-1, pc-2, pc-N -Force]

Origin blog.51cto.com/magic3/2447210