With a patch as critical as MS08-067 just out, it seems that we "patchers" are up against it. This post details an alternative way of deploying patches across a set of servers using PsExec and PowerShell.
Tools
- PSExec
- PowerShell (with Quest AD Cmdlets installed)
1. First, create a share for the patches. Download the patch (or patches) and copy them to it. Give write access on that share only to whoever stages the patches: every server is going to execute whatever sits in it, so treat it like any other software distribution point.
2. Now you need a list of all your servers, if you don't already have one. I would use PowerShell for this.
get-qadobject -sizelimit 0 -type computer | where {$_.osname -match "server"} | select -expandproperty name | out-file c:\servers.txt -encoding ascii
-ExpandProperty writes the bare names, so there is no "Name" header or "----" separator line to tidy up by hand, and -Encoding ASCII avoids the UTF-16 file that PowerShell's > redirection would produce, which not every tool that reads a list of names will accept.
3. Now use PSExec to deploy the patch from the share to the servers listed in the file.
psexec @c:\servers.txt -c \\File-Server\SecurityPatches$\MS08-067.exe /quiet /norestart /overwriteoem
The switches go outside the quotes (or with no quotes at all, as above); if you quote the whole string, PsExec treats "...MS08-067.exe /quiet ..." as the name of the program to copy and fails. -c copies the package from your machine to the target's ADMIN$ share before running it, so the target itself never has to reach the file share. If you drop -c and run the package straight from the UNC path instead, the remote process runs under a network logon that cannot authenticate on to a second machine (the double-hop problem) unless you pass explicit credentials with -u and -p. PsExec returns the exit code of the remote process: 0 means installed, 3010 means installed but a restart is required.
If you have many patches to install, put the line above into a batch file once per patch and change only the package name on each line.
4. Use PowerShell to reboot all the servers in the list if required. The following one-liner will do that; -EnableAllPrivileges carries the shutdown privilege into the WMI call, which Reboot() needs. Note that it restarts every server in the file, whether or not the patch went on, so feed it only the hosts that reported a restart was required.
gc c:\servers.txt | ForEach-Object { gwmi win32_operatingsystem -ComputerName $_ -EnableAllPrivileges | ForEach-Object { $_.reboot() }}
5. Finally, use PowerShell to check that the patches were installed. The following script prompts you for your server list file and the HotFix ID to check for. The HotFix ID is the KB article number (MS08-067 is KB958644), not the bulletin number. A host that cannot be reached over WMI is reported as "Unknown" rather than "No", so a server that is switched off or still restarting does not get recorded as unpatched.
function Get-ServerHotFix {
    # Renamed from Get-HotFix so it does not shadow the Get-HotFix cmdlet built into PowerShell 2.0 and later
    param([string]$hotFixID)
    process {
        $server = $_
        $wmiError = $null
        $results = gwmi win32_quickfixengineering -ComputerName $server -Filter "HotFixID='$hotFixID'" -ErrorAction SilentlyContinue -ErrorVariable wmiError
        if ($results) {
            $results | select CSName,HotFixID,@{n="Installed";e={"Yes"}}
        } else {
            # No match: either the hotfix is absent or WMI could not be queried at all
            $results = "" | select CSName,HotFixID,Installed
            $results.CSName = $server
            $results.HotFixID = $hotFixID
            $results.Installed = if ($wmiError) { "Unknown (WMI error)" } else { "No" }
            $results
        }
    }
}
gc (Read-Host "Please provide path to server list file") | Get-ServerHotFix -hotFixID (Read-Host "Hotfix ID") | ft -auto
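Strung together, steps 2 to 5 make one script: push the package with PsExec and record each server's exit code, restart only the hosts that asked for it, then verify over WMI. The following is an added example and not code from the original post. It assumes Windows PowerShell 2.0 or later, psexec.exe on the PATH, local admin rights on every target, an update.exe-style package that exits 0 (installed) or 3010 (installed, restart required), and that MS08-067 installs as hotfix KB958644; the file and share names are the post's own, and running the installer as SYSTEM (-s) is a choice made here rather than something the post does.

```powershell
# Added example, not the original post's code. Assumptions (not from the post):
# Windows PowerShell 2.0 or later, psexec.exe on the PATH, local admin rights on
# every target, and an update.exe-style package that exits 0 (installed) or
# 3010 (installed, restart required).

function Get-ServerList {
    # Read the list written in step 2, dropping blank lines and any "Name" header
    # or "----" separator so the same file serves psexec and WMI alike.
    param([string]$Path)
    Get-Content $Path |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -ne '' -and $_ -ne 'Name' -and $_ -notmatch '^-+$' }
}

function Install-PatchWithPsExec {
    # Push one package to each server in turn and return a status object per host.
    # -c copies the package from this machine over ADMIN$, so the target never has
    # to reach the file share itself (no double-hop problem); -s runs the installer
    # as SYSTEM so the result does not depend on a user profile (a choice made here,
    # not something the post does); -n 30 bounds the wait for an unreachable host.
    param(
        [string[]]$Servers,
        [string]$PatchPath,
        [string[]]$PatchArgs = @('/quiet', '/norestart', '/overwriteoem')
    )
    foreach ($server in $Servers) {
        & psexec.exe "\\$server" -n 30 -s -c $PatchPath $PatchArgs 2>$null | Out-Null
        $code = $LASTEXITCODE     # psexec returns the remote process's exit code
        $status = switch ($code) {
            0       { 'Installed' }
            3010    { 'Installed, restart required' }
            default { "Failed (exit $code)" }
        }
        New-Object PSObject -Property @{
            Server        = $server
            ExitCode      = $code
            Status        = $status
            RestartNeeded = ($code -eq 3010)
        }
    }
}

function Restart-ServerViaWmi {
    # Restart only the hosts the installer flagged. -EnableAllPrivileges carries the
    # shutdown privilege into the WMI call, which Win32_OperatingSystem.Reboot() needs.
    param([string[]]$Servers)
    foreach ($server in $Servers) {
        $os = Get-WmiObject Win32_OperatingSystem -ComputerName $server -EnableAllPrivileges
        if ($os) { [void]$os.Reboot() }
    }
}

function Get-HotFixStatus {
    # Separate "not installed" from "could not ask": a host that is off, still
    # restarting or blocking WMI must not be reported as either patched or unpatched.
    # HotFixID is the KB number (MS08-067 is KB958644), not the bulletin number.
    param([string[]]$Servers, [string]$HotFixID)
    foreach ($server in $Servers) {
        $wmiError = $null
        $qfe = Get-WmiObject Win32_QuickFixEngineering -ComputerName $server `
                 -Filter "HotFixID='$HotFixID'" -ErrorAction SilentlyContinue -ErrorVariable wmiError
        $installed = if ($wmiError) { 'Unknown (WMI error)' } elseif ($qfe) { 'Yes' } else { 'No' }
        New-Object PSObject -Property @{ Server = $server; HotFixID = $HotFixID; Installed = $installed }
    }
}

# Usage, following the post's steps 3 to 5 in order (paths are the post's own):
$servers = Get-ServerList 'C:\servers.txt'
$push    = Install-PatchWithPsExec -Servers $servers -PatchPath '\\File-Server\SecurityPatches$\MS08-067.exe'
$push | Format-Table Server, Status -AutoSize
Restart-ServerViaWmi -Servers ($push | Where-Object { $_.RestartNeeded } | ForEach-Object { $_.Server })
# Once the restarted hosts are back, run the check (and keep the output as your patch record):
Get-HotFixStatus -Servers $servers -HotFixID 'KB958644' | Format-Table Server, HotFixID, Installed -AutoSize
```

Keep the push and the check as separate passes: a verification run straight after the restarts would report every rebooting host as "Unknown". The push is serial, one server at a time, which is what you want for a first run because a bad package stops at the first failed exit code rather than being sprayed across the estate.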
Or you could use WSUS or SMS I guess.