Shulou(Shulou.com)06/02 Report--

Scene

Windows Server often needs to install security patches, and the strategy for wsus to install patches, especially in restarting the server, does not meet the demand, and it takes a lot of time to install manually. Therefore, the deployment of a control machine, by running the PowerShell script to install Windows patches in bulk remotely, can greatly improve work efficiency.

target

Install Windows server patches in bulk.

Introduction

Microsoft defines a protocol for WS-Management, which provides a public standard for remote exchange of management data by computer devices. On the Windows platform, MS implements the WS-Management protocol through Windows remote Management Service (Windows Remote Management service, referred to as WinRM). This is the basis on which we can perform remote operations through PowerShell, because PowerShell operates remotely through WinRM services.

But in the actual test, when we use the following command to install remotely, the installation always fails.

Invoke-Command-ComputerName $Computer-ScriptBlock {wusa.exe xxx.msu / quiet / norestart}

As you can see from the log, the error is as follows: the Windows update cannot be installed because of an error: 2147942405 "access denied."

It turns out that Microsoft does not support using wusa and its API to install patch updates remotely, and the solution is to use dism or add-windowspackage instead.

Https://support.microsoft.com/en-us/help/2773898/windows-update-standalone-installer-wusa-returns-0x5-error-access-deni

Realize

There are three main steps for bulk installation:

Copy the patch file [download patch-> controller-> target machine] remotely install the patch file to verify the installation result

Step 1: copy the file

Download the patch file (.msu), copy it to the corresponding directory of the control machine (such as c:\ fix), extract it through script (after compression for dism or add-windowspackage installation), and copy it to the target machine.

The "computer_list.txt" user stores the target machine name, one per line. This file is the only one that needs to be manually edited by the administrator (the other is to download the patch and copy it to the controller).

This step: right-click and run "copy.ps1" using powershell

# Script_name:copy.ps1 $PC = Get-Content ("C:\ scripts_wusa\ computer_list.txt") $FileMSU = Get-ChildItem C:\ fix-Name$CAB_PATH = "C:\ fix_cab\" wusa.exe "C:\ fix\ $FileMSU" / extract:$CAB_PATH# rest during decompression 90sStart-Sleep-Seconds 90$ I = 0foreach ($h in $PC) {$i++Copy-Item-Path $CAB_PATH-Destination\ $h\ C $\-Recurse-Forceif ($h-eq $PC [- 1] ) {Write-Progress-Activity "Progress shows"-status "is processing the last host $h!" Write-Output "total processing of $I hosts, transfer complete!" # Start-Sleep-Seconds 20 pause} else {Write-Progress-Activity "Progress shows that"-status "is processing the $I host $h, please wait patiently!"-PercentComplete ($i/$PC.count*100)}}

Step 2: run the remote installation script

There are two scripts in this step, one script is used to perform the installation action, and the other script is used to call the first to perform remote operations.

This step: right-click and run "Remote_install.ps1" using powershell

It should be noted that after the domain administrator logs in to the control computer, the remote operation does not need to be authenticated. For extraterritorial computers, remote operation management credential authentication must be provided through the parameter-Credential.

Installation script:

# Script_name:action_fix.ps1 $FileCAB = Get-ChildItem C:\ fix_cab * KB*.cab-NameForeach ($file in $FileCAB) {Add-WindowsPackage-Online-PackagePath C:\ fix_cab\ $file-NoRestart}

Remote call:

# Script_name:Remote_install.ps1 $PC = Get-Content ("C:\ scripts_wusa\ computer_list.txt") $i=0foreach ($h in $PC) {$iadded computers in the domain Invoke-Command-ComputerName $h-FilePath C:\ scripts_wusa\ action_fix.ps1# non-domain computers # Invoke-Command-ComputerName $h-FilePath C:\ action_fix.ps1-Credential administratorWrite-Progress-Activity "installation Progress-Status" is installing a patch for host $h Please be patient! "- PercentComplete ($i/$PC.Count*100)}

Step 3: verify the results of remote installation

There are also two scripts for this step, one script to perform the check action and the other script to call the first to perform the remote operation.

This step: right-click and run "check_fix_install.ps1" using powershell

Check the installation results:

# Script_name:check_show$FileCAB = Get-ChildItem C:\ fix_cab * KB*.cab-NameFunction Get_fix () {foreach ($I in $FileCAB) {$KB = $i.Split ("-") [1] Get-hotfix | where {$_ .HotFixID-eq $KB}} Get_fix

Remote call:

# Script_name:check_fix_install.ps1 $PCs = Get-Content ("C:\ scripts_wusa\ computer_list.txt") foreach ($h in $PCs) {$result = Invoke-Command-ComputerName $h-FilePath C:\ scripts_wusa\ get_fix.ps1 if ($result) {Write-Output "$h install Sucess!"} else {Write-Output "$h install Failure!"} pause

Take a look at the running result of step 3 (you can only print the hosts that failed to install, after all, we are more concerned about the failed ones):

After the patch is installed successfully, all that is left is for the administrator to choose a reasonable time to restart the server, or you can restart it remotely through powershell. [Restart-Computer-ComputerName pc-1,pc-2,pc-N-Force]

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.