29 April, 2017

Install patches remotely - OS

When you need to install a hotfix outside of your normal patching cycle and outside of the usual patching tool (be that WSUS, SCCM... whatever), a good way is to do it semi-manually by running wusa.exe.
However, if you have 20+ hosts, it is inconvenient to RDP to each one and execute wusa or double-click on the msu file.

So why not use PS remoting or winrs? Let's give it a go (I copied the msu file to each host into their c:\temp folder prior to running winrs):

gc c:\hostlist.txt | %{winrs -r:$_ wusa.exe c:\temp\windows6.1-kbXXXXXXX.msu /passive /quiet /forcerestart}

But then you will get this: Windows update could not be installed because of error 2147942405 "Access is denied."

Whaaaat? Why? WHY? A bit of googling will get you here: https://support.microsoft.com/en-us/help/2773898/windows-update-standalone-installer-wusa-returns-0x5-error-access-denied-when-deploying-.msu-files-through-winrm-and-windows-remote-shell

Ok, I will need to extract the msu and then run dism on each host. It's no big deal: you can run the 2 commands in a remote PS session, or run 2 lines of winrs, etc. But here is an alternative solution, psexec:

"host1,host2,host3".split(",") | %{Start-Process psexec.exe -arg "-s \\$_ wusa.exe c:\temp\windows6.1-kbXXXXXXX.msu /passive /quiet /forcerestart"}

However, you can't just run psexec directly because it hangs on wusa.exe. You need to kick it off with 'Start-Process' and pass it the rest of the arguments, which are for psexec; psexec then executes wusa.exe under the SYSTEM context.
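
The extract-and-dism route mentioned above, sketched as an added example (not code from the original post). It assumes PS remoting is enabled on the hosts in c:\hostlist.txt, that the msu is already in c:\temp as described, and that the payload inside the msu is named Windows*.cab; the work folder name and the result fields are illustrative.

```powershell
# Added example, not from the original post. Assumes PS remoting is enabled on
# every host and the .msu was already copied to c:\temp, as in the post.
$msu     = 'c:\temp\windows6.1-kbXXXXXXX.msu'   # placeholder name from the post
$targets = Get-Content c:\hostlist.txt

$results = Invoke-Command -ComputerName $targets -ArgumentList $msu -ScriptBlock {
    param($msu)

    if (-not (Test-Path $msu)) {
        return New-Object psobject -Property @{ Status = 'msu missing'; DismExit = $null }
    }

    # Work in a fresh folder so a stale .cab from an earlier run is never picked up.
    $work = Join-Path $env:TEMP ("msu_" + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $work | Out-Null

    # Step 1: unpack the .msu; the update payload is the Windows*.cab inside it
    # (assumed naming; WSUSSCAN.cab in the same archive is metadata only).
    & expand.exe -F:* $msu $work | Out-Null
    $cab = Get-ChildItem -Path $work -Filter 'Windows*.cab' | Select-Object -First 1
    if (-not $cab) {
        Remove-Item -Path $work -Recurse -Force
        return New-Object psobject -Property @{ Status = 'no cab in msu'; DismExit = $null }
    }

    # Step 2: install the .cab. /norestart leaves the reboot under your control.
    & dism.exe /online /add-package "/PackagePath:$($cab.FullName)" /quiet /norestart | Out-Null
    $exit = $LASTEXITCODE
    Remove-Item -Path $work -Recurse -Force

    # 0 = success, 3010 = success but a restart is required; anything else is a failure.
    $status = switch ($exit) {
        0       { 'installed' }
        3010    { 'installed, reboot required' }
        default { 'failed' }
    }
    New-Object psobject -Property @{ Status = $status; DismExit = $exit }
}

# One row per host, so a failed or skipped install is visible instead of silent.
$results | Select-Object PSComputerName, Status, DismExit | Format-Table -AutoSize
```

Unlike the /forcerestart runs above, this does not reboot the hosts, so schedule the restart separately for any host that reports 3010.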

Hope this helps.
