SMS MS Patches - Install Solution

**zorg2000k** · April 24, 2007

Hi,

Hope this is the correct forum.

I have a large network of around 10,500 computer's that we run an SMS job ,weekend's , nightly and sometime's daily,

for updating to the latest MS patches.

The script below is the main batch file that is called. I will try to breakdown each area.

:start
If Exist %windir%\System32\reg.exe goto WksCheck
copy /Y \\ngsysm02\smssource\Desktop\SMSUtils\reg.exe %windir%\system32\
:WksCheck
rem check to see if system is a workstation
%windir%\system32\reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v ProductType | 
%windir%\system32\find.exe /i "WinNT" && goto WkStation
goto Main_exit

:WkStation
rem Utility Check and Copy routines

:Filever
rem Check for FileVer.exe
If Exist %windir%\System32\filever.exe goto FileVer-VerChk
copy /Y \\ngsysm02\smssource\Desktop\SMSUtils\filever.exe %windir%\system32\
:FileVer-VerChk
%windir%\system32\filever.exe /A /D %windir%\System32\filever.exe | %windir%\system32\find.exe "5.2.3790.0" && goto qchaincpy 
copy /Y \\ngsysm02\smssource\Desktop\SMSUtils\filever.exe %windir%\system32\

:qchaincpy
rem check for qchain.exe
If Exist %windir%\System32\qchain.exe goto qchain-VerChk
copy /Y \\ngsysm02\smssource\Desktop\SMSUtils\qchain.exe %windir%\system32\
:qchain-VerChk
%windir%\system32\filever.exe /A /D %windir%\System32\qchain.exe | %windir%\system32\find.exe "5.0.2195.6666" && goto sleepcpy 
copy /Y \\ngsysm02\smssource\Desktop\SMSUtils\qchain.exe %windir%\system32\

:sleepcpy
rem check for sleep.exe
If Exist %windir%\System32\sleep.exe goto sleep-VerChk
copy /Y \\ngsysm02\smssource\Desktop\SMSUtils\sleep.exe %windir%\system32\
:sleep-VerChk
%windir%\system32\filever.exe /A /D %windir%\System32\sleep.exe | %windir%\system32\find.exe "5.0.2134.1" && goto psshutdowncpy
copy /Y \\ngsysm02\smssource\Desktop\SMSUtils\sleep.exe %windir%\system32\

:psshutdowncpy
rem check for psshutdown.exe
If Exist %windir%\System32\psshutdown.exe goto psshutdown-VerChk
copy /Y \\ngsysm02\smssource\Desktop\SMSUtils\psshutdown.exe %windir%\system32\
:psshutdown-VerChk
%windir%\system32\filever.exe /A /D %windir%\System32\psshutdown.exe | %windir%\system32\find.exe "2.32.0.0" && goto addregval
copy /Y \\ngsysm02\smssource\Desktop\SMSUtils\psshutdown.exe %windir%\system32\


:addregval
rem add reboot key and value to registry
%windir%\system32\reg.exe add HKLM\Software\GDS\VersionControl\PatchControl /v Reboot_Pending /t REG_SZ /d 0 /f


rem If XP, launch xp.bat
%windir%\system32\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion | %windir%\system32\find.exe "5.1" && goto XP_Launch

rem If W2K, launch 2K.bat
%windir%\system32\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion | %windir%\system32\find.exe "5.0" && goto 2K_Launch

rem If NT4, launch nt4.bat
%windir%\system32\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion | %windir%\system32\find.exe "4.0" && goto NT_Launch

goto office_launch

:XP_Launch
call XP_Patches.bat
goto office_Launch
goto shutdowncheck

:2K_Launch
call 2K_Patches.bat
goto office_Launch

:NT_Launch
call NT_Patches.bat
goto office_Launch


:office_Launch
:Word2k3_check
if exist "C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE" goto Excel2k3_Check
goto WordXP_check
:Excel2k3_Check
if exist "C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE" goto Powerpoint2K3_Check
goto WordXP_check
:Powerpoint2K3_Check
if exist "C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE" goto Office2k3_Install
goto WordXP_check

:WordXP_check
if exist "C:\Program Files\Microsoft Office\OFFICE10\WINWORD.EXE" goto ExcelXP_Check
goto Word2Kcheck
:ExcelXP_Check
if exist "C:\Program Files\Microsoft Office\OFFICE10\EXCEL.EXE" goto PowerpointXP_Check
goto Word2Kcheck
:PowerpointXP_Check
if exist "C:\Program Files\Microsoft Office\OFFICE10\POWERPNT.EXE" goto OfficeXP_Install
goto Word2Kcheck

:Word2Kcheck
if exist "C:\Program Files\Microsoft Office\OFFICE\WINWORD.EXE" goto Excel2K_Check
goto shutdowncheck
:Excel2K_Check
if exist "C:\Program Files\Microsoft Office\OFFICE\EXCEL.EXE" goto Powerpoint2K_Check
goto shutdowncheck
:Powerpoint2K_Check
if exist "C:\Program Files\Microsoft Office\OFFICE\POWERPNT.EXE" goto Office2K_Install
goto shutdowncheck

:Office2k3_Install
call Office2K3_Patches.bat
goto shutdowncheck

:OfficeXP_Install
call OfficeXP_Patches.bat
goto shutdowncheck

:Office2K_Install
call Office2K_Patches.bat
goto shutdowncheck

:shutdowncheck
%windir%\system32\reg.exe QUERY "HKLM\Software\GDS\VersionControl\PatchControl" /v Reboot_Pending | find "1" && goto psshutdown
goto Main_exit

:psshutdown
%windir%\system32\qchain.exe c:\smsinstall\qchain.txt
%windir%\system32\psshutdown.exe -f -r -t 28800 -m "All Required MS Security patches have been installed and a reboot is 
required - to stop this automated reboot countdown 
please manually reboot this computer at any suitable safe time prior to the 8hr deadline."
%windir%\system32\reg.exe add HKLM\Software\GDS\Reboot /v Reboot_Pending /t REG_SZ /d 0 /f
goto flagchecks

:flagchecks
:MS03
%windir%\system32\reg.exe query "HKLM\Software\GDS\VersionControl\PatchControl\OSPatch" /v MS03_Complete | %windir%\system32\find.exe "1" && goto MS04
goto dirty_exit
:MS04
%windir%\system32\reg.exe query "HKLM\Software\GDS\VersionControl\PatchControl\OSPatch" /v MS04_Complete | %windir%\system32\find.exe "1" && goto MS05
goto dirty_exit
:MS05
%windir%\system32\reg.exe QUERY "HKLM\Software\GDS\VersionControl\PatchControl\OSPatch" /v MS05_Complete | %windir%\system32\find.exe "1" && goto MS06
goto dirty_exit
:MS06
%windir%\system32\reg.exe QUERY HKLM\Software\GDS\VersionControl\PatchControl\OSPatch /v MS06_Complete | %windir%\system32\find.exe "1" && goto MS07
goto dirty_exit
:MS07
%windir%\system32\reg.exe QUERY HKLM\Software\GDS\VersionControl\PatchControl\OSPatch /v MS07_Complete | %windir%\system32\find.exe "Feb2" && goto Main_exit
goto dirty_exit


:Main_exit
exit /b 0

:dirty_exit
exit /b 10

1. The first part of the above script copies a few tools to the %windir%\system32 folder for future use.

2. The second part adds a reg value for quering (found later)

3. We have a few type's of machines on the network at the moment . Most are XPsp2 but we have a few NT4 and Win2K machines.

So a query is run to find out what type of machine

it is then it run's the relevant batch file. i.e xp_patches.bat 2k_patches.bat nt4_patches.bat

I will concentrate on the xp_patches.bat as the 2k_patches.bat and nt4_patches.bat run in the same manner.

Below is the batch file of my xp_patches

:MS03
%windir%\system32\reg.exe query "HKLM\Software\GDS\VersionControl\PatchControl\OSPatch" /v MS03_Complete | %windir%\system32\find.exe "1" && goto MS04

cd MS03-037
call MS03-037Install.bat
cd..

%windir%\system32\reg.exe add HKLM\Software\GDS\VersionControl\PatchControl\OSPatch /v MS03_Complete /t REG_SZ /d 1 /f

:MS04
%windir%\system32\reg.exe query "HKLM\Software\GDS\VersionControl\PatchControl\OSPatch" /v MS04_Complete | %windir%\system32\find.exe "1" && goto MS05

cd MS04-028
call MS04-028Install.bat
cd..

cd MS04-030
call MS04-030-XP.bat
cd..

cd MS04-031
call MS04-031-XP.bat
cd..

cd MS04-034
call MS04-034-XP.bat
cd..

cd MS04-037
call MS04-037-XP.bat
cd..

cd MS04-040
call XP.bat
cd..

cd MS04-041
call XP.bat
cd..

cd MS04-043
call XP.bat
cd..

cd MS04-044
call XP.bat
cd..

%windir%\system32\reg.exe add HKLM\Software\GDS\VersionControl\PatchControl\OSPatch /v MS04_Complete /t REG_SZ /d 1 /f


:MS05

%windir%\system32\reg.exe QUERY "HKLM\Software\GDS\VersionControl\PatchControl\OSPatch" /v MS05_Complete | %windir%\system32\find.exe "1" && goto MS06

cd MS05-007
call XP.bat
cd..

cd MS05-013
call XP.bat
cd..

cd MS05-017
call XP.bat
cd..

cd MS05-018
call XP.bat
cd..

cd MS05-026
call XP.bat
cd..

cd MS05-027
call XP.bat
cd..

cd MS05-033
call XP.bat
cd..

cd MS05-036
call XP.bat
cd..

cd MS05-040
call XP.bat
cd..

cd MS05-041
call XP.bat
cd..

cd MS05-042
call XP.bat
cd..

cd MS05-043
call XP.bat
cd..

cd MS05-044
call XP.bat
cd..

cd MS05-045
call XP.bat
cd..

cd MS05-047
call XP.bat
cd..

cd MS05-048
call XP.bat
cd..

cd MS05-049
call XP.bat
cd..

cd MS05-050
call XP.bat
cd..

cd MS05-051
call XP.bat
cd..

cd MS05-053
call XP.bat
cd..

cd MS05-054
call XP.bat
cd..

%windir%\system32\reg.exe add HKLM\Software\GDS\VersionControl\PatchControl\OSPatch /v MS05_Complete /t REG_SZ /d 1 /f


:MS06


%windir%\system32\reg.exe QUERY HKLM\Software\GDS\VersionControl\PatchControl\OSPatch /v MS06_Complete | %windir%\system32\find.exe "1" && goto MS07

cd MS06-001
call XP.bat
cd..

cd MS06-002
call XP.bat
cd..

cd MS06-006
call XP.bat
cd..

cd MS06-007
call XP.bat
cd..

cd MS06-008
call XP.bat
cd..

cd MS06-011
call XP.bat
cd..

cd MS06-015
call XP.bat
cd..

cd MS06-018
call XP.bat
cd..

cd MS06-022
call XP.bat
cd..

cd MS06-023
call XP.bat
cd..

cd MS06-024
call XP.bat
cd..

cd MS06-025
call XP.bat
cd..

cd MS06-030
call XP.bat
cd..

cd MS06-032
call XP.bat
cd..

cd MS06-033
call XP.bat
cd..

cd MS06-034
call XP.bat
cd..

cd MS06-036
call XP.bat
cd..

cd MS06-041
call XP.bat
cd..

cd MS06-045_Fix
call MS06-045_Fix.bat
cd..

cd MS06-050
call XP.bat
cd..

cd MS06-051
call XP.bat
cd..

cd MS06-052
call XP.bat
cd..

cd MS06-053
call XP.bat
cd..

cd MS06-056
call XP.bat
cd..

cd MS06-057
call XP.bat
cd..

cd MS06-060
call WordView.bat
cd..

cd MS06-063
call XP.bat
cd..

cd MS06-064
call XP.bat
cd..

cd MS06-065
call XP.bat
cd..

cd MS06-066
call XP.bat
cd..

cd MS06-067
call XP.bat
cd..

cd MS06-068
call XP.bat
cd..

cd MS06-069
call XP.bat
cd..

cd MS06-070
call XP.bat
cd..

cd MS06-071
call XP.bat
cd..

cd MS06-073
call XP.bat
cd..

cd MS06-074
call XP.bat
cd..

cd MS06-075
call XP.bat
cd..

cd MS06-076
call XP.bat
cd..

cd MS06-078
call XP.bat
cd..

rem the data value (after /d) must be changed to correspond to the naming convention described above
%windir%\system32\reg.exe add HKLM\Software\GDS\VersionControl\PatchControl\OSPatch /v MS06_Complete /t REG_SZ /d 1 /f


:MS07

%windir%\system32\reg.exe QUERY HKLM\Software\GDS\VersionControl\PatchControl\OSPatch /v MS07_Complete | 
%windir%\system32\find.exe "Feb2" && goto leave

cd MS07-004
call XP.bat
cd..

cd MS07-005
call XP.bat
cd..

cd MS07-006
call XP.bat
cd..

cd MS07-007
call XP.bat
cd..

cd MS07-008
call XP.bat
cd..

cd MS07-009
call XP.bat
cd..

cd MS07-011
call XP.bat
cd..

cd MS07-012
call XP.bat
cd..

cd MS07-013
call XP.bat
cd..

cd MS07-016
call XP.bat
cd..

rem Microsoft Critical Patch 05/04/2007
cd MS07-017
call XP.bat
cd..


rem Microsoft Critical Patch 11/04/2007
cd MS07-019
call XP.bat
cd..

rem Microsoft Critical Patch 11/04/2007
cd MS07-020
call XP.bat
cd..

rem Microsoft Critical Patch 11/04/2007
cd MS07-021
call XP.bat
cd..

rem Microsoft Important Patch 11/04/2007
cd MS07-022
call XP.bat
cd..

%windir%\system32\reg.exe add HKLM\Software\GDS\VersionControl\PatchControl\OSPatch /v MS07_Complete /t REG_SZ /d Apr1 /f


:leave

The script will look in the patchcontrol area in the reg for value called MS03_complete, MS04_complete, MS05_complete etc

If this value is found then that means that the machine has been completely patched for that MS range i.e MS05. If the value is not

found then it will continue on installing each of the MS patches until it reaches the end of the above script.

Below is the xp.bat file that is called for each on the MS patches, although the patche's , data may change they all

follow the same method.

:MSPatchCheck
rem reg query to identify if the patch is installed.
%windir%\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB926436" /v Description | 
%windir%\system32\find.exe "926436" && goto out

rem reg query to see if XP-SP2 is installed.
%windir%\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CSDVersion | 
%windir%\system32\find.exe "Service Pack 2" && goto xpsp2

:xpsp1
rem XP sp1 patch files here
WindowsXP-KB926436-x86-custom-ENU.exe /QUIET /NORESTART 
goto end

:xpsp2
rem XP sp2 patch files here
WindowsXP-KB926436-x86-ENU.exe /QUIET /NORESTART 
goto end

:end
rem Sets time of PC
net time /set /y
rem add reboot flag to registry
%windir%\system32\reg.exe add HKLM\Software\GDS\VersionControl\PatchControl /v Reboot_Pending /t REG_SZ /d 1 /f

:out
rem Copies Flag file to smsinstall folder.
md c:\smsinstall
copy /Y KB926436.exe c:\smsinstall\KB926436.exe
goto finish

:NotReq
rem Copies Flag file to smsinstall folder.
md c:\smsinstall
copy /Y KB926436NA.exe c:\smsinstall\KB926436NA.exe

:finish

1. It first check's the reg to see if it has been patched already. If already patched it goes to out and creates a dummy file "KB926436.exe"

within a folder called c:\smsinstall then exit's. This is done for SMS reporting as we one sweep for .exe in SMS 2003. Thsi is to help with a

slow network infrastructure.

2. If the reg value is not found it queries for XPsp1 or XPsp2 and then install's the relevant MS patch and then copies the dummy file

to c:\smsinstall then exit's and move's onto the next patch foler as in MS07-12 etc.

My question is. I have been tasked in making this process as simple as possible. If anyone has any idea's or comments on the above,

please leave me a reply.

Cheers

Stuart

Edited April 28, 2007 by xper

**zorg2000k** · April 25, 2007

If there are any SMS / Batch guru's out there that have a better way in deploying patches via sms then any feedback / help would be great. Even better are there any tools /apps that may help in in my quest

Is this the best forum for this type of query ???

Cheers

Stuart

**Bendes** · April 25, 2007

The recommended solution (by Microsoft) is a WSUS server/infrastructure...

**zorg2000k** · April 25, 2007

The recommended solution (by Microsoft) is a WSUS server/infrastructure...

Hi.

thanks for the reply. I should of said that that is not an option here at present. Needs to be done by SMS.

**Mason** · April 25, 2007

heya .. we have the same problem ... but we intigrated the microsoft inventory tool for sms ... with that one you can automatically distribute the missing patches to your machines. take a look :

http://www.microsoft.com/technet/prodtechn.../msupdates.mspx

**JohnGruhn** · April 25, 2007

If most of your computers are Windows XP, 2000, and 2003 (the mainline support OS from Microsoft), why are you not using ITMU v3 (http://www.microsoft.com/technet/prodtechnol/sms/sms2003/downloads/tools/msupdates.mspx) for detection and distribution of patches? ITMU v3 will detect and push anything pushed by Microsoft Update, ie Windows, Office, SQL, Exchange, etc. NT4 ITMU v3 will not work because it is way out of lifecycle. For those you will have to use you detection logic from above but you should be able to take out the OS detection and make a collection based on the OS. SMS2003's default collections allow for targeting by OS to reduce bandwidth. If you need to further define collections based on critera, you probably should have your AD structured to account for the different policies so you can make collections based on that for the patch pushing.

Implementation of this will last for SMS 2003, although as a previous poster has pointed out, eventaully it will go to a WSUS server setup in SCCM 2007. It will still be controlled via SMS, but the back operations will be SUS with a little added on.

If you want to know more about SMS; most of the user groups I use are on www.myitforum.com. That covers the entire System Center Family (SMS, MOM, etc)

SGT Gruhn, John L

BCT1 D101 S6 AMO NCOIC

**zorg2000k** · April 25, 2007

Hi,

thanks for the reply Mason and JohnGruhn. We will be moving to IMTU within the next 6 months or so but I need to resolve this now as it is now begining to cause issue's where machines are not being patched. I managed to have this mess dumped on me as it was being rotated around a team of tech's that never used the standards scripts that were provided to them to use

I have had another thought today about a different method. Any thoughts on this or help ?

What I would do is create a master list of KB files for SP1 / SP2 /WIN2K.

Query for machine type. Then query the reg against that list of KB file for that machine type. Pipe out the list of missing KB files then install those KB files.

Sounds easy but any help would be great.

Cheers

Stuart

Edited April 25, 2007 by zorg2000k

**JohnGruhn** · April 26, 2007

We will be moving to IMTU within the next 6 months or so but I need to resolve this now as it is now begining to cause issue's where machines are not being patched. I managed to have this mess dumped on me as it was being rotated around a team of tech's that never used the standards scripts that were provided to them to use

Just a thought but what is preventing you from using ITMU now? The hardest part of your solution is creating the detection logic and that alone is valuable time that SMS could be fixing your computers. Within one detection cycle after advertising the sync agent you would have a complete picture of what you need to fix and the packages you need to create. Even better, the reports for software compliance are updated along with the inventory so you can track your progress much mroe easily, something your homegrown solution will probably not do. OS detection is easy but ITMU gives you the rest of the detection. If your waiting for SMS 2003 SP3, that will be out on 27 APR 07 (ie Friday) and its more than worth it to switch and take two weeks to figure it out rather then reinvent the wheel. If your network is as borked as you say it is (been there, done that way too much), spending the week or so to figure out how to use ITMU which is not that hard will more than payoff in total time to completion.

SGT Gruhn, John L

BCT1 D101 S6 AMO NCOIC

**zorg2000k** · April 26, 2007

We will be moving to IMTU within the next 6 months or so but I need to resolve this now as it is now begining to cause issue's where machines are not being patched. I managed to have this mess dumped on me as it was being rotated around a team of tech's that never used the standards scripts that were provided to them to use
Just a thought but what is preventing you from using ITMU now? The hardest part of your solution is creating the detection logic and that alone is valuable time that SMS could be fixing your computers. Within one detection cycle after advertising the sync agent you would have a complete picture of what you need to fix and the packages you need to create. Even better, the reports for software compliance are updated along with the inventory so you can track your progress much mroe easily, something your homegrown solution will probably not do. OS detection is easy but ITMU gives you the rest of the detection. If your waiting for SMS 2003 SP3, that will be out on 27 APR 07 (ie Friday) and its more than worth it to switch and take two weeks to figure it out rather then reinvent the wheel. If your network is as borked as you say it is (been there, done that way too much), spending the week or so to figure out how to use ITMU which is not that hard will more than payoff in total time to completion.
SGT Gruhn, John L
BCT1 D101 S6 AMO NCOIC

Thanks again for the reply.

We have a very complex change management / strategic agenda process in place, which have set the timescales for this change. Might just have to live with what is there at present and fix if possible.

Cheers

Stuart

**scriptboy** · April 28, 2007

In GE Healthcare.we only use CA Unicenter.It is quite easy to distribute the software/security patch packages to thousands of clients.

Sign In

SMS MS Patches - Install Solution

Recommended Posts

zorg2000k

zorg2000k

Bendes

zorg2000k

Mason

JohnGruhn

zorg2000k

JohnGruhn

zorg2000k

scriptboy

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members

Activity

Browse