zorg2000k Posted April 24, 2007 Share Posted April 24, 2007 (edited) Hi,Hope this is the correct forum.I have a large network of around 10,500 computer's that we run an SMS job ,weekend's , nightly and sometime's daily, for updating to the latest MS patches.The script below is the main batch file that is called. I will try to breakdown each area.:startIf Exist %windir%\System32\reg.exe goto WksCheckcopy /Y \\ngsysm02\smssource\Desktop\SMSUtils\reg.exe %windir%\system32\:WksCheckrem check to see if system is a workstation%windir%\system32\reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v ProductType | %windir%\system32\find.exe /i "WinNT" && goto WkStationgoto Main_exit:WkStationrem Utility Check and Copy routines:Fileverrem Check for FileVer.exeIf Exist %windir%\System32\filever.exe goto FileVer-VerChkcopy /Y \\ngsysm02\smssource\Desktop\SMSUtils\filever.exe %windir%\system32\:FileVer-VerChk%windir%\system32\filever.exe /A /D %windir%\System32\filever.exe | %windir%\system32\find.exe "5.2.3790.0" && goto qchaincpy copy /Y \\ngsysm02\smssource\Desktop\SMSUtils\filever.exe %windir%\system32\:qchaincpyrem check for qchain.exeIf Exist %windir%\System32\qchain.exe goto qchain-VerChkcopy /Y \\ngsysm02\smssource\Desktop\SMSUtils\qchain.exe %windir%\system32\:qchain-VerChk%windir%\system32\filever.exe /A /D %windir%\System32\qchain.exe | %windir%\system32\find.exe "5.0.2195.6666" && goto sleepcpy copy /Y \\ngsysm02\smssource\Desktop\SMSUtils\qchain.exe %windir%\system32\:sleepcpyrem check for sleep.exeIf Exist %windir%\System32\sleep.exe goto sleep-VerChkcopy /Y \\ngsysm02\smssource\Desktop\SMSUtils\sleep.exe %windir%\system32\:sleep-VerChk%windir%\system32\filever.exe /A /D %windir%\System32\sleep.exe | %windir%\system32\find.exe "5.0.2134.1" && goto psshutdowncpycopy /Y \\ngsysm02\smssource\Desktop\SMSUtils\sleep.exe %windir%\system32\:psshutdowncpyrem check for psshutdown.exeIf Exist %windir%\System32\psshutdown.exe goto psshutdown-VerChkcopy /Y \\ngsysm02\smssource\Desktop\SMSUtils\psshutdown.exe %windir%\system32\:psshutdown-VerChk%windir%\system32\filever.exe /A /D %windir%\System32\psshutdown.exe | %windir%\system32\find.exe "2.32.0.0" && goto addregvalcopy /Y \\ngsysm02\smssource\Desktop\SMSUtils\psshutdown.exe %windir%\system32\:addregvalrem add reboot key and value to registry%windir%\system32\reg.exe add HKLM\Software\GDS\VersionControl\PatchControl /v Reboot_Pending /t REG_SZ /d 0 /frem If XP, launch xp.bat%windir%\system32\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion | %windir%\system32\find.exe "5.1" && goto XP_Launchrem If W2K, launch 2K.bat%windir%\system32\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion | %windir%\system32\find.exe "5.0" && goto 2K_Launchrem If NT4, launch nt4.bat%windir%\system32\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion | %windir%\system32\find.exe "4.0" && goto NT_Launchgoto office_launch:XP_Launchcall XP_Patches.batgoto office_Launchgoto shutdowncheck:2K_Launchcall 2K_Patches.batgoto office_Launch:NT_Launchcall NT_Patches.batgoto office_Launch:office_Launch:Word2k3_checkif exist "C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE" goto Excel2k3_Checkgoto WordXP_check:Excel2k3_Checkif exist "C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE" goto Powerpoint2K3_Checkgoto WordXP_check:Powerpoint2K3_Checkif exist "C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE" goto Office2k3_Installgoto WordXP_check:WordXP_checkif exist "C:\Program Files\Microsoft Office\OFFICE10\WINWORD.EXE" goto ExcelXP_Checkgoto Word2Kcheck:ExcelXP_Checkif exist "C:\Program Files\Microsoft Office\OFFICE10\EXCEL.EXE" goto PowerpointXP_Checkgoto Word2Kcheck:PowerpointXP_Checkif exist "C:\Program Files\Microsoft Office\OFFICE10\POWERPNT.EXE" goto OfficeXP_Installgoto Word2Kcheck:Word2Kcheckif exist "C:\Program Files\Microsoft Office\OFFICE\WINWORD.EXE" goto Excel2K_Checkgoto shutdowncheck:Excel2K_Checkif exist "C:\Program Files\Microsoft Office\OFFICE\EXCEL.EXE" goto Powerpoint2K_Checkgoto shutdowncheck:Powerpoint2K_Checkif exist "C:\Program Files\Microsoft Office\OFFICE\POWERPNT.EXE" goto Office2K_Installgoto shutdowncheck:Office2k3_Installcall Office2K3_Patches.batgoto shutdowncheck:OfficeXP_Installcall OfficeXP_Patches.batgoto shutdowncheck:Office2K_Installcall Office2K_Patches.batgoto shutdowncheck:shutdowncheck%windir%\system32\reg.exe QUERY "HKLM\Software\GDS\VersionControl\PatchControl" /v Reboot_Pending | find "1" && goto psshutdowngoto Main_exit:psshutdown%windir%\system32\qchain.exe c:\smsinstall\qchain.txt%windir%\system32\psshutdown.exe -f -r -t 28800 -m "All Required MS Security patches have been installed and a reboot is required - to stop this automated reboot countdown please manually reboot this computer at any suitable safe time prior to the 8hr deadline."%windir%\system32\reg.exe add HKLM\Software\GDS\Reboot /v Reboot_Pending /t REG_SZ /d 0 /fgoto flagchecks:flagchecks:MS03%windir%\system32\reg.exe query "HKLM\Software\GDS\VersionControl\PatchControl\OSPatch" /v MS03_Complete | %windir%\system32\find.exe "1" && goto MS04goto dirty_exit:MS04%windir%\system32\reg.exe query "HKLM\Software\GDS\VersionControl\PatchControl\OSPatch" /v MS04_Complete | %windir%\system32\find.exe "1" && goto MS05goto dirty_exit:MS05%windir%\system32\reg.exe QUERY "HKLM\Software\GDS\VersionControl\PatchControl\OSPatch" /v MS05_Complete | %windir%\system32\find.exe "1" && goto MS06goto dirty_exit:MS06%windir%\system32\reg.exe QUERY HKLM\Software\GDS\VersionControl\PatchControl\OSPatch /v MS06_Complete | %windir%\system32\find.exe "1" && goto MS07goto dirty_exit:MS07%windir%\system32\reg.exe QUERY HKLM\Software\GDS\VersionControl\PatchControl\OSPatch /v MS07_Complete | %windir%\system32\find.exe "Feb2" && goto Main_exitgoto dirty_exit:Main_exitexit /b 0:dirty_exitexit /b 10 1. The first part of the above script copies a few tools to the %windir%\system32 folder for future use.2. The second part adds a reg value for quering (found later)3. We have a few type's of machines on the network at the moment . Most are XPsp2 but we have a few NT4 and Win2K machines. So a query is run to find out what type of machine it is then it run's the relevant batch file. i.e xp_patches.bat 2k_patches.bat nt4_patches.batI will concentrate on the xp_patches.bat as the 2k_patches.bat and nt4_patches.bat run in the same manner.Below is the batch file of my xp_patches:MS03%windir%\system32\reg.exe query "HKLM\Software\GDS\VersionControl\PatchControl\OSPatch" /v MS03_Complete | %windir%\system32\find.exe "1" && goto MS04cd MS03-037call MS03-037Install.batcd..%windir%\system32\reg.exe add HKLM\Software\GDS\VersionControl\PatchControl\OSPatch /v MS03_Complete /t REG_SZ /d 1 /f:MS04%windir%\system32\reg.exe query "HKLM\Software\GDS\VersionControl\PatchControl\OSPatch" /v MS04_Complete | %windir%\system32\find.exe "1" && goto MS05cd MS04-028call MS04-028Install.batcd..cd MS04-030call MS04-030-XP.batcd..cd MS04-031call MS04-031-XP.batcd..cd MS04-034call MS04-034-XP.batcd..cd MS04-037call MS04-037-XP.batcd..cd MS04-040call XP.batcd..cd MS04-041call XP.batcd..cd MS04-043call XP.batcd..cd MS04-044call XP.batcd..%windir%\system32\reg.exe add HKLM\Software\GDS\VersionControl\PatchControl\OSPatch /v MS04_Complete /t REG_SZ /d 1 /f:MS05%windir%\system32\reg.exe QUERY "HKLM\Software\GDS\VersionControl\PatchControl\OSPatch" /v MS05_Complete | %windir%\system32\find.exe "1" && goto MS06cd MS05-007call XP.batcd..cd MS05-013call XP.batcd..cd MS05-017call XP.batcd..cd MS05-018call XP.batcd..cd MS05-026call XP.batcd..cd MS05-027call XP.batcd..cd MS05-033call XP.batcd..cd MS05-036call XP.batcd..cd MS05-040call XP.batcd..cd MS05-041call XP.batcd..cd MS05-042call XP.batcd..cd MS05-043call XP.batcd..cd MS05-044call XP.batcd..cd MS05-045call XP.batcd..cd MS05-047call XP.batcd..cd MS05-048call XP.batcd..cd MS05-049call XP.batcd..cd MS05-050call XP.batcd..cd MS05-051call XP.batcd..cd MS05-053call XP.batcd..cd MS05-054call XP.batcd..%windir%\system32\reg.exe add HKLM\Software\GDS\VersionControl\PatchControl\OSPatch /v MS05_Complete /t REG_SZ /d 1 /f:MS06%windir%\system32\reg.exe QUERY HKLM\Software\GDS\VersionControl\PatchControl\OSPatch /v MS06_Complete | %windir%\system32\find.exe "1" && goto MS07cd MS06-001call XP.batcd..cd MS06-002call XP.batcd..cd MS06-006call XP.batcd..cd MS06-007call XP.batcd..cd MS06-008call XP.batcd..cd MS06-011call XP.batcd..cd MS06-015call XP.batcd..cd MS06-018call XP.batcd..cd MS06-022call XP.batcd..cd MS06-023call XP.batcd..cd MS06-024call XP.batcd..cd MS06-025call XP.batcd..cd MS06-030call XP.batcd..cd MS06-032call XP.batcd..cd MS06-033call XP.batcd..cd MS06-034call XP.batcd..cd MS06-036call XP.batcd..cd MS06-041call XP.batcd..cd MS06-045_Fixcall MS06-045_Fix.batcd..cd MS06-050call XP.batcd..cd MS06-051call XP.batcd..cd MS06-052call XP.batcd..cd MS06-053call XP.batcd..cd MS06-056call XP.batcd..cd MS06-057call XP.batcd..cd MS06-060call WordView.batcd..cd MS06-063call XP.batcd..cd MS06-064call XP.batcd..cd MS06-065call XP.batcd..cd MS06-066call XP.batcd..cd MS06-067call XP.batcd..cd MS06-068call XP.batcd..cd MS06-069call XP.batcd..cd MS06-070call XP.batcd..cd MS06-071call XP.batcd..cd MS06-073call XP.batcd..cd MS06-074call XP.batcd..cd MS06-075call XP.batcd..cd MS06-076call XP.batcd..cd MS06-078call XP.batcd..rem the data value (after /d) must be changed to correspond to the naming convention described above%windir%\system32\reg.exe add HKLM\Software\GDS\VersionControl\PatchControl\OSPatch /v MS06_Complete /t REG_SZ /d 1 /f:MS07%windir%\system32\reg.exe QUERY HKLM\Software\GDS\VersionControl\PatchControl\OSPatch /v MS07_Complete | %windir%\system32\find.exe "Feb2" && goto leavecd MS07-004call XP.batcd..cd MS07-005call XP.batcd..cd MS07-006call XP.batcd..cd MS07-007call XP.batcd..cd MS07-008call XP.batcd..cd MS07-009call XP.batcd..cd MS07-011call XP.batcd..cd MS07-012call XP.batcd..cd MS07-013call XP.batcd..cd MS07-016call XP.batcd..rem Microsoft Critical Patch 05/04/2007cd MS07-017call XP.batcd..rem Microsoft Critical Patch 11/04/2007cd MS07-019call XP.batcd..rem Microsoft Critical Patch 11/04/2007cd MS07-020call XP.batcd..rem Microsoft Critical Patch 11/04/2007cd MS07-021call XP.batcd..rem Microsoft Important Patch 11/04/2007cd MS07-022call XP.batcd..%windir%\system32\reg.exe add HKLM\Software\GDS\VersionControl\PatchControl\OSPatch /v MS07_Complete /t REG_SZ /d Apr1 /f:leaveThe script will look in the patchcontrol area in the reg for value called MS03_complete, MS04_complete, MS05_complete etcIf this value is found then that means that the machine has been completely patched for that MS range i.e MS05. If the value is not found then it will continue on installing each of the MS patches until it reaches the end of the above script.Below is the xp.bat file that is called for each on the MS patches, although the patche's , data may change they all follow the same method.:MSPatchCheckrem reg query to identify if the patch is installed.%windir%\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB926436" /v Description | %windir%\system32\find.exe "926436" && goto outrem reg query to see if XP-SP2 is installed.%windir%\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CSDVersion | %windir%\system32\find.exe "Service Pack 2" && goto xpsp2:xpsp1rem XP sp1 patch files hereWindowsXP-KB926436-x86-custom-ENU.exe /QUIET /NORESTART goto end:xpsp2rem XP sp2 patch files hereWindowsXP-KB926436-x86-ENU.exe /QUIET /NORESTART goto end:endrem Sets time of PCnet time /set /yrem add reboot flag to registry%windir%\system32\reg.exe add HKLM\Software\GDS\VersionControl\PatchControl /v Reboot_Pending /t REG_SZ /d 1 /f:outrem Copies Flag file to smsinstall folder.md c:\smsinstallcopy /Y KB926436.exe c:\smsinstall\KB926436.exegoto finish:NotReqrem Copies Flag file to smsinstall folder.md c:\smsinstallcopy /Y KB926436NA.exe c:\smsinstall\KB926436NA.exe:finish1. It first check's the reg to see if it has been patched already. If already patched it goes to out and creates a dummy file "KB926436.exe" within a folder called c:\smsinstall then exit's. This is done for SMS reporting as we one sweep for .exe in SMS 2003. Thsi is to help with a slow network infrastructure.2. If the reg value is not found it queries for XPsp1 or XPsp2 and then install's the relevant MS patch and then copies the dummy file to c:\smsinstall then exit's and move's onto the next patch foler as in MS07-12 etc.My question is. I have been tasked in making this process as simple as possible. If anyone has any idea's or comments on the above, please leave me a reply.Cheers Stuart Edited April 28, 2007 by xper Link to comment Share on other sites More sharing options...
zorg2000k Posted April 25, 2007 Author Share Posted April 25, 2007 If there are any SMS / Batch guru's out there that have a better way in deploying patches via sms then any feedback / help would be great. Even better are there any tools /apps that may help in in my quest Is this the best forum for this type of query ???CheersStuart Link to comment Share on other sites More sharing options...
Bendes Posted April 25, 2007 Share Posted April 25, 2007 The recommended solution (by Microsoft) is a WSUS server/infrastructure... Link to comment Share on other sites More sharing options...
zorg2000k Posted April 25, 2007 Author Share Posted April 25, 2007 The recommended solution (by Microsoft) is a WSUS server/infrastructure...Hi.thanks for the reply. I should of said that that is not an option here at present. Needs to be done by SMS. Link to comment Share on other sites More sharing options...
Mason Posted April 25, 2007 Share Posted April 25, 2007 heya .. we have the same problem ... but we intigrated the microsoft inventory tool for sms ... with that one you can automatically distribute the missing patches to your machines. take a look :http://www.microsoft.com/technet/prodtechn.../msupdates.mspx Link to comment Share on other sites More sharing options...
JohnGruhn Posted April 25, 2007 Share Posted April 25, 2007 If most of your computers are Windows XP, 2000, and 2003 (the mainline support OS from Microsoft), why are you not using ITMU v3 (http://www.microsoft.com/technet/prodtechnol/sms/sms2003/downloads/tools/msupdates.mspx) for detection and distribution of patches? ITMU v3 will detect and push anything pushed by Microsoft Update, ie Windows, Office, SQL, Exchange, etc. NT4 ITMU v3 will not work because it is way out of lifecycle. For those you will have to use you detection logic from above but you should be able to take out the OS detection and make a collection based on the OS. SMS2003's default collections allow for targeting by OS to reduce bandwidth. If you need to further define collections based on critera, you probably should have your AD structured to account for the different policies so you can make collections based on that for the patch pushing.Implementation of this will last for SMS 2003, although as a previous poster has pointed out, eventaully it will go to a WSUS server setup in SCCM 2007. It will still be controlled via SMS, but the back operations will be SUS with a little added on.If you want to know more about SMS; most of the user groups I use are on www.myitforum.com. That covers the entire System Center Family (SMS, MOM, etc)SGT Gruhn, John LBCT1 D101 S6 AMO NCOIC Link to comment Share on other sites More sharing options...
zorg2000k Posted April 25, 2007 Author Share Posted April 25, 2007 (edited) Hi,thanks for the reply Mason and JohnGruhn. We will be moving to IMTU within the next 6 months or so but I need to resolve this now as it is now begining to cause issue's where machines are not being patched. I managed to have this mess dumped on me as it was being rotated around a team of tech's that never used the standards scripts that were provided to them to use I have had another thought today about a different method. Any thoughts on this or help ?What I would do is create a master list of KB files for SP1 / SP2 /WIN2K.Query for machine type. Then query the reg against that list of KB file for that machine type. Pipe out the list of missing KB files then install those KB files.Sounds easy but any help would be great.CheersStuart Edited April 25, 2007 by zorg2000k Link to comment Share on other sites More sharing options...
JohnGruhn Posted April 26, 2007 Share Posted April 26, 2007 We will be moving to IMTU within the next 6 months or so but I need to resolve this now as it is now begining to cause issue's where machines are not being patched. I managed to have this mess dumped on me as it was being rotated around a team of tech's that never used the standards scripts that were provided to them to use Just a thought but what is preventing you from using ITMU now? The hardest part of your solution is creating the detection logic and that alone is valuable time that SMS could be fixing your computers. Within one detection cycle after advertising the sync agent you would have a complete picture of what you need to fix and the packages you need to create. Even better, the reports for software compliance are updated along with the inventory so you can track your progress much mroe easily, something your homegrown solution will probably not do. OS detection is easy but ITMU gives you the rest of the detection. If your waiting for SMS 2003 SP3, that will be out on 27 APR 07 (ie Friday) and its more than worth it to switch and take two weeks to figure it out rather then reinvent the wheel. If your network is as borked as you say it is (been there, done that way too much), spending the week or so to figure out how to use ITMU which is not that hard will more than payoff in total time to completion.SGT Gruhn, John LBCT1 D101 S6 AMO NCOIC Link to comment Share on other sites More sharing options...
zorg2000k Posted April 26, 2007 Author Share Posted April 26, 2007 We will be moving to IMTU within the next 6 months or so but I need to resolve this now as it is now begining to cause issue's where machines are not being patched. I managed to have this mess dumped on me as it was being rotated around a team of tech's that never used the standards scripts that were provided to them to use Just a thought but what is preventing you from using ITMU now? The hardest part of your solution is creating the detection logic and that alone is valuable time that SMS could be fixing your computers. Within one detection cycle after advertising the sync agent you would have a complete picture of what you need to fix and the packages you need to create. Even better, the reports for software compliance are updated along with the inventory so you can track your progress much mroe easily, something your homegrown solution will probably not do. OS detection is easy but ITMU gives you the rest of the detection. If your waiting for SMS 2003 SP3, that will be out on 27 APR 07 (ie Friday) and its more than worth it to switch and take two weeks to figure it out rather then reinvent the wheel. If your network is as borked as you say it is (been there, done that way too much), spending the week or so to figure out how to use ITMU which is not that hard will more than payoff in total time to completion.SGT Gruhn, John LBCT1 D101 S6 AMO NCOICThanks again for the reply.We have a very complex change management / strategic agenda process in place, which have set the timescales for this change. Might just have to live with what is there at present and fix if possible.CheersStuart Link to comment Share on other sites More sharing options...
scriptboy Posted April 28, 2007 Share Posted April 28, 2007 In GE Healthcare.we only use CA Unicenter.It is quite easy to distribute the software/security patch packages to thousands of clients. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now