BGags

How I got to 95% patch efficacy in Eight Easy(?) Steps


I am posting v1.4 of my script. Changes from the earlier version:

 

1) Has better version detection. The new script detects by version number, not by OS check fields, so it also handles Windows 7 Embedded systems (the old script would find Windows Embedded was not Windows 7/Server 2008R2 and would not patch them).

2) If you have a system so far behind due to an ancient Windows Update Agent, chances are it does not have the extremely important WannaCry patch (March Security Update KB4012212). So, the script downloads and deploys this as well to resolve this serious risk.

3) Because I don't have the script set to auto-reboot the system, the system opens a ticket to schedule the reboot, helpful if you cannot reboot the system right now.

 

As there are newer Windows Update Agent versions yet, I hope to in the future come out with a minor revision that will check for a newer version yet and install the corresponding patch; this is something I had time to modify and test this afternoon.

Resolve Win7 Scan-Patch Issues v1.4.zip


I have added another separate script. It could be potentially called from my first script, integrated with it, with or without a user variable to make it optional to run, but I didn't want to just add it outright.

 

This script re-initializes the Windows Update Agent. It performs the following:

 

1) Stops the Windows Update Agent and necessary adjunct services

2) Renames the C:\Windows\SoftwareDistribution folder

3) Renames the C:\Windows\System32\Catroot2 folder

4) Restarts all necessary services

5) Deletes the renamed folders

6) Issues a command to force Windows Update to run

 

There are some checks to make sure the folders renamed properly and such, but this can also be useful. The script follows a method documented by Microsoft.

Re-initialize Windows Update Database 1.0.zip
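The six steps above, written out as an added example (this is not the attached script and is not the poster's code): it renames the two caches, verifies each rename before any service is restarted, and only deletes the renamed copies once the agent is back up. It assumes an elevated PowerShell session.

```powershell
# Added example (not the poster's script): re-initialise the Windows Update
# client in the order the post lists. Run from an elevated PowerShell session.
$ErrorActionPreference = 'Stop'
$services = 'wuauserv', 'bits', 'cryptSvc', 'msiserver'
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
# Source folder -> backup name used for the rename.
$caches = @{
    "$env:SystemRoot\SoftwareDistribution" = "SoftwareDistribution.$stamp.old"
    "$env:SystemRoot\System32\catroot2"    = "catroot2.$stamp.old"
}

# 1) Stop the Windows Update Agent and its adjunct services.
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
}

# 2) + 3) Rename both caches and verify each rename before going on. A
#    half-done rename must not be followed by a service restart that
#    rebuilds one cache next to a stale sibling.
$renamed = @()
foreach ($src in $caches.Keys) {
    if (-not (Test-Path -LiteralPath $src)) { continue }
    Rename-Item -LiteralPath $src -NewName $caches[$src]
    $dst = Join-Path (Split-Path -Parent $src) $caches[$src]
    if (-not (Test-Path -LiteralPath $dst)) { throw "Rename of $src did not take effect" }
    $renamed += $dst
}

# 4) Restart the services; the agent recreates empty caches on start.
foreach ($name in $services) {
    if (Get-Service -Name $name -ErrorAction SilentlyContinue) { Start-Service -Name $name }
}

# 5) Only now remove the renamed copies; until here they could still be
#    put back if the agent had failed to come up.
foreach ($dir in $renamed) { Remove-Item -LiteralPath $dir -Recurse -Force }

# 6) Ask the agent to scan: UsoClient on Windows 10, wuauclt on Windows 7.
$uso = Join-Path $env:SystemRoot 'System32\UsoClient.exe'
if (Test-Path -LiteralPath $uso) { & $uso StartScan }
else { & "$env:SystemRoot\System32\wuauclt.exe" /detectnow }
```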


I wanted to thank everyone that contributed to this thread and especially Cubert for Patch Remedy. You guys really helped me get patching straightened out.

 


Very Awesome! Glad to have helped! We are expecting some really neat stuff for Windows 10+ from Patch Remedy in the near future.


Patch 17 for LabTech is supposed to have some changes in calculating regarding superseded patches that should help improve compliance percentages, I'm told.


I got this query from the support guy yesterday to run on the Labtech server: DELETE FROM hotfix WHERE installed=0 AND approved=2 AND Last_Date < DATE_ADD(NOW(),INTERVAL -2 DAY); This query will clear any superseded patch and improve the patch score in the reports.


So, question for the group,

 

As we all know that Windows 10 patching is hit-or-miss in the current LabTech configuration, has anyone created scripting that does any of the following for better control?

 

-Use the WUSHOWHIDE.CAB setup from Microsoft to turn off (and on) Automatic Updates so we can control patch windows?

-Set Internet connections to "Metered" to disable updating?

-Set Windows Update policies (esp. on Anniversary and Creators) to defer feature upgrades and to delay immediate patching? (to prevent getting patched with something buggy that might get rolled back by Microsoft in the first 48-72 hours of release)

 

Very interested in what other people are doing (if anything) and to see any scriptwork associated.

Quote

The scripts run against auto-join groups whose search criteria include agents that are a) missing approved updates...

How did you create a search with criteria for missing approved updates? In the New Search menu I don't see a field for that.

18 hours ago, man said:

How did you create a search with criteria for missing approved updates? In the New Search menu I don't see a field for that.

I don't see it under the 'new'/Advanced search UI, but if you right-click and switch to 'Legacy' you'll see patch-related search options under "Related - Hotfixes." I'm fuzzy on specific memory, but IIRC 'Installed' was straightforward, 0 = No, 1 = Yes... for 'Approved' it depends on the specific patch manager version.

10.5 Patch Manager:

  • 0 = Not-Set
  • 1 = Approve

Beyond that, I don't remember... I think 2 was Deny and 3 was Ignore?

11-12 Patch Manager:

  • 0 = Not-Set
  • 1 = Ignore
  • 2 = Approve
  • 4 = Deny

That tripped us up when we upgraded the Patch Manager a year or two ago - a bunch of our external patch reporting was keyed to the Approval setting, which changed and made our numbers look really really weird.
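Because the support query earlier in the thread deletes by approved=2, and the meaning of that value differs between Patch Manager versions as described above, here is an added preview-then-delete pattern (not from anyone in the thread). It uses the column names the query shows (hotfix, installed, approved, Last_Date) and assumes the table is on a transactional engine so the DELETE can be rolled back.

```sql
-- Added example, not from the thread: see what the support query would
-- remove, broken down by approval code, before running the DELETE. The
-- meaning of each approved value depends on your Patch Manager version.
SELECT approved,
       COUNT(*)       AS rows_matched,
       MIN(Last_Date) AS oldest,
       MAX(Last_Date) AS newest
FROM   hotfix
WHERE  installed = 0
  AND  Last_Date < DATE_ADD(NOW(), INTERVAL -2 DAY)
GROUP  BY approved;

-- Same filter as the support query, inside a transaction so the affected
-- row count can be checked against the preview before it is committed.
-- Assumes a transactional table engine (e.g. InnoDB); on MyISAM the
-- ROLLBACK has no effect.
START TRANSACTION;
DELETE FROM hotfix
WHERE  installed = 0
  AND  approved  = 2
  AND  Last_Date < DATE_ADD(NOW(), INTERVAL -2 DAY);
SELECT ROW_COUNT() AS deleted_rows;
-- ROLLBACK;  -- or COMMIT; once deleted_rows matches the preview for approved = 2
```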

