Batch File -- Scripting Windows Updates and Verifying the Installation

  • General discussion

  • Hi All,

    I have a disconnected network of a handful of workstations.  Every quarter I need to update the workstations individually with the latest Windows updates using a batch file looking similar to the following:

    Windows6.1-KB3087038-x64.msu /quiet /NORESTART
    Windows6.1-KB3087039-x64.msu /quiet /NORESTART
    Windows6.1-KB3069114-x64.msu /quiet /NORESTART......

    Unfortunately I am starting to get installation failures and Event Viewer isn't helping with narrowing down any of the issues.  Please keep in mind that I cannot alter the OS/software installations/add software/remove software/use powershell/use WSUS to update the servers and workstations in question. 

    Is there any way to have the batch file, after each Windows update installation, verify/invalidate the installation and come back with a message stating if the installation was successful or not?

    Thanks in advance

    Thursday, December 17, 2015 1:51 PM

All replies

  • Would bypassing the PowerShell execution policy be an option?

    powershell.exe -ExecutionPolicy ByPass -File .\filename.ps1

    Cheers, Matthew Kerfoot

    Thursday, December 17, 2015 2:01 PM
  • Hi,

    Batch files are likely limited in what they can do for you. I've (very happily) completely forgotten almost everything I knew about them since I moved to PowerShell.

    My recommendation would be to use the /log switch and see if that gives you better insight.

    This thread may help with the logging:

    Thursday, December 17, 2015 2:20 PM
  • Unfortunately not...
    Thursday, December 17, 2015 2:44 PM
  • Thank you for the recommendation -- I'll take a look.
    Thursday, December 17, 2015 2:45 PM
  • Why can't you use PowerShell or WSUS?

    -- Bill Stewart [Bill_Stewart]

    Thursday, December 17, 2015 4:11 PM
  • Bill,

    We need to keep our network as an exact replica of the systems and networks out in the field.  If we alter the systems in any way we would have to make changes to all of our exterior systems which would cost money and time for this project.  As per PowerShell -- we cannot use it due to specific constraints put on our OSes.

    Thursday, December 17, 2015 4:36 PM
  • What specific constraints put on your OSes?

    PowerShell is "baked in" on Windows 7 and newer and is now a standard part of the operating system.

    -- Bill Stewart [Bill_Stewart]

    Thursday, December 17, 2015 5:24 PM
  • Yes it is -- we have specific standards that need to be followed by DISA, the ACA and DoD regulations.
    Thursday, December 17, 2015 6:03 PM
  • So what's your specific question?

    As noted, Cmd.exe shell script (batch) is archaic and inflexible. If that's what you're forced to use (and for some reason, you don't want to tell me specifically why you can't use PowerShell - referring to vague standards doesn't actually answer the question), your job is going to be annoyingly difficult at best.

    If this is critical to your business, I think you will need to hire a consultant. The purpose of this forum is to answer specific scripting questions rather than to design scripts based on specifications.

    -- Bill Stewart [Bill_Stewart]

    Thursday, December 17, 2015 6:08 PM
  • The patch installer should set an error code.  Check %ERRORLEVEL% for a non-zero result.  This can be used to abort the batch file.  Also use Mike's suggestion to turn on logging to a file.

    Thursday, December 17, 2015 6:43 PM
  • Bill,

    I'd prefer not to pen a diatribe about all of the regulations, SRG's and SCAP content that needs to be fulfilled and adhered to concerning government contracts and the upkeep of secured systems -- I don't think this is the forum for that.  This is a group of systems that cannot be altered due to hardening standards -- standards put forth by the contract in question and DoD standards put forth by the ACA.  PowerShell as well as many other services that are inherent to Windows OSes are blocked or shut down due to security/hardening concerns that cannot be remediated by normal Windows updates and are considered unsecured "holes".  By DoD standards, if it cannot be secured it is shut off.  If you would like to go into more depth of the "why's" and "how's" I would suggest going to the IASA website, but I warn you, it's not light/fun reading -- trust me, I have first-hand knowledge.

    Back to the original question:

    "Is there any way to have the batch file, after each Windows update installation, verify/invalidate the installation and come back with a message stating if the installation was successful or not?"

    I thought this was a specific question relating to batch files and I was following the rules put forth by the scripting forum.  I wasn't asking someone to create a script for me -- I was just asking to see if there were a few commands out there that I was unaware of.  In the interim I will just /log the installation to see if I can figure out why certain files aren't installing.  I appreciate your time and effort.

    Thursday, December 17, 2015 7:05 PM
  • Thanks, jrv, I'll take a look.
    Thursday, December 17, 2015 7:41 PM
  • Puzzling, seeing as PowerShell is more secure than Cmd.exe, not less (it has execution policies and the ability to digitally sign scripts). Also, an executable file is not a security boundary. Thus I suspect this "restriction" is a result of a misunderstanding.

    But be that as it may: As jrv has said, you can check the exit code of an executable by the %ERRORLEVEL% dynamic variable in Cmd.exe and log files.

    -- Bill Stewart [Bill_Stewart]

    Thursday, December 17, 2015 8:30 PM
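
The approach suggested in the replies above (check %ERRORLEVEL% after each installer and turn on /log), as an added example that is not part of the original thread. It assumes the .msu files sit in the script's own folder; the Logs folder and results.txt names are placeholders, and the return values listed are the ones wusa.exe commonly reports.

```batch
@echo off
setlocal EnableExtensions
rem Added example, not code from the thread.
rem Assumptions: the .msu files are in the same folder as this script;
rem "Logs" and "results.txt" are placeholder names.
set "SRC=%~dp0"
set "LOGDIR=%~dp0Logs"
set "REPORT=%LOGDIR%\results.txt"
set /a FAILED=0
if not exist "%LOGDIR%" mkdir "%LOGDIR%"

rem A subroutine is used so %ERRORLEVEL% is read fresh for every update.
rem Inside a parenthesised FOR body it would be expanded only once, at parse time.
for %%F in ("%SRC%*.msu") do call :install "%%~fF" "%%~nF"

echo.
if %FAILED% gtr 0 (
    echo %FAILED% update installs failed. See "%REPORT%" and the per-update logs.
) else (
    echo No update reported a failure.
)
exit /b %FAILED%

:install
rem %1 = full path of the .msu, %2 = file name without extension.
rem start /wait blocks until wusa.exe exits and passes its exit code back.
start "" /wait "%SystemRoot%\System32\wusa.exe" "%~1" /quiet /norestart /log:"%LOGDIR%\%~2.evtx"
set "RC=%ERRORLEVEL%"
set "STATUS=FAILED"
if "%RC%"=="0" set "STATUS=OK"
rem 3010 = ERROR_SUCCESS_REBOOT_REQUIRED (expected when /norestart is used)
if "%RC%"=="3010" set "STATUS=OK, reboot required"
rem 2359302 = 0x00240006, update already installed
if "%RC%"=="2359302" set "STATUS=already installed"
rem -2145124329 = 0x80240017, update not applicable to this system
if "%RC%"=="-2145124329" set "STATUS=not applicable"
if "%STATUS%"=="FAILED" set /a FAILED+=1
echo %~2: %STATUS% (exit code %RC%)
>>"%REPORT%" echo %DATE% %TIME% %~2 %STATUS% rc=%RC%
goto :eof
```

Any exit code not listed is counted as a failure and recorded with its raw value, so it can be matched against the per-update log written by /log.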