Information Systems:How To Push An MSU Patch To Desktops And Laptops

From uniWIKI

In October 2016 Microsoft changed the way Windows Updates are published for Windows 7 computers. Before then, each patch was associated with its own knowledge base article detailing what it fixed and other important information, and each month brought many individual patches. As of October 2016, each month's group of patches is rolled into 1 or 2 cumulative updates.

This change has a disadvantage: if quality control and testing are not sufficient to catch a regression, the end user doesn't really have the option of declining that month's rollup, because next month's will still contain the "bug". Since not patching is an even worse option, this documentation shows how to push out a Hotfix that should fix whatever bug is within a month's cumulative update. It assumes that Microsoft acknowledges the bug and has created a small downloadable patch file. If it hasn't, then you are out of options.

To find out whether a Hotfix exists, find the KB article for the month's rollup and see if that page links to a Hotfix. Sometimes Microsoft will not publicly publish the Hotfix; if it exists, it may require a phone call to MS to get the file. It all depends on how widespread the bug is and how "bad" it is.

Please be aware that Microsoft creates these Hotfix patches in the MSU file format. MSU files cannot be installed by using a Group Policy object and cannot be injected into WSUS and assigned that way either.

  1. Download the 32-bit and 64-bit versions of the Hotfix MSU file and put them into a folder on the SuperServer that everyone has read access to, such as "Shared User Folders"
  2. Download PSTools from https://technet.microsoft.com/en-us/sysinternals/pxexec.aspx and extract the zip file to a folder on your desktop
  3. In the PSTools folder create a text file and list the FQDN host names of all the desktops, laptops and servers that you want the MSU file installed on. If you have to separate 32-bit and 64-bit machines, make 2 text files and name them list32.txt and list64.txt. Each host name should be on its own line in the text file with no other characters
  4. Create 2 batch files and name them patch32.bat and patch64.bat
  5. If the MSU file comes in a specific Windows Server flavor, make additional list text files and batch files for the Server editions you want to patch

The contents of the batch files should be as follows

  • psexec @list32.txt -s -u UNIPHARM\Administrator -p NewVisionIT wusa "\\superserver\shared user folders\patchfolder\win7-32\patch.msu" /quiet /forcerestart
  • pause

PSExec parses the list text file and logs on to each computer in that list with the credentials given after the -u and -p switches. Once PSExec is logged in to the remote computer, it runs the WUSA program, which reads the MSU file from its folder on the SuperServer. The MSU file is run with the quiet and forced-restart switches so that the patch applies with no prompts and the machine reboots immediately after the install completes. This is best done after hours or on a weekend, because an immediate reboot is very disruptive in the middle of a week day.

As each computer in the list text file finishes, an error code shows the result of the WUSA command. To see what each error code means, refer to https://msdn.microsoft.com/en-us/library/windows/desktop/aa376931(v=vs.85).aspx. The best error codes are 1641 or 3010. The "pause" line in the batch file keeps the command window open when the list of computers is finished, so you can see which machines got a good error code and which got a bad one.

If for some reason you want to install the MSU file but don't want to reboot immediately, replace /forcerestart with /silent /norestart. Those switches along with /quiet will install the MSU invisibly without rebooting the remote computer. Not rebooting after installing an MSU is not recommended.
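The same push can be driven from PowerShell so that each machine's WUSA result is written to a report, and so that no password sits in a batch file. This is an added example, not part of the original wiki page. It assumes PowerShell 3.0 or later, psexec.exe in the current folder, and a console already running under an account with administrative rights on the targets; the report file name is hypothetical.

```powershell
# Added example (not from the original page).
# Assumptions: psexec.exe is in the current folder, the list file holds one
# FQDN per line, and this console already runs as an account with admin
# rights on the targets, so -u/-p are omitted and no password is stored.
param(
    [string]$HostList = '.\list32.txt',
    [string]$MsuPath  = '\\superserver\shared user folders\patchfolder\win7-32\patch.msu',
    [string]$Report   = '.\patch-results.csv'   # hypothetical report name
)

# Exit codes that count as a good result (1641 and 3010 per the page, 0 = success).
$good = @{
    0    = 'Installed, no reboot needed'
    1641 = 'Installed, reboot initiated'
    3010 = 'Installed, reboot required'
}

$results = foreach ($computer in Get-Content -Path $HostList) {
    $computer = $computer.Trim()
    if (-not $computer) { continue }   # skip blank lines

    # -s runs WUSA as SYSTEM on the remote machine, as in the batch file.
    # PsExec console output is discarded; only the exit code is kept.
    & .\psexec.exe "\\$computer" -accepteula -s wusa.exe $MsuPath /quiet /forcerestart 2>&1 |
        Out-Null
    $code = $LASTEXITCODE   # PsExec passes back the remote process exit code

    $ok = $good.ContainsKey($code)
    [pscustomobject]@{
        Computer = $computer
        ExitCode = $code
        Ok       = $ok
        Meaning  = if ($ok) { $good[$code] } else { 'Failed or unreachable, look up the code' }
        Time     = Get-Date -Format s
    }
}

# Keep a record of every machine, then show only the ones needing attention.
$results | Export-Csv -Path $Report -NoTypeInformation
$results | Where-Object { -not $_.Ok } | Format-Table Computer, ExitCode, Meaning -AutoSize
```

Run it once per list file, passing the matching MSU path for the 64-bit machines.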