Last week I received an advisory calling for urgent patching of Windows servers on the corporate network because of the WannaCry vulnerability; all non-compliant machines had to be patched with MS17-010.
Now I use Windows Servers quite a bit in my day job for reproduction of customer issues, but I knew the majority of VMs I used were either Linux-based or VMware appliances. I did not have any physical boxes, so this made the information-gathering exercise easier.
After some internal dogfooding using vRealize Configuration Manager (part of vRealize Operations Suite), I ran a vCenter Guests collection and was then able to get a complete list of Windows VMs which would require patching. The final total was 35 machines spread over 3 OS types – Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2.
Now I could have copied the required MSU files to each server and executed the patching process manually, but I wanted to make this more interesting, so I decided to flex my PowerShell skills and semi-automate the process.
The premise of the script was the following:
- Read in a list of machines from a .txt file
- Check if a connection to the machine can be established
- Detect the OS version and the patch variant required to install
- Create a temp folder on C:\ if it does not exist (subject to permissions)
- Launch PsExec and then execute a remote call to WUSA to install the patch
- Based on the code returned by WUSA, the script reported either success or failure
- The code iteratively worked through each machine, and once the .txt file had been read the script would exit gracefully
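A sketch of the workflow listed above, added here as an example; it is not the author's DeployPatch_MS17_010.ps1. The list file, folder paths and parameter names are assumptions, the MSU file names are placeholders, and it assumes Windows PowerShell 5.1 run by an account with local admin rights on the targets.

```powershell
# Added sketch, not the author's script. Paths and MSU names are assumptions.
param(
    [string]$ListPath = '.\machines.txt',   # one host name per line
    [string]$PatchDir = '.\patches',        # local folder holding the MSU files
    [string]$PsExec   = '.\PsExec.exe'
)

# OS version prefix -> MSU file. Names are placeholders for the MS17-010
# package that matches each OS.
$patchFor = @{
    '6.1' = 'PLACEHOLDER-2008R2-x64.msu'    # Windows Server 2008 R2
    '6.2' = 'PLACEHOLDER-2012-x64.msu'      # Windows Server 2012
    '6.3' = 'PLACEHOLDER-2012R2-x64.msu'    # Windows Server 2012 R2
}

$results = foreach ($computer in Get-Content $ListPath | Where-Object { $_.Trim() }) {
    $computer = $computer.Trim()
    try {
        if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) { throw 'Unreachable' }

        $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
        $key = ($os.Version -split '\.')[0..1] -join '.'
        $msu = $patchFor[$key]
        if (-not $msu) { throw "No patch mapped for OS version $($os.Version)" }

        # Stage the MSU through the admin share; fails here if permissions are missing.
        $remoteTemp = "\\$computer\C$\Temp"
        if (-not (Test-Path $remoteTemp)) {
            New-Item -Path $remoteTemp -ItemType Directory -ErrorAction Stop | Out-Null
        }
        Copy-Item -Path (Join-Path $PatchDir $msu) -Destination $remoteTemp -Force -ErrorAction Stop

        # Runs under the current logon; no -u/-p, so no password on the command line.
        & $PsExec "\\$computer" -accepteula -s wusa.exe "C:\Temp\$msu" /quiet /norestart 2>$null | Out-Null
        $status = switch ($LASTEXITCODE) {
            0                        { 'Installed' }
            3010                     { 'Installed, reboot required' }
            2359302                  { 'Already installed' }
            { $_ -eq -2145124329 }   { 'Not applicable to this OS' }
            default                  { "Failed (exit code $LASTEXITCODE)" }
        }
    }
    catch { $status = "Skipped: $($_.Exception.Message)" }
    [pscustomobject]@{ Computer = $computer; Status = $status }
}
$results | Format-Table -AutoSize
```

Treating 3010 and 2359302 as non-failures matters for compliance reporting: the first means the patch is staged but the machine is still exposed until it reboots, the second means it was already patched.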
After a few coding iterations I created DeployPatch_MS17_010.ps1; the screenshot below shows the script running on 1 out of 26 machines.
Note: I have had to obfuscate the VM name as this was a customer repro VM.
To follow on from this I plan to create 2 more scripts which will detect which machines require reboots and then detect that the patch is installed correctly and the machine is now compliant. I may also make additional changes to v1.0 to allow for pre-selection of the .txt file plus other enhancements.
Thanks for reading and please feel free to leave a comment or message me on Twitter (@lukaswinn) if you found this article useful.
— Lukas