5

The scenario is: Server1 and Server2, both running Windows Server 2012 R2 at the same patch level, are currently in a load-balancing cluster. Server1 has application issues and advice is to replace it. It's been taken out of the cluster and Server3 is being provisioned as it's replacement.

When Server1 and Server2 were originally built no patch-management solution was used. They were built at the same time and just patched to the then-latest level.

The objective is to patch Server3 to the same level as Server2.

As mentioned, no patch-management solution is available.

Going through the updates on Server2 one-by-one and applying them to Server3 is, of course, an option, but we should be able to do something better than that. It is 2017, after all.

It is possible to retrieve a list of all updates on Server2 via PowerShell and by KB number, and this list is available.

But how to then download and apply these updates, and only these updates, to Server3?

Initial research has turned up a number of Windows update scripts, both VBS and PowerShell, but they all fail at the critical requirement that not all current updates must be applied.

Bringing Server2's patch level to current, then also the same for Server3, is also an option but one which I'd prefer to avoid owing to having to schedule downtime/maintenance windows (there being no viable Server1 in the cluster) then a bunch of application testing. Let's keep that as a last resort.

So - what are my reasonable options for automating this in a sensible way, given the above constraints?

Maximus Minimus
  • 8,937
  • 1
  • 22
  • 36
  • You want to bring the server to the same patch level or the current patch level, because those are different things. – joeqwerty Jan 27 '17 at 21:13
  • 1
    @joeqwerty - I'm aware of that, yes. If it was just current patch level the job would be easy and I wouldn't be asking. The objective is to bring Server3 to the same patch level as Server2. – Maximus Minimus Jan 27 '17 at 21:16

3 Answers3

1

I'm pretty sure this is what you are looking for.

Run on server2 first to get your list of KB numbers, then run of server 3 and pass those KB numbers in.

Drifter104
  • 3,693
  • 2
  • 22
  • 39
  • Do you check it and it still works? Microsoft adds "Basket" to Update Catalog and remove direct links after last update for this script relised. – Slipeer Jan 31 '17 at 08:52
  • @Slipeer yes this still works, just used it to download an update I knew I had waiting just using the KB number – Drifter104 Jan 31 '17 at 09:49
1

Cleaner probably to install WSUS. You can then use the WSUS powershell module to do this. This script looks at locally installed updates, connects to WSUS, then approves those updates for a specific group in WSUS:

$servername = <ip of WSUS>
$port       = "8530"
$groupname  = <name of server group>

# Import Libraries
[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

# Connect to WSUS
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer($servername, $False, $port)

# Connect to local Update Service
$Session = New-Object -ComObject "Microsoft.Update.Session"
$Searcher = $Session.CreateUpdateSearcher()
$historyCount = $Searcher.GetTotalHistoryCount()
$installedUpdates = $Searcher.QueryHistory(0, $historyCount) | Select-Object Title

# Approve all locally installed updates in WSUS
foreach ($installedUpdate in $installedUpdates) {
  $update = $wsus.SearchUpdates($installedUpdate)
  $group = $wsus.GetComputerTargetGroups() | where {$_.Name -eq $groupname}
  $update[0].Approve(“Install”,$group)
}

You could also write all the local updates to a file:

$filename = <path>
$Session = New-Object -ComObject "Microsoft.Update.Session"
$Searcher = $Session.CreateUpdateSearcher()
$historyCount = $Searcher.GetTotalHistoryCount()
$installedUpdates = $Searcher.QueryHistory(0, $historyCount) | Select-Object Title
$installedUpdates | Export-Csv $filename

Then copy that file to the other server and run something like this: https://msdn.microsoft.com/en-us/library/windows/desktop/aa387101(v=vs.85).aspx

mzhaase
  • 3,778
  • 2
  • 19
  • 32
  • I'm not 100% satisfied with any of the answers here; what I was really looking for was an equivalent of Get-WindowsFeature/Add-WindowsFeature but for updates (specifically OS updates), but this one at least confirms for me that installing WSUS is the way to go and so gets the bounty. – Maximus Minimus Feb 06 '17 at 17:41
  • @LeComteduMerde-fou Did you look at the powershell module I suggested? It does exactly that. – Drifter104 Feb 06 '17 at 20:35
  • @LeComteduMerde-fou If you follow the link, there is: `Set installer = updateSession.CreateUpdateInstaller() installer.Updates = updateToInstall` but WSUS is much cleaner, since it will store the update status in a DB, and takes care of dependencies and so on. – mzhaase Feb 07 '17 at 07:42
0

But how to then download and apply these updates, and only these updates, to Server3?

Do you check Microsoft Update Catalog (Note that site works only in IE)? You can fing any update by KB id, add it to basket and then download it all. I think you can even automate the addition of updates to Basket by KB id.

Having a list of required updates, the task becomes quite simple. Note: systeminfo util does not reflect the updates that have been superseded by a new - something that is required.

UPD. The best working method for automated download updates via the KB identifier described here. But he did not exclude manual work. Microsoft is struggling with updates direct downloading.

Slipeer
  • 3,255
  • 2
  • 18
  • 32