Tuesday, 2 April 2019

How to deploy Microsoft Hotfixes.

Reposted from https://itaudiotech.blogspot.com/2013/05/how-to-deploy-microsoft-hotfixes.html

Scenario:
Microsoft has released a hotfix for a problem you are experiencing and you need to deploy it to multiple computers.

Problem:

Microsoft hotfixes are released as .MSU files.

If you are using WSUS to manage Windows updates, .MSU files cannot be imported into WSUS, and the hotfix list in the WSUS update catalog is quite truncated and doesn't contain the hotfix you need to deploy.

Hotfixes aren't rolled into an update package until a Service Pack is released either, so it's no use waiting around for it to turn up.

.MSU files cannot be deployed by Group Policy Software Installation because they are not .MSI files, and converting them to .MSI is not straightforward.

Chances are you've also searched for how to deploy .MSU files and come up with nothing useful.

Running WUSA.exe as a startup script would work, but it would try to install the update every time the computer starts, and that's not exactly desirable.

So how do you deploy a hotfix en masse to the computers on your domain?


Solution:

The desired behaviour is for the hotfix to be installed when the computer starts, and to be installed only once.

The approach we have working here is a Group Policy Preferences item that uses a WMI query in its item-level targeting to check whether the hotfix is installed on the computer, and creates a system environment variable that stores "0" for not installed or "1" for installed. A second group policy, the one that runs the installer, is constrained by a WMI filter so that it is only applied when that environment variable is "0".


Checking to see if the hotfix is installed

Credit goes to the author of the EvilGPO blog, specifically this page: http://evilgpo.blogspot.com.au/2012/05/inverting-wmi-filters.html. Credit for the WMI query that finds whether a hotfix has been installed goes to the documentation supplied with Local Update Publisher.


  1. Create a new GPO and call it something descriptive, for example "WMI Environment Variables - Hotfix KB####### Installation Status"
  2. Edit the GPO and go to "Computer Configuration" - "Preferences" - "Windows Settings" - "Environment"
  3. Create two new "Environment Variable" items
    1. Right click and select "New Environment Variable". The first item sets the value to zero for when the hotfix is not installed
    2. In the "New Environment Properties" dialog, "General" tab:
      1. Select "System Variable"
      2. Name: "KB#######Installed"
      3. Value: "0"
    3. In the "Common" tab:
      1. Check "Item Level Targeting" and click "Targeting"
      2. Click "New Item" - "WMI Query"
      3. Enter the following in the query textbox: select * from win32_quickfixengineering where HotFixID = 'KB#######' (edit the KB number to match the hotfix you are installing)
      4. Ensure that the namespace is "Root\cimv2"
      5. Right click on the entry "the WMI query..." and select "Is Not" (the end of the line changes to "does not return a value for")
    4. Right click and select "New Environment Variable". The second item sets the value to one for when the hotfix is installed
    5. In the "New Environment Properties" dialog, "General" tab:
      1. Select "System Variable"
      2. Name: "KB#######Installed" (the same name as the first item, so both items write the same variable)
      3. Value: "1"
    6. In the "Common" tab:
      1. Check "Item Level Targeting" and click "Targeting"
      2. Click "New Item" - "WMI Query"
      3. Enter the same query as before in the query textbox: select * from win32_quickfixengineering where HotFixID = 'KB#######' (again, use the KB number of the hotfix you are installing)
      4. Ensure that the namespace is "Root\cimv2"
      5. Leave the WMI query at its default, which is to match when the query returns a value
  4. Close the Group Policy editor window
  5. Apply the group policy to the computers that need the hotfix
At the end of this procedure you will have a group policy which, on the targeted computers, runs a WMI query to see whether the hotfix is installed and creates an environment variable set to "1" or "0" accordingly.


Create the WMI filter in Group Policy

Once the group policy that sets the environment variable exists, a WMI filter needs to be configured that checks the state of that variable.

  1. Open the Group Policy Management Console
  2. Click on "WMI Filters"
  3. Right click and select "New..."
  4. Call the filter something memorable, for example "Hotfix KB####### Installed" (despite the name, the query below matches when the hotfix is NOT installed)
  5. Click on "Add"
  6. Ensure the namespace is set to "root\CIMv2"
  7. Enter the following query: select * from win32_environment where name = 'KB#######Installed' and variablevalue = '0'
    • Make sure the name is the same as the variable you created in the previous procedure
  8. Click "OK"
  9. Click "Save"
This filter returns true when the variable is "0", meaning the hotfix is NOT installed. Applied to a group policy, it means the policy is applicable only if the hotfix is not installed.
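The two queries above can also be run by hand on a target computer to see exactly what the preferences item and the WMI filter will see at the next boot. The PowerShell below is an added example, not part of the original post: it runs the same Win32_QuickFixEngineering query the item-level targeting uses and the same Win32_Environment query the WMI filter uses, and reports which of the reboot phases the machine is in. The KB ID and the "KB#######Installed" variable name are the placeholders from this procedure; the function name and the phase labels are my own.

```powershell
# Added example (not from the original post): evaluate on one computer the two
# WQL queries that the GPP targeting item and the WMI filter run, and report
# which reboot phase the machine is in. Pass the same KB ID used in the GPOs.
function Get-HotfixGpoPhase {
    param(
        [Parameter(Mandatory = $true)]
        [string]$KB,                  # e.g. 'KB#######', the ID used in the GPP items
        [string]$VariableName         # defaults to the '<KB>Installed' name used above
    )
    if (-not $VariableName) { $VariableName = "${KB}Installed" }
    $ns = 'root\cimv2'

    # Same query as the item-level targeting: is the hotfix present?
    $hotfix = Get-CimInstance -Namespace $ns `
        -Query "SELECT * FROM Win32_QuickFixEngineering WHERE HotFixID = '$KB'"

    # Same query as the WMI filter on the install GPO: variable exists and is '0'?
    $filterHit = Get-CimInstance -Namespace $ns `
        -Query "SELECT * FROM Win32_Environment WHERE Name = '$VariableName' AND VariableValue = '0'"

    # Current value of the variable, whatever it is. Win32_Environment reads the
    # registry, so this reflects what the last GPP run wrote, not the live session.
    $var = Get-CimInstance -Namespace $ns `
        -Query "SELECT * FROM Win32_Environment WHERE Name = '$VariableName'" |
        Select-Object -First 1

    $installed   = [bool]$hotfix
    $installedOn = if ($installed) { $hotfix.InstalledOn } else { $null }
    $value       = if ($var) { [string]$var.VariableValue } else { $null }

    $phase = if ($null -eq $value) {
        'boot 1 pending: variable not created yet'
    } elseif ($value -eq '0' -and -not $installed) {
        'boot 2 pending: install GPO applies at next start'
    } elseif ($value -eq '0' -and $installed) {
        'boot 3 pending: hotfix present, variable flips to 1 at next start'
    } elseif ($value -eq '1' -and $installed) {
        'done'
    } else {
        'inconsistent: variable is 1 but hotfix missing; check GPO scope and targeting'
    }

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        HotfixInstalled      = $installed
        InstalledOn          = $installedOn
        VariableValue        = $value
        InstallGpoWouldApply = [bool]$filterHit
        Phase                = $phase
    }
}

# Locally, or remotely with:
# Invoke-Command -ComputerName PC01 -ScriptBlock ${function:Get-HotfixGpoPhase} -ArgumentList 'KB#######'
Get-HotfixGpoPhase -KB 'KB#######' | Format-List
```

A machine reporting "inconsistent" usually means one of the two GPOs is not linked to its OU, or the KB number in the targeting query differs from the one in the filter. Because Win32_Environment reads the registry rather than the running process environment, the value it shows is the one the WMI filter will evaluate at the next Group Policy refresh.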


Install the Hotfix

  1. Create a new GPO and call it something descriptive, for example "Hotfix Installation - KB####### Description of the hotfix"
  2. Expand "Computer Configuration" - "Policies" - "Windows Settings" - "Scripts (Startup/Shutdown)"
  3. Double click on "Startup"
  4. Click on "Add"
  5. In the "Add a Script" dialog box:
    1. Set "Script Name" to "wusa.exe"
    2. Set "Script Parameters" to: \\path\to\Windows6.1-KB#######-x64.msu /quiet /norestart
      • Run wusa.exe without any parameters from the command line to see the options
      • I used /norestart because we are running asynchronous startup scripts and by the time the hotfix has installed the user will have been able to log in and start working. A reboot can wait
  6. Click "OK"
  7. Click "OK"
  8. Close the Group Policy editor window
  9. Select the "Scope" tab
  10. Under "WMI Filtering" select "Hotfix KB####### Installed"
  11. Click "OK"
  12. Link the GPO to the appropriate OUs in your organisation.
  13. Hope like heck you didn't miss anything.

Mop up the aftermath

  1. Reboot the computers
    • The first reboot creates the environment variable and sets it to "0"
  2. Reboot the computers again
    • The second reboot installs the hotfix, because the WMI filter on the install GPO now matches
  3. Reboot the computers again
    • The third reboot finalises the installation of the hotfix (it was installed with /norestart) and the targeting item sets the variable to "1", so the install GPO stops applying
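One thing the install step does not spell out: a startup script runs as SYSTEM, and the computer account fetches the package from \\path\to\ at boot, so anyone who can write to that share can replace the .msu and get SYSTEM on every computer in the GPO's scope at its next restart. Before linking the install GPO it is worth checking the package signature and the NTFS permissions on the share. The script below is an added example, not from the original post; the UNC path, the function names and the list of "broad" principals it flags are assumptions to adapt to your environment.

```powershell
# Added example (not from the original post): pre-flight checks on the package
# the startup script will run as SYSTEM on every computer in the GPO's scope.
# The UNC path is an assumption; substitute the share you actually use.
function Test-MsuSignature {
    param([Parameter(Mandatory = $true)][string]$Path)
    # wusa.exe checks the signature itself, but failing on every client at boot
    # is the wrong place to find out that the file on the share is not the hotfix.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status                        # expect 'Valid'
        Signer = $sig.SignerCertificate.Subject     # expect a Microsoft Corporation subject
        Ok     = ($sig.Status -eq 'Valid' -and
                  $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
    }
}

function Get-MsuBroadWriteAccess {
    # Lists Allow ACEs on the .msu and its folder that give write, modify, delete,
    # take-ownership or change-permissions rights to broad principals. Anyone
    # listed can swap the package for arbitrary code that runs as SYSTEM.
    param([Parameter(Mandatory = $true)][string]$Path)
    $broad = 'Everyone', 'Authenticated Users', 'Users', 'Domain Users',
             'Domain Computers', 'INTERACTIVE', 'NETWORK'      # assumed list; extend as needed
    $writeBits = [int]([System.Security.AccessControl.FileSystemRights]::Modify -bor
                       [System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::Delete -bor
                       [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
                       [System.Security.AccessControl.FileSystemRights]::ChangePermissions)
    foreach ($target in @($Path, (Split-Path -Path $Path -Parent))) {
        foreach ($ace in (Get-Acl -Path $target).Access) {
            $name = $ace.IdentityReference.Value -replace '^[^\\]+\\', ''   # drop DOMAIN\ or BUILTIN\
            if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $name -and
                (([int]$ace.FileSystemRights) -band $writeBits) -ne 0) {
                [pscustomobject]@{
                    Target    = $target
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

$msu = '\\fileserver\hotfixes\Windows6.1-KB#######-x64.msu'   # assumed path
$sig = Test-MsuSignature -Path $msu
$sig | Format-List
$bad = @(Get-MsuBroadWriteAccess -Path $msu)
if (-not $sig.Ok -or $bad.Count -gt 0) {
    $bad | Format-Table -AutoSize
    throw 'Fix the signature or the ACLs before linking the install GPO.'
}
```

The share must still grant Read to Domain Computers (or to the specific computer accounts), otherwise wusa.exe never sees the package; the check above only flags write-class rights, so a Read ACE for Domain Computers passes. Get-Acl reads NTFS permissions only, so review the SMB share permissions separately (Get-SmbShareAccess on the file server, where that module is available). Once the third reboot has run, Get-HotFix -Id KB####### -ComputerName <name> is the quickest way to confirm the result on a list of machines.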



