I've been working on this VBScript on and off for a few years now. The purpose of the script is very simple. It installs security patches and other hotfixes on a server. Over the years the tool has been updated and improved primarily by me as well as some friends. I've always given it to anyone that wants it, but never got around to making a website page for the tool. I started developing this because I couldn't find a free or commercial patching tool that was easy to use and simple. I didn't (and still don't) need bells and whistles or anything pretty. I've tried a whole bunch of patching tools (Shavlik, WSUS, SUS, SMS, SCCM, etc.) and never really have been particularly happy with any of them. As a result I started putting this together. It's worked well for me and others for a while. Perhaps it will work well for you too.

Introduction
Setup Directions
Patching with SimplePatch
Miscellaneous Odds and Ends
Support
License
Warranty
Download Link

Introduction

Here's a quick overview of how the script works:

• Download the list of available patches from the server
• Check each patch to see if it applies to the local system and if it's not installed
• Download all the necessary patches
• Install the patches
• Reboot the local system

Or if you prefer a picture (PDF):

Before you read any further, take a moment to review the remainder of these bulleted lists so that your expectations are aligned appropriately. I built this script to support my needs as a consultant working in various environments, many of them large distributed organizations. I tend to make improvements when I have to do patching tasks and need to do something the script didn't do before. I do from time to time make general improvements that people request and you can feel free to ask too. It may just take a while for me to get to your request or I might decide it's not something that enough people will benefit from or perhaps implementing it will require major rework of the script. I manage bugs in the same way.

Here's a quick overview of what the script requires:

• An IIS server (6.0 or better) with the BITS extensions enabled
• A virtual directory configured for BITS which points to a folder housing all of the patches for distribution and the patch list
• On pre Windows Vista/Server 2008 machines, you will need the Windows Support Tools installed on each system as they contain bitsadmin.exe
• You'll need a copy of psexec from Sysinternals on the server where you push patches from if you intend to patch remotely

Here's a quick overview of what the script doesn't currently do:

• Install patches which don't use the standard mechanisms for platform fixes
  • XML and .NET are two frequent offenders
• Install service packs (it may actually, just never tested it)
• Upload logs or do reporting
• Detect unnecessary patches and not download them
• Download the patches from Microsoft for you
• Build the patch list for you
• Patch Itanium (IA64) versions of Windows

Here's a quick overview of where I've tested this:

• Windows Server 2003 x86
• Windows Server 2003 x64
• Windows Server 2008 x86
• Windows Server 2008 x64

Notes on using this on localized machines:

• This script is not localized. All strings are EN-US. That's US English.
• I've done some limited testing on machines which have their regional settings set to something other than EN-US
  • There are probably bugs in this space. If you report them (and include steps to reproduce), I'll work on fixing them
• I've done some VERY limited testing on machines which are running on a non EN-US language
  • There are probably bugs in this space. If you report them (and include steps to reproduce), I'll work on fixing them

Setup Directions

There are a few steps you'll need to take in order to get SimplePatch going for you. First, you'll need to download the latest version. Next, you'll need to configure your patch store and finally you'll need to configure IIS on your distribution server. I won't help you download or unzip the archive, but, I've got directions for configuring the patch store as well as setting up IIS6 and IIS7. If you need help with the mechanics of the zip, I suggest you stop now and engage a professional.

Configuring your Patch Store

First, you'll need to configure a file folder which contains all of the patches and hotfixes you wish to install. Presently I only support a flat structure and you'll need to go and download all these patches from Microsoft. Microsoft has a nice webpage you can use to search for and download the patches you need to deploy. Once you get your initial cache of them setup it shouldn't take long each month to maintain the list. It took me a few hours to build out my initial patch folder. If you have someone in your organization who qualifies for labels such as cheap labor, gopher, scut work person, etc., this is a great job for them.

Once you've got all your patches downloaded somewhere, you'll need to create a file in that same folder called patchlist.txt. This is the list the script downloads each time and evaluates to determine what needs to be deployed on the target systems. The format is quite simple albeit slightly repetitive. Currently you'll need to build it manually or scheme up a very simple script to parse your folder of patches and generate the file. I have a tool I've been working on to do this but it's not ready for prime time yet. Here's the file format and a sample paste from my patch list:

969897;5.2.3790;2;x86;IE7-WindowsServer2003-KB969897-x86-ENU.exe
969897;5.2.3790;1;x64;IE7-WindowsServer2003.WindowsXP-KB969897-x64-ENU.exe
969897;5.2.3790;2;x64;IE7-WindowsServer2003.WindowsXP-KB969897-x64-ENU.exe
969897;6.0.6001;1;x86;Windows6.0-KB969897-x86.msu
969897;6.0.6002;2;x86;Windows6.0-KB969897-x86.msu
969897;6.0.6001;1;x64;Windows6.0-KB969897-x64.msu
969897;6.0.6002;2;x64;Windows6.0-KB969897-x64.msu

As you may have noticed, it's one patch per line per applicable system. So, if the same file applies to Windows Server 2003 x86 SP1 and SP2, you need to have two lines for that patch. Also note that for Windows Server 2008 and Windows Vista, the Windows Version string actually changes across service packs.

You can download my ready backed patch list here if you want. You'll still have to download all the patches by hand but it gives an example of how to set things up. I've not been diligent in removing patches which are no longer needed (e.g. superseded cumulative updates), so, keep that in mind. Regardless, I recommend that you run Windows Update on a test system after patching to make sure you haven't missed anything. Windows Update is generally pretty reliable in this regard.

Configuring an IIS 6 Distribution Server

If you're using IIS7, then skip down a bit.

1. Ensure that the BITS Server Extensions and IIS6 are installed:
   1. Launch the Control Panel
   2. Open Add or Remove Programs and select Add/Remove Windows Components
   3. Select Application Server and click Details
   4. Select Internet Information Services (IIS) and click Details
   5. Check Background Intelligent Transfer Service (BITS) Server Extensions
   6. Click OK
   7. Click OK
   8. Click Next
2. Launch IIS Manager (start>run>inetmgr)
3. Right Click the Server node and select Properties
4. Click MIME Types
5. Click New
6. Specify extension .msu and extension type application/octet-stream:
   
7. Expand Web Sites, Right Click the Default Web Site, and select New>Virtual Directory:
   
8. Click Next and provide an Alias:
   
9. Click Next and provide a Path
10. Click Next
11. Click Finish
12. Test downloading a patch from your newly configured distribution server.
13. If you get an error make sure that you configured the MIME Type as discussed in steps two through six and that IIS has permissions to the patch folder
14. If necessary, grant read permissions to the IIS_WPG group on your patches folder:
    
15. Repeat Step 12.

Configuring an IIS 7 Distribution Serve

If you're using IIS6, then skip this section.

If you haven't installed IIS7, you'll need to go in Server Manager and do so. It's under Roles>Add Role>Web Server (IIS).

You don't get BITS out of the box when you install IIS, so you'll need to add that to the bundle. You can do that by running this command:

ServerManagerCmd -i BITS

Next, you'll need to go in IIS and setup a virtual directory and configure it for BITS:

1. Launch IIS Manager (start>run>inetmgr)
2. Select your Server in the Connections pane:
   
3. Double click MIME Types.
4. Click Add… on the Task Pane
5. Specify extension msu and MIME type application/octet-stream:
   
6. Right click the Default Web Site and Add Virtual Directory:
   
7. Provide the path to your patch store and give it a name:
   
8. Test downloading a patch from your newly configured distribution server.
9. If you get an error make sure that you configured the MIME Type as discussed in steps two through five and that IIS has permissions to the patch folder
10. If necessary, grant read permissions to the IIS_WPG group on your patches folder:
    
11. Repeat Step 8.

Patching with SimplePatch

Now that you've got everything configured, it's time to patch a test system or two. If you intend to patch systems remotely, you'll need to have two things in a folder:

1. SimplePatch.vbs
2. Psexec.exe

If you want to use it locally (e.g. as part of a larger job or a build process or something), you'll just need to get SimplePatch.vbs on to the system and execute it.

There are a couple arguments you'll need to supply to SimplePatch in order for it to function:

• Script operation mode
• Patch server URL

The usage for SimplePatch.vbs details this:

SimplePatch 1.41 Brian Desmond (brian@briandesmond.com)

Usage SimplePatch.vbs Mode ServerPath [/NoReboot] [/DlOnly]

Modes:
     /patch - This will launch the script and start patching
     /postList - This is called after downloading the patch list
     /postPatchDL - This is called after downloading the patches

ServerPath: This is the path to the root of the BITS HTTP server
For example, http://PatchServ/Patches/

/NoReboot - Supply this argument to supress reboots
/DlOnly - Supply this argument to download patches but not install them

For example if your patch server is at http://CHIMGT01/patches and you didn't want to automatically reboot the machine, you could do this:

cscript SimplePatch.vbs /patch http://CHIMGT01/patches /noreboot

I make this easier on myself by using a couple of batch files to do the legwork. They're all included in the zip, however I've pasted them below for demonstration purposes. The two which are particularly useful are PatchSystem.bat and PatchBatchWithReboot.bat. The first one simply patches the runs psexec against a remote system (supplied as the first argument to the batch file) and reboots the system. The latter will loop through a list of machines in a text file and patch each of them remotely.

PatchSystem.bat:

@echo off

md \\%1\c$\smplptch
copy /Y SimplePatch.vbs \\%1\c$\smplptch
psexec \\%1 -s -accepteula cscript c:\smplptch\SimplePatch.vbs /patch http://PATCHSERVER/patches

PatchBatchWithReboot.bat:

@echo off
FOR /F %%i IN (%1) DO PatchSystem.bat %%i

My strategy generally is that I organize my machines which I'll be patching into a series of batches. I put each batch in a text file (one machine per line), and then I run PatchBatchWithReboot one batch at a time. I depend on pre-existing monitoring to determine when all the machines in the batch have been through the patch and reboot cycle.

Miscellaneous Odds and Ends

The script drops a log in whatever directory it runs from. My batch scripts all launch it from c:\smplptch so that would be the location of the log file.

If you want to debug patch installs, you may wish to toggle PATCH_LOGS and DELETE_FAILED_INSTALLS at the top of the script according to the comments. The latter really needs to be set to TRUE on an environment with Windows Server 2008 or Windows Vista (or better) machines as otherwise patches which are simply not needed will be left behind and clog up the system.

The script has an additional mode called /dlonly courtesy of my friend Joe. If you need to patch a lot of boxes and don't want to wait for them to download all their patches, run the script ahead of time in /dlonly mode and it will cache all the patches on each machine. Next time you run the script (in /postpatchdl mode), it will go ahead and just install them. This is handy in slow WAN situations in particular.

Support

If you drop me an e-mail, I'll do what I can to help (and I endeavor to reply to all my email) but keep in mind this is just a side project of mine. I travel quite a lot for work so you should expect delays depending on where I am and how busy I am.

License

This is pretty simple. You should feel free to use this script however you please on your machine or your organization's machines and modify it if you want for your purposes. What you should not feel free to do (and shouldn't do) is post it somewhere on the Internet, sell it, redistribute it outside of your organization's network, or claim it's yours (it's not). If you've got a question about this, just drop me an email and I'd be happy to discuss or clarify. I look forward to hearing from you.

Warranty

There is none. I make no guarantees. You're on your own. If this breaks your network, kills your cat, gets you arrested, gets you fired, or anything else, it's your problem. Thus it's your responsibility to test this script (and your patches) in an actual test environment and determine the impact and ramifications and so forth. Patches have broken systems before, and they will break them in the future. Using your production network for a test lab is an indirect way to state that you have a test lab but no production network.

Download Link

Hypothetically by placing the download link at the bottom that implies you read all the stuff above (it's actually important and might be interesting). Anyway, download here.