I got a question from Mike this week:
“Hi steve. Hope all is well. I am the IT manager at a small bank in Texas. We have lots of patch management tools…so I am not looking for that. Before an audit I would like to quickly force all of my machines to download and install the latest security patches from MS. Is there any way to force Windows to do this from the command line? And I mean like right now! 
Not next Tuesday. Thanks!”
I came across a script right on Microsoft’s website that can do something close to what you want:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa387102(v=vs.85).aspx
It has a few issues. First, it tries to install all patches. Like the latest version of Internet Explorer, major service packs, and that ridiculous Windows Search 4.0. These require user intervention, and might even break things.
Another issue with the script is that it does not let you know when it failed because the network is down.
We took that script changed it to only include security updates. That way it gets to the core of the issue – getting the latest security patches, without any extra stuff.
With our new version of the script we created a plugin for Network Administrator. This will allow you to remotely install the latest security patches across your network:
If the computer already is up to date, it will say: “This computer is up to date”
You can tell it to just download, or download and install. There is even an option to reboot when the install is complete:
The free version allows you to work with three computers at a time. You can get it from our download page:
http://www.intelliadmin.com/index.php/downloads/
What about that script? If you want to do it yourself without Network Administrator, here is the updated version:
http://www.intelliadmin.com/ForceAU.dat
Just rename it to ForceAU.vbs, and call it like this from the command line:
cscript.exe ForceAU.vbs
Once it starts, it will zoom through and install the latest security patches:
The script, and the plugin work with Windows XP, 2003, Windows Vista, Windows 7, and Windows 2008.
It does require administrator access, so if your users have a limited account you will need to either use the task scheduler, group policy, or Network Administrator.
One other thing to note, is that it does not install service packs – So keep that in mind when using the plugin, or the script.
{ 5 comments… read them below or add one }
Steve,
How in the *hell* did you find those methods in VB Script?
I have the god awful script that launches IE, and has code to check for each different version of IE so it can do the proper clicks and stuff.
I am going to try your script first thing in the morning when I get to the office
Hi there Dave. I spent a lot longer on this script that I originally thought, and I had some help too
Indeed it was not easy to find the Category option that allows the script to skip the service packs, IE upgrades, and that Windows Search 4.0…especially since this solution works with other language versions of Windows
Steve,
What a great tool. Thanks for this
Hi Steve,
I purchased Network Administrator a while back. How do I install this latest plugin?
Hello,
If you already have a previous version…simply make sure it is not running, and install the latest from here:
http://www.intelliadmin.com/NetworkAdministrator.exe
It will automatically install the new plugins.
This is true for the free, and paid versions.