winupdates

This blog will walk you through utilizing Microsoft System Center to automate a process for keeping your Windows Server 2016 VHDX Image patched indefinitely.  You will no longer have to deploy a VM to do an image and recapture or the long process of running Windows Updates after a fresh VMM deployment. 

For this process, I am assuming you already have System Center Configuration Manager installed.  I also am assuming you have a syspreped VHD/VHDX file you use for Virtual Machine Manager or Hyper-V deployments.

 

The basic steps are:

1.      Setup an SCCM Automatic Deployment Rule.

2.      Customize the Powershell Script for your environment.

3.      Setup Automation.

 

Create Automatic Deployment Rule in SCCM:

Create an Automatic Deployment Rule to Download the Patches to a specific location.

For details on setting up an Automatic Deployment Rule see HERE

 

ADR

 

 

The filters used are here:

            Date Released or Revised Last 1 month

            Product “Windows Server 2016”

            Superseded No

Update Classification “Critical Updates” OR “Definition Updates” OR “Security Updates” OR “Service Packs” OR “Update Rollups” OR “Updates” OR “Upgrades”

ADRFilter

 

Offline Servicing Powershell Setup:

On your deployment server. (VMM in my situation)

Create a location to store the Powershell script: C:\Scripts\OfflineVMServicing.ps1

Also create a temp location for the script to mount the VHDX: C:\vmpatching

 

You should only need to edit lines 2 and 3 in the script to set the variables for $VHDPath and $PATCHPath:

          VHDPath will be the path to your VHD/VHDX file of your VM Image.

          PATCHPath will be the location you will select to store patches from your SCCM ADR Rule.

  

#Set Variables for VHD/VHDX path and Updates Location

$VHDPath = "D:\Library\VHDs\Win2016STD.vhdx"

$PATCHPath = "\\sccm\source$\Updates\Windows Server 2016\Cumulative Updates 4-12-2017"

#Get all available Update at SCCM

$Updatelistcab = get-childitem -Path "$PATCHPath" -include *.cab -recurse -File 

$Updatelistmsu = get-childitem -Path "$PATCHPath" -include *.msu –recurse -File

#Mount and Patch the VHD

Mount-WindowsImage -ImagePath "$VHDPath" -Path "c:\vmpatching" -Index 1

Foreach ($Updatecab in $Updatelistcab) 

    { 

     $UpdateReady=get-windowspackage -PackagePath $Updatecab -Path "c:\vmpatching"

     If ($UpdateReady.PackageState -eq "installed") 

       {Write-Output $UpdateReady.PackageName "is already installed"} 

        elseif ($updateReady.Applicable -eq "true")

         {Add-WindowsPackage -PackagePath $Updatecab.Directory -Path "c:\vmpatching"}

    } 

  Foreach ($Updatemsu in $Updatelistmsu)  

  { 

     add-windowspackage -PackagePath $Updatemsu.Directory -Path "c:\vmpatching"  

  } 

       

Dismount-WindowsImage -Path "c:\vmpatching" -save 

 

Setup Automation:

Now that the ADR is setup in SCCM and you have the script to patch your VHD/VHDX file you just need to setup a scheduled task to run this Powershell Script.  I plan to use Orchestrator for this step and will update the blog when completed.