Sunday, November 20, 2016

How to apply Windows hotfixes, patches... to a Windows machine that runs on VMware ESXi without a network connection?

Section 1 – Allow copying and pasting text between the administrator computer and the VM via the vSphere client

1.       Power off the Windows Server (VM)

2.       Change the following configuration parameters to allow copy and paste “text” via vSphere client

[Screenshot: VM configuration parameters for copy and paste]

Section 2 – Use MBSA standalone to check a Microsoft server's patch status, and transfer files between the administrator computer and the VM via the vSphere client by mounting an ISO file

3.       Download “Folder2Iso” (http://www.softpedia.com/get/CD-DVD-Tools/CD-DVD-Images-Utils/Folder2ISO.shtml)

4.       Download MBSA 2.3 and related files:

           a. Download Microsoft Baseline Security Analyzer 2.3 (for IT Professionals) - http://www.microsoft.com/en-us/download/details.aspx?id=7558

           b. Download the Security update catalog (wsusscn2.cab) from: go.microsoft.com/fwlink/?LinkId=76054

Remark: Always use the latest copy of this catalog; download it again before you run the offline scan

           c. Windows Update Redistribution Catalogue (wuredist.cab) located at http://update.microsoft.com/redist/wuredist.cab

5.       Use Folder2Iso to convert those MBSA 2.3 files into an ISO

6.       Power on the Windows Server (VM)

7.       Mount the ISO via vSphere client  

8.       Copy the files from the virtual CD to the server and install MBSA 2.3

9.       After the installation of MBSA is complete, copy wsusscn2.cab and wuredist.cab to “C:\Program Files\Microsoft Baseline Security Analyzer 2”

Then open a command prompt and run:

MBSACLI /xmlout /catalog "C:\Program Files\Microsoft Baseline Security Analyzer 2\wsusscn2.cab" /unicode >updates.xml

10.   Open “updates.xml” in Notepad and copy all the text inside


Remark: Make sure every line is copied. Because the number of lines and the amount of content in updates.xml may exceed what the VMware vSphere client is able to copy, check the result against the file size very carefully. (I copied all the text by separating the file into different parts – I did not copy all the lines at one time.)

11.   Paste all the text into a file on your machine and rename it to “updates.xml”

12.   Download the “Getupdate.ps1” from https://deploywindows.info/2015/01/22/automate-mbsa-scan-and-download-missing-patches/ or

https://powershell.org/forums/topic/script-to-automate-mbsa-scan-and-download-missing-patches/

Edit line 31 to remove the “#” and save the file as “Getupdate.ps1”


Copy “updates.xml” and “Getupdate.ps1” into C:\temp and run “Getupdate.ps1” under PowerShell to download all the necessary hotfixes, patches….

Remark: If you are running the download from a Windows 7 machine, you will need to upgrade PowerShell to version 5 (by downloading and installing Windows Management Framework 5.0 - https://www.microsoft.com/en-us/download/details.aspx?id=50395)

13.   Use Folder2Iso to convert those hotfix and patch files into an ISO file

14.   Mount the ISO via vSphere client

15. Copy all files to C:\temp

16.  Install the hotfixes by running “_install.bat”

Remark: If you are using Windows Server 2012 R2, you will need to make the following changes to “_install.bat”

Change "start /wait pkgmgr.exe /ip /m:" to "dism /online /Add-Package /PackagePath:C:\temp\"

Change "nostart" to "norestart"

Remove "/l:%SystemRoot%\Temp\*****.log"


17. Go to “Programs and Features” – “View installed updates” to verify that the hotfixes and patches have been installed.

18. Reboot the Server

19. Run the MBSA scan again until no missing patches are found
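
For steps 10 and 11 above, comparing a digest of the text is a stricter check than file size that the pasted updates.xml is complete. The PowerShell below is an added example, not part of the original post or of Getupdate.ps1; the function name Get-UpdatesXmlDigest is hypothetical, and PowerShell 3.0 or later is assumed on both machines.

```powershell
# Added example: digest of updates.xml that survives a clipboard transfer.
# The C:\temp\updates.xml path follows the steps above; the function name
# Get-UpdatesXmlDigest is hypothetical.
function Get-UpdatesXmlDigest {
    param([Parameter(Mandatory = $true)][string]$Path)

    # ReadAllText honours a byte order mark (mbsacli /unicode writes UTF-16),
    # so the digest covers the decoded text rather than the raw bytes.
    # Notepad may save the pasted copy in another encoding with the same text.
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
    $text = [System.IO.File]::ReadAllText($fullPath)

    # Normalise line endings and surrounding blank space, which the
    # clipboard and the editor can change without losing any content.
    $normalised = ($text -replace "`r`n?", "`n").Trim()

    # A paste that lost lines usually stops being well-formed XML.
    $wellFormed = $true
    try { $null = [xml]$normalised } catch { $wellFormed = $false }

    # SHA-256 over the UTF-8 bytes of the normalised text.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($normalised)
    $hex = -join ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') })

    [pscustomobject]@{
        Path       = $fullPath
        Characters = $normalised.Length
        Lines      = ($normalised -split "`n").Count
        WellFormed = $wellFormed
        Sha256     = $hex
    }
}

# Run once on the VM and once on the administrator computer, then compare
# the Sha256 values; the 64-character digest is short enough to paste or
# read across without hitting the clipboard limit.
Get-UpdatesXmlDigest -Path 'C:\temp\updates.xml' | Format-List
```

If the digests differ but both copies report WellFormed as True, compare Lines and Characters to find out how much is missing. Save the pasted copy as Unicode or UTF-8 in Notepad so that any non-ASCII characters decode to the same text on both sides.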

Reference:

http://clintboessen.blogspot.hk/2009/11/perform-offline-mbsa-scan.html

http://www.breaknenter.org/2011/02/how-to-use-mbsa-standalone-to-check-a-ms-server-for-patch-status/

http://arnavsharma.net/windows-clients/understanding-mbsa-23-microsoft-baseline-security-analyzer

https://deploywindows.info/2015/01/22/automate-mbsa-scan-and-download-missing-patches/

https://blogs.technet.microsoft.com/askcore/2011/02/15/how-to-use-dism-to-install-a-hotfix-from-within-windows/