How to apply WSUS updates to a Windows Server 2008 Core machine
Windows Server 2008 Core is an old new concept in the Windows world. We’ve spent the last couple decades trying to put a fancy user interface onto our computers to make tasks easier for the user. The server world has followed suit as well with the same GUI advancements. And I’ll be the first to admit that I like working in a GUI for most small or one-off tasks on a server.
The problem is that with all that code to make a pretty interface you get a much larger attack surface for your environment. All of a sudden you need to apply patches Internet Explorer and media player to your critical SQL server!
So along comes Windows Server 2008 and the option of a “Core” installation. Server Core removes pretty much all of the user interface components leaving a greatly reduced attack (and patch) surface that you have to manage. I recently heard the comment that if Windows Server 2000 had a Core install mode only 40% of patches for the platform would apply (60% for Win2003). Check out more about Server Core here.
So great – I’ve got a lot fewer patches to deploy … but I DO need to still deploy patches. I work in a smaller-scale environment; roughly 50 servers in my core datacenter with another 40+ scattered in local offices around the country and the UK, and about 650 users. We’re not big enough to have the right folks on staff to run Microsoft’s System Center Configuration Manager (formally SMS) to push out applications and patches to computers.
Instead we rely on Windows Server Update Service (WSUS) to manage the Windows Update agent already on each machine (the local agent actually does the install). Our user and dev machines automatically download and install patches, but our servers just download the patches (pre-staged for install) so we can manually manage when each server installs and reboots. This way we make sure servers are rebooted in the right order and are around to ensure everything comes back up. π
The problem comes in with Server Core … there’s no way for you to see the “you have updates to install” notice in the system tray when you log on to the computer because, well, there’s no system tray! I looked and looked and couldn’t figure out how to still leverage WSUS to push patches out and kick off an install.
I recently attended an event on the Microsoft campus in nearby Redmond where I had access to some of the key players in the Windows 2008 product world. The event is under NDA so I can’t give a lot of details, but let’s just say I’M TOTALLY SOLD!
I reached out to a couple of Microsoft contacts from that event to get some help and was rewarded with a link to an MSDN article the solves my issue! Effectively you get a command-line representation of the Windows Update user interface by calling a VBscript!
http://msdn2.microsoft.com/en-us/library/aa387102(VS.85).aspx
Copy the code to a Notepad window and save the file as a .vbs file accessible on the Server Core machine you want to patch (I copied it to a directory on the local disk). From the Server Core command line execute that script via ‘cscript nameofscripthere.vbs’ and let it work it’s magic. You’ll see the patches it scans and finds you need (according to your WSUS group policies … guessing this would work against the public Microsoft Update servers too), will download them (or leverage the pre-staged bits already downloaded), and then ask if you if you want to proceed to install. Give it a “Y” and you’re on your way!
Special thanks to Brendan and Paul for finding this solution!
π
As an aside, you can also manually download each patch’s .MSU installer to the Server Core box (using a file copy from another machine) and then call each patch individually from the command line using ‘wusa.exe patchnamehere.msu’. You’ll actually still get the standard Windows Update user interface dialog where you can prompt it not to reboot. You can even use a couple command line options to make wusa.exe run in a quite mode and not reboot, thus allowing you to apply multiple patches via a batch script. Still kind of clunky though.
The problem is that the WSUS/WUA tools don’t download the .MSU files (or if they do they store them in an “exploded” form) so you can’t use that combination to push out the patches to your boxes for deployment – thus the need for the VBS script above and my 4 day search for a good solution.
Nathan's Occasional Blog 
You are such a geek.
But I love you anyway. π
You could also run a fully managed dedicated server and not have to worry about such updates. We run a server from Server Intellect and they handle all the updates for us. Even run malware scans. I know a lot of people like to the work themselves but not let someone else sweat the small stuff so you can work on the hard problems=)
Haha – is Alicea your girlfriend? When I blogged I got the same kind of responses from my girlfriend.
Thanks for the great post – I thought I wasn’t getting updates on my lab’s Core installs, but the GPO settings were working after all. I kept the script anyway, because it’s good.
Later.
So I’m using the vbs script to do updates on my core server (I don’t have a WSUS server running and don’t like to run fully auto on servers), and it is awesome. The one thing I noticed though is that no matter how many times I run it there are always 2 updates it says I need. One is KB953631 I believe, the other is the Malicious Software Tool for the current month. I can keep running the update script and it says it needs to be installed everytime. I setup another core VM to test it out, and it does the same thing, so I don’t think it is the system unless it is a VM only problem. Anyone know a way to install these properly or at least get it to stop detecting them? Also, if I set it to full auto updating, does that mean it will try to install those 2 updates every night?
I wrote a FREE application to manage Windows 2008 Core servers. This application includes a module to show updates available and install selected updates. You can set Automatic Updates and select the day/hour or Turn Off Automatic Updates.
Visual Core Configurator 2008 is available to download at http://ctxadmtools.musumeci.com.ar
Thanks Guillermo. You are the man.
That saves me. Thanks for being so sesbnlie!
I am having the same trouble as Tim with my Server Core 2008 machine and KB953631. What is the fix?
Thanks this was very helpful!
Thank you very much for the link to a useful script. Worked like a charm.
Thanks so much for sharing this script! I really do wish my company had gone with VMware rather than the idiocy of Hyper-V
Sure its a bit late on this article, but there is not much out there to help with server core…
Use Sconfig to manage server core(2008r2). saves a lot of time. option 6 for updates.
In this script there is an input requested in the form of Y/N when you want to install the update. It doesn’t work if I type Y in the command prompt neither does it work by clicking OK. Please help.
Don’t worry. I had to do cscript instead of running the VBS directly. Thanks.
Glad you’ve got it working Amol. I’ve changed roles significantly since I wrote this up and haven’t touched a Windows Core installation in over 2 years. π I’m going to ask a couple folks internally (I work at Microsoft now) and see if there’s anything better than this script out there. I’ll post an update if anything worthwhile comes up.
i have a windows core 2008 .without internet acces! .. ( network people stuff)
and i want to install selective updates , ‘case its gonna joint to a cluster that has certanly update and hotfixs ..
can you give a clue’?
a friend toldme that download manually the patches , but where , and how can i install it manually?
Thnxs for your help ..
All security patches are available for one-off download via the Microsoft Download Center (microsoft.com/downloads). You’d need to identify which KB’s you want to install (every security hotfix has it’s own release), download, and install these. You should be able to search for some automated methods of installing all KB’s in a given folder online, or you can manually install each one if you want to spend A LOT of time. π
The other method would be to use WSUS, since it would have Internet access and your Core server would only need access to the WSUS box (not necessarily to the Internet).
Hope that helps.
hi
we can export computer status from WSUS server using VBScript ?
Thanks,
Prasanna
hi
we can export computer status from WSUS server using VBScript ?
Thanks,
Prasanna
Hi Prasanna, I really am not sure about VBscript and WSUS. This post was more about how to use WSUS on Windows Server Core instalations and focused on the “client” side. I don’t have domain-specific knowledge around what API’s are available for WSUS. That being said, you should check out the info available over on TechNet like the WSUS forums (http://social.technet.microsoft.com/Forums/en-US/winserverwsus/threads) or the wealth of info published on the product page (http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx).
Good luck!
Hi,
I copied the script and gave it a whirl, but it did not actually install and returned an install code of 3. Note that this server target is registered in WSUS but SP2 install has consistently failed for no apparent reason. Eventually, I gave up and installed from the command line. Nice script all the same.