
Scripting resources to automate patching

Although lacking the bells and whistles of commercial patching tools, scripts can offer a quick and simple way to automate Windows patch deployment. Contributor Tony Bradley identifies several handy patching scripts and resources in this tip.

When most people hear the word "script" they think of the document an actor or actress would use to learn lines for a movie or play. More than just a collection of lines to memorize, though, the script gives step-by-step instructions on how each scene of the performance should go.

In a similar, though much less dramatic, fashion, scripts written for your Windows operating system provide step-by-step instructions for the computer to execute. In its simplest form, a script is just a short text file listing the commands to be run. Any command that can be executed from a command line can also be automated by adding it to a script.

Scripts can be assigned to individual users through the user account properties on a Windows network. However, it is more efficient to use Group Policy in a Windows domain, where you can assign scripts to be executed automatically when the computer itself starts up or shuts down, or when a user logs on or off the system. The distinction matters: startup and shutdown scripts run under the Local System account, while logon and logoff scripts run with the privileges of the user who is logging on.

Used in this manner, Windows scripts can automatically install patches and updates on computer systems. By placing security patches on a server share and creating startup scripts that execute the patch installations each time a computer is rebooted, administrators can ensure that every machine receives the latest updates. Because installing a patch requires administrative rights, a startup script (running as Local System) is the reliable choice; a logon script will only succeed when the user happens to be a local administrator. Two consequences follow from running code as Local System on every machine at boot: the share holding the patches and the script must be writable only by administrators, and the script should verify that each package is a genuine, signed Microsoft update before installing it, and skip packages that are already installed so the boot is not slowed by repeated installs.
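The startup-script approach described above, written out as an added PowerShell example. This is the editor's code, not a script from the original tip or from Microsoft's Script Center. The share path `\\patchsrv\patches$`, the log path and the KB number `KB1234567` are placeholders; the script checks whether each update is already present with `Get-HotFix`, refuses packages without a valid Microsoft Authenticode signature, and installs `.msu` packages with `wusa.exe` (older self-extracting hotfix `.exe` packages accept the same `/quiet /norestart` switches).

```powershell
<#
  Added example, not from the original tip: a Group Policy startup script
  (runs as Local System at boot) that installs update packages staged on a
  file share. The share, the log path and the KB/file table are placeholders.
#>
param(
    [string]$PatchShare = '\\patchsrv\patches$',   # assumed: read-only for everyone but admins
    [string]$LogFile    = "$env:SystemRoot\Temp\patch-startup.log"
)

# Constructed deployment table: KB identifier -> installer file on the share.
# KB1234567 is a placeholder, not a real update.
$Packages = @{ 'KB1234567' = 'windows-kb1234567-x64.msu' }

function Write-Log {
    param([string]$Message)
    Add-Content -Path $LogFile -Value ("{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message)
}

function Test-HotFixInstalled {
    param([string]$KB)
    # Get-HotFix writes an error when the id is unknown, hence SilentlyContinue.
    return [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

function Install-UpdatePackage {
    param([string]$KB, [string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Log "MISSING $KB $Path"; return 1 }

    # This runs as SYSTEM on every machine that boots, so anything on the share
    # is effectively trusted code: insist on a valid Microsoft signature.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or
        $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        Write-Log "REJECTED $KB signature status=$($sig.Status)"
        return 1
    }

    if ([IO.Path]::GetExtension($Path) -ieq '.msu') {
        $wusaArgs = @("`"$Path`"", '/quiet', '/norestart')
        $proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
                              -ArgumentList $wusaArgs -Wait -PassThru
    } else {
        # Older self-extracting hotfix .exe packages take the same switches.
        $proc = Start-Process -FilePath $Path -ArgumentList '/quiet', '/norestart' -Wait -PassThru
    }
    return $proc.ExitCode
}

$rebootNeeded = $false
foreach ($kb in $Packages.Keys) {
    if (Test-HotFixInstalled -KB $kb) { Write-Log "SKIP $kb already installed"; continue }
    $code = Install-UpdatePackage -KB $kb -Path (Join-Path $PatchShare $Packages[$kb])
    switch ($code) {
        0       { Write-Log "OK $kb" }
        3010    { Write-Log "OK $kb reboot required"; $rebootNeeded = $true }   # ERROR_SUCCESS_REBOOT_REQUIRED
        2359302 { Write-Log "SKIP $kb reported as already installed (WU_S_ALREADY_INSTALLED)" }
        default { Write-Log "FAIL $kb exit=$code" }
    }
}
if ($rebootNeeded) { Write-Log 'reboot required to complete one or more updates' }
```

Assign the script under Computer Configuration, Windows Settings, Scripts (Startup/Shutdown) in the GPO linked to the workstation OU. The log file is the only record of success or failure this approach gives you, which is exactly the tracking gap the tip discusses below.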

The Script Repository on Microsoft's Script Center contains a variety of scripts that can be used to administer Windows desktop machines. The following scripts are aimed specifically at security:

  • Install an Update: scripts the installation of a Microsoft patch
  • Modify the Update Schedule: scripts the configuration of the Automatic Updates settings on client machines
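For the second item, an added PowerShell example of what "modifying the update schedule" means in practice. This is the editor's code, not the Script Center script; it writes the Group Policy registry values that the Automatic Updates client honours (the Windows Update Agent also exposes the same settings through the `Microsoft.Update.AutoUpdate` COM object). The function names are the editor's own; the value meanings are Microsoft's documented ones.

```powershell
# Added example, not from the original tip: configure Automatic Updates through
# the policy registry keys, and read the result back.
$AUPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# AUOptions values (documented by Microsoft):
#   2 = notify before download          3 = auto download, notify before install
#   4 = auto download, scheduled install 5 = let the local administrator choose
function Set-AutomaticUpdatePolicy {
    param(
        [ValidateSet(2,3,4,5)][int]$AUOptions   = 4,
        [ValidateRange(0,7)]  [int]$InstallDay  = 0,   # 0 = every day, 1 = Sunday .. 7 = Saturday
        [ValidateRange(0,23)] [int]$InstallHour = 3    # local time, 24-hour clock
    )
    if (-not (Test-Path $AUPolicy)) { New-Item -Path $AUPolicy -Force | Out-Null }
    Set-ItemProperty -Path $AUPolicy -Name NoAutoUpdate -Value 0          -Type DWord
    Set-ItemProperty -Path $AUPolicy -Name AUOptions    -Value $AUOptions -Type DWord
    if ($AUOptions -eq 4) {
        # Day and hour are only consulted for scheduled installs.
        Set-ItemProperty -Path $AUPolicy -Name ScheduledInstallDay  -Value $InstallDay  -Type DWord
        Set-ItemProperty -Path $AUPolicy -Name ScheduledInstallTime -Value $InstallHour -Type DWord
    }
}

function Get-AutomaticUpdatePolicy {
    # Returns the policy values, or $null when no policy is set (the client then
    # falls back to its local settings, which any local administrator can change).
    if (-not (Test-Path $AUPolicy)) { return $null }
    Get-ItemProperty -Path $AUPolicy |
        Select-Object NoAutoUpdate, AUOptions, ScheduledInstallDay, ScheduledInstallTime
}

# Weak setting: updates are only announced, and nobody installs them.
#   Set-AutomaticUpdatePolicy -AUOptions 2
# Corrected setting: download and install unattended every day at 03:00.
Set-AutomaticUpdatePolicy -AUOptions 4 -InstallDay 0 -InstallHour 3
Get-AutomaticUpdatePolicy
```

On a domain-joined machine these keys are rewritten at every policy refresh, so this script is useful for stand-alone machines or as a startup script in a GPO that does not already manage Windows Update; otherwise set the same values in the GPO itself under Computer Configuration, Administrative Templates, Windows Components, Windows Update, Configure Automatic Updates.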

Deploying patches this way is obviously cheaper than purchasing and implementing a commercial patch management tool. However, it lacks many features of such tools, including the ability to track which machines actually received a patch, to automatically recall or undo patches that cause problems on the network, and to report on the current or historical state of patching across the environment. Scripts are available that accomplish some of these tasks, but they are much more tedious and time consuming to use than a full patch management solution.

In any event, Windows scripts are valuable resources to have in your administrator toolbox. With all of the bells and whistles of the Windows GUI, it is easy to forget just how quick and simple it can be to execute commands from the command line. Good resources for additional Windows scripts are Microsoft's TechNet Script Center and Doc Rice's Security Patch Scripts for Microsoft Windows NT 4.0, 2000 and XP.

About the author: Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the Guide for Internet / Network Security, providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions, visit Essential Computer Security.
