This article explains how to facilitate regular VM template patching using WSUS.
1. Set up WSUS on your template library. Identify all operating systems you want serviced. Set up a WSUS auto-approval rule that automatically approves all updates. Let's say your library server has two drives, C: and D:, the WSUS updates folder is set to C:\WSUS, and VM templates are stored in D:\Templates. Create the folder C:\WSUS\AllUpdates; this is where all updates will be extracted to.
2. Create a text file named templates.to.update.txt and list every template file name in it, including the full path, one per line.
3. This script will do the rest:
@echo off
rem
rem This script updates all templates listed in templates.to.update.txt file
rem
rem Created by Serge Chegorian
rem This script is provided as-is, and makes no claim to the validity and accuracy of the content.
rem Use this code at your own risk. I am not responsible for any harm done as a result of using the content
rem or code provided on this Web site.
rem
rem Copy all available update packages (.cab) to C:\WSUS\AllUpdates
rem Loop variables need a doubled %% inside a batch file
for /r c:\wsus\wsuscontent %%f in (*.cab) do copy "%%f" C:\WSUS\AllUpdates /y
rem Pick up template names one by one; "delims=" keeps paths that contain spaces intact
for /f "usebackq delims=" %%i in ("templates.to.update.txt") do call :update_template "%%i"
goto :EOF
rem Patching subroutine
:update_template
rem %~1 is the template path with the surrounding quotes removed
echo select vdisk file="%~1" > diskpart-attach.txt
echo attach vdisk >> diskpart-attach.txt
echo list volume >> diskpart-attach.txt
rem The volume number is the number of existing volumes on the server plus one.
echo select volume 3 >> diskpart-attach.txt
echo assign letter=v >> diskpart-attach.txt
diskpart /s diskpart-attach.txt
rem Apply every package in the folder to the offline image mounted as V:
dism /image:v:\ /Add-Package /Packagepath:C:\WSUS\AllUpdates
echo select vdisk file="%~1" > diskpart-detach.txt
echo detach vdisk >> diskpart-detach.txt
diskpart /s diskpart-detach.txt
exit /B
:EOF
4. Schedule this script to run once or twice per month. That's it.
Dependency consideration
Some updates might depend on other updates. Microsoft recommends identifying these dependencies and installing updates in the correct order using a DISM answer file. Another option is to start with an unpatched template, patch it 2 or 3 times, identify when it becomes fully patched by bringing it online, and then just patch it on a monthly basis.
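
A PowerShell variant of the procedure above, added here as an example and not the author's script: it stages only CABs with a valid Authenticode signature, finds the Windows volume by content instead of assuming volume 3, and reports package states after each pass so successive runs can be compared for the dependency check. It assumes the Storage and DISM PowerShell modules are available, that the WSUS content folder is C:\WSUS\WsusContent as in the batch script, and that every update you service is signed by Microsoft.

```powershell
# Added example, not the article's script. Run elevated on the library server.
$wsusContent = 'C:\WSUS\WsusContent'          # WSUS content folder used in the article
$staging     = 'C:\WSUS\AllUpdates'
$list        = 'templates.to.update.txt'

# Stage only CABs whose Authenticode signature validates and names Microsoft as signer.
# Assumption: everything you service is Microsoft-signed; widen the filter if not.
New-Item -ItemType Directory -Path $staging -Force | Out-Null
Get-ChildItem -Path $wsusContent -Recurse -Filter *.cab | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    if ($sig.Status -eq 'Valid' -and
        $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*') {
        Copy-Item -Path $_.FullName -Destination $staging -Force
    } else {
        Write-Warning "Not staged ($($sig.Status)): $($_.FullName)"
    }
}

foreach ($vhd in (Get-Content -Path $list | Where-Object { $_.Trim() })) {
    try {
        # Locate the Windows volume by content rather than by a fixed volume number.
        $part = Mount-DiskImage -ImagePath $vhd -PassThru | Get-DiskImage | Get-Disk |
            Get-Partition |
            Where-Object { $_.DriveLetter -match '[A-Z]' -and
                           (Test-Path "$($_.DriveLetter):\Windows\System32") } |
            Select-Object -First 1
        if (-not $part) { throw 'no lettered volume containing \Windows\System32' }
        $root = "$($part.DriveLetter):\"

        # DISM errors (for example on non-applicable packages) are logged, not fatal.
        try   { Add-WindowsPackage -Path $root -PackagePath $staging | Out-Null }
        catch { Write-Warning "DISM reported: $($_.Exception.Message)" }

        # Per-pass view of servicing state; compare successive runs of the same template.
        $pkgs = @(Get-WindowsPackage -Path $root)
        [pscustomobject]@{
            Template       = $vhd
            Installed      = @($pkgs | Where-Object PackageState -eq 'Installed').Count
            InstallPending = @($pkgs | Where-Object PackageState -eq 'InstallPending').Count
        }
    }
    catch   { Write-Warning "${vhd}: $($_.Exception.Message)" }
    finally { Dismount-DiskImage -ImagePath $vhd -ErrorAction SilentlyContinue | Out-Null }
}
```

Packages in the InstallPending state complete on the template's next boot, so the counts are a per-pass indicator and do not replace bringing the template online.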