Skip to main content

This worklet can be used to install any standalone Windows 10 KB patch that you can download from the Microsoft Update Catalog. We often use this to install Windows patches that aren’t included in the official patch releases. For example, sometimes the Intel Microcode patches that patch Meltdown, Spectre, and other speculative execution vulnerabilities aren’t included in the standard Windows patches.



Note: I’ve only test this on Windows 10 PCs.



Evaluation Code:


In this example, I am installing KB4558130, which is the Intel Microcode Patch that was released for Windows 10 build 2004 on 8/31/2020 (https://support.microsoft.com/en-us/help/4558130/intel-microcode-updates). This evaluation code checks if that patch is currently installed. If it is currently installed, the script will quit and not move onto the remediation code. If the patch isn’t installed, it will continue on to the remediation script.



#Check for this Windows Patch.

#Replace KB4558130, with your patch KB

$kb="KB4558130"



if(Get-HotFix -id $kb){

# if found...quit

exit 0

}else{

# if not found continue to remediation script

exit 1

}



Remediation Code:


The remediation code uses wusa.exe, which is the built-in Windows Standalone Installer Updater (https://support.microsoft.com/en-us/help/934307/description-of-the-windows-update-standalone-installer-in-windows). It will install the Windows patch in the background and require no user interaction. I’ve also included the /norestart switch, so it doesn’t reboot their PC. If you’d like to force a reboot after installing the patch, just change /norestart to /forcerestart.



You’ll need to download the Windows Patch and upload it to the Automox worklet. In every Microsoft KB article, Microsoft will link where you can download the patch directly. In my example, here is the Microsoft Update Catalog link for the KB4558130: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4558130



# Replace windows10.0-kb4558130-x64_faf2c27d20b0ab4e2e430ed2a410c537f1c8b799.msu, with the patch file name you downloaded

Start-Process wusa.exe -Wait -ArgumentList "windows10.0-kb4558130-x64_faf2c27d20b0ab4e2e430ed2a410c537f1c8b799.msu /quiet /norestart"

Have you tested on Windows Server 2012 or 2016?

If the KB needs a reboot, and assuming it is safe to reboot, do I just change the flag to /Restart?


Reply