How To Patch Nano Server, Part 1: Choosing the Correct Path -- Redmondmag.com

How To Patch Nano Server, Part 1: Choosing the Correct Path

While there are many methods for applying patches, going through PowerShell is the most straightforward way to get the job done.

By Brien Posey
04/19/2017

Ever since Microsoft first announced Nano Server as a Windows Server 2016 feature, there has been talk of how Nano Server will greatly reduce the patch management burden. Because of Nano Server's tiny code base, it should theoretically require far fewer patches than a Windows Server that is running a full GUI deployment. Even so, there is a big difference between requiring fewer patches, and requiring no patches. Eventually, you are going to have to patch your Nano Server. The question is, how do you do it?

When I first looked into patch management for Nano Server, I was surprised to learn that there are actually a number of different methods for applying patches. Some of these patch management methods serve a specific purpose. For instance, there is one method that only works for updating an offline VHD or VHDX file.

When it comes to patching a running Nano Server, there are a few different methods that you can use, but there is one particular method that I have found to be easier than the others. In order to use this method, you will need to know your Nano Server's IP address. If you don't already know the IP address, you can get it by logging into the Nano Server's recovery console, and going to the Network Adapter Settings screen. This screen provides you with all of the pertinent IP configuration information.

Once you have documented your Nano Server's current IP address configuration, open an administrative PowerShell window on the computer from which you plan to do the update. Next, you will need to establish a remote session to the Nano Server. There are a few different ways of doing this, but here is the command that Microsoft provides.

Enter-PSSession -ComputerName (Read-Host "Enter Nano  Server IP address") -Credential (Get-Credential)

Upon executing this command, PowerShell will prompt you for the Nano Server's IP address, and will then prompt you to enter a set of credentials for the Nano Server. Once you provide the required information, PowerShell will establish a remote session to the Nano Server. You can see what this looks like in Figure 1.

**[Click on image for larger view.]** *Figure 1.* You will need to establish a remote connection to the Nano Server.

The next thing that you will need to do is to check for available updates. You can do so, by using this block of code, which was provided by Microsoft:

$ci = New-CimInstance -Namespace  root/Microsoft/Windows/WindowsUpdate -ClassName MSFT_WUOperationsSession  

  $result = $ci | Invoke-CimMethod -MethodName  ScanForUpdates -Arguments  @{SearchCriteria="IsInstalled=0";OnlineScan=$true}

  $result.Updates

Although this block of code is admittedly a bit tedious to type, it is this code block that makes this one of the easier methods of updating a Nano Server. Other methods for patching Nano Server require you to figure out which patches are required, download the patch and apply the patch. This block of code checks for the available updates for you, so that you don't have to do it manually. The code compiles a list of available patches and writes the list to a variable named $Result. The last line of code displays the available patches on the screen, as shown in Figure 2.

**[Click on image for larger view.]** *Figure 2.* Here are the available patches.

The next block of code actually installs the available updates. Here is the code:

$ci = New-CimInstance -Namespace  root/Microsoft/Windows/WindowsUpdate -ClassName MSFT_WUOperationsSession

  Invoke-CimMethod -InputObject $ci -MethodName  ApplyApplicableUpdates

  Restart-Computer; exit

You can see the output from these commands in Figure 3.

**[Click on image for larger view.]** *Figure 3.* The Nano Server has been patched.

The last line of code shown in the block above reboots the server once the patches have been installed. Once the reboot is complete, Microsoft recommends verifying that the patches have been applied successfully. To do so, you can use these commands:

Enter-PSSession -ComputerName (Read-Host "Enter Nano  Server IP address") -Credential (Get-Credential) 

  $ci = New-CimInstance -Namespace  root/Microsoft/Windows/WindowsUpdate -ClassName MSFT_WUOperationsSession

  $result = $ci | Invoke-CimMethod -MethodName  ScanForUpdates -Arguments  @{SearchCriteria="IsInstalled=1";OnlineScan=$true}

  $result.Updates

You can see the results in Figure 4.

**[Click on image for larger view.]** *Figure 4.* The patches were installed successfully.

As you can see, it is possible to use PowerShell to patch Nano Server. Even so, the technique that I just showed you is more than a little bit tedious to use. That being the case, I am going to write a Part 2 to this article series, in which I am going to mix Microsoft's code with some code of my own, and show you how you can both scale and automate the patch management process. In the meantime, you can access Microsoft's documentation for patching Nano Server here.

About the Author

Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.

Featured

What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.