How to deploy a patch using a startup script via GPO


If we are going to deploy a patch using a startup script we want a script that will only install the patch if the patch is not already installed. In this walkthrough we are going to determine if the patch is already installed by having the script evaluate the following reg key:


When Office patches are installed on a machine there will be an entry in this location for each of them. In my example I will be deploying the hotfix from KB978551.

We will need to determine what the compressed GUID is for this patch. I have extracted the MSP out of the EXE for this patch. Then we right-click the MSP, go to Properties, and go to the Details tab. Here we will find a revision #. The first number is the uncompressed GUID for this patch. It is {25DD7329-11CE-403F-884E-EB21D3572BD2}. We need to convert it to determine what the compressed GUID is. The following blog entry discusses converting a GUID to a compressed GUID.

After converting the GUID we find that the compressed GUID is 9237DD52EC11F30488E4BE123D75B22D. As a result we know that if this patch is installed already the following reg key will exist. We will check for this key in our startup script.
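The conversion can also be scripted instead of done by hand. The following PowerShell is an added example, not code from the original post; the function names ConvertTo-CompressedGuid and Test-PatchRegistered are hypothetical, and the packing rule it uses (reverse each of the first three groups, swap the two hex digits of each byte in the last two) is checked against the GUID pair given in this post.

```powershell
# Added example, not part of the original post. Function names are hypothetical.

function ConvertTo-CompressedGuid {
    param([Parameter(Mandatory)][string]$Guid)

    # Validate and normalise the input; braces are optional.
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($Guid, [ref]$parsed)) {
        throw "Not a valid GUID: $Guid"
    }
    # 'D' format gives 8-4-4-4-12 hex digits separated by hyphens, no braces.
    $groups = $parsed.ToString('D').ToUpperInvariant().Split('-')

    # Groups 1-3: reverse the characters of each whole group.
    $head = foreach ($g in $groups[0..2]) {
        $chars = $g.ToCharArray()
        [array]::Reverse($chars)
        -join $chars
    }

    # Groups 4-5: swap the two hex digits inside each byte.
    $tail = ($groups[3] + $groups[4]) -replace '(.)(.)', '$2$1'

    return (-join $head) + $tail
}

function Test-PatchRegistered {
    param([Parameter(Mandatory)][string]$PatchGuid)

    # Same location the startup script queries with "reg query".
    $packed = ConvertTo-CompressedGuid $PatchGuid
    Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\Installer\Patches\$packed"
}

# Self-check against the GUID pair from this post (KB978551).
$patchGuid = '{25DD7329-11CE-403F-884E-EB21D3572BD2}'
$fromPost  = '9237DD52EC11F30488E4BE123D75B22D'
$packed    = ConvertTo-CompressedGuid $patchGuid
if ($packed -ne $fromPost) {
    throw "Conversion mismatch: got $packed"
}
"Compressed GUID: $packed"
"Patch registered on this machine: $(Test-PatchRegistered $patchGuid)"
```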


Next we need to place our patch in a share that everyone will have read access to. For this walkthrough I created a share named “\\2008r2\patches” and placed the MSP in that location.

I then verified that the computer I want to apply this patch to is in the appropriate OU. I then created a new GPO for that OU and added a startup script under “Computer configuration/Policies/Windows Settings/Scripts/Startup”.

Here is the script I created and added to the default location for the startup scripts for that GPO.



REM Query the patch's key; reg.exe sets errorlevel 1 when the key does not exist.
reg query HKEY_CLASSES_ROOT\Installer\Patches\9237DD52EC11F30488E4BE123D75B22D
if %errorlevel%==1 (goto Patches) else (goto End)

:Patches
REM If 1 returned, the patch is not installed. Install the patch here.
"%windir%\system32\msiexec.exe" /p \\2008r2\patches\IRMPRTIDNMinus1.msp /qn

:End
REM If 0 or other was returned, the patch is already installed. Do nothing.



The logic behind the startup script is as follows:

Check to see if the reg key HKEY_CLASSES_ROOT\Installer\Patches\9237DD52EC11F30488E4BE123D75B22D exists. If it does, then the patch is already installed. Go to the end. If the reg key does not exist, then this patch needs to be installed. Run the command to install it.

After running a GPUPDATE on my target machine we will find that the patch installs as expected upon reboot.

Here is a step by step video demonstration of this procedure. 

