Newly Imaged Machines - Patch process "Brian Drab" <kaplan[ at ]news.postalias> 5/18/2007 7:25:20 PM What is the recommended procedures for updating a new machine that has been connected to our domain. For example let's say I buy a Dell computer, receive it, join it to our domain and now I would like to update the machine with all the latest and greatest patches from my WSUS server. I don't want to go to Microsoft Update since it would take longer and I sometimes need to get this done fast and out the door overnight. I've read previously that you can set group policy to have the clients check for updates every hour but what if I want updates right NOW. I'm using server side targetting. Thank you.

Re: Newly Imaged Machines - Patch process "Olaf Engelke [MVP Windows Server]" <oenews01[ at ]mvps.org> 5/18/2007 8:12:18 PM Hi Brian, Brian Drab wrote: [Quoted Text] > What is the recommended procedures for updating a new machine that > has been connected to our domain. For example let's say I buy a Dell > computer, receive it, join it to our domain and now I would like to > update the machine with all the latest and greatest patches from my > WSUS server. I don't want to go to Microsoft Update since it would > take longer and I sometimes need to get this done fast and out the > door overnight. > > I've read previously that you can set group policy to have the > clients check for updates every hour but what if I want updates right > NOW. I'm using server side targetting. > wuauclt /detectnow may help, if the proper group policy is already applied. Best greetings from Germany Olaf

Re: Newly Imaged Machines - Patch process ClaudioG64 <ClaudioG64[ at ]gmail.com> 5/18/2007 9:54:02 PM On May 18, 9:25 pm, "Brian Drab" <kap...[ at ]news.postalias> wrote: [Quoted Text] > What is the recommended procedures for updating a new machine that has been > connected to our domain. For example let's say I buy a Dell computer, > receive it, join it to our domain and now I would like to update the machine > with all the latest and greatest patches from my WSUS server. I don't want > to go to Microsoft Update since it would take longer and I sometimes need to > get this done fast and out the door overnight. > > I've read previously that you can set group policy to have the clients check > for updates every hour but what if I want updates right NOW. I'm using > server side targetting. > > Thank you. Brian, I see you mention "newly IMAGED machines" in the title. If you distribute an image of a client that has been already connected to the WSUS server, you'll have cloned WUS client IDs. Basically that mean that multiple machines will appear as one, with changing properties. If that's the case, you can use this batch to reset each client and force it to generate a new (random) ID. --- BOF [ at ]echo off Echo 1. Stop the wuauserv service Echo 2. Delete the AccountDomainSid registry key (if it exists) Echo 3. Delete the PingID registry key (if it exists) Echo 4. Delete the SusClientId registry key (if it exists) Echo 5. Restart the wuauserv service Echo 6. Resets the Authorization Cookie [ at ]echo on net stop wuauserv /y REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion \WindowsUpdate" /v AccountDomainSid /f REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion \WindowsUpdate" /v PingID /f REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion \WindowsUpdate" /v SusClientId /f net start wuauserv wuauclt /resetauthorization /detectnow --- EOF Please see this also for some details: http://technet2.microsoft.com/windowsserver/en/library/fdee3ce6-9b4d-4d3d-9a5c-ef341faf507d1033.mspx?mfr=true Ciao, Claudio http://www.pulsarit.net/cs/blogs/claudiog/

Re: Newly Imaged Machines - Patch process DaveMills <DaveMills[ at ]newsgroup.nospam> 5/19/2007 5:52:47 AM On Fri, 18 May 2007 15:25:20 -0400, "Brian Drab" <kaplan[ at ]news.postalias> wrote: [Quoted Text] >What is the recommended procedures for updating a new machine that has been >connected to our domain. For example let's say I buy a Dell computer, >receive it, join it to our domain and now I would like to update the machine >with all the latest and greatest patches from my WSUS server. I don't want >to go to Microsoft Update since it would take longer and I sometimes need to >get this done fast and out the door overnight. > >I've read previously that you can set group policy to have the clients check >for updates every hour but what if I want updates right NOW. I'm using >server side targetting. > >Thank you. What I am doing is: Create a GPO called "New Builds" Modify RIS so that all new computers get created in the OU "New Builds" Have client side targeting set Create a WSUSNewBuilds policy that puts the PC in the "NewBuilds" WSUS group detects every hour uses Option 4 Reschedules missed installs sets the delay after boot to 1 minute. In WSUS set an expired deadline for every update on the "NewBuilds" group. This is the most important setting as it forces the PC to install the expired deadline updates immediately. I also run a script that installs update but I do not think it is necessary with the deadline (set this up during WSUS 2 beta). Office is installed via a GPO (with other software too) and the Office installation seems to do a reboot with a "Install updates and Restart" action at least once. The net effect is Press F12 and start the build from RIS. Usually from a RIS CD image. Come back 2 hours later and the PC has installed about 10 software packages and all but a few updates. Things like .Net 1.1 are installed via GPO then WSUS adds the service pack then the update to the service pack then the security fix for the update. I think the last one or two require an addition detect/install cycle above those that happen as a result of either updates or Office etc. forcing a reboot. If I leave the PC a couple of hours it catches up. If I need it in production I do not wait but move it to the correct GPO (which installs other software if requited) and take it to it's deployment location. The reboot there gets one more chance to detect and install but I am quite happy that one or two updates will not get installed until to next scheduled update time. This after all is what happens to all the PCs that were installed in the past. It is rare that the PC is not fully updated with 24 hours. And this is all hands off The XP image has SP2 slipstreamed into it See also "How long does it take to fully update a Windows XP SP1 system?" at http://wsusinfo.onsitechsolutions.com/articles/012.htm My only wish would be to have the ability to set the GPO to treat all updates as having an expired deadline so I do not need to set a deadline on each update. This would same a lot of time and avoid the odd mistake. -- Dave Mills There are 10 type of people, those that understand binary and those that don't.

Re: Newly Imaged Machines - Patch process Harry Johnston <harry[ at ]scms.waikato.ac.nz> 5/19/2007 7:22:05 PM Brian Drab wrote: [Quoted Text] > What is the recommended procedures for updating a new machine that has > been connected to our domain. For example let's say I buy a Dell > computer, receive it, join it to our domain and now I would like to > update the machine with all the latest and greatest patches from my WSUS > server. I don't want to go to Microsoft Update since it would take > longer and I sometimes need to get this done fast and out the door > overnight. I have a fully scripted install process for the machines in our teaching labs. One of the very last steps is to update from WSUS so that I don't need to script every update. I use the following VBScript, which may suit your purposes. Although my machines run it automatically, it can be used manually (from a command line) or could be easily modified to display dialog boxes. It installs all the currently applicable patches from the WSUS server. There is no prompting or other confirmation. Oh, and it's never been tested with WSUS 3, though I don't expect any problems. There are other scripts available on the web which perform similar functions if this one doesn't suit your precise needs. ' Written in 2007 by Harry Johnston, University of Waikato, New Zealand. ' This code has been placed in the public domain. It may be freely ' used, modified, and distributed. However it is provided with no ' warranty, either express or implied. ' ' Exit Codes: ' 0 = scripting failure ' 1 = error obtaining or installing updates ' 2 = installation successful, no further updates to install ' 3 = reboot needed; rerun script after reboot ' ' Note that exit code 0 has to indicate failure because that is what ' is returned if a scripting error is raised. ' Set updateSession = CreateObject("Microsoft.Update.Session") Set updateSearcher = updateSession.CreateUpdateSearcher() Set updateDownloader = updateSession.CreateUpdateDownloader() Set updateInstaller = updateSession.CreateUpdateInstaller() Do WScript.Echo WScript.Echo "Searching for approved updates ..." WScript.Echo Set updateSearch = updateSearcher.Search("IsInstalled=0") If updateSearch.ResultCode <> 2 Then WScript.Echo "Search failed with result code", updateSearch.ResultCode WScript.Quit 1 End If If updateSearch.Updates.Count = 0 Then WScript.Echo "There are no updates to install." WScript.Quit 2 End If Set updateList = updateSearch.Updates For I = 0 to updateSearch.Updates.Count - 1 Set update = updateList.Item(I) WScript.Echo "Update found:", update.Title Next WScript.Echo updateDownloader.Updates = updateList updateDownloader.Priority = 3 Set downloadResult = updateDownloader.Download() If downloadResult.ResultCode <> 2 Then WScript.Echo "Download failed with result code", downloadResult.ResultCode WScript.Echo WScript.Quit 1 End If WScript.Echo "Download complete. Installing updates ..." WScript.Echo updateInstaller.Updates = updateList Set installationResult = updateInstaller.Install() If installationResult.ResultCode <> 2 Then WScript.Echo "Installation failed with result code", installationResult.ResultCode For I = 0 to updateList.Count - 1 Set updateInstallationResult = installationResult.GetUpdateResult(I) WScript.Echo "Result for " & updateList.Item(I).Title & " is " & installationResult.GetUpdateResult(I).ResultCode Next WScript.Quit 1 End If If installationResult.RebootRequired Then WScript.Echo "The system must be rebooted to complete installation." WScript.Quit 3 End If WScript.Echo "Installation complete." Loop

Re: Newly Imaged Machines - Patch process "Lawrence Garvin \(MVP\)" <onsitech[ at ]community.nospam> 5/21/2007 1:53:10 AM "DaveMills" <DaveMills[ at ]newsgroup.nospam> wrote in message news:bb2t43laqir3ujhin2ucfuqtmb9rh7gmce[ at ]4ax.com... [Quoted Text] > My only wish would be to have the ability to set the GPO to treat all > updates as > having an expired deadline so I do not need to set a deadline on each > update. > This would same a lot of time and avoid the odd mistake. Admittedly a great idea! I'll add it to my list of causes to champion (and, embarrassed that I didn't think of the idea myself, since I'm the guy who invented the idea of the "UnderConstruction" OU). :-) -- Lawrence Garvin, M.S., MCTS, MCP Independent WSUS Evangelist MVP-Software Distribution (2005-2007) https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E Everything you need for WSUS is at http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx And, almost everything else is at http://wsusinfo.onsitechsolutions.com .....

Re: Newly Imaged Machines - Patch process "Brian Drab" <kaplan[ at ]news.postalias> 5/21/2007 12:55:27 PM Even if sysprep is used prior to making the Image?? Just checking. Thanks. "ClaudioG64" <ClaudioG64[ at ]gmail.com> wrote in message news:1179525242.183715.30530[ at ]y80g2000hsf.googlegroups.com... [Quoted Text] > On May 18, 9:25 pm, "Brian Drab" <kap...[ at ]news.postalias> wrote: >> What is the recommended procedures for updating a new machine that has >> been >> connected to our domain. For example let's say I buy a Dell computer, >> receive it, join it to our domain and now I would like to update the >> machine >> with all the latest and greatest patches from my WSUS server. I don't >> want >> to go to Microsoft Update since it would take longer and I sometimes need >> to >> get this done fast and out the door overnight. >> >> I've read previously that you can set group policy to have the clients >> check >> for updates every hour but what if I want updates right NOW. I'm using >> server side targetting. >> >> Thank you. > > Brian, > I see you mention "newly IMAGED machines" in the title. If you > distribute an image of a client that has been already connected to the > WSUS server, you'll have cloned WUS client IDs. > Basically that mean that multiple machines will appear as one, with > changing properties. > > If that's the case, you can use this batch to reset each client and > force it to generate a new (random) ID. > > --- BOF > > [ at ]echo off > Echo 1. Stop the wuauserv service > Echo 2. Delete the AccountDomainSid registry key (if it exists) > Echo 3. Delete the PingID registry key (if it exists) > Echo 4. Delete the SusClientId registry key (if it exists) > Echo 5. Restart the wuauserv service > Echo 6. Resets the Authorization Cookie > > [ at ]echo on > net stop wuauserv /y > > REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion > \WindowsUpdate" /v AccountDomainSid /f > REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion > \WindowsUpdate" /v PingID /f > REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion > \WindowsUpdate" /v SusClientId /f > > net start wuauserv > wuauclt /resetauthorization /detectnow > > --- EOF > > Please see this also for some details: > http://technet2.microsoft.com/windowsserver/en/library/fdee3ce6-9b4d-4d3d-9a5c-ef341faf507d1033.mspx?mfr=true > > Ciao, > Claudio > http://www.pulsarit.net/cs/blogs/claudiog/ >

Re: Newly Imaged Machines - Patch process ClaudioG64 <ClaudioG64[ at ]gmail.com> 5/21/2007 1:29:03 PM On May 21, 2:55 pm, "Brian Drab" <kap...[ at ]news.postalias> wrote: [Quoted Text] > Even if sysprep is used prior to making the Image?? Just checking. Thanks. > > "ClaudioG64" <Claudio...[ at ]gmail.com> wrote in message > > news:1179525242.183715.30530[ at ]y80g2000hsf.googlegroups.com... > > > On May 18, 9:25 pm, "Brian Drab" <kap...[ at ]news.postalias> wrote: > >> What is the recommended procedures for updating a new machine that has > >> been > >> connected to our domain. For example let's say I buy a Dell computer, > >> receive it, join it to our domain and now I would like to update the > >> machine > >> with all the latest and greatest patches from my WSUS server. I don't > >> want > >> to go to Microsoft Update since it would take longer and I sometimes need > >> to > >> get this done fast and out the door overnight. > > >> I've read previously that you can set group policy to have the clients > >> check > >> for updates every hour but what if I want updates right NOW. I'm using > >> server side targetting. > > >> Thank you. > > > Brian, > > I see you mention "newly IMAGED machines" in the title. If you > > distribute an image of a client that has been already connected to the > > WSUS server, you'll have cloned WUS client IDs. > > Basically that mean that multiple machines will appear as one, with > > changing properties. > > > If that's the case, you can use this batch to reset each client and > > force it to generate a new (random) ID. > > > --- BOF > > > [ at ]echo off > > Echo 1. Stop the wuauserv service > > Echo 2. Delete the AccountDomainSid registry key (if it exists) > > Echo 3. Delete the PingID registry key (if it exists) > > Echo 4. Delete the SusClientId registry key (if it exists) > > Echo 5. Restart the wuauserv service > > Echo 6. Resets the Authorization Cookie > > > [ at ]echo on > > net stop wuauserv /y > > > REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion > > \WindowsUpdate" /v AccountDomainSid /f > > REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion > > \WindowsUpdate" /v PingID /f > > REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion > > \WindowsUpdate" /v SusClientId /f > > > net start wuauserv > > wuauclt /resetauthorization /detectnow > > > --- EOF > > > Please see this also for some details: > >http://technet2.microsoft.com/windowsserver/en/library/fdee3ce6-9b4d-... > > > Ciao, > > Claudio > >http://www.pulsarit.net/cs/blogs/claudiog/ Hello Brian, if you run Sysprep before cloning, you should be fine (as per http://www.wsuswiki.com/WSUSServerFAQ). Claudio

Re: Newly Imaged Machines - Patch process "Lawrence Garvin \(MVP\)" <onsitech[ at ]community.nospam> 5/21/2007 10:02:07 PM "ClaudioG64" <ClaudioG64[ at ]gmail.com> wrote in message news:1179754143.539253.136080[ at ]y2g2000prf.googlegroups.com... [Quoted Text] > On May 21, 2:55 pm, "Brian Drab" <kap...[ at ]news.postalias> wrote: >> Even if sysprep is used prior to making the Image?? Just checking. >> Thanks. > Hello Brian, > if you run Sysprep before cloning, you should be fine (as per > http://www.wsuswiki.com/WSUSServerFAQ). Merely running sysprep is not sufficient. You*must* use the -reseal parameter when building the master image to ensure the resetting of all machine SIDs when the mini-setup runs on the clone(s). -- Lawrence Garvin, M.S., MCTS, MCP Independent WSUS Evangelist MVP-Software Distribution (2005-2007) https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E Everything you need for WSUS is at http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx And, almost everything else is at http://wsusinfo.onsitechsolutions.com .....