How do you install all windows updates after a workstation rebuild?
I'm looking for a way to have windows updates get slipstreamed or auto installed so that when I rebuild a workstation and it gets to the logon screen it's fully patched and up-to-date. I'm trying to secure some funds to purchase SpecOps Deploy 4.0 (leverages WDS), but if not I'll probably remain on Fog. I would have WSUS set up as well.
The way I see it, I've got a few options:
Capture an image that already has had Windows Update manually run - the problem here is I doubt I'm going to end up with one image, more likely it will be 3 or more. I don't want to have to keep refreshing images and potentially damaging the images just to install a couple of updates.
Manually setup each individual update and deploy it like an application - similar to how our current CC3 system operates, this appeals to me as management is more central but updates would be delayed and I would have to assume that all MS updates would be friendly to the process.
Find a way / buy a program to mount the WIM images and inject the updates - I've been told this is potentially a future development for Deploy 4.0, but I haven't found anything else that would do it.
Buy a program called WuInstall Pro - This is actually really cheap for education, $250 for unlimited client use. It's a command line utility that can apparently install all Windows updates, accepting the EULAs as you go. This could be scripted into the build somewhere and appears to be exactly what I need.
Anyone know of any other way to guarantee that a newly built workstation is up to date? I don't mind the standard WSUS to keep them up to date, but I don't want anything being used half patched.
If you don't want to maintain an image how about maintaining an installation CD? You could use nlite to bundle the vast majority of updates into the installation (and drivers if you wished) then leaving WSUS to fix them up afterwards.
I find this approach works particularly well; we made a point of updating the CD every month or two with the latest updates available and as time goes on you build a pretty good baseline.
It would mean a little more manual work or use of the Concatenate feature in Excel but if you went onto the Microsoft Catalog (The web based directory version of Windows Update), you could download all of the updates that you want to a network share.
Although it may not work for all, you can extract each of the .exe update files into the expanded packages. From there, you could run the updates that you want for each of the machines in a script (perhaps run from your sysprep config or Group Policy - depending which you have access to), along with command line switches to accept the EULA.
Again, not all updates allow the acceptance of the EULA.
I do also think that some of the newer updates actually allow silent install in the compressed form.
I'm currently doing the same at the moment so I'll share some ideas or samples if you like.
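Added example, not part of the thread: one way to script the approach described in the post above, so that a build step installs every package staged on a share and fails loudly if any update does not go on. The share path, log path and the idea of prefixing file names to control order are assumptions; `/quiet /norestart` are the switches taken by `wusa.exe` for `.msu` packages and by update.exe-packaged `.exe` hotfixes, and packages built with other installers may need different ones.

```powershell
param(
    [string]$UpdateShare = '\\fileserver\updates$\win7-x64',  # hypothetical staging share
    [string]$LogFile     = "$env:SystemRoot\Temp\build-updates.log"
)

# 0 = installed, 3010 = installed but reboot required, 2359302 = already installed
$okCodes = 0, 3010, 2359302
$staging = Join-Path $env:TEMP 'build-updates'
New-Item -ItemType Directory -Path $staging -Force | Out-Null

$rebootNeeded = $false
$failed = @()

# Name order is the install order (assumption: prerequisites are prefixed 01-, 02-, ...).
$packages = @(Get-ChildItem -Path $UpdateShare |
    Where-Object { $_.Extension -match '^\.(msu|exe)$' } | Sort-Object Name)

foreach ($pkg in $packages) {
    # Install from a local copy so the run does not depend on the share staying reachable.
    $local = Join-Path $staging $pkg.Name
    Copy-Item -Path $pkg.FullName -Destination $local -Force

    if ($pkg.Extension -ieq '.msu') {
        $exe = "$env:SystemRoot\System32\wusa.exe"
        $arguments = "`"$local`" /quiet /norestart"
    } else {
        $exe = $local
        $arguments = '/quiet /norestart'
    }

    $proc = Start-Process -FilePath $exe -ArgumentList $arguments -Wait -PassThru
    $code = $proc.ExitCode
    Add-Content -Path $LogFile -Value ("{0:s} {1} exit={2}" -f (Get-Date), $pkg.Name, $code)

    if ($code -eq 3010) { $rebootNeeded = $true }
    if ($okCodes -notcontains $code) { $failed += $pkg.Name }
    Remove-Item -Path $local -Force
}

# A non-zero exit lets the build process flag a machine that is only part patched.
if ($failed.Count -gt 0) {
    Write-Warning ("Not installed, check by hand: " + ($failed -join ', '))
    exit 1
}
if ($rebootNeeded) { exit 3010 }
exit 0
```

Any package that prompts or rejects the switches shows up in the log with its own exit code, which gives a list of the updates that need handling separately.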
Thank you. Is there a general rule as to the updates which require user interaction? I'm thinking I'd only need the security / bug fix type of updates to go on, not anything to install new applications like IE8.
Do the updates usually share common switches for silent installation or do you have to do your homework every time?
I usually don't find this an issue. Our images are anything from 1 to 12 months old at any given time and they just get picked up by WSUS pretty quickly, so within a day or so they are back up to the current baseline.
With Vista/7 imaging you can even force an update check against WSUS during the install process.
Are there any updates that actually need to run through the proper update services or are they effectively just downloaded and executed anyway? Also if I was looking at just the post SP3 updates will there be any dependency issues or is the order irrelevant as long as the stuff like Windows Installer is up to date first?
We are pretty much the same scenario described by DrCheese above. If we're talking a couple of machines in a misc room then we'll re-image and leave WSUS to do its business. (If we've gone a step further and physically brought the PC to our office or know the image is quite out of date, we'll force the updates)
If we're talking a whole room re-image (which we tend to plan ahead and revolve over half terms) then we'll actually create a new base image to keep our image library up to date.
Thanks Mark, I think it might come down to speed and reliability in the end. If running through all the updates after the imaging stage is working well then I think it's worth it to guarantee that all the updates are on every workstation without any normal WSUS scheduling. I'll see if I can get a trial version of WUInstall Pro to see how reliable it is.