Get all updates on quicker after install
Jordan
2010-04-16 15:52:44 UTC
I use RIS server to deploy Windows XP workstations. I use Group Policies
and Active Directory to deploy almost all my software including Office,
Visual Studio, etc. I also use WSUS 3.0 to update the workstations and I
use Group Policies to set the schedule to download the updates and install
them at 3:00 AM which works well.

When I set up a new computer using RIS and deploy all the software using AD
GPOs it takes about 4 or 5 nights to fully patch XP, Office, Visual Studio,
and the patches to upgrade to IE 8. If I want it done quicker I can just
log in and run wuauclt.exe /detectnow and apply the patches faster.

Is there some script or something that I can run where Windows XP will
automatically check for the updates after it finishes booting (without
logging in) and check for and install all the updates and reboot if needed?
I would like to add this to Windows' startup script so when I build a new
computer it will just keep patching away until complete.
Lawrence Garvin [MVP]
2010-04-16 18:01:28 UTC
Post by Jordan
When I set up a new computer using RIS and deploy all the software using AD
GPOs it takes about 4 or 5 nights to fully patch XP, Office, Visual
Studio, and the patches to upgrade to IE 8. If I want it done quicker I
can just log in and run wuauclt.exe /detectnow and apply the patches
faster.
Is there some script or something that I can run where Windows XP will
automatically check for the updates after it finishes booting (without
logging in) and check for and install all the updates and reboot if needed?
Not directly, Jordan, but there is a methodology you can use to help expedite
this process and conceivably have these updates done in a matter of hours,
rather than days.

Create a special OU for these newly deployed systems (you may already be
using it), and create a special WSUS Target Group to house these systems.
Link the target group via GPO to the OU, and then use Deadlines to approve
the updates for that special Target Group. More significantly, use expired
deadlines. The WUAgent performs a detection scan after every
installation-related restart, to see if there are newly applicable updates.
In the typical scenario, it finds those updates, downloads them, and
schedules them for installation at the next scheduled installation event. If
the update has an expired deadline, however, the WUAgent will install those
updates immediately.

The key to doing this is to let the post-RIS updating occur before you
deliver the machine to the desktop, so that the user will not be
inconvenienced by the extra install/reboot events. In this way you can
process through your normal 4-5 day installation cycle in about 4-5 *hours*
and deliver a fully patched machine to the desktop only a few hours later
than you would have delivered an unpatched machine.

If you configure this entire task sequence to run overnight, the user will
be completely oblivious to the process.
--
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2010)

My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
Dave Mills
2010-04-18 23:00:14 UTC
On Fri, 16 Apr 2010 13:01:28 -0500, "Lawrence Garvin [MVP]"
Post by Lawrence Garvin [MVP]
Post by Jordan
When I set up a new computer using RIS and deploy all the software using AD
GPOs it takes about 4 or 5 nights to fully patch XP, Office, Visual
Studio, and the patches to upgrade to IE 8. If I want it done quicker I
can just log in and run wuauclt.exe /detectnow and apply the patches
faster.
Is there some script or something that I can run where Windows XP will
automatically check for the updates after it finishes booting (without
logging in) and check for and install all the updates and reboot if needed?
Not directly, Jordan, but there is a methodology you can use to help expedite
this process and conceivably have these updates done in a matter of hours,
rather than days.
Create a special OU for these newly deployed systems (you may already be
using it),

Change the RIS config to put newly deployed computers into this "New Builds" OU
by default. This means that when you deploy a new PC it will be placed in the
"New Builds" OU automatically. Then the deadline Lawrence is advocating will
apply these updates to the new PC ASAP. I also have a startup script to run
"wuauclt /detectnow" on reboots. This helps where software such as Office is
deployed via GPO and causes a reboot. This triggers a detection and the newly
required Office updates will be found. The expired deadlines will force these to
install ASAP. Generally it takes less than an hour to get installed and up to
date. You do need to rebuild the image once in a while to embed all the current
updates and save applying 100s.

Post by Lawrence Garvin [MVP]
and create a special WSUS Target Group to house these systems.
Link the target group via GPO to the OU, and then use Deadlines to approve
the updates for that special Target Group. More significantly, use expired
deadlines. The WUAgent performs a detection scan after every
installation-related restart, to see if there are newly applicable updates.
In the typical scenario, it finds those updates, downloads them, and
schedules them for installation at the next scheduled installation event. If
the update has an expired deadline, however, the WUAgent will install those
updates immediately.
The key to doing this is to let the post-RIS updating occur before you
deliver the machine to the desktop, so that the user will not be
inconvenienced by the extra install/reboot events. In this way you can
process through your normal 4-5 day installation cycle in about 4-5 *hours*
and deliver a fully patched machine to the desktop only a few hours later
than you would have delivered an unpatched machine.
If you configure this entire task sequence to run overnight, the user will
be completely oblivious to the process.
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
Harry Johnston [MVP]
2010-04-19 02:17:00 UTC
Post by Jordan
I use RIS server to deploy Windows XP workstations. I use Group Policies
and Active Directory to deploy almost all my software including Office,
Visual Studio, etc. I also use WSUS 3.0 to update the workstations and I
use Group Policies to set the schedule to download the updates and install
them at 3:00 AM which works well.
When I set up a new computer using RIS and deploy all the software using AD
GPOs it takes about 4 or 5 nights to fully patch XP, Office, Visual Studio,
and the patches to upgrade to IE 8. If I want it done quicker I can just
log in and run wuauclt.exe /detectnow and apply the patches faster.
Is there some script or something that I can run where Windows XP will
automatically check for the updates after it finishes booting (without
logging in) and check for and install all the updates and reboot if needed?
I would like to add this to Windows' startup script so when I build a new
computer it will just keep patching away until complete.
My script may be of use here:

<http://www.scms.waikato.ac.nz/~harry/wsusupdate.vbs>

It is designed to be run from the command line, i.e., cscript rather than
wscript, and to be wrapped in a command (or other) script which reboots the
system if necessary and handles error conditions. Obviously you could modify it
to suit your preferences.

Note that it may not be wise to run this in a startup script for production
computers, as it could overload your WSUS server if many computers are switched
on at roughly the same time in the morning. If applied only to computers that
are being built - either as a startup script in a separate OU, or as part of the
build process - it should be OK.

Harry.
--
Harry Johnston
http://harryjohnston.wordpress.com
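
The kind of command-line update script discussed in this thread, written against the Windows Update Agent COM API as an added example; it is not Harry Johnston's wsusupdate.vbs, whose contents are not shown here. The file name and the exit codes are choices made for this example, and the wrapping command script is assumed to reboot when it sees exit code 2.

```vbscript
' Added example, not the script linked in the thread.
' Run as: cscript //nologo wua-install.vbs   (hypothetical file name)
' Exit codes chosen for this example:
'   0 = nothing to install, 1 = installed, 2 = installed and reboot required,
'   3 = one or more updates failed
Option Explicit
Dim session, searcher, result, toInstall, downloader, installer, outcome, i, u

Set session = CreateObject("Microsoft.Update.Session")
Set searcher = session.CreateUpdateSearcher()
' The search goes to the update source the agent is configured for by policy.
Set result = searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

If result.Updates.Count = 0 Then
    WScript.Echo "No applicable updates."
    WScript.Quit 0
End If

Set toInstall = CreateObject("Microsoft.Update.UpdateColl")
For i = 0 To result.Updates.Count - 1
    Set u = result.Updates.Item(i)
    ' An unattended run cannot answer prompts, so skip interactive updates.
    If Not u.InstallationBehavior.CanRequestUserInput Then
        If Not u.EulaAccepted Then u.AcceptEula
        toInstall.Add u
        WScript.Echo "Queued: " & u.Title
    End If
Next
If toInstall.Count = 0 Then WScript.Quit 0

Set downloader = session.CreateUpdateDownloader()
downloader.Updates = toInstall
downloader.Download

Set installer = session.CreateUpdateInstaller()
installer.Updates = toInstall
Set outcome = installer.Install()

' OperationResultCode: 2 = succeeded, 3 = succeeded with errors,
' 4 = failed, 5 = aborted
WScript.Echo "Install result code: " & outcome.ResultCode
If outcome.ResultCode > 2 Then WScript.Quit 3
If outcome.RebootRequired Then WScript.Quit 2
WScript.Quit 1
```

Because some updates only become applicable after others are installed, the wrapper has to rerun the script after each reboot until it exits with 0.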