FOG + Powershell (WinUpdate) Question
-
I’m going to be deploying Windows 10 for the first time over the summer. In the past, I had used an HTA/VB script that would run after FOG completed the imaging task. This would require one of our techs to input the proper OU and computer name of that machine. After a tech completed that, it would finish up and run Windows update.
Now, with Windows 10, I’m trying to create a process that requires no human interaction. First, I would create my master image. I would upload it with FOG, deploy it. I’m now using FOG to join them to our domain, activate (KMS), and rename.
My question is: I have a Powershell script that should automatically look for Windows updates, download, and install them. The script that I’m using is below:
# Script: WSUS.ps1
# Author: Gregory Strike
# Website: www.GregoryStrike.com
# Date: 02-19-2010
# Information: This script was adapted from the WUA_SearchDownloadInstall.vbs VBScript from Microsoft. It uses the
#              Microsoft.Update.Session COM object to query a WSUS server, find applicable updates, and install them.
#
#              WSUS.ps1 is a little less verbose about what it is doing when compared to the original VBScript. The
#              lines exist in the code below to show the same information as the original but are just commented out.
#
#              WSUS.ps1 can automatically install applicable updates by passing a Y to the script. The default
#              behavior is to ask whether or not to install the new updates.
#
# Syntax: .\WSUS.ps1 [Install] [Reboot]
#   Where [Install] is optional and can be "Y", "Yes", "No" or "N"
#     Whether or not to install the updates automatically. If Null, the user will be prompted.
#
#   Where [Reboot] is optional and can be "Y", "Yes", "No" or "N"
#     If updates require a reboot, whether or not to reboot automatically. If Null, the user will
#     be prompted.

$UpdateSession = New-Object -Com Microsoft.Update.Session
$UpdateSearcher = $UpdateSession.CreateUpdateSearcher()

Write-Host("Searching for applicable updates...") -Fore Green
$SearchResult = $UpdateSearcher.Search("IsInstalled=0 and Type='Software'")

Write-Host("")
Write-Host("List of applicable items on the machine:") -Fore Green
For ($X = 0; $X -lt $SearchResult.Updates.Count; $X++){
    $Update = $SearchResult.Updates.Item($X)
    Write-Host( ($X + 1).ToString() + "> " + $Update.Title)
}

If ($SearchResult.Updates.Count -eq 0) {
    Write-Host("There are no applicable updates.")
    Exit
}

#Write-Host("")
#Write-Host("Creating collection of updates to download:") -Fore Green
$UpdatesToDownload = New-Object -Com Microsoft.Update.UpdateColl
For ($X = 0; $X -lt $SearchResult.Updates.Count; $X++){
    $Update = $SearchResult.Updates.Item($X)
    #Write-Host( ($X + 1).ToString() + "> Adding: " + $Update.Title)
    $Null = $UpdatesToDownload.Add($Update)
}

Write-Host("")
Write-Host("Downloading Updates...") -Fore Green
$Downloader = $UpdateSession.CreateUpdateDownloader()
$Downloader.Updates = $UpdatesToDownload
$Null = $Downloader.Download()

#Write-Host("")
#Write-Host("List of Downloaded Updates...") -Fore Green
$UpdatesToInstall = New-Object -Com Microsoft.Update.UpdateColl
For ($X = 0; $X -lt $SearchResult.Updates.Count; $X++){
    $Update = $SearchResult.Updates.Item($X)
    If ($Update.IsDownloaded) {
        #Write-Host( ($X + 1).ToString() + "> " + $Update.Title)
        $Null = $UpdatesToInstall.Add($Update)
    }
}

# Positional arguments: [Install] then [Reboot]; empty when not supplied, which triggers the prompts below.
$Install = [System.String]$Args[0]
$Reboot = [System.String]$Args[1]

If (!$Install){
    $Install = Read-Host("Would you like to install these updates now? (Y/N)")
}

If ($Install.ToUpper() -eq "Y" -or $Install.ToUpper() -eq "YES"){
    Write-Host("")
    Write-Host("Installing Updates...") -Fore Green
    $Installer = $UpdateSession.CreateUpdateInstaller()
    $Installer.Updates = $UpdatesToInstall
    $InstallationResult = $Installer.Install()

    Write-Host("")
    Write-Host("List of Updates Installed with Results:") -Fore Green
    For ($X = 0; $X -lt $UpdatesToInstall.Count; $X++){
        Write-Host($UpdatesToInstall.Item($X).Title + ": " + $InstallationResult.GetUpdateResult($X).ResultCode)
    }

    Write-Host("")
    Write-Host("Installation Result: " + $InstallationResult.ResultCode)
    Write-Host("     Reboot Required: " + $InstallationResult.RebootRequired)

    If ($InstallationResult.RebootRequired -eq $True){
        If (!$Reboot){
            $Reboot = Read-Host("Would you like to reboot now? (Y/N)")
        }
        If ($Reboot.ToUpper() -eq "Y" -or $Reboot.ToUpper() -eq "YES"){
            Write-Host("")
            Write-Host("Rebooting...") -Fore Green
            Restart-Computer -Force
            # (Get-WMIObject -Class Win32_OperatingSystem).Reboot()
        }
    }
}
I have a batch file that runs the task – started by my unattend file.
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File "C:\Windows\Setup\Scripts\WindowsUpdate.ps1" Y Y
The Y Y are the Yes flags to install and reboot if required without a user prompt.
My question is: How does FOG add hosts to the domain and rename them? This script takes time to run. I have 1 OnFirstLogon task (this batch script) – but it seems like FOG triggers it to reboot to join the domain and whatnot mid task.
Hopefully this makes sense… If someone else has a better solution for scripting Windows Updates to install automatically post-imaging, I would LOVE to hear how you do it. Working in K-12 education, I typically create images over the summer time and deploy them throughout the year. Obviously updates can add up so this would be an effective way to reduce man power.
-
Asking @jbob about it, since he wrote the new fog client.
A better solution for you might be to update your images quarterly. Another option is WSUS-Offline, it can be scripted. I used it heavily at my last job. Also, you might even setup a full-blown WSUS server, which comes standard in Windows Server 2012 and up, and you can have policy to update computers all the time, or just for a little while too.
-
@Wayne-Workman I have a WSUS server set up, which this script pulls the updates from. The only problem is we have it designed to push updates out on certain days for certain buildings. If I image an Admin PC Monday, they won’t get updates until Thursday. We did this to conserve bandwidth.
Having said that, I also wanted to use this to install PC-specific drivers from Windows Update since Windows 10 has all of our workstation drivers that work. If I injected them like I used to with WinPE, they would be out of date, etc.
-
Marking this thread so I remember to come back to it after the v0.10 release.
-
@RLane I think it’s great that you are managing to do updates so often… But I work in k-12 as well and we don’t roll out updates period. Computers are updated when we re-image them, which is about once a year or if one goes belly-up.
And do I understand correctly when you say that FOG’s domain joining & followed reboot is breaking your updating process, thus causing problems?
-
@RLane , could you just disable the FOG service in the image, and then have your powershell script re-enable it once finished?
-
@Wayne-Workman Interesting… any reason why you don’t roll updates out?
Also, yes. I’m not sure I understand 100% how the client works. Does the client fetch the domain and rename requests immediately after image completion?
This script should be the last thing that my SetupComplete.bat script calls but for some reason is rebooting prior to finishing. I suspect it’s FOG because my Unattend file has 1 OnFirstLogon flag set for the host administrator account. After that, it requires a domain login – indicating that FOG joined it to the domain and renamed it.
Currently using Client 0.9.12 and cloud version 7092.
-
@RLane said in FOG + Powershell (WinUpdate) Question:
any reason why you don’t roll updates out?
They break stuff. That’s why. lol.
I care about updates, I care about having the latest patches. However, I care more that state-required testing happens without a hitch, that class can happen without a hitch, and not losing my job when those things have a hitch.
-
@Jbob Will reupload and test without the service enabled. I’ll report my findings back after.
-
@Jbob Tested and it worked fine without the AD and renaming. How does FOG handle this? Initially, I added a 45 second reboot task via my unattend file, but it didn’t join and rename until the second reboot.
-
@RLane Give me an hour or so. We’re prepping v0.10 for release.
-
@Jbob No rush. This is not my production FOG server - I have a sandbox of 3 devices + a VM I use for testing. I’m planning on rolling out Windows 10 in July - this is just early prep with the scripts.
-
I used a snapin for tasks like this - because I found fog service was renaming and rebooting before any tasks that took more than a few seconds in my setupcomplete.bat. Any snapins are installed after domain join, at least by my testing.
Snapin Run With : %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
Snapin run with argument : -ExecutionPolicy Bypass -File
Snapin File : WindowsUpdate.ps1
Snapin Args: Y Y
Snapin Command should look like this:
%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File WindowsUpdate.ps1 Y Y
That should work fine - and it seems snapins are pushed in order now, so I have this snapin named as 005.wsus for example.
-
@Mentaloid That’s actually a pretty nifty idea… let me upload a new image without the script running from my batch file. The more I use FOG, the more I start to realize it’s designed to make life easy…
-
@RLane Why not just disable the service before sysprep is run. In the Setupcomplete.cmd script at the end of the script re-enable the service.
-
@Tom-Elliott The FOG service? Didn’t think of that, either. While we’re on this topic - does anybody else have a more effective way of updating Windows via scripting? I know a lot of things I did on 7 I can no longer do now.
-
@Jbob said in FOG + Powershell (WinUpdate) Question:
@RLane , could you just disable the FOG service in the image, and then have your powershell script re-enable it once finished?
-
Yep - I ended up doing that as well, but things I noted:
Some stuff the AD join and hostname change should be completed first (wsus server and policies and proxy via AD and group policies) - and without the service running, that won’t be completed. Enabling the service at the end of the setupcomplete.cmd means the rename and join hasn’t been completed. Doing it at the beginning, and then running other tasks mean that it will reboot while completing the other tasks.
This is what I’ve done to get the best of both…
example sysprep.cmd
sc stop FOGService
rem sc.exe needs the space after "start=" or it rejects the option
sc config FOGService start= disabled
sc stop FOGService
copy \\fog\Deploy\W10\unattend.xml %systemroot%\System32\sysprep\unattend.xml
mkdir %systemroot%\setup\scripts
copy \\fog\Deploy\W10\setupcomplete.cmd %systemroot%\setup\scripts\setupcomplete.cmd
net use * /del
del c:\users\administrator\desktop\*.lnk
c:
cd \windows\system32\sysprep
c:\windows\System32\sysprep\sysprep.exe /quiet /oobe /generalize /shutdown /unattend:unattend.xml
and my setupcomplete.cmd
@echo off
del /Q /F c:\windows\system32\sysprep\unattend.xml
del /Q /F c:\windows\panther\unattend.xml
net user Administrator /active:yes
rem re-enable the FOG client so it renames and joins the domain, then runs snapins
sc config FOGService start= auto
sc start FOGService
net use * /del
exit
Then the snapins run after fog service renames and joins the domain.
The reason I use snapins for everything else - because I like my setupcomplete to be simple and fast - anything I want beyond the basics, I can choose to implement or not without changing the setupcomplete; just add the snapins (which for @RLane, would be the windowsupdate snapin).
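Added example (not code from this thread, from the WSUS.ps1 script in the first post, or from the FOG project): a snapin-style PowerShell runner that combines the two points discussed here. It waits until the FOG client’s domain join and rename have actually completed (so the WSUS server, target group and proxy delivered by Group Policy are in place before any update is requested), then runs the same Microsoft.Update.Session search/download/install sequence as the first post’s script, logs every result and returns a distinct exit code per outcome. Assumed: it runs as SYSTEM from the FOG client as a snapin, 'corp.example' is a placeholder for your AD DNS domain, and the log path and exit-code values are arbitrary choices.

```powershell
<#
  Added example, not from the thread or the FOG project.
  Assumptions: runs as SYSTEM via a FOG snapin; 'corp.example' is a placeholder
  for the AD DNS domain; log path and exit codes are arbitrary choices.
#>
param(
    [string]$ExpectedDomain = 'corp.example',
    [int]$WaitMinutes = 20,
    [switch]$Reboot,
    [string]$LogPath = "$env:SystemRoot\Temp\WindowsUpdate-snapin.log"
)

function Write-Log([string]$Message) {
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

# WSUS server, target group and proxy normally arrive by Group Policy after the
# join, so patching before the join completes would hit the wrong server or none.
function Test-JoinComplete {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain -or $cs.Domain -ne $ExpectedDomain) { return $false }
    # A rename that is still waiting for a reboot leaves these two values different.
    $active  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName').ComputerName
    $pending = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName').ComputerName
    return ($active -eq $pending)
}

$deadline = (Get-Date).AddMinutes($WaitMinutes)
while (-not (Test-JoinComplete)) {
    if ((Get-Date) -gt $deadline) {
        Write-Log "Join/rename to $ExpectedDomain not complete after $WaitMinutes min; giving up"
        exit 2
    }
    Write-Log 'Waiting for domain join and rename to complete...'
    Start-Sleep -Seconds 30
}
Write-Log "Joined to $ExpectedDomain as $env:COMPUTERNAME"

try {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # No Type filter, so software updates and drivers offered by the configured
    # update source are both returned; hidden updates are skipped.
    $found = $searcher.Search("IsInstalled=0 and IsHidden=0").Updates
} catch {
    Write-Log "Update search failed: $($_.Exception.Message)"
    exit 3
}
if ($found.Count -eq 0) { Write-Log 'No applicable updates'; exit 0 }

$coll = New-Object -ComObject Microsoft.Update.UpdateColl
foreach ($u in $found) {
    # Accept EULAs non-interactively; otherwise Install() skips those updates.
    if (-not $u.EulaAccepted) { $u.AcceptEula() }
    [void]$coll.Add($u)
    Write-Log "Queued: $($u.Title)"
}

$downloader = $session.CreateUpdateDownloader()
$downloader.Updates = $coll
[void]$downloader.Download()

$toInstall = New-Object -ComObject Microsoft.Update.UpdateColl
foreach ($u in $coll) { if ($u.IsDownloaded) { [void]$toInstall.Add($u) } }
if ($toInstall.Count -eq 0) { Write-Log 'Nothing downloaded; check WSUS reachability'; exit 3 }

$installer = $session.CreateUpdateInstaller()
$installer.Updates = $toInstall
$res = $installer.Install()

# OperationResultCode: 2 = Succeeded, 3 = SucceededWithErrors, 4 = Failed, 5 = Aborted
for ($i = 0; $i -lt $toInstall.Count; $i++) {
    Write-Log ('{0}: result {1}' -f $toInstall.Item($i).Title, $res.GetUpdateResult($i).ResultCode)
}
Write-Log "Overall result $($res.ResultCode); reboot required: $($res.RebootRequired)"

if ($res.RebootRequired) {
    if ($Reboot) { Write-Log 'Rebooting'; Restart-Computer -Force }
    exit 3010   # same convention as msiexec: success, reboot needed
} elseif ($res.ResultCode -ne 2) {
    exit 1
}
exit 0
```

With the Run With / Argument settings shown above and snapin args of -ExpectedDomain corp.example -Reboot, it reboots itself when an update requires it; without -Reboot it only records that a reboot is pending. Whether the FOG client acts on snapin exit codes is not covered by this thread, so treat the codes as information for the log rather than as a control signal.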
-
@Mentaloid +1 — thank you!
-
@Mentaloid said in FOG + Powershell (WinUpdate) Question:
I used a snapin for tasks like this - because I found fog service was renaming and rebooting before any tasks that took more than a few seconds in my setupcomplete.bat. Any snapins are installed after domain join, at least by my testing.
Snapin Run With : %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
Snapin run with argument : -ExecutionPolicy Bypass -File
Snapin File : WindowsUpdate.ps1
Snapin Args: Y Y
Snapin Command should look like this:
%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File WindowsUpdate.ps1 Y Y
That should work fine - and it seems snapins are pushed in order now, so I have this snapin named as 005.wsus for example.
Just wanted to post my results from getting a powershell script to run with the legacy client. I had to use the following settings:
Snapin Run With : powershell.exe
Snapin run with argument : -ExecutionPolicy Bypass -command "& '
Snapin File : script.ps1
Snapin Args: ' "
The -command "& ' and ' " will wrap the script with its full path in quotes, allowing for spaces in the path.