FOG + Powershell (WinUpdate) Question



  • I’m going to be deploying Windows 10 for the first time over the summer. In the past, I had used an HTA/VB script that would run after FOG completed the imaging task. This would require one of our techs to input the proper OU and computer name of that machine. After a tech completed that, it would finish up and run Windows update.

    Now, with Windows 10, I’m trying to create a process that requires no human interaction. First, I would create my master image. I would upload it with FOG, deploy it. I’m now using FOG to join them to our domain, activate (KMS), and rename.

    My question is: I have a Powershell script that should automatically look for Windows updates, download, and install them. The script that I’m using is below:

    #Script: WSUS.ps1
    #      Author: Gregory Strike
    #     Website: www.GregoryStrike.com
    #        Date: 02-19-2010
    # Information: This script was adapted from the WUA_SearchDownloadInstall.vbs VBScript from Microsoft.  It uses the
    #              Microsoft.Update.Session COM object to query a WSUS server, find applicable updates, and install them.
    #
    #              WSUS.ps1 is a little less verbose about what it is doing when compared to the original VBScript.  The
    #              lines exist in the code below to show the same information as the original but are just commented out.
    #
    #
    #              WSUS.ps1 can automatically install applicable updates by passing a Y to the script.  The default
    #              behavior is to ask whether or not to install the new updates.
    #
    #              Syntax:  .\WSUS.ps1 [Install] [Reboot]
    #                       Where [Install] is optional and can be "Y", "Yes", "No" or "N"
    #                       Whether or not to install the updates automatically.  If Null, the user will be prompted.
    #
    #                       Where [Reboot] is optional and can be "Y", "Yes", "No" or "N",  This 
    #                       If updates require a reboot, whether or not to reboot automatically.  If Null, the user will
    #                       be prompted.
    
    $UpdateSession = New-Object -Com Microsoft.Update.Session
    $UpdateSearcher = $UpdateSession.CreateUpdateSearcher()
     
    Write-Host("Searching for applicable updates...") -Fore Green
     
    $SearchResult = $UpdateSearcher.Search("IsInstalled=0 and Type='Software'")
     
    Write-Host("")
    Write-Host("List of applicable items on the machine:") -Fore Green
    For ($X = 0; $X -lt $SearchResult.Updates.Count; $X++){
        $Update = $SearchResult.Updates.Item($X)
        Write-Host( ($X + 1).ToString() + "> " + $Update.Title)
    }
     
    If ($SearchResult.Updates.Count -eq 0) {
        Write-Host("There are no applicable updates.")
        Exit
    }
     
    #Write-Host("")
    #Write-Host("Creating collection of updates to download:") -Fore Green
     
    $UpdatesToDownload = New-Object -Com Microsoft.Update.UpdateColl
     
    For ($X = 0; $X -lt $SearchResult.Updates.Count; $X++){
        $Update = $SearchResult.Updates.Item($X)
        #Write-Host( ($X + 1).ToString() + "> Adding: " + $Update.Title)
        $Null = $UpdatesToDownload.Add($Update)
    }
     
    Write-Host("")
    Write-Host("Downloading Updates...")  -Fore Green
     
    $Downloader = $UpdateSession.CreateUpdateDownloader()
    $Downloader.Updates = $UpdatesToDownload
    $Null = $Downloader.Download()
     
    #Write-Host("")
    #Write-Host("List of Downloaded Updates...") -Fore Green
     
    $UpdatesToInstall = New-Object -Com Microsoft.Update.UpdateColl
     
    For ($X = 0; $X -lt $SearchResult.Updates.Count; $X++){
        $Update = $SearchResult.Updates.Item($X)
        If ($Update.IsDownloaded) {
            #Write-Host( ($X + 1).ToString() + "> " + $Update.Title)
            $Null = $UpdatesToInstall.Add($Update)        
        }
    }
     
    $Install = [System.String]$Args[0]
    $Reboot  = [System.String]$Args[1]
     
    If (!$Install){
        $Install = Read-Host("Would you like to install these updates now? (Y/N)")
    }
     
    If ($Install.ToUpper() -eq "Y" -or $Install.ToUpper() -eq "YES"){
        Write-Host("")
        Write-Host("Installing Updates...") -Fore Green
     
        $Installer = $UpdateSession.CreateUpdateInstaller()
        $Installer.Updates = $UpdatesToInstall
     
        $InstallationResult = $Installer.Install()
     
        Write-Host("")
        Write-Host("List of Updates Installed with Results:") -Fore Green
     
        For ($X = 0; $X -lt $UpdatesToInstall.Count; $X++){
            Write-Host($UpdatesToInstall.Item($X).Title + ": " + $InstallationResult.GetUpdateResult($X).ResultCode)
        }
     
        Write-Host("")
        Write-Host("Installation Result: " + $InstallationResult.ResultCode)
        Write-Host("    Reboot Required: " + $InstallationResult.RebootRequired)
     
        If ($InstallationResult.RebootRequired -eq $True){
            If (!$Reboot){
                $Reboot = Read-Host("Would you like to reboot now? (Y/N)")
            }
     
            If ($Reboot.ToUpper() -eq "Y" -or $Reboot.ToUpper() -eq "YES"){
                Write-Host("")
                Write-Host("Rebooting...") -Fore Green
                Restart-Computer -Force
    #            (Get-WMIObject -Class Win32_OperatingSystem).Reboot()
            }
        }
    }
    

    I have a batch file that runs the task – started by my unattend file.

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File "C:\Windows\Setup\Scripts\WindowsUpdate.ps1" Y Y
    

    The Y Y are the Yes flags to install and reboot if required without a user prompt.

    My question is: How does FOG add hosts to the domain and rename them? This script takes time to run. I have 1 OnFirstLogon task (this batch script) – but it seems like FOG triggers it to reboot to join the domain and whatnot mid task.

    Hopefully this makes sense… If someone else has a better solution for scripting Windows Updates to install automatically post-imaging, I would LOVE to hear how you do it. Working in K-12 education, I typically create images over the summer time and deploy them throughout the year. Obviously updates can add up so this would be an effective way to reduce man power.
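
An unattended variant of the search/download/install sequence in the post above, as an added example that is not part of the original post or of Gregory Strike's script: it skips updates that may prompt, accepts license terms, logs named result codes, and returns an exit code instead of rebooting. The log path and the exit-code mapping are assumptions.

```powershell
# Added example (not the script from the post): unattended Windows Update Agent run.
# $LogPath is an assumed location; the caller decides what to do with the exit code.
$LogPath = Join-Path $env:SystemRoot 'Temp\WindowsUpdate-unattended.log'
$ResultNames = @{0='NotStarted';1='InProgress';2='Succeeded';3='SucceededWithErrors';4='Failed';5='Aborted'}

function Log([string]$Message) {
    $Line = "{0:s} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $Line
    Write-Host $Line
}

$Session  = New-Object -ComObject Microsoft.Update.Session
$Searcher = $Session.CreateUpdateSearcher()
$Found    = $Searcher.Search("IsInstalled=0 and Type='Software'").Updates

$ToInstall = New-Object -ComObject Microsoft.Update.UpdateColl
foreach ($Update in $Found) {
    # Nobody is at the console: an update that may prompt would stall the run.
    if ($Update.InstallationBehavior.CanRequestUserInput) {
        Log "Skipped (may prompt): $($Update.Title)"
        continue
    }
    # Accepting license terms automatically is a policy decision made here.
    if (-not $Update.EulaAccepted) { $Update.AcceptEula() }
    $null = $ToInstall.Add($Update)
}
if ($ToInstall.Count -eq 0) { Log 'Nothing to install.'; exit 0 }

$Downloader = $Session.CreateUpdateDownloader()
$Downloader.Updates = $ToInstall
$null = $Downloader.Download()

# Install only what actually downloaded, and stop if that is nothing.
$Ready = New-Object -ComObject Microsoft.Update.UpdateColl
foreach ($Update in $ToInstall) { if ($Update.IsDownloaded) { $null = $Ready.Add($Update) } }
if ($Ready.Count -eq 0) { Log 'No update finished downloading.'; exit 1 }

$Installer = $Session.CreateUpdateInstaller()
$Installer.Updates = $Ready
$Result = $Installer.Install()
for ($i = 0; $i -lt $Ready.Count; $i++) {
    Log ("{0}: {1}" -f $Ready.Item($i).Title, $ResultNames[[int]$Result.GetUpdateResult($i).ResultCode])
}
Log ("Overall: {0}; reboot required: {1}" -f $ResultNames[[int]$Result.ResultCode], $Result.RebootRequired)

# 0 = all succeeded, 3010 = succeeded and a reboot is pending, 1 = at least one failure.
if ($Result.ResultCode -ne 2) { exit 1 }
if ($Result.RebootRequired) { exit 3010 }
exit 0
```

Because the reboot decision is left to whatever launched the script, a reboot triggered by another component mid-run shows up in the log as a missing "Overall" line rather than a silent partial install.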


  • Moderator

    Snapin templates have been added to FOG Trunk (future 1.3.0 release). They are very very easy to use.


  • Moderator

    @Junkhacker wiki worthy


  • Developer

    @Mentaloid said in FOG + Powershell (WinUpdate) Question:

    I used a snapin for tasks like this - because I found fog service was renaming and rebooting before any tasks that took more than a few seconds in my setupcomplete.bat. Any snapins are installed after domain join, at least by my testing.

    Snapin Run With : %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
    Snapin run with argument : -ExecutionPolicy Bypass -File
    Snapin File : WindowsUpdate.ps1
    Snapin Args: Y Y

    Snapin Command should look like this:
    %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File WindowsUpdate.ps1 Y Y

    That should work fine - and it seems snapins are pushed in order now, so I have this snapin named as 005.wsus for example.

    just wanted to post my results from getting a powershell script to run with the legacy client. i had to use the following settings:

    Snapin Run With : powershell.exe
    Snapin run with argument : -ExecutionPolicy Bypass -command "& '
    Snapin File : script.ps1
    Snapin Args: ' "

    the -command "& ' and ' " will wrap the script with its full path in quotes, allowing for spaces in the path.



  • @Mentaloid +1 — thank you!



  • @Wayne-Workman

    Yep - I ended up doing that as well, but things I noted:

    For some stuff, the AD join and hostname change should be completed first (wsus server and policies and proxy via AD and group policies) - and without the service running, that won’t be completed. Enabling the service at the end of the setupcomplete.cmd means the rename and join haven’t been completed. Doing it at the beginning, and then running other tasks means that it will reboot while completing the other tasks.

    This is what I’ve done to get the best of both…

    example sysprep.cmd

    sc stop FOGService
    sc config FOGService start=disabled
    sc stop FOGService
    
    copy \\fog\Deploy\W10\unattend.xml %systemroot%\System32\sysprep\unattend.xml
    mkdir %systemroot%\setup\scripts
    copy \\fog\Deploy\W10\setupcomplete.cmd %systemroot%\setup\scripts\setupcomplete.cmd
    
    net use * /del
    del c:\users\administrator\desktop\*.lnk
    c:
    cd \windows\system32\sysprep
    c:\windows\System32\sysprep\sysprep.exe /quiet /oobe /generalize /shutdown /unattend:unattend.xml
    

    and my setupcomplete.cmd

    @echo off
    del /Q /F c:\windows\system32\sysprep\unattend.xml
    del /Q /F c:\windows\panther\unattend.xml
    net user Administrator /active:yes
    sc config FOGService start=auto
    sc start FOGService
    net use * /del
    exit
    

    Then the snapins run after fog service renames and joins the domain.

    The reason I use snapins for everything else - because I like my setupcomplete to be simple and fast - anything I want beyond the basics, I can choose to implement or not without changing the setupcomplete; just add the snapins (which for @RLane, would be the windowsupdate snapin).


  • Moderator

    @Jbob said in FOG + Powershell (WinUpdate) Question:

    @RLane , could you just disable the FOG service in the image, and then have your powershell script re-enable it once finished?



  • @Tom-Elliott The FOG service? Didn’t think of that, either. While we’re on this topic - does anybody else have a more effective way of updating Windows via scripting? I know a lot of things I did on 7 I can no longer do now.


  • Senior Developer

    @RLane Why not just disable the service before sysprep is run? In the Setupcomplete.cmd script at the end of the script re-enable the service.



  • @Mentaloid That’s actually a pretty nifty idea… let me upload a new image without the script running from my batch file. The more I use FOG, the more I start to realize it’s designed to make life easy…



  • I used a snapin for tasks like this - because I found fog service was renaming and rebooting before any tasks that took more than a few seconds in my setupcomplete.bat. Any snapins are installed after domain join, at least by my testing.

    Snapin Run With : %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
    Snapin run with argument : -ExecutionPolicy Bypass -File
    Snapin File : WindowsUpdate.ps1
    Snapin Args: Y Y

    Snapin Command should look like this:
    %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File WindowsUpdate.ps1 Y Y

    That should work fine - and it seems snapins are pushed in order now, so I have this snapin named as 005.wsus for example.



  • @Jbob No rush :) This is not my production FOG server - I have a sandbox of 3 devices + a VM I use for testing. I’m planning on rolling out Windows 10 in July - this is just early prep with the scripts.


  • Senior Developer

    @RLane Give me an hour or so. We’re prepping v0.10 for release.



  • @Jbob Tested and it worked fine without the AD and renaming. How does FOG handle this? Initially, I added a 45 second reboot task via my unattend file, but it didn’t join and rename until the second reboot.



  • @Jbob Will reupload and test without the service enabled. I’ll report my findings back after.


  • Moderator

    @RLane said in FOG + Powershell (WinUpdate) Question:

    any reason why you don’t roll updates out?

    They break stuff. That’s why. lol.

    I care about updates, I care about having the latest patches. However, I care more that state-required testing happens without a hitch, that class can happen without a hitch, and not losing my job when those things have a hitch.



  • @Wayne-Workman Interesting… any reason why you don’t roll updates out?

    Also, yes. I’m not sure I understand 100% how the client works. Does the client fetch the domain and rename requests immediately after image completion?

    This script should be the last thing that my SetupComplete.bat script calls but for some reason is rebooting prior to finishing. I suspect it’s FOG because my Unattend file has 1 OnFirstLogon flag set for the host administrator account. After that, it requires a domain login – indicating that FOG joined it to the domain and renamed it.

    Currently using Client 0.9.12 and cloud version 7092.


  • Senior Developer

    @RLane , could you just disable the FOG service in the image, and then have your powershell script re-enable it once finished?


  • Moderator

    @RLane I think it’s great that you are managing to do updates so often… But I work in k-12 as well and we don’t roll out updates period. Computers are updated when we re-image them, which is about once a year or if one goes belly-up.

    And do I understand correctly when you say that FOG’s domain joining & followed reboot is breaking your updating process, thus causing problems?


  • Senior Developer

    Marking this thread so I remember to come back to it after the v0.10 release.

