FOG + Powershell (WinUpdate) Question
-
Asking @jbob about it, since he wrote the new fog client.
A better solution for you might be to update your images quarterly. Another option is WSUS-Offline, it can be scripted. I used it heavily at my last job. Also, you might even set up a full-blown WSUS server, which comes standard in Windows Server 2012 and up, and you can have policy to update computers all the time, or just for a little while too.
-
@Wayne-Workman I have a WSUS server set up, which this script pulls the updates from. The only problem is we have it designed to push updates out on certain days for certain buildings. If I image an Admin PC Monday, they won’t get updates until Thursday. We did this to conserve bandwidth.
Having said that, I also wanted to use this to install PC-specific drivers from Windows Update since Windows 10 has all of our workstation drivers that work. If I injected them like I used to with WinPE, they would be out of date, etc.
-
Marking this thread so I remember to come back to it after the v0.10 release.
-
@RLane I think it’s great that you are managing to do updates so often… But I work in k-12 as well and we don’t roll out updates period. Computers are updated when we re-image them, which is about once a year or if one goes belly-up.
And do I understand correctly when you say that FOG’s domain joining & followed reboot is breaking your updating process, thus causing problems?
-
@RLane , could you just disable the FOG service in the image, and then have your powershell script re-enable it once finished?
-
@Wayne-Workman Interesting… any reason why you don’t roll updates out?
Also, yes. I’m not sure I understand 100% how the client works. Does the client fetch the domain and rename requests immediately after image completion?
This script should be the last thing that my SetupComplete.bat script calls but for some reason is rebooting prior to finishing. I suspect it’s FOG because my Unattend file has 1 OnFirstLogon flag set for the host administrator account. After that, it requires a domain login – indicating that FOG joined it to the domain and renamed it.
Currently using Client 0.9.12 and cloud version 7092.
-
@RLane said in FOG + Powershell (WinUpdate) Question:
any reason why you don’t roll updates out?
They break stuff. That’s why. lol.
I care about updates, I care about having the latest patches. However, I care more that state-required testing happens without a hitch, that class can happen without a hitch, and not losing my job when those things have a hitch.
-
@Jbob Will reupload and test without the service enabled. I’ll report my findings back after.
-
@Jbob Tested and it worked fine without the AD and renaming. How does FOG handle this? Initially, I added a 45 second reboot task via my unattend file, but it didn’t join and rename until the second reboot.
-
@RLane Give me an hour or so. We’re prepping v0.10 for release.
-
@Jbob No rush. This is not my production FOG server - I have a sandbox of 3 devices + a VM I use for testing. I’m planning on rolling out Windows 10 in July - this is just early prep with the scripts.
-
I used a snapin for tasks like this - because I found fog service was renaming and rebooting before any tasks that took more than a few seconds in my setupcomplete.bat. Any snapins are installed after domain join, at least by my testing.
Snapin Run With : %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
Snapin run with argument : -ExecutionPolicy Bypass -File
Snapin File : WindowsUpdate.ps1
Snapin Args: Y Y
Snapin Command should look like this:
%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File WindowsUpdate.ps1 Y Y
That should work fine - and it seems snapins are pushed in order now, so I have this snapin named as 005.wsus for example.
-
@Mentaloid That’s actually a pretty nifty idea… let me upload a new image without the script running from my batch file. The more I use FOG, the more I start to realize it’s designed to make life easy…
-
@RLane Why not just disable the service before sysprep is run? In the Setupcomplete.cmd script, at the end of the script, re-enable the service.
-
@Tom-Elliott The FOG service? Didn’t think of that, either. While we’re on this topic - does anybody else have a more effective way of updating Windows via scripting? I know a lot of things I did on 7 I can no longer do now.
-
@Jbob said in FOG + Powershell (WinUpdate) Question:
@RLane , could you just disable the FOG service in the image, and then have your powershell script re-enable it once finished?
-
Yep - I ended up doing that as well, but things I noted:
For some stuff the AD join and hostname change should be completed first (wsus server and policies and proxy via AD and group policies) - and without the service running, that won’t be completed. Enabling the service at the end of the setupcomplete.cmd means the rename and join hasn’t been completed. Doing it at the beginning, and then running other tasks, means that it will reboot while completing the other tasks.
This is what I’ve done to get the best of both…
example sysprep.cmd
rem Stop the FOG service and keep it from starting on first boot of the image
sc stop FOGService
sc config FOGService start= disabled
sc stop FOGService
rem Stage the answer file and the post-setup script
copy \\fog\Deploy\W10\unattend.xml %systemroot%\System32\sysprep\unattend.xml
mkdir %systemroot%\setup\scripts
copy \\fog\Deploy\W10\setupcomplete.cmd %systemroot%\setup\scripts\setupcomplete.cmd
rem Drop network connections and desktop shortcuts before generalizing
net use * /del
del c:\users\administrator\desktop\*.lnk
c:
cd \windows\system32\sysprep
c:\windows\System32\sysprep\sysprep.exe /quiet /oobe /generalize /shutdown /unattend:unattend.xml
and my setupcomplete.cmd
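@echo off
rem Remove the answer files left behind by setup
del /Q /F c:\windows\system32\sysprep\unattend.xml
del /Q /F c:\windows\panther\unattend.xml
net user Administrator /active:yes
rem Re-enable the FOG service so the rename and domain join can happen now
sc config FOGService start= auto
sc start FOGService
net use * /del
exit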
Then the snapins run after fog service renames and joins the domain.
The reason I use snapins for everything else - because I like my setupcomplete to be simple and fast - anything I want beyond the basics, I can choose to implement or not without changing the setupcomplete; just add the snapins (which for @RLane, would be the windowsupdate snapin).
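A snapin script for the ordering described above, as an added example that is not part of the original thread and is not FOG's or any poster's code: it refuses to install anything until the machine is domain joined and Group Policy has delivered the WSUS server, then installs through the Windows Update Agent COM API. The file name, log path and exit codes 10 and 11 are assumptions.

```powershell
# Hypothetical snapin: Install-WsusUpdates.ps1 (name, log path, exit codes 10/11 are assumptions).
$ErrorActionPreference = 'Stop'
$log = Join-Path $env:SystemRoot 'Temp\snapin-wsus.log'
function Write-Log([string]$Message) {
    "{0:s} {1}" -f (Get-Date), $Message | Add-Content -Path $log
}

# Precondition 1: the rename/domain join has completed.
if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    Write-Log 'Not domain joined yet; skipping updates.'
    exit 10
}

# Precondition 2: Group Policy has delivered the WSUS server.
# Without it the update agent would not be pointed at the internal WSUS server.
gpupdate.exe /target:computer /force | Out-Null
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wsus = (Get-ItemProperty -Path $wuKey -Name WUServer -ErrorAction SilentlyContinue).WUServer
if (-not $wsus) {
    Write-Log 'No WUServer policy present; skipping updates.'
    exit 11
}
Write-Log "Using WSUS server $wsus"

# Search, download and install via the Windows Update Agent COM API.
$session = New-Object -ComObject Microsoft.Update.Session
$found = $session.CreateUpdateSearcher().Search('IsInstalled=0 and IsHidden=0').Updates
if ($found.Count -eq 0) { Write-Log 'No applicable updates.'; exit 0 }

$batch = New-Object -ComObject Microsoft.Update.UpdateColl
foreach ($u in $found) {
    if (-not $u.EulaAccepted) { $u.AcceptEula() }
    [void]$batch.Add($u)
    Write-Log "Queued: $($u.Title)"
}

$downloader = $session.CreateUpdateDownloader()
$downloader.Updates = $batch
[void]$downloader.Download()

$installer = $session.CreateUpdateInstaller()
$installer.Updates = $batch
$result = $installer.Install()
Write-Log "ResultCode=$($result.ResultCode) RebootRequired=$($result.RebootRequired)"

# 3010 is the conventional "success, reboot required" exit code.
if ($result.RebootRequired) { exit 3010 } else { exit 0 }
```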
-
@Mentaloid +1 — thank you!
-
@Mentaloid said in FOG + Powershell (WinUpdate) Question:
I used a snapin for tasks like this - because I found fog service was renaming and rebooting before any tasks that took more than a few seconds in my setupcomplete.bat. Any snapins are installed after domain join, at least by my testing.
Snapin Run With : %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
Snapin run with argument : -ExecutionPolicy Bypass -File
Snapin File : WindowsUpdate.ps1
Snapin Args: Y Y
Snapin Command should look like this:
%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File WindowsUpdate.ps1 Y Y
That should work fine - and it seems snapins are pushed in order now, so I have this snapin named as 005.wsus for example.
Just wanted to post my results from getting a powershell script to run with the legacy client. I had to use the following settings:
Snapin Run With : powershell.exe
Snapin run with argument : -ExecutionPolicy Bypass -command "& '
Snapin File : script.ps1
Snapin Args: ' "
The -command "& ' and ' " will wrap the script with its full path in quotes, allowing for spaces in the path.
-
@Junkhacker wiki worthy