Category: Windows Update

Switch to modern patch management and free time to improve security in other areas

It’s a fact that the world is constantly changing, and with it we can choose whether to tag along or keep doing what we have always done. This blog post is about shifting the mindset and daily work away from traditional patch management and creating time for efforts in other security-related areas that matter. Change management at its finest!

Fundamental idea: we all know that we need Windows patches, and if you have made the move to Office 365 ProPlus the principle is the same: you need to deploy and install the patches that are released. It really is as simple as that. Testing is a must, of course, but the fact remains that you need those patches.

Traditional vs modern patch management

A discussion I have with many customers is the patching story around Windows 10 devices. The benefits of using Windows Update for Business (WUfB) are many, although it leaves you with less control. What matters in the end is that the Windows 10 devices are patched, and that it is done in a user-friendly manner.

If you compare all the components and the flow that needs to be in place for patching to work all the way in ConfigMgr, you realize there are quite a few things that can go wrong. And in my experience, things do go wrong far too often.

Figure: rough flow over the steps and components involved when patching via ConfigMgr.

Figure: simple flow for patching via Windows Update for Business (WUfB).

Looking at the two comparisons above, it is clear that there is a lot more to manage when patching via ConfigMgr, and that a lot more can go wrong, and more often does.

Maintaining and fixing the infrastructure or doing more valuable things?

With ConfigMgr you must spend significant time managing the infrastructure and making sure it is up to date and working (the orange bar in the figure). The green bar illustrates how much time you typically spend on patch follow-up and fixing patches that could not be installed correctly.

Figure: rough estimate from my experience of the significant time spent fixing broken ConfigMgr infrastructure, agents and so on.

With Windows Update for Business you can focus almost entirely on follow-up, and by doing so hopefully shift your security work to other areas, such as patching insecure firmware, applications and drivers, which makes your environment safer overall.

Figure: with Windows Update for Business there is really no infrastructure that needs fixing, basically only some policies.

Pros and cons for using Windows Update for Business

Here is my list of pros and cons of using Windows Update for Business, in case you are still not convinced that Windows Update for Business is the natural way to go.

  • User-friendly restart prompts. ConfigMgr isn’t exactly known for user-friendly restart prompts. With WUfB you get the built-in Windows 10 restart features, which give your end users more control: postponing and picking a time that suits them.
  • Control over devices away from the office network. Many organizations have little or no control over, or possibility to patch, devices that are solely on the internet or away from the office network. With WUfB that is not an issue, as you can not only patch but also follow up on each and every Windows device that has a working internet connection.
  • Less error-prone = higher patch level. By cutting all the steps and infrastructure components that need to be in place for patching via ConfigMgr, you get a higher success rate when patching your Windows 10 devices.
  • Time saving for IT admins. No more spending time on approving patches and dealing with distribution and install problems. Instead you get time to focus on other, more relevant security work.
  • Fully automatic. Well, you can achieve full automation in ConfigMgr as well, but not many do, as they want to stay in control. With WUfB everything is automatic, and the flow is only paused if problems are discovered during the multiple testing phases.
  • Less control. Yes, on the negative side you lose control, as you cannot really choose which Windows patches you deploy. This comes back to a question that typically has only one answer: do you really need this control, given that you need all Windows (and Office) patches anyway?

Summary

By shifting to modern patch management using Windows Update for Business you free up time and can put that time into patching other things, for example insecure firmware, applications or device drivers.

You can also focus on activating Windows features that raise security, such as the Windows Defender technologies Exploit Guard and Application Guard, or Microsoft Defender ATP, which can take your security work to a level you could previously only dream of.

Creating the perfect and fully automated reference image for Windows operating systems

A perfect reference image for Windows is fast to deploy, contains all security updates and all other necessary patches, possibly also applications like Office, and, last but not least, is built fully automatically to achieve the best possible stability and to avoid the potential for manual errors. This guide is intended to show you how to build the perfect reference image ever made!

NOTE: I have also posted this guide to TechNet Wiki, where you find an improved version of this article (although the steps in the article below are still valid): TechNet Wiki: HOW TO: Create the perfect and fully automated reference image for Windows operating systems

There is no need to reinvent the wheel, as this can be achieved very easily in Microsoft Deployment Toolkit. Start by downloading Microsoft Deployment Toolkit and, in the components section, make sure to download and install the Windows Automated Installation Kit. Start Deployment Workbench and off we go!

Note: This guide applies to everyone, regardless of whether you are deploying Windows using SCCM, MDT or any third-party deployment solution.

1. In Deployment Workbench, create a new deployment share dedicated to building the reference image and name it something like “Reference image build and capture share”, or a name of your choice.

2. Add the OS installation files (repeat for each OS you want to build an image for) to the Operating Systems folder. Always import the full setup files; never import just a WIM file at this stage.

3. Create a task sequence based on the Standard Client task sequence (repeat for each OS you want to build an image for).

4. Edit each task sequence to enable the existing but disabled “Windows Update” step(s).

5. Edit the rules of the share by right-clicking it and choosing Properties. The rules (CustomSettings.ini) should look like the listing below. Replace the values of BackupShare and BackupDir with the share name and directory where the captured images should be stored.

[Settings]
Priority=Default
Properties=MyCustomProperty

[Default]
OSInstall=Y
SkipAppsOnUpgrade=YES
SkipCapture=YES
DoCapture=YES
SkipAdminPassword=YES
SkipProductKey=YES
SkipUserData=YES
SkipTimeZone=YES
SkipFinalSummary=YES
SkipSummary=YES
SkipLocaleSelection=YES
SkipDomainMembership=YES
SkipComputerName=YES
SkipBitlocker=YES
SkipApplications=YES
ComputerBackupLocation=NETWORK
BackupShare=\\server\share
BackupDir=Captures

6. Modify Bootstrap.ini to look like the listing below. Replace the values according to your configuration.

[Settings]
Priority=Default

[Default]
SkipBDDWelcome=YES
DeployRoot=\\server\share
UserDomain=CONTOSO.COM
UserID=username
UserPassword=password

7. Now add the line below to the [Default] section of the rules (CustomSettings.ini). It points the Windows Update step to your WSUS server, where you control everything that is released by Microsoft and thereby stay 100% in control of what ends up in your image.

WSUSServer=http://nameofwsusserver

8. To make sure that each operating system you build a reference image for gets its own file name, edit each task sequence to set a task sequence variable, for instance:

BackupFile=Windows7Enterprisex64.wim

9. Update the deployment share to generate the boot ISO, which you use to boot your virtual machine and start the build process.

Remember to always build the reference image on a virtual machine to avoid potential problems related to hardware.

You could also add Office as an application in Deployment Workbench and to all task sequences that require it, so that you have a rapid deployment image ready to go.
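Steps 2, 3 and 9 above can be scripted with the MDT PowerShell snap-in. The script below is an added example, not code from the original post; the share path, media path, OS folder name and task sequence ID are placeholders, and the snap-in name is the MDT 2010-era one (newer MDT versions ship a module instead, noted in the comments). Steps 4, 5 and 8 (enabling the Windows Update step, the rules and the BackupFile variable) still need to be done as described above.

```powershell
# Added example: automates import of the OS, creation of the task sequence and
# the deployment share update. All paths and names are placeholders.
$ErrorActionPreference = 'Stop'

# MDT 2010: snap-in. MDT 2012 and later use a module instead:
# Import-Module 'C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1'
Add-PSSnapIn Microsoft.BDD.PSSnapIn

$shareRoot = 'D:\RefImageShare'             # placeholder: the "build and capture" share
$osSource  = 'E:\'                          # placeholder: mounted Windows install media
$osFolder  = 'Windows 7 Enterprise x64'     # placeholder: destination folder under Operating Systems
$tsId      = 'REFW7X64'                     # placeholder: task sequence ID

New-PSDrive -Name 'DS001' -PSProvider MDTProvider -Root $shareRoot | Out-Null

# Step 2: import the complete setup files (SourcePath), never just a WIM
Import-MDTOperatingSystem -Path 'DS001:\Operating Systems' -SourcePath $osSource `
    -DestinationFolder $osFolder -Verbose

# The imported OS shows up as an item under Operating Systems; pick the one we just imported
$osItem = Get-ChildItem 'DS001:\Operating Systems' |
    Where-Object { $_.Name -like "*$osFolder*" } | Select-Object -First 1
if (-not $osItem) { throw "Imported OS not found under Operating Systems" }

# Step 3: task sequence based on the Standard Client template (Client.xml)
Import-MDTTaskSequence -Path 'DS001:\Task Sequences' -Name "Build $osFolder" `
    -Template 'Client.xml' -Comments 'Reference image build' -ID $tsId -Version '1.0' `
    -OperatingSystemPath "DS001:\Operating Systems\$($osItem.Name)" `
    -FullName 'Contoso' -OrgName 'Contoso' -HomePage 'about:blank' -Verbose

# Step 9: regenerate the boot media so the ISO reflects the share contents
Update-MDTDeploymentShare -Path 'DS001:' -Verbose
```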

Done! Happy deploying!

General quick fix for Windows Update problems

Most problems with Windows Update can be solved by simply renaming the SoftwareDistribution folder in the Windows directory. To be able to do so you must first stop the Automatic Updates service (if you are on Windows XP or Server 2003 or earlier) or the Windows Update service (if you are on Windows Vista or Windows Server 2008 and later).

The SoftwareDistribution folder is automatically recreated when you start the service again. Bear in mind that you will lose the update history when performing this trick, something you can of course get back if you rename the SoftwareDistribution folder instead of deleting it.

Also keep in mind that renaming or deleting the SoftwareDistribution folder is for fixing problems with searching for updates or contacting a WSUS server, for instance; you will not solve problems installing various hotfixes or updates using this method. To troubleshoot problems related to Windows Update or Automatic Updates, look in WindowsUpdate.log, located in the root of the Windows directory, for clues. For problematic hotfix installations, see the hotfix log file.
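The rename trick as a script, added here as an example (not from the original post). It assumes an elevated Windows PowerShell 2.0 or later prompt; the service name is wuauserv on all the listed systems (display name “Automatic Updates” on XP/2003, “Windows Update” on Vista/2008 and later), and the old folder is kept under a timestamped name so the update history can be recovered.

```powershell
# Added example: stop wuauserv, rename SoftwareDistribution, start wuauserv again.
$ErrorActionPreference = 'Stop'

function Reset-SoftwareDistribution {
    $sdPath = Join-Path $env:WINDIR 'SoftwareDistribution'
    # Rename rather than delete, so the old update history stays available
    $backupName = 'SoftwareDistribution.old-' + (Get-Date -Format 'yyyyMMdd-HHmmss')
    $backupPath = Join-Path $env:WINDIR $backupName

    $svc = Get-Service -Name 'wuauserv'
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name 'wuauserv' -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }

    if (Test-Path $sdPath) {
        Rename-Item -Path $sdPath -NewName $backupName
    }

    # The folder is recreated by the service itself; it may only appear after the next scan
    Start-Service -Name 'wuauserv'
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

    New-Object PSObject -Property @{
        ServiceStatus = (Get-Service -Name 'wuauserv').Status
        BackupFolder  = $backupPath
        BackupExists  = (Test-Path $backupPath)
    }
}

Reset-SoftwareDistribution
```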

Easy uninstall of patches in Windows 7

Windows Vista introduced patches in MSU (Microsoft Standalone Update) format, which has many advantages over the traditional Windows XP patch format. However, if one wants to uninstall patches in Windows Vista, this is kind of tricky.

You will be glad to learn that in Windows 7 the wusa.exe command line tool has been improved so that you can use an uninstall switch and just supply the KB number for the update you want to remove.

wusa.exe /uninstall /kb:940102 /quiet

Could it become easier to uninstall patches using scripts?
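One way to script it, added here as an example rather than code from the original post: a function that takes a list of KB numbers, skips the ones Get-HotFix does not report as installed, calls wusa.exe with the /uninstall switch and reports the result from the exit code. It assumes Windows 7 with its built-in Windows PowerShell 2.0; the KB numbers in the usage call are placeholders.

```powershell
# Added example: uninstall several updates with wusa.exe and report per-KB status.
function Uninstall-KB {
    param([Parameter(Mandatory = $true)][string[]]$KbNumbers)

    # Get-HotFix reports installed updates with IDs like "KB940102"
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })

    foreach ($kb in $KbNumbers) {
        $id = $kb -replace '^(?i)KB', ''          # accept "940102" or "KB940102"
        if ($installed -notcontains "KB$id") {
            New-Object PSObject -Property @{ KB = "KB$id"; Status = 'Not installed, skipped' }
            continue
        }

        # /norestart keeps the script in control of when the machine reboots
        $p = Start-Process -FilePath 'wusa.exe' `
            -ArgumentList "/uninstall /kb:$id /quiet /norestart" -Wait -PassThru

        switch ($p.ExitCode) {
            0       { $status = 'Removed' }
            3010    { $status = 'Removed, reboot required' }   # ERROR_SUCCESS_REBOOT_REQUIRED
            default { $status = "Failed (exit code $($p.ExitCode))" }
        }
        New-Object PSObject -Property @{ KB = "KB$id"; Status = $status }
    }
}

# Usage (placeholder KB numbers); reboot afterwards if any entry says so
Uninstall-KB -KbNumbers '940102', 'KB123456' | Format-Table -AutoSize
```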

Windows Update client in Windows 7 also coming for Windows Vista

If you have tried out Windows 7 you know that it includes some changes when it comes to Windows Update. The good news for Windows Vista users is that the Windows Update client included in Windows 7 will also be available for Windows Vista. A few days ago the beta program for the next version of the Windows Update client started on Microsoft Connect.

Some of the improvements that can be seen in Windows 7 and that will be available in Windows Vista are as follows:

  • Reduced number of UAC prompts and the option to allow all users to install any updates.
  • Much better interface, with optional and important updates separated.
  • More information when errors do occur, now also with descriptions.
  • Better notification for the user, telling them that the computer will be restarted at xx:xx and that they need to save all open documents (if the settings are set to automatically install and restart, that is).

If you want to try the new Windows Update client for Windows Vista, go to http://connect.microsoft.com and apply to the program called “MUv4 Beta”.

More information about setting Microsoft Update to be the default instead of Windows Update by script can be found in this post I made quite some time ago. I’ve also verified that this works in Windows 7 as well as in Windows Vista.

Slipstream the “new” Windows Update components

More than half a year ago Microsoft silently released updated Windows Update components. No official notice was made about this silent release until now, when Microsoft finally published a Knowledge Base article about it, providing download links. But hey, wait! The downloads have been available since the new components were released in mid-August. That is because the new Windows Update components are automatically downloaded via Windows Update, and all files that are downloaded via Windows Update are logged with their download paths in WindowsUpdate.log. You can always find the download links directly in WindowsUpdate.log (located in %WINDIR%) by looking at the requested file name and appending it to the base download path.

The benefit of downloading the new Windows Update components from here is that you can integrate the CAB files directly into the Windows Vista install.wim image. Here are the links to the Windows Update component CAB files (please note that you need to integrate/slipstream all three files for each platform):

  • Windows Update Component ActiveX, x86 or x64.
  • Windows Update Component Aux, x86 or x64.
  • Windows Update Component Core, x86 or x64.

More information and download links for the EXE installers for Windows Vista and Windows XP can be found in the Microsoft Support KB article KB946928.
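Integrating the three CAB files offline, as an added example (not from the original post). It assumes DISM from the Windows 7 AIK (which also services Vista images), an image index picked from dism /Get-WimInfo, and placeholder paths and CAB file names; substitute the file names from the KB article or WindowsUpdate.log for the platform the image is built for.

```powershell
# Added example: mount install.wim, add the three Windows Update component CABs, commit.
$ErrorActionPreference = 'Stop'

$wim      = 'D:\Sources\install.wim'   # placeholder
$index    = 1                          # placeholder: image index from dism /Get-WimInfo
$mountDir = 'C:\Mount'                 # placeholder: empty directory for the mounted image
$cabs     = @(                         # placeholder names; all three are needed per platform
    'C:\WU\WindowsUpdate-ActiveX-x86.cab',
    'C:\WU\WindowsUpdate-Aux-x86.cab',
    'C:\WU\WindowsUpdate-Core-x86.cab'
)

New-Item -ItemType Directory -Path $mountDir -Force | Out-Null

& dism.exe /Mount-Wim "/WimFile:$wim" "/Index:$index" "/MountDir:$mountDir"
if ($LASTEXITCODE -ne 0) { throw "Mount failed with exit code $LASTEXITCODE" }

try {
    foreach ($cab in $cabs) {
        & dism.exe "/Image:$mountDir" /Add-Package "/PackagePath:$cab"
        if ($LASTEXITCODE -ne 0) { throw "Add-Package failed for $cab (exit code $LASTEXITCODE)" }
    }

    # Show the package list so the integration can be checked before it is saved
    & dism.exe "/Image:$mountDir" /Get-Packages

    & dism.exe /Unmount-Wim "/MountDir:$mountDir" /Commit
    if ($LASTEXITCODE -ne 0) { throw "Commit failed with exit code $LASTEXITCODE" }
}
catch {
    # Never save a half-serviced image: discard the mount and re-raise the error
    & dism.exe /Unmount-Wim "/MountDir:$mountDir" /Discard
    throw
}
```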

Setting Microsoft Update to be default using a script

Windows Update in Windows Vista is wrapped in a regular window in the operating system itself rather than being opened as a web page in Internet Explorer 7. The basics are the same, and the same underlying components are used both in Windows Vista and when you run Windows Update in a browser window on, for instance, Windows XP. Regardless, a Vista client computer set to connect to a WSUS (Windows Server Update Services) server will of course always check for updates there. In the Windows Update control panel on a client computer you can, however, choose to alternatively search for updates on Windows Update. If you deploy other software such as Office 2007 you might want to use Microsoft Update instead of Windows Update, to see if there are other updates available for Office and other Microsoft products, not only Windows.

Windows Update in Windows Vista

The reason why I want to check Microsoft Update manually from time to time is to regularly see which updates arrive for the various client computers, so they can be downloaded separately and then integrated into our installation media. Since opting into Microsoft Update requires administrative rights on the computers, I want to set Microsoft Update as default automatically somehow, and apparently there are still no GPO settings for this, which I find rather strange. After doing some research I have found the solution to automatically set Microsoft Update as the default instead of Windows Update. The script to add is as follows:

Set ServiceManager = CreateObject("Microsoft.Update.ServiceManager")
ServiceManager.ClientApplicationID = "My App"
' Add the Microsoft Update service by its GUID; flags 7 = allow pending (1) and online (2) registration + register with Automatic Updates (4)
Set NewUpdateService = ServiceManager.AddService2("7971f918-a847-4430-9279-4a52d1efe18d", 7, "")

Add this to a startup or login script to make sure Microsoft Update is always default.
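The same opt-in in PowerShell, added as an example that is not part of the original post. It is written for a startup script that runs on every boot, so it is idempotent: AddService2 is only called when Microsoft Update is not already registered with Automatic Updates, and the result is verified afterwards by re-reading the service list. It assumes administrative rights and Windows PowerShell 2.0 or later.

```powershell
# Added example: register Microsoft Update as the default service only if needed, then verify.
$MicrosoftUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'

function Enable-MicrosoftUpdate {
    $sm = New-Object -ComObject 'Microsoft.Update.ServiceManager'
    $sm.ClientApplicationID = 'My App'

    # Already registered with Automatic Updates? Then there is nothing to do.
    $existing = $sm.Services | Where-Object { $_.ServiceID -eq $MicrosoftUpdateServiceId }
    if ($existing -and $existing.IsRegisteredWithAU) {
        return New-Object PSObject -Property @{ Changed = $false; RegisteredWithAU = $true }
    }

    # Flags 7 = AllowPendingRegistration (1) + AllowOnlineRegistration (2) + RegisterServiceWithAU (4)
    $null = $sm.AddService2($MicrosoftUpdateServiceId, 7, '')

    # Re-read the service list to confirm the registration took effect
    $svc = $sm.Services | Where-Object { $_.ServiceID -eq $MicrosoftUpdateServiceId }
    New-Object PSObject -Property @{
        Changed          = $true
        RegisteredWithAU = [bool]($svc -and $svc.IsRegisteredWithAU)
    }
}

Enable-MicrosoftUpdate
```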