I am wondering, what is the best way to automatically update a new installation of Windows (Windows 7)?
When I manually update a new install of Windows 7 SP1, I get about 45 updates. Installing those is not the problem, but after installing those, up come new updates. One installs them and then again: new updates and so on. Altogether it takes a long time - and you have to come back every few minutes to check for new updates and install them.
So, how is that done in business / how to automate this? Is WSUS a good way for this or does it only cache updates locally?
Using WSUS, is it possible to force immediate install of updates, reboot and install more updates automatically?
WSUS wouldn't help me if updates are only installed when the system is shut down, because then it again would require user interaction (shutting down the system, wait for reboot, shutdown again...).
Thanks for any hint!
If you are starting from a bare metal install, you can slipstream updates into your installer disc so it already has updates in it (this depends on how many installs you're doing to make it worth it).
WSUS will not reboot your computer for you. It only keeps track of your updates and will act as a repo for updates so that rather than updating 300+ meg of updates from your Internet connection, they'll come from the local network. It can also control which systems get updates (I want to update IE for all the computers in HR, but restrict it from Marketing...) and give you reports on what updates your systems in the network have. The update mechanism sucks in terms of giving feedback of what is happening, but that's a shortcoming of Windows Updates. It also won't prevent the constant "You're updated! No, wait, you're not..." reboot cycles. Through group policy, you can have the system update with Windows Updates automatically on a scheduled basis just like regular Windows can be set to do individually if you don't mind becoming fully updated over a few days and leaving it on overnight to regularly check for updates and reboot.
Another method is to use the Windows Deployment Services (if you have, say, a lab of systems to update.) You take one of the systems, fully update and configure it, then sysprep it and upload that to the WDS server. Then netboot the subsequent systems and install the full image, fully updated. You have a lot of time invested in the first system but save time when you have 30 systems to install straight from the WDS server. Even if you don't create an auto-deployment script to finish the post-sysprep state you'll save a lot of time not having to do service packs, MS Office, custom installed software, etc. plus you can re-deploy the image when a system gets screwed up.
Otherwise you will have to do the updates repeatedly by hand, which as you've found, takes quite a bit of time. But at least you know that it was done without issues or errors.
I can highly recommend WSUS Offline Update. You can use it to create a USB stick or DVD which you can use afterwards to automatically install all critical updates for every currently supported Windows or Office version. It will automatically restart and continue the update process, so you just need time but can let it work unattended.
Businesses do two things:
1. They have an image with core drivers etc. that they maintain and regularly update. For example, we have a machine with Windows and the drivers that just updates and is not used, and every 3-6 months we use it as the base for a new image. Plus after every service pack.
2. A new machine gets the image and all updates since then. Not that many.
One of the problems you face is that it is not possible to install all the updates in one go because some are dependent on others and they may not be applied until the machine has rebooted. This is why you have to go through the update, reboot, update, reboot, etc. Using WSUS makes no difference as it's merely a distribution point for the updates and doesn't directly affect how those updates are applied, other than whether or not they are approved.
There are settings for Windows Update to install and reboot if necessary, although in my opinion it's ill advised as it's known to be troublesome. Have a look at either GPO or local policies for the relevant settings.
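The update, reboot, update cycle described above can be driven by a script instead of by hand. The following is an added example, not code from any of the posts: it runs one pass through the Windows Update Agent COM API and reports whether a reboot or another pass is needed. It assumes an elevated PowerShell session started again after every reboot (for example from a startup script); the function name and the status strings are made up for illustration.

```powershell
# Added example: one unattended pass through the Windows Update Agent (WUA) COM API.
# Run elevated; start it again after each reboot until it reports 'UpToDate'.
function Invoke-UpdatePass {
    $session = New-Object -ComObject Microsoft.Update.Session
    # The search uses the update source the machine is configured for (WSUS or Microsoft).
    $query = "IsInstalled=0 and Type='Software' and IsHidden=0"
    $found = $session.CreateUpdateSearcher().Search($query).Updates
    if ($found.Count -eq 0) { return 'UpToDate' }

    $batch = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $found) {
        # Updates that ask for interactive input would stall an unattended run.
        if ($u.InstallationBehavior.CanRequestUserInput) { continue }
        if (-not $u.EulaAccepted) { $u.AcceptEula() }
        [void]$batch.Add($u)
    }
    if ($batch.Count -eq 0) { return 'ManualOnly' }

    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $batch
    [void]$downloader.Download()

    # Install only what actually arrived; the rest is retried on the next pass.
    $ready = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $batch) { if ($u.IsDownloaded) { [void]$ready.Add($u) } }
    if ($ready.Count -eq 0) { return 'DownloadFailed' }

    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $ready
    $result = $installer.Install()

    # Dependent updates only become applicable after the pending reboot.
    if ($result.RebootRequired) { return 'RebootRequired' }
    # ResultCode 4 = failed, 5 = aborted: stop instead of looping forever.
    if ($result.ResultCode -ge 4) { return 'InstallFailed' }
    return 'RunAgain'
}

switch (Invoke-UpdatePass) {
    'RebootRequired' { Restart-Computer -Force }
    'RunAgain'       { Write-Output 'Installed without reboot; run another pass.' }
    'UpToDate'       { Write-Output 'No applicable updates left; remove the startup script.' }
    default          { Write-Output "Stopped: $_" }
}
```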
I am using with great success the free version of WuInstall alongside a GPO-assigned startup script.
One way (there are others) to fast update a fresh Windows install from WSUS
Approving needed updates
At this point you shall have all needed updates for new machines approved.
It's time to automate installation and reboot.
Assign this startup script using the GPO created in step 1.
Add more machines to domain as in step 7.
Perform the instructions below at your own risk. These instructions for automating Windows Update may or may not work for your system; however, they appear to work to an extent for Windows 7, as these instructions were tested on Windows 7.
MUST READ: 1. If the step below does not work, then you are most likely part of a domain and your security policy may not allow you to perform the steps below! 2. UAC prompts were also disabled for the duration of the Windows updates so the batch files can run without interruption; be careful to restore this to default when done.
Caution: this step will make your computer less secure, so immediately remove this after your computer is completely up to date. Set a reminder for 24 hours later if need be:
1. First you will have to make sure your computer automatically logs into a user. You can do this by clicking start menu, type "netplwiz", press enter or open the wizard, under the users tab, select your username, and un-check "require password", type your password, close this window.
2. Create 3 batch files to start the automated process. (Open Notepad, paste each code into a separate Notepad window and perform a "Save as" with corresponding_file_name.bat)
One. Save as: any_name.bat then copy this batch file to your startup folder for the user you made auto login. (Click start > All Programs > Startup)
Two. Save as: autoupdate1.bat then copy this to C:\ drive
Three. Save as: autoupdate2.bat then copy this to C:\ drive
Restart or open the batch file in the startup folder and watch the magic begin!
3. When it is completely done updating just delete the batch files from the startup folder & c:\ drive
Once again, follow these instructions at your own risk, as it can create an endless loop if you do not know how to stop this process by removing it from the startup folder or going into Windows under safe mode to remove the batch files.
Final notes: If you run into issues running the batch files, chances are you may have to look up how to disable UAC prompts for your Windows version.
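The answer above asks for automatic logon, UAC and the batch files to be reverted once the machine is up to date. The following check is an added example, not part of the original post: it reports anything from that temporary setup that is still in place. It assumes the file names given in the post (autoupdate1.bat and autoupdate2.bat on C:\) and the default per-user and all-users Startup folder locations; the function name is made up for illustration.

```powershell
# Added example: list leftovers of the temporary unattended-update setup.
function Get-UpdateSetupLeftovers {
    $findings = @()

    # Automatic logon is controlled by values under the Winlogon key.
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
        -ErrorAction SilentlyContinue
    if ($wl.AutoAdminLogon -eq '1') { $findings += 'Automatic logon is still enabled (AutoAdminLogon=1)' }
    if ($wl.DefaultPassword)        { $findings += 'Plaintext DefaultPassword is stored under Winlogon' }

    # UAC state: EnableLUA=0 turns UAC off, ConsentPromptBehaviorAdmin=0 elevates silently.
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -ErrorAction SilentlyContinue
    if ($pol.EnableLUA -eq 0)                  { $findings += 'UAC is disabled (EnableLUA=0)' }
    if ($pol.ConsentPromptBehaviorAdmin -eq 0) { $findings += 'Admins are elevated without a UAC prompt' }

    # Batch files the post places on C:\ (names taken from the post).
    foreach ($f in 'C:\autoupdate1.bat', 'C:\autoupdate2.bat') {
        if (Test-Path $f) { $findings += "Leftover batch file: $f" }
    }

    # Any .bat still in a Startup folder would restart the loop at the next logon.
    $startupGlobs = @(
        "$env:SystemDrive\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.bat",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*.bat"
    )
    foreach ($glob in $startupGlobs) {
        Get-ChildItem -Path $glob -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "Batch file in Startup folder: $($_.FullName)" }
    }

    return $findings
}

$leftovers = @(Get-UpdateSetupLeftovers)
if ($leftovers.Count -eq 0) { Write-Output 'No leftovers found.' }
else { $leftovers | ForEach-Object { Write-Output "FINDING: $_" } }
```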
To my knowledge there has to be a level of user interaction. You can set the computer to automatically install updates but it will still prompt you to restart the computer. I don't believe WSUS has the power to remotely reboot for you.
I'd be interested to know if anyone does have a solution to this, could save me a lot of time!
WSUS can't force updates, but you can use Group Policy to do some of this:
http://technet.microsoft.com/en-us/library/cc720539(WS.10).aspx
You could probably find the associated Registry entries, too, and just do it manually as required. Or, set it on the local machine policy.
I realise I'm a bit late but there were a couple of unlisted cases here. Setting up a WSUS group with all updates with a past deadline and a GPO set up for automatic installs and updates works very well.
There are also auto update scripts for use with MDT / WDS which eliminate the need for slipstream or imaging (at the cost of deploying each update to an imaged system). This is the route my company uses. It avoids the time requirements of maintaining images at the cost of an extra 30 to 45 minutes per deployment.
I used WSUS to get the list of updates in one folder, then used BatchPatch to generate a multiple install batch of ALL of them WITHOUT any intervention. Set it and forget it and when it finishes, reboot. NICE.. NO MORE SVCHOST pegging out the CPU at 100% so installing takes an eternity!