Client Management Suite

So we're looking to roll out IE 11 via a software policy but I can't quite figure out a solution for dealing with the prerequisites.  I'd be happy to break them out into their own package but can't figure out how to write proper detection rules.  Apparently, there's no reliable registry entries for these updates and you have to query them via WMI.  I looked at the IE Administrative Kit which supposedly can support including the prerequisites but haven't had any luck getting that to work.

So what are you guys doing out there to roll out IE?

You should make each pre requisite its own package. You should be able to find a reg key that you can use, failing that Microsoft usually give file versions in the KB article for each patch so you cold use a File detection rule.

Hi, I am working on this too and hit the wall.

Apparently some (if not all) prerequisites are .msu and it is not possible to simply check for a registry key as normal installation package.

I've tried to add 2 updates in as "Depends on" in Association, but they can't work as the policy will complaints no installation command.

Appreciate if there are more suggestions.

If you look at each individual support article for each patch you can get the file information that you can use for detection and maybe applicability rules. The installation command is: wusa.exe Windows6.1-KB2533623-x64.msu /quiet /norestart

Indeed, the package import only seems to generate command lines for EXE and MSIs.  You can create your own command lines for them by calling wusa.exe.  You're still on the hook for the detection rules though which, as far as I know right now, would need to be based on the file versions of the KB article (as andykn101 points out).  I would really like to avoid that, there's a whole whack of files that are going to get changed or might already be updated on the machine.

Hey guys,

I've been following your thread in order to deliver IE10. Just like IE11, it needs a bunch of Windows updates installed. I was not able to create detection rules for each Windows updates, I did not manage how I was going to do that by detecting a registry key or a version file. 

So I managed to find a way around. I just inserted new success codes in the installation command line:

If the installation of the update returns code 3010, it means it installed successfully and it needs a Windows reboot. If the installation of the update returns code 2359302, it means it is already installed. 

If you guys did find a way to apply a good detection rule in these cases, I'd really appreciate if you inform me of such.

Thanks.

I'm sure if you look at each individual support article for each patch you can get the file information that you can use for detection and maybe applicability rules.

Sorry Andy, but how do I accomplish this? Is this a file version detection rule? Which directory I'm looking for that list of files?

Can you show me an example? Do you use this in your environment or not?

I was looking in %windir%\servicing and I see a some of those mentioned files, that's because it depends on your system. And that's the biggest problem, how do I create a generic detection rule for this? Because for what I'm seeing I will have to build a variety of rules and that's too much effort and time spent.

Every update will have an article online that will tell you what files are affected by the update and the details of the files included in the update.  For example, for KB2639308 you can go to http://support.microsoft.com/kb/2639308.  You can then create packages that use that info for detection and applicability rules.  In theory, it's certainly doable but it's not particularly practical ... it would takes weeks to properly test all that out.

I did some digging around and it looks like the IE 11 prerequisites are primarily hotfixes which  writes registry entries into the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect.  So I'm going to see if those are staticly named (there's an odd hex value in there) and can be used for detection.

 

Hi, this is what I'm doing based on the log file C:\Windows\ie11_main.log.

Not very robust but I think it is an easy way out. Otherwise deploy all the required Windows Update using the patch deployment from Altiris but your IE11 deployment will have to wait until the patch completion.

00:22.604: INFO:    Version Check for (KB2834140) of C:\Windows\System32\d3d11.dll: 6.2.9200.16492 >= 6.2.9200.16570 (False)
00:22.604: INFO:    Version Check for (KB2670838) of C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll: 6.2.9200.16492 >= 6.2.9200.16426 (True)
00:22.620: INFO:    Version Check for (KB2639308) of C:\Windows\System32\Ntoskrnl.exe: 6.1.7601.18409 >= 6.1.7601.17727 (True)
00:22.620: INFO:    Version Check for (KB2533623) of C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll: 6.1.7601.18229 >= 6.1.7601.17617 (True)
00:22.620: INFO:    Version Check for (KB2731771) of C:\Windows\System32\conhost.exe: 6.1.7601.18229 >= 6.1.7601.17888 (True)
00:22.620: INFO:    Checking for correct version of C:\Windows\Fonts\segoeui.ttf.
00:22.620: INFO:    Version Check for (KB2786081) of C:\Windows\System32\taskhost.exe: 6.1.7601.18010 >= 6.1.7601.18010 (True)
00:22.760: INFO:    Version Check for (KB2888049) of C:\Windows\System32\drivers\tcpip.sys: 6.1.7601.18438 >= 6.1.7601.18254 (True)
00:22.838: INFO:    Version Check for (KB2882822) of C:\Windows\System32\tdh.dll: 6.1.7600.16385 >= 6.1.7601.18247 (False)

I've actually had great luck deploying with a script.  If I remember correctly, there were 7 or 8 pre-req patches for a regular Windows 7 machine and I was able to do it all from within.

 

I simply put all of the patches shown below into a folder along with my powershell script and had Altiris download to C:\Windows\Temp\IE11. 

 

For the command line, use Powershell.exe -file "C:\Windows\Temp\IE11\IE11_install.ps1 .  That can be changed depending on where you want to put it.

 

The script is shown below..

 

 

<!  BEGIN POWERSHELL - COPY BELOW THIS LINE AND SAVE AS IE11_Install.ps1  !>

 

#######################################################################################
#                               Pre-Requisite Information
#######################################################################################

<#
Requisite updates for IE11 installation on Microsoft Windows 7 x86 and x64 (Please see http://support.microsoft.com/kb/2847882)

    1. KB2729094 (http://support.microsoft.com/kb/2729094)
    2. KB2731771 (http://support.microsoft.com/kb/2731771)
    3. KB2533623 (http://support.microsoft.com/kb/2533623)
    4. KB2670838 (http://support.microsoft.com/kb/2670838)
    5. KB2786081 (http://support.microsoft.com/kb/2786081)
    6. KB2834140 (http://support.microsoft.com/kb/2834140)

Optional updates for IE11 installation on Microsoft Windows 7 x86 and x64

    1. KB2639308 (http://support.microsoft.com/kb/2639308)
    2. KB2888049 (http://support.microsoft.com/kb/2888049)
    3. KB2882822 (http://support.microsoft.com/kb/2882822)
#>

########################################################################################

$fileroot = "c:\Windows\Temp\IE11"

IF (($os.OSArchitecture) -eq "32-Bit" -and (Test-Path $fileroot) -eq $true)
{

    Write-Host "Found 32-Bit Architecture...Please wait while we apply pre-requisite updates..."
    Write-Host "$date.....x86 File Validity Test, please standby"

    #Define Updates x86
    $KB132 = "$fileroot\Windows6.1-KB2533623-x86.msu"
    $KB232 = "$fileroot\Windows6.1-KB2888049-x86.msu"
    $KB332 = "$fileroot\Windows6.1-KB2670838-x86.msu"
    $KB432 = "$fileroot\Windows6.1-KB2729094-v2-x86.msu"
    $KB532 = "$fileroot\Windows6.1-KB2731771-x86.msu"
    $KB632 = "$fileroot\Windows6.1-KB2786081-x86.msu"
    $KB732 = "$fileroot\Windows6.1-KB2834140-v2-x86.msu"
    $KB832 = "$fileroot\Windows6.1-KB2882822-x86.msu"
    $KB932 = "$fileroot\Windows6.1-KB2639308-x86.cab"
    $ie32 = "$fileroot\IE11-Windows6.1-x86-en-us.exe" #Define App

    Write-Host "Installing Update 1..."
    Start-Process "wusa.exe" -ArgumentList "$kb132 /quiet /norestart" -Wait -Verbose

    Write-Host "Installing Update 2..."
    Start-Process "wusa.exe" -ArgumentList "$kb232 /quiet /norestart" -Wait -Verbose

    Write-Host "Installing Update 3..."
    Start-Process "wusa.exe" -ArgumentList "$kb332 /quiet /norestart" -Wait -Verbose

    Write-Host "Installing Update 4..."
    Start-Process "wusa.exe" -ArgumentList "$kb432 /quiet /norestart" -Wait -Verbose

    Write-Host "Installing Update 5..."
    Start-Process "wusa.exe" -ArgumentList "$kb532 /quiet /norestart" -Wait -Verbose

    Write-Host "Installing Update 6..."
    Start-Process "wusa.exe" -ArgumentList "$kb632 /quiet /norestart" -Wait -Verbose

    Write-Host "Installing Update 7..."
    Start-Process "wusa.exe" -ArgumentList "$kb732 /quiet /norestart" -Wait -Verbose

    Write-Host "Installing Update 8..."
    Start-Process "wusa.exe" -ArgumentList "$kb832 /quiet /norestart" -Wait -Verbose

    Write-Host "Installing Update 9..."
    Start-Process "dism.exe" -ArgumentList "/online /add-package /packagepath:$KB932 /quiet /norestart" -NoNewWindow -Wait -verbose

    Write-Host "Installing Internet Explorer 11, 32-bit...Please Wait"
    Start-Process "$ie32" -ArgumentList "/passive /norestart /update-no" -Wait -verbose

    Exit 0

}

Elseif ((Test-Path $fileroot) -eq $false)
{ Write-Host "$date.....Software can not be found, please contact your system administrator!"

Exit 1603}

 

#######################################################################################
#                                IE 64-bit Routine
#######################################################################################

IF (($os.OSArchitecture) -eq "64-Bit" -and (Test-Path $fileroot) -eq $true)
{
    Write-Host "Found 64-Bit Architecture...Please wait while we apply pre-requisite updates..."

    #Define Updates x64
    $KB164 = "$fileroot\Windows6.1-KB2533623-x64.msu"
    $KB264 = "$fileroot\Windows6.1-KB2888049-x64.msu"
    $KB364 = "$fileroot\Windows6.1-KB2670838-x64.msu"
    $KB464 = "$fileroot\Windows6.1-KB2729094-v2-x64.msu"
    $KB564 = "$fileroot\Windows6.1-KB2731771-x64.msu"
    $KB664 = "$fileroot\Windows6.1-KB2786081-x64.msu "
    $KB764 = "$fileroot\Windows6.1-KB2834140-v2-x64.msu"
    $KB864 = "$fileroot\Windows6.1-KB2882822-x64.msu"
    $KB964 = "$fileroot\Windows6.1-KB2639308-x64.cab"
    $ie64 = "$fileroot\IE11-Windows6.1-x64-en-us.exe " #Define App

    Write-Host "Installing Update 1..."
    Start-Process "wusa.exe" -ArgumentList "$kb164 /quiet /norestart" -Wait -Verbose

    Write-Host "Installing Update 2..."
    Start-Process "wusa.exe" -ArgumentList "$kb264 /quiet /norestart" -Wait -Verbose

    Write-Host "Installing Update 3..."
    Start-Process "wusa.exe" -ArgumentList "$kb364 /quiet /norestart" -Wait -Verbose

    Write-Host "Installing Update 4..."
    Start-Process "wusa.exe" -ArgumentList "$kb464 /quiet /norestart" -Wait -Verbose

    Write-Host "Installing Update 5..."
    Start-Process "wusa.exe" -ArgumentList "$kb564 /quiet /norestart" -Wait -Verbose

    Write-Host "Installing Update 6..."
    Start-Process "wusa.exe" -ArgumentList "$kb664 /quiet /norestart" -Wait -Verbose

    Write-Host "Installing Update 7..."
    Start-Process "wusa.exe" -ArgumentList "$kb764 /quiet /norestart" -Wait -Verbose

    Write-Host "Installing Update 8..."
    Start-Process "wusa.exe" -ArgumentList "$kb864 /quiet /norestart" -Wait -Verbose

    Write-Host "Installing Update 9..."
    Start-Process "dism.exe" -ArgumentList "/online /add-package /packagepath:$KB964 /quiet /norestart" -NoNewWindow -Wait -verbose

    Write-Host "Installing Internet Explorer 11, 64-Bit, Please wait..."
    Start-Process "$ie64" -ArgumentList "/passive /norestart /update-no" -Wait -verbose

    Exit 0
}
Elseif ((Test-Path $fileroot) -eq $false)
{
    Write-Host "$date.....Software can not be found, please contact your system administrator!"
    Exit 1603
}

 

 

 

Bdamn,

 

Have you had any luck with any of these ideas?

 

Paul

Try looking at my article I published on how we do it in our organization.

 

https://www-secure.symantec.com/connect/articles/deploy-internet-explorer-11-prerequisite-patches-swd-or-task

 

Thanks,

Clay

 

In the end, I just rolled my own pre-requisite package script.  Most of the KBs did end up writing registry keys, just in a different location.  If I had waited a bit longer I would have taken a stab at your PowerShell solution.

   Thanks all,

      Bryan

Team,

Can you please help me with the same.

I have followed AltirisJunki article but unable to do so.

Kindly help please.