VBScript for Windows Updates
The scripting of Windows patching in a reliable, auditable fashion is fundamental to any automated Windows build process. The simplest way I've encountered for Altiris administrators to invoke the patch process is through a VBScript which invokes the Windows Updates process. This allows the machine to be scanned, an updates list created, and then a logged installation of those updates initiated.
The key here is that the process must let us know when it's complete; this is critical if we are to continue in a timely fashion with other tasks, such as a sysprep and image upload.
Today's download contains the script windowsupdates_v1.1.vbs. This script can be executed on Windows machines with the Windows Update Agent installed. To get the Windows Update Agent, see Microsoft KB 949104 - How to obtain the latest version of the Windows Update Agent.
This script is based on a Microsoft script, with some changes by our Darren Collins here at Oxford to enable an entirely automated process suitable for Altiris deployments. We've been using this for a few years now, so it's pretty reliable.
Key points are:
- Script will exit with code 98 if updates were installed
- Script will exit with code 99 if no updates found
- All activity logged to c:\Logs
Normally, our implementation runs the script in a reboot loop until exit code 99 is returned. For those wanting an easy life, though, you could just run the script followed by a reboot, twice over.
Let's now look at some log outputs for the scenario of updates found/not found.
Log Extract for Update Found and Installed Scenario
Here is an example of a log entry from the log file, C:\Logs\WindowsUpdates-ALL.log, for when a patch is found:

14/09/2012 09:19:43 - Start: Windows Updates All script starting.
14/09/2012 09:21:14 - 1 > Update for Office File Validation 2010 (KB2553065), 32-bit Edition
14/09/2012 09:21:14 - Applicable updates: 1
14/09/2012 09:21:55 - Updates found and installed. See %WinDir%\WindowsUpdate.log for details.
14/09/2012 09:21:55 - End: Windows Updates All script Complete.

Log Extract for No Updates Found Scenario
Here is an example of a log entry from the log file, C:\Logs\WindowsUpdates-ALL.log, for when no updates are found:

14/09/2012 09:26:10 - Start: Windows Updates All script starting.
14/09/2012 09:26:17 - No Updates Found.
14/09/2012 09:26:17 - End: Windows Updates All script Complete.

In this case the script exits with return code 99. In your setup, you'd probably want to initiate a reboot and then simply continue with your task chain.
It's very important to have jobs preceding this script which ensure you have a suitable version of the MSI service and Windows Update agent installed.
Next, from time to time, you'll find that certain updates never get installed properly, with the result that you never get a 99 return code to say all is now fine. If this happens to you, consider moving the problem update into its own task. I've seen this, for example, with the Microsoft Office File Validation Add-in; to resolve it we just added the OFV.EXE install directly into our MS Office installation job.
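An update that keeps coming back can be spotted from the log itself. The following is an added example, not part of the downloadable script: it parses the C:\Logs\WindowsUpdates-ALL.log format shown above, splits it into passes, and lists KB numbers offered in more than one pass. The sample log is constructed, and the "2 >" numbering and KB0000001 in it are assumptions for illustration.

```python
import re
from collections import Counter

LINE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - (.*)$")
OFFERED = re.compile(r"^\d+ > (.*)$")  # e.g. "1 > Update for ... (KB2553065), ..."
KB = re.compile(r"\((KB\d+)\)")
OUTCOMES = {"Updates found and installed": 98, "No Updates Found": 99}  # exit codes

# Constructed sample (three passes, last one interrupted); "2 >" and KB0000001 are assumed.
SAMPLE = r"""14/09/2012 09:19:43 - Start: Windows Updates All script starting.
14/09/2012 09:21:14 - 1 > Update for Office File Validation 2010 (KB2553065), 32-bit Edition
14/09/2012 09:21:14 - 2 > Constructed Example Update (KB0000001)
14/09/2012 09:21:55 - Updates found and installed. See %WinDir%\WindowsUpdate.log for details.
14/09/2012 09:21:55 - End: Windows Updates All script Complete.
14/09/2012 09:30:02 - Start: Windows Updates All script starting.
14/09/2012 09:31:10 - 1 > Update for Office File Validation 2010 (KB2553065), 32-bit Edition
14/09/2012 09:31:40 - Updates found and installed. See %WinDir%\WindowsUpdate.log for details.
14/09/2012 09:31:40 - End: Windows Updates All script Complete.
14/09/2012 09:40:05 - Start: Windows Updates All script starting.
14/09/2012 09:41:12 - 1 > Update for Office File Validation 2010 (KB2553065), 32-bit Edition"""

def parse_runs(text):
    """Split the log into passes, recording what was offered and how each ended."""
    runs = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or foreign line
        stamp, msg = m.groups()
        if msg.startswith("Start:"):
            runs.append({"start": stamp, "offered": [], "exit_code": None, "complete": False})
        elif runs and not runs[-1]["complete"]:
            run = runs[-1]
            if (hit := OFFERED.match(msg)):
                run["offered"].append(hit.group(1))
            elif msg.startswith("End:"):
                run["complete"] = True
            else:  # outcome line, or something like "Applicable updates: 1"
                run["exit_code"] = next((c for p, c in OUTCOMES.items() if msg.startswith(p)), run["exit_code"])
    return runs

def stuck_updates(runs, min_passes=2):
    """KB numbers offered in at least min_passes passes: candidates for their own task."""
    seen = Counter(kb for r in runs for kb in set(KB.findall(" ".join(r["offered"]))))
    return sorted(kb for kb, n in seen.items() if n >= min_passes)

def converged(runs):
    """True only when the last pass finished and reported no updates (exit code 99)."""
    return bool(runs) and runs[-1]["complete"] and runs[-1]["exit_code"] == 99
```

A pass with no "End:" line is kept with `complete` set to False, so a run cut short by a reboot or crash is never mistaken for a finished one.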
Finally, this script downloads updates from the update server configured on the client computer. In many organisations, the settings for the local WSUS server come down from GPO and are not present during image building (before domain join). In this situation, be aware that the updates will come down from Microsoft instead, unless you set the WSUS server in the registry yourself.