33

I am wondering, what is the best way to automatically update a new installation of Windows (Windows 7)?

When I manually update a new install of Windows 7 SP1, I get about 45 updates. Installing those is not the problem, but after installing those, up come new updates. One installs them and then again: new updates and so on. All together it takes a long time - and you have to come back every few minutes to check for new updates and install them.

So, how is that done in business / how to automate this? Is WSUS a good way for this or does it only cache updates locally?

Using WSUS, is it possible to force immediate install of updates, reboot and install more updates automatically?

WSUS wouldn't help me, if updates are only installed when the system is shutdown, because then it again would require user interaction (shutting down the system, wait for reboot, shutdown again...).

Thanks for any hint!

HopelessN00b
stefan.at.wpf

10 Answers

18

If you are starting from a bare metal install, you can slipstream updates into your installer disc so it already has updates in it (this depends on how many installs you're doing to make it worth it).

WSUS will not reboot your computer for you. It only keeps track of your updates and will act as a repo for updates so that rather than updating 300+ meg of updates from your Internet connection, they'll come from the local network. It can also control which systems get updates (I want to update IE for all the computers in HR, but restrict it from Marketing...) and give you reports on what updates your systems in the network have. The update mechanism sucks in terms of giving feedback of what is happening, but that's a shortcoming of Windows Updates. It also won't prevent the constant "You're updated! No, wait, you're not..." reboot cycles. Through group policy, you can have the system update with Windows Updates automatically on a scheduled basis just like regular Windows can be set to do individually if you don't mind becoming fully updated over a few days and leaving it on overnight to regularly check for updates and reboot.

Another method is to use the Windows Deployment Services (if you have, say, a lab of systems to update.) You take one of the systems, fully update and configure it, then sysprep it and upload that to the WDS server. Then netboot the subsequent systems and install the full image, fully updated. You have a lot of time invested in the first system but save time when you have 30 systems to install straight from the WDS server. Even if you don't create an auto-deployment script to finish the post-sysprep state you'll save a lot of time not having to do service packs, MS Office, custom installed software, etc. plus you can re-deploy the image when a system gets screwed up.

Otherwise you will have to do the updates repeatedly by hand, which as you've found, takes quite a bit of time. But at least you know that it was done without issues or errors.

Bart Silverstrim
  • thanks for your reply! if one uses the slipstreaming way, where to get all required updates? I know tools like WSUS Offline update [it's not from Microsoft], but I am wondering, if there is an official way? – stefan.at.wpf Oct 12 '11 at 11:10
  • 1
    This is probably as official as you'll get for Win7 http://support.microsoft.com/kb/913086 – Bart Silverstrim Oct 12 '11 at 12:26
  • @stefan.at.wpf When I package updates with my thin image using `DISM` I just install a reference computer, check for windows updates and write down the KB number. You can find that on the Microsoft support site easily and download the MSU files for the update. Lather, rinse, repeat. – MDMarra Oct 12 '11 at 14:55
8

I can highly recommend WSUS Offline Update. You can use it to create a USB stick or DVD which you can use afterwards to automatically install all critical updates for every currently supported Windows or Office version.

It will automatically restart and continue the update process, so you just need time but can let it work unattended.

Sven
4

Businesses do two things:

  • First, have internal WSUS which makes updates faster.
  • Second, they DO NOT INSTALL A FRESH WINDOWS.

They have an image with core drivers etc. that they maintain and regularly update. For example, we have a machine with Windows and the drivers that just updates and is not used, and every 3-6 months we use it as the base for a new image. Plus after every service pack.

A new machine gets the image and all updates since then. Not that many.

sinping
TomTom
3

One of the problems you face is that it is not possible to install all the updates in one go because some are dependent on others and they may not be applied until the machine has rebooted. This is why you have to go through the update, reboot, update, reboot, etc. Using WSUS makes no difference as it's merely a distribution point for the updates and doesn't directly affect how those updates are applied, other than whether or not they are approved.

There are settings for Windows Update to install and reboot if necessary, although in my opinion it's ill-advised as it's known to be troublesome. Have a look at either GPO or local policies for the relevant settings.

John Gardeniers
3

I am using the free version of WuInstall with great success, alongside a GPO-assigned startup script.

One way (there are others) to quickly update a fresh Windows install from WSUS

  1. Pre-create new machine accounts on AD and a group to contain those new machines and a GPO assigned to that group.
  2. "Specify Intranet Microsoft update service location" on that GPO.
  3. Create a new group in WSUS to contain the new machines (named staging, perhaps?).

Approving needed updates

  1. Start by approving the latest Service Pack for that group.
  2. Add one of the new machines to the domain using the account name created in step 1.
  3. After reboot, open Windows Update and search for new updates. Select the Service Pack approved in step 1 for installation.
  4. After installation, search for new updates again, but do not install yet.
  5. Now you should have the list of needed updates for that machine on WSUS. Start by approving and installing all needed updates that are not superseded. Later approve superseded ones, if needed.

At this point you should have all needed updates for new machines approved.

It's time to automate installation and reboot.

  1. Download wuinstall.exe to a network location accessible to new machines.
  2. Assign this startup script using the GPO created in step 1.

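    rem Network paths to wuinstall.exe and to the per-machine log file
    set path_to_wuinstall=\\server\path\wuinstall.exe
    set path_to_log=\\server\path\WU-%computername%.txt

    rem Install all approved updates and append the output to the log
    %path_to_wuinstall% /install >> %path_to_log%

    rem Exit code 10 leads to a reboot, exit code 2 means updating is finished
    if %errorlevel% EQU 10 goto reboot
    if %errorlevel% EQU 2 goto done

    goto end

    :reboot
    shutdown -r
    goto end

    :done
    echo Updating completed. >> %path_to_log%

    :end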
    
  3. Add more machines to the domain as in step 7.

  4. As said in Brazil: Agora é só correr pro abraço. (Something like "sit back and relax watching machines being updated").
motobói
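The same install, reboot, install again loop can be written against the Windows Update Agent COM API that ships with Windows. This PowerShell script is an added example, not part of the answer above or of WuInstall; the log path is an assumed placeholder and the script is meant to run elevated at every boot (for example as SYSTEM from a startup script or an at-startup scheduled task).

```powershell
# Added example (not from the answer): one update pass via the Windows Update Agent COM API.
# Run elevated at every boot; it reboots when needed and stops when nothing is left.
$log = "\\server\path\WU-$env:COMPUTERNAME.txt"   # assumed path, mirrors the batch file's log
function Write-Log($msg) {
    Add-Content -Path $log -Value ("{0} {1}" -f (Get-Date -Format s), $msg)
}

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
# Searches the source set by policy (the WSUS server when one is configured).
$found = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
if ($found.Count -eq 0) { Write-Log "Updating completed."; exit 0 }

$todo = New-Object -ComObject Microsoft.Update.UpdateColl
foreach ($u in $found) {
    if ($u.InstallationBehavior.CanRequestUserInput) {
        Write-Log "Skipped, needs user input: $($u.Title)"   # cannot install unattended
        continue
    }
    if (-not $u.EulaAccepted) { $u.AcceptEula() }
    [void]$todo.Add($u)
}
if ($todo.Count -eq 0) { Write-Log "Only interactive updates remain."; exit 0 }

$downloader = $session.CreateUpdateDownloader()
$downloader.Updates = $todo
[void]$downloader.Download()

# Install only what actually downloaded; one failed download must not block the rest.
$ready = New-Object -ComObject Microsoft.Update.UpdateColl
foreach ($u in $todo) { if ($u.IsDownloaded) { [void]$ready.Add($u) } }
if ($ready.Count -eq 0) { Write-Log "No update could be downloaded."; exit 1 }

$installer = $session.CreateUpdateInstaller()
$installer.Updates = $ready
$result = $installer.Install()

for ($i = 0; $i -lt $ready.Count; $i++) {
    # ResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed, 5 = aborted
    $code = $result.GetUpdateResult($i).ResultCode
    Write-Log ("{0} -> result {1}" -f $ready.Item($i).Title, $code)
}

if ($result.RebootRequired) {
    Write-Log "Reboot required, restarting."
    shutdown.exe /r /t 30
}
```

Only updates approved for the machine's WSUS group are offered, so the approval steps above still decide what gets installed.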
2

Perform the instructions below at your own risk. To automate Windows Update, these instructions may or may not work for your system; however, it appears to work to an extent for Windows 7, as these instructions were tested on Windows 7.

MUST READ:

1. If the step below does not work, then you are most likely part of a domain and your security policy may not allow you to perform the steps below!
2. UAC prompts were also disabled for the duration of the Windows updates so the batch files can run without interruption; be careful to restore this to default when done.

Caution: this step will make your computer less secure; immediately remove this after your computer is completely up to date. Set a reminder for 24 hours later if need be:

1. First you will have to make sure your computer automatically logs into a user. You can do this by clicking the start menu, typing "netplwiz", pressing enter or opening the wizard, then under the Users tab, select your username and un-check "require password", type your password, and close this window.

2. Create 3 batch files to start the automated process. (Open notepad paste each code into a separate notepad and perform a save as corresponding_file_name.bat)

One. Save as: any_name.bat then copy this batch file to your startup folder for the user you made auto login. (Click start > All Programs > Startup)

    rem Launch the update batch file in its own window, then close this one
    start "" c:\autoupdate1.bat
    exit

Two. Save as: autoupdate1.bat then copy this to C:\ drive

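    rem Ask the Automatic Updates client to detect and install updates
    wuauclt /detectnow
    wuauclt /updatenow
    rem Reboot at once if the RebootRequired key exists
    reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired" > nul && shutdown -r -t 0
    rem Otherwise hand over to the wait loop
    start "" c:\autoupdate2.bat
    exit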

Three. Save as: autoupdate2.bat then copy this to C:\ drive

    rem Wait about 60 seconds, then run the update batch file again
    ping 127.0.0.1 -n 61 > nul
    start "" c:\autoupdate1.bat
    exit

Restart or open the batch file in the startup folder and watch the magic begin!

3. When it is completely done updating just delete the batch files from the startup folder & c:\ drive

Once again, follow these instructions at your own risk, as it can create an endless loop if you do not know how to stop this process by removing it from the startup folder or going into Windows under safe mode to remove the batch files.

Final notes: If you run into issues running the batch files, chances are you may have to look up how to disable UAC prompts for your Windows version.

EzR
1

To my knowledge there has to be a level of user interaction. You can set the computer to automatically install updates but it will still prompt you to restart the computer. I don't believe WSUS has the power to remotely reboot for you.

I'd be interested to know if anyone does have a solution to this, could save me a lot of time!

  • 3
    With Group Policy, you can configure Automatic Updates to trigger a restart (if required) without user interaction after a timeout period. See [this TechNet blog](http://blogs.technet.com/b/mu/archive/2008/10/02/windows-update-and-automatic-reboots.aspx) for some relevant information. – jscott Oct 12 '11 at 12:22
  • excellent, thanks for that. I'll have a look in to it – Tommy Whitmore Oct 14 '11 at 11:01
0

WSUS can't force updates, but you can use Group Policy to do some of this:

http://technet.microsoft.com/en-us/library/cc720539(WS.10).aspx

You could probably find the associated Registry entries, too, and just do it manually as required. Or, set it on the local machine policy.

Dan
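The registry entries behind those Group Policy settings can be set directly on a machine that is not yet in the domain. This PowerShell snippet is an added example, not part of the answer above; the WSUS URL, the install hour and the helper name `Set-WuPolicy` are assumptions to adapt.

```powershell
# Added example: registry values behind the Windows Update Group Policy settings.
$wsus = "https://wsus.example.internal:8531"   # assumed placeholder, use your WSUS URL
$wu = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$au = "$wu\AU"
# Create the keys only when missing so existing policy values are left alone.
if (-not (Test-Path $au)) { New-Item -Path $au -Force | Out-Null }

function Set-WuPolicy($key, $name, $value, $type) {   # hypothetical helper
    New-ItemProperty -Path $key -Name $name -Value $value -PropertyType $type -Force | Out-Null
}

Set-WuPolicy $wu WUServer       $wsus String   # "Specify intranet Microsoft update service location"
Set-WuPolicy $wu WUStatusServer $wsus String
Set-WuPolicy $au UseWUServer    1 DWord        # use the server named above
Set-WuPolicy $au NoAutoUpdate   0 DWord        # Automatic Updates enabled
Set-WuPolicy $au AUOptions      4 DWord        # 4 = download automatically, install on schedule
Set-WuPolicy $au ScheduledInstallDay  0 DWord  # 0 = every day
Set-WuPolicy $au ScheduledInstallTime 3 DWord  # hour of day (0-23), assumed value
Set-WuPolicy $au NoAutoRebootWithLoggedOnUsers 0 DWord  # 0 = restart after the warning even with a user logged on
Set-WuPolicy $au DetectionFrequencyEnabled 1 DWord
Set-WuPolicy $au DetectionFrequency 1 DWord    # hours between update checks

Restart-Service -Name wuauserv                 # make the agent re-read the policy
# Read the values back to confirm what is now configured.
Get-ItemProperty -Path $au |
    Select-Object UseWUServer, AUOptions, ScheduledInstallDay, ScheduledInstallTime, NoAutoRebootWithLoggedOnUsers
```

On a domain-joined machine, a GPO that configures the same policies overwrites these values at the next policy refresh.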
0

I realise I'm a bit late but there were a couple of unlisted cases here. Setting up a WSUS group with all updates with a past deadline and a GPO set up for automatic installs and updates works very well.

There are also auto update scripts for use with MDT / WDS which eliminate the need for slipstream or imaging (at the cost of deploying each update to an imaged system). This is the route my company uses. It avoids the time requirements of maintaining images at the cost of an extra 30 to 45 minutes per deployment.

Tim Brigham
0

I used WSUS to get the list of updates in one folder, then used Batchpatch to generate a multiple install batch of ALL of them WITHOUT any intervention. Set it and forget it and when it finishes, reboot. NICE.. NO MORE SVCHOST pegging out the CPU at 100% so installing takes an eternity!