Installing Hotfixes through Group Policies

I was looking at SUS, and from what I have read...it cannot be installed on the Domain Controller, is this correct? And then is SUS the same thing as WSUS?

WSUS and SUS used to be two different things.  Not sure if it can be installed on a DC.  But it should run fine on an older dedicated workstation.

WSUS can be installed on a domain controller.  

I would suggest installing it.  The setup can be a little wiggy, depending on your existing setup, but once fixed up, it works like a charm and greatly improves speed of hotfix/patch deployment.

WSUS is the new version of SUS.  This new version can be installed on a Domain Controller.  However, if this is a hotfix supplied by MS it will not be available for install through WSUS as you have to obtain it special from MS.

Is the update you have in .msi format or .exe?

The hotfix I have has been supplied by Microsoft, and it is in the form of a .exe file.  

You can deploy it with a Startup script from a GPO.

To determine how to run the exe, goto a CMD prompt and CD to where the patch is.  Type in the patch name and add /? to the end of the line.  Your switch option will be displayed.

You probably have the ability to run it with /quiet /norestart which would allow you to install it on bootup.

I followed your instructions for the command prompt, and the following is what I received:

AVAILABLE SWITCHES:
[/help] [/quiet] [/passive] [/uninstall] [/norestart] [/forcerestart] [/l] [/n] [/o] [/f] [/integrate:]

SETUP MODES:
/quiet                 Quiet mode (no user interaction or display)
/passive             Unattended mode (progress bar only)
/uninstall            Unistalls the package

RESTART OPTIONS:
/norestart           Do not restart when installation is complete
/forcerestart       Restart after installation


SPECIAL OPTIONS:
/l                       Lists installed Windows hotfixes or update packages
/o                      Overwrite OEM files without prompting
/n                      Do not backup files needed for uninstall
/f                       Foce other programs to close when the computer shuts down
/integrate: <fullpath> Integrate this software update into <fullpath>

So now then where do I go from here.  I am fairly new at the whole GPO topic along with the scripts.  Plus this script has the need to have the registry edit changed for each computer, can we get this to change the registry edit automatically as well?

Thank you!

Yes, you can change the registry too.

This sounds like a one time patch from MS PSS that needs to be deployed - is that correct?

In your startup script you need something like this:

regedit /s regfile.reg
patch.exe /quiet /forcereboot


Where regfile.reg is the registry modification file and patch.exe is the patch name.

If you don't have the reg file then you need to make the mod on a reference machine then export the key to the reg file.  Remove all entries except the top header and the key you are attempting to modify then resave it.

This is a one time patch that does need to be deployed.  This patch is to allow folder redirection and policies for Internet Explorer to co-exist in the same environment.  

So if I understand right this is what I need to do.

Create a startup script, can this be done through Group Policy (add a new GPO)? Or is this something I create in Wordpad and save it as a .bat file?

In the script I will have two lines:

regedit /s regfile.reg

I do not have the reg file so I will need to modify the registry settings on the reference machine (the server?), and then export the key and save it somewhere on my server.  I will remove evertyhing except for the top header and the key I have modified and resave the file.  However I name/save the file is what will replace the "regfile.reg".  

Example: IEregfile.reg = regedit /s IEregfile.reg

My next line in the script will be:

patch.exe /quiet /forcereboot

The "patch.exe" will me the name of my hotfix.

Example: WindowsXP-KB888254-x86-ENU.exe = WindowsXP-KB888254-x86-ENU.exe /quiet /forcereboot

Once I have my startup script written, what do I do from here to automate it with every new user sign-in to the network?

I don't know if this helps or not...but here are the registry changes that need to be made:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\

We are creating a new Key:
         FEATURE_GPO_BRANDING_WITH_FOLDER_REDIRECTION_KB888254
Create a new DWORD Value:
         *
Edit the DWORD Value:
         1
and then it says to restart your computer.

I hope this gives you more of an understanding.

Thank you for all your help!

 

I think you understand this quite well.

Create a new GPO somewhere high enough in the Directory so that all Computers are affected.

Use a Startup script under Computer Configuration.

The script, the patch AND the regfile should be location on a share that Authenticated Users has read access to.  The NTFS permissions should also be the same.

The regfile can be named whatever you like, just ensure it matches in the script.

The script should be a .cmd file.

To create the regfile, manually patch and modify one PC then import the key from that PC.

This should do it.

The script can be .cmd or .bat.  The problem with deploying through a startup script is it will install this patch every time a computer is restarted.  You might want to use vbscript where you can flag the registry somewhere that this patch has been installed and do a check for the registry entry at the beginning of the script.  If you need a script to do this I can write a quick one for you but don't have time now.  If you need it post and ask for it.

If you builld logic into the script it should only run once.

if exist c:\patch.flg goto END
regedit /s IEregfile.reg
copy \\server\share\patch.flg c:\patch.flg
patch.exe /quiet /forcereboot

:END

There ya go...Netman wrote it all out for you.

Okay, I understand the redgedit line and the patch.exe line.  I don't understand the 1st and 3rd lines of the script though.  The 1st line is saying if this file exist then go to the end.  (does patch.flg need to be replaced with the name of my patch?)

Here is what I have so far.... I just added the 1st and 3rd line!

if exist c:\patch.flg goto END
regedit /s HotfixB888254.reg
copy \\server\share\patch.flg c:\patch.flg
WindowsXP-KB888254-x86-ENU.exe /quiet /forcereboot

:END


Thank you,

Michele

Create a new text file on a share that is accessible to all computers (Authenticated Users).  Call the file patch.flg.  There doesn't need to be any content in this file - it's simply a "flag" so that if the script finds it on the C: drive of the local computer when running the script it will "goto" the end and will not run the reg file or patch.

If it doesn't find the patch.flg file, then it will run the reg file, copy the flag file then run the patch.  The next reboot it will skip the script since the "flag" file exists.

Make sure you replace \\server\share with your servername and sharename.

Example:  \\Server1\Files <= would mean your server name is Server1 and the share name is Files.

Make sure you use an existing share if you already have one that is accessible both with Share and NTFS permissions for the Authenticated Users group.

Okay, lets see if this is it:

if exist c:\patch.flg goto END
regedit /s HotfixB888254.reg
copy \\amserver\CommomShares\patch.flg c:\patch.flg
WindowsXP-KB888254-x86-ENU.exe /quiet /forcereboot

:END

However this is where everything is located on my server, does this make a difference?  Is my 3rd line still correct?

U:\CommonShares\Scripts\Hotfix B888254
         Contains: Hotfix.cmd file, Hotfix.reg file, Hotfix.exe file, and my patch.flg file

Thank you!

Yep, that looks about right.

I have everything setup to test next Wednesday morning.  I will let you know how it goes:) Wish me luck!  Again thank you for all your help.

Okay, so I did some testing on my GP and startup script.  When I run the GP, then nothing happens, the Registry Edit is not in the file, the flag file does not get placed into the C: drive, and I am not sure that the hotfix is being run.  I even took the GP out of the picture and just tried to run the script by itself on the computer and it did not work.  If I double click on the regedit file then it ask me if I am sure I want to make these changes, I say yes, and then it updates my registry.  

Here is what my script says:

if exist c:\patch.flg goto END
regedit /s HotfixB888254.reg
copy \\amserver\CommomShares\patch.flg c:\patch.flg
WindowsXP-KB888254-x86-ENU.exe /quiet /forcereboot

:END

Here is where my files are located:

 \\Amserver\CommonShares\Scripts\Hotfix B888254

Here is what is located in that file listed above:

HotfixB888254.reg
HotfixB888254.cmd
patch.flg
WindowsXP-KB888254-x86-ENU.exe

Where have I gone wrong?

Thank you,

Michele

WindowsXP-KB888254-x86-ENU.exe /quiet /forcereboot

You'll need to do 3 things with this:

1)  Rename it to KB888254.exe - the other name is too long.  Rename the actual patch on the share.
2)  The line above should read:  "\\Amserver\CommonShares\Scripts\Hotfix B888254\KB888254 /quiet /forcereboot"  <= you may need to experiment with this as sometimes the switches for the exe must be outside the quotes.
3)  The line "regedit /s HotfixB888254.reg" should also have the path in it: regedit /s "\\Amserver\CommonShares\Scripts\Hotfix B888254\HotfixB888254.reg"

Looking at the script you posted then it wouldn't work.  It would copy the flag file, but not run the patch or reg file since there was no path to the files.  Once it ran once, the flag would copy down to the local C drive and then never run again.  You'll need to delete the flag file from C drive after each test until you manage to get it working properly.

If this ran in production, then all PCs will very likely have the flag file on their C drive.  Rather than running around manually deleting this, then simply rename the flag file in the script so it's looking for a different flag filename.

Do not role this into production until you can manually run the .cmd file and it works.

So your script should look something like this:

if exist c:\KB888254.flg goto END
regedit /s "\\Amserver\CommonShares\Scripts\Hotfix B888254\HotfixB888254.reg"
copy "\\Amserver\CommonShares\Scripts\Hotfix B888254\patch.flg" c:\KB888254.flg
"\\Amserver\CommonShares\Scripts\Hotfix B888254\KB888254 /quiet /forcereboot"

:END

Here is where my files are located:

 \\Amserver\CommonShares\Scripts\Hotfix B888254

Here is what is located in that file listed above:

HotfixB888254.reg
HotfixB888254.cmd
HotfixB888254.flg
HotfixB888254.exe

Here is my script:

if exist c:\HotfixB888254.flg goto END
regedit /s "\\Amserver\CommonShares\Scripts\Hotfix B888254\HotfixB888254.reg"
copy "\\Amserver\CommomShares\Scripts\Hotfix B888254\patch.flg" c:\HotfixB888254.flg
"\\Amserver\CommonShares\Scripts\Hotfix B888254\HotfixB888254.exe /quiet /forcereboot"

:END

We are making improvements...I now apply the group policy to my test group and I know for sure that my registry edit is being completed.  Am I suppose to see the new .flg file in the C: Drive?  I do a search for any .flg file in the C: Drive on the local computer and cannot find anything.  Also, I am assuming if the .exe file runs correctly the computer will be forced to reboot, mine is not.  I tried putting /quiet /forcereboot outside of the quotes and that did not make a difference either.  

Any suggestions would be great...Thank you!

if exist c:\HotfixB888254.flg goto END
regedit /s "\\Amserver\CommonShares\Scripts\Hotfix B888254\HotfixB888254.reg"
copy "\\Amserver\CommomShares\Scripts\Hotfix B888254\HotfixB888254.flg" c:\HotfixB888254.flg
start /w "\\Amserver\CommonShares\Scripts\Hotfix B888254\HotfixB888254.exe" /quiet /forcereboot

:END


Try that.


You renamed the flag file on the source but didn't rename it in the script.

Okay,  I have been testing this and I think we are almost there...

I got the registry edit to change whenever I apply the GP to the computer, I can see the .flg file in the C:\ drive as long as I have administrative rights.  I cannot however seem to figure out if my hotfix is being executed or not.  Is there a way that I can test this or a place to look on the PC?  When I run the .cmd file locally, I don't see the computer restart like I beleive we have written in the script.

Thank you,

Michele

If you run regedit, the hotfixes should be listed in this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\WindowsXP

You should find a key for the KB888254 hotfix.

You can also see it in Add Remove Programs with the "Show Updates" box checked.

Your computer probably didn't reboot if the patch was already installed.

Check it against a PC that does not have the patch already.

Again, open up a CMD prompt and run the batch file from there so you can see any errors.

Okay I looked in the "Show Updates" in the Add Remove Programs...the update was not listed.  I also looked in the registry edit...the update was not listed there either.  I have changed my flag file so that the actual script will run...and that does not seem to have helped either.  My Registry file gets changed and the .flg file gets posted to the C:/ drive.  I also tried to put the "/quiet /reboot" inside and out of the quotes...this is not making a difference either.

Try this:

if exist c:\HotfixB888254.flg goto END
regedit /s "\\Amserver\CommonShares\Scripts\Hotfix B888254\HotfixB888254.reg"
copy "\\Amserver\CommomShares\Scripts\Hotfix B888254\HotfixB888254.flg" c:\HotfixB888254.flg
copy "\\Amserver\CommonShares\Scripts\Hotfix B888254\HotfixB888254.exe" %systemroot%\Temp\KB888254.exe
%systemroot%\Temp\KB888254.exe /quiet /forcereboot

:END

Okay, I went to my test machine and removed all of my changes from previous attempts...so we were going from a fresh start.

I tried your last script:
   My flag file worked, it was in the C:\ Drive
   My registry file worked, it was changed in the regedit
   My copy of the .exe file worked and it was placed into the Temp folder as Kb888254.exe
   However, the hotfix did not run...it did not reboot, it did not get listed in Add/Remove Programs, and it did not get
            listed in the regedit under Updates

Sorry to be so difficult....Thank you!

Okay here is what the KB888254 Setup had to say:

AVAILABLE SWITCHES:
[/help][/quiet][/passive][/uninstall][/norestart][/forcerestart][/l][/n][/o][/f][/integrate:]

/help                        Displays this message

SETUP MODES

/quiet                       Quiet mode (no user interaction or display)
/passive                    Unattended mode (progress bar only)
/uninstall                   Uninstalls the package

RESTART OPTIONS

/norestart                  Do not restart when installation is complete
/forcerestart              Restart after installation

SPECIAL OPTIONS

/l                             Lists installed Windows hotfixes or update packages
/o                            Overwrite OEM files without prompting
/n                            Do not backup files needed for unistall
/f                             Force other programs to close when the computer shuts  
                                       down
/integrate:<fullpath> Integrate this software update into <fullpath>

So it looks like I need to replace my "forcereboot" with "forcerestart".

Okay, so I made my change on my script and guess what...it worked:)  I tested it through my Group Policies and it got deployed properly and the .exe file is in the update list for both the regedit and the Add/Remove programs.

Thank you so much for your time and your help....!