Solved

Installing Hotfixes through Group Policies

Posted on 2006-07-12
Last Modified: 2012-05-05
How do I install and distribute the hotfix 888254 using Group Policy for Server 2003?

I have installed the hotfix 888254 to correct my issues with Folder Redirection and No Internet Access on a couple of computers in my network.  Instead of touching every single computer and increasing the number of mistakes that can be made during the registry edits...I need to know if there is a way to install this hotfix and distribute it to all of my client machines (Windows XP), using Group Policies in Server 2003.

Any assistance would be great!

Thank you,

Michele
Question by:mickantone
LVL 3

Expert Comment

by:valrog
ID: 17093275
Instead of using group policies, have you tried installing a WSUS (Windows System Update Server) server?  
0
 

Author Comment

by:mickantone
ID: 17093351
I was looking at SUS, and from what I have read...it cannot be installed on the Domain Controller, is this correct? And then is SUS the same thing as WSUS?
0
 
LVL 3

Expert Comment

by:valrog
ID: 17093372
WSUS and SUS used to be two different things.  Not sure if it can be installed on a DC.  But it should run fine on an older dedicated workstation.
0
 
LVL 16

Expert Comment

by:AdamRobinson
ID: 17093836
WSUS can be installed on a domain controller.  

I would suggest installing it.  The setup can be a little wiggy, depending on your existing setup, but once fixed up, it works like a charm and greatly improves speed of hotfix/patch deployment.
0
 
LVL 21

Expert Comment

by:mcsween
ID: 17094036
WSUS is the new version of SUS.  This new version can be installed on a Domain Controller.  However, if this is a hotfix supplied by MS it will not be available for install through WSUS as you have to obtain it special from MS.

Is the update you have in .msi format or .exe?
0
 

Author Comment

by:mickantone
ID: 17094595
The hotfix I have has been supplied by Microsoft, and it is in the form of a .exe file.  
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17096065
You can deploy it with a Startup script from a GPO.

To determine how to run the exe, go to a CMD prompt and CD to where the patch is.  Type in the patch name and add /? to the end of the line.  Your switch option will be displayed.

You probably have the ability to run it with /quiet /norestart which would allow you to install it on bootup.

0
 

Author Comment

by:mickantone
ID: 17104016
I followed your instructions for the command prompt, and the following is what I received:

AVAILABLE SWITCHES:
[/help] [/quiet] [/passive] [/uninstall] [/norestart] [/forcerestart] [/l] [/n] [/o] [/f] [/integrate:]

SETUP MODES:
/quiet                 Quiet mode (no user interaction or display)
/passive             Unattended mode (progress bar only)
/uninstall            Unistalls the package

RESTART OPTIONS:
/norestart           Do not restart when installation is complete
/forcerestart       Restart after installation


SPECIAL OPTIONS:
/l                       Lists installed Windows hotfixes or update packages
/o                      Overwrite OEM files without prompting
/n                      Do not backup files needed for uninstall
/f                       Foce other programs to close when the computer shuts down
/integrate: <fullpath> Integrate this software update into <fullpath>

So now then where do I go from here.  I am fairly new at the whole GPO topic along with the scripts.  Plus this script has the need to have the registry edit changed for each computer, can we get this to change the registry edit automatically as well?

Thank you!
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17104989
Yes, you can change the registry too.

This sounds like a one time patch from MS PSS that needs to be deployed - is that correct?

In your startup script you need something like this:

regedit /s regfile.reg
patch.exe /quiet /forcereboot


Where regfile.reg is the registry modification file and patch.exe is the patch name.

If you don't have the reg file then you need to make the mod on a reference machine then export the key to the reg file.  Remove all entries except the top header and the key you are attempting to modify then resave it.

0
 

Author Comment

by:mickantone
ID: 17108486
This is a one time patch that does need to be deployed.  This patch is to allow folder redirection and policies for Internet Explorer to co-exist in the same environment.  

So if I understand right this is what I need to do.

Create a startup script, can this be done through Group Policy (add a new GPO)? Or is this something I create in Wordpad and save it as a .bat file?

In the script I will have two lines:

regedit /s regfile.reg

I do not have the reg file so I will need to modify the registry settings on the reference machine (the server?), and then export the key and save it somewhere on my server.  I will remove everything except for the top header and the key I have modified and resave the file.  However I name/save the file is what will replace the "regfile.reg".  

Example: IEregfile.reg = regedit /s IEregfile.reg

My next line in the script will be:

patch.exe /quiet /forcereboot

The "patch.exe" will be the name of my hotfix.

Example: WindowsXP-KB888254-x86-ENU.exe = WindowsXP-KB888254-x86-ENU.exe /quiet /forcereboot

Once I have my startup script written, what do I do from here to automate it with every new user sign-in to the network?

I don't know if this helps or not...but here are the registry changes that need to be made:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\

We are creating a new Key:
         FEATURE_GPO_BRANDING_WITH_FOLDER_REDIRECTION_KB888254
Create a new DWORD Value:
         *
Edit the DWORD Value:
         1
and then it says to restart your computer.

I hope this gives you more of an understanding.

Thank you for all your help!

 
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17109595
I think you understand this quite well.

Create a new GPO somewhere high enough in the Directory so that all Computers are affected.

Use a Startup script under Computer Configuration.

The script, the patch AND the regfile should be located on a share that Authenticated Users has read access to.  The NTFS permissions should also be the same.

The regfile can be named whatever you like, just ensure it matches in the script.

The script should be a .cmd file.

To create the regfile, manually patch and modify one PC then import the key from that PC.

This should do it.

0
 
LVL 21

Expert Comment

by:mcsween
ID: 17131886
The script can be .cmd or .bat.  The problem with deploying through a startup script is it will install this patch every time a computer is restarted.  You might want to use vbscript where you can flag the registry somewhere that this patch has been installed and do a check for the registry entry at the beginning of the script.  If you need a script to do this I can write a quick one for you but don't have time now.  If you need it post and ask for it.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17132052
If you build logic into the script it should only run once.

if exist c:\patch.flg goto END
regedit /s IEregfile.reg
copy \\server\share\patch.flg c:\patch.flg
patch.exe /quiet /forcereboot

:END
0
 
LVL 21

Expert Comment

by:mcsween
ID: 17132101
There ya go...Netman wrote it all out for you.
0
 

Author Comment

by:mickantone
ID: 17132166
Okay, I understand the regedit line and the patch.exe line.  I don't understand the 1st and 3rd lines of the script though.  The 1st line is saying if this file exists then go to the end.  (does patch.flg need to be replaced with the name of my patch?)

Here is what I have so far.... I just added the 1st and 3rd line!

if exist c:\patch.flg goto END
regedit /s HotfixB888254.reg
copy \\server\share\patch.flg c:\patch.flg
WindowsXP-KB888254-x86-ENU.exe /quiet /forcereboot

:END


Thank you,

Michele
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17132260
Create a new text file on a share that is accessible to all computers (Authenticated Users).  Call the file patch.flg.  There doesn't need to be any content in this file - it's simply a "flag" so that if the script finds it on the C: drive of the local computer when running the script it will "goto" the end and will not run the reg file or patch.

If it doesn't find the patch.flg file, then it will run the reg file, copy the flag file then run the patch.  The next reboot it will skip the script since the "flag" file exists.

Make sure you replace \\server\share with your servername and sharename.

Example:  \\Server1\Files <= would mean your server name is Server1 and the share name is Files.

Make sure you use an existing share if you already have one that is accessible both with Share and NTFS permissions for the Authenticated Users group.
0

 

Author Comment

by:mickantone
ID: 17132484
Okay, let's see if this is it:

if exist c:\patch.flg goto END
regedit /s HotfixB888254.reg
copy \\amserver\CommomShares\patch.flg c:\patch.flg
WindowsXP-KB888254-x86-ENU.exe /quiet /forcereboot

:END

However this is where everything is located on my server, does this make a difference?  Is my 3rd line still correct?

U:\CommonShares\Scripts\Hotfix B888254
         Contains: Hotfix.cmd file, Hotfix.reg file, Hotfix.exe file, and my patch.flg file

Thank you!
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17132516
Yep, that looks about right.

0
 

Author Comment

by:mickantone
ID: 17132576
I have everything setup to test next Wednesday morning.  I will let you know how it goes:) Wish me luck!  Again thank you for all your help.
0
 

Author Comment

by:mickantone
ID: 17190068
Okay, so I did some testing on my GP and startup script.  When I run the GP, then nothing happens, the Registry Edit is not in the file, the flag file does not get placed into the C: drive, and I am not sure that the hotfix is being run.  I even took the GP out of the picture and just tried to run the script by itself on the computer and it did not work.  If I double click on the regedit file then it asks me if I am sure I want to make these changes, I say yes, and then it updates my registry.  

Here is what my script says:

if exist c:\patch.flg goto END
regedit /s HotfixB888254.reg
copy \\amserver\CommomShares\patch.flg c:\patch.flg
WindowsXP-KB888254-x86-ENU.exe /quiet /forcereboot

:END

Here is where my files are located:

 \\Amserver\CommonShares\Scripts\Hotfix B888254

Here is what is located in that file listed above:

HotfixB888254.reg
HotfixB888254.cmd
patch.flg
WindowsXP-KB888254-x86-ENU.exe

Where have I gone wrong?

Thank you,

Michele
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17191896
WindowsXP-KB888254-x86-ENU.exe /quiet /forcereboot

You'll need to do 3 things with this:

1)  Rename it to KB888254.exe - the other name is too long.  Rename the actual patch on the share.
2)  The line above should read:  "\\Amserver\CommonShares\Scripts\Hotfix B888254\KB888254 /quiet /forcereboot"  <= you may need to experiment with this as sometimes the switches for the exe must be outside the quotes.
3)  The line "regedit /s HotfixB888254.reg" should also have the path in it: regedit /s "\\Amserver\CommonShares\Scripts\Hotfix B888254\HotfixB888254.reg"

Looking at the script you posted then it wouldn't work.  It would copy the flag file, but not run the patch or reg file since there was no path to the files.  Once it ran once, the flag would copy down to the local C drive and then never run again.  You'll need to delete the flag file from C drive after each test until you manage to get it working properly.

If this ran in production, then all PCs will very likely have the flag file on their C drive.  Rather than running around manually deleting this, then simply rename the flag file in the script so it's looking for a different flag filename.

Do not roll this into production until you can manually run the .cmd file and it works.

So your script should look something like this:

if exist c:\KB888254.flg goto END
regedit /s "\\Amserver\CommonShares\Scripts\Hotfix B888254\HotfixB888254.reg"
copy "\\Amserver\CommonShares\Scripts\Hotfix B888254\patch.flg" c:\KB888254.flg
"\\Amserver\CommonShares\Scripts\Hotfix B888254\KB888254 /quiet /forcereboot"

:END


0
 

Author Comment

by:mickantone
ID: 17193399
Here is where my files are located:

 \\Amserver\CommonShares\Scripts\Hotfix B888254

Here is what is located in that file listed above:

HotfixB888254.reg
HotfixB888254.cmd
HotfixB888254.flg
HotfixB888254.exe

Here is my script:

if exist c:\HotfixB888254.flg goto END
regedit /s "\\Amserver\CommonShares\Scripts\Hotfix B888254\HotfixB888254.reg"
copy "\\Amserver\CommomShares\Scripts\Hotfix B888254\patch.flg" c:\HotfixB888254.flg
"\\Amserver\CommonShares\Scripts\Hotfix B888254\HotfixB888254.exe /quiet /forcereboot"

:END

We are making improvements...I now apply the group policy to my test group and I know for sure that my registry edit is being completed.  Am I supposed to see the new .flg file in the C: Drive?  I do a search for any .flg file in the C: Drive on the local computer and cannot find anything.  Also, I am assuming if the .exe file runs correctly the computer will be forced to reboot, mine is not.  I tried putting /quiet /forcereboot outside of the quotes and that did not make a difference either.  

Any suggestions would be great...Thank you!
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17195524
if exist c:\HotfixB888254.flg goto END
regedit /s "\\Amserver\CommonShares\Scripts\Hotfix B888254\HotfixB888254.reg"
copy "\\Amserver\CommomShares\Scripts\Hotfix B888254\HotfixB888254.flg" c:\HotfixB888254.flg
start /w "\\Amserver\CommonShares\Scripts\Hotfix B888254\HotfixB888254.exe" /quiet /forcereboot

:END


Try that.


You renamed the flag file on the source but didn't rename it in the script.

0
 

Author Comment

by:mickantone
ID: 17223169
Okay,  I have been testing this and I think we are almost there...

I got the registry edit to change whenever I apply the GP to the computer, I can see the .flg file in the C:\ drive as long as I have administrative rights.  I cannot however seem to figure out if my hotfix is being executed or not.  Is there a way that I can test this or a place to look on the PC?  When I run the .cmd file locally, I don't see the computer restart like I believe we have written in the script.

Thank you,

Michele
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17226888
If you run regedit, the hotfixes should be listed in this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\WindowsXP

You should find a key for the KB888254 hotfix.

0
 
LVL 51

Expert Comment

by:Netman66
ID: 17226922
You can also see it in Add Remove Programs with the "Show Updates" box checked.

Your computer probably didn't reboot if the patch was already installed.

Check it against a PC that does not have the patch already.

Again, open up a CMD prompt and run the batch file from there so you can see any errors.

0
 

Author Comment

by:mickantone
ID: 17228406
Okay I looked in the "Show Updates" in the Add Remove Programs...the update was not listed.  I also looked in the registry edit...the update was not listed there either.  I have changed my flag file so that the actual script will run...and that does not seem to have helped either.  My Registry file gets changed and the .flg file gets posted to the C:/ drive.  I also tried to put the "/quiet /reboot" inside and out of the quotes...this is not making a difference either.

0
 
LVL 51

Expert Comment

by:Netman66
ID: 17229523
Try this:

if exist c:\HotfixB888254.flg goto END
regedit /s "\\Amserver\CommonShares\Scripts\Hotfix B888254\HotfixB888254.reg"
copy "\\Amserver\CommomShares\Scripts\Hotfix B888254\HotfixB888254.flg" c:\HotfixB888254.flg
copy "\\Amserver\CommonShares\Scripts\Hotfix B888254\HotfixB888254.exe" %systemroot%\Temp\KB888254.exe
%systemroot%\Temp\KB888254.exe /quiet /forcereboot

:END
0
 

Author Comment

by:mickantone
ID: 17234065
Okay, I went to my test machine and removed all of my changes from previous attempts...so we were going from a fresh start.

I tried your last script:
   My flag file worked, it was in the C:\ Drive
   My registry file worked, it was changed in the regedit
   My copy of the .exe file worked and it was placed into the Temp folder as Kb888254.exe
   However, the hotfix did not run...it did not reboot, it did not get listed in Add/Remove Programs, and it did not get
            listed in the regedit under Updates

Sorry to be so difficult....Thank you!

0
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 17234594
Ok, then here is what to do:

Open a CMD window and CD into the \Windows\Temp folder.
Do a DIR to make sure the file is there.
Type KB888254.exe /? and hit ENTER
Make sure the /quiet and /forcereboot switches are valid.
If they are, then go into the Temp folder using Explorer and double click the patch file to run it manually.  

Tell me what happens when you run it that way.
0
 

Author Comment

by:mickantone
ID: 17235251
Okay here is what the KB888254 Setup had to say:

AVAILABLE SWITCHES:
[/help][/quiet][/passive][/uninstall][/norestart][/forcerestart][/l][/n][/o][/f][/integrate:]

/help                        Displays this message

SETUP MODES

/quiet                       Quiet mode (no user interaction or display)
/passive                    Unattended mode (progress bar only)
/uninstall                   Uninstalls the package

RESTART OPTIONS

/norestart                  Do not restart when installation is complete
/forcerestart              Restart after installation

SPECIAL OPTIONS

/l                             Lists installed Windows hotfixes or update packages
/o                            Overwrite OEM files without prompting
/n                            Do not backup files needed for unistall
/f                             Force other programs to close when the computer shuts  
                                       down
/integrate:<fullpath> Integrate this software update into <fullpath>

So it looks like I need to replace my "forcereboot" with "forcerestart".

Okay, so I made my change on my script and guess what...it worked:)  I tested it through my Group Policies and it got deployed properly and the .exe file is in the update list for both the regedit and the Add/Remove programs.

Thank you so much for your time and your help....!
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17235454
No problem!  That was totally my fault - I gave you the wrong switch.  Glad you got it sorted and I hope it didn't cost you too many lost cycles.
0
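
Added example, not part of the original thread or any poster's script: a variant of the startup script discussed above that writes the flag file only after the installer reports success, so a failed run (such as the invalid /forcereboot switch) is logged and retried instead of being silently marked as done. The share path, file names and registry key come from the thread; the log file name, the use of reg add in place of the .reg file, and the treatment of exit codes 0 and 3010 as success are assumptions to verify against your package. Because computer startup scripts run as SYSTEM, the share should be writable only by administrators.

```batch
@echo off
rem Added example. Intended to run as a GPO computer startup script.
setlocal

rem Share path and file names as posted in the thread.
set SRC=\\Amserver\CommonShares\Scripts\Hotfix B888254
set PATCH=%systemroot%\Temp\KB888254.exe
set FLAG=c:\HotfixB888254.flg
rem Hypothetical log file name, chosen for this example.
set LOG=%systemroot%\Temp\KB888254-deploy.log
rem FeatureControl key from the thread.
set FCKEY=HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPO_BRANDING_WITH_FOLDER_REDIRECTION_KB888254

rem Already deployed on this machine: nothing to do.
if exist "%FLAG%" goto END

echo %date% %time% starting >> "%LOG%"
copy /y "%SRC%\HotfixB888254.exe" "%PATCH%" >> "%LOG%" 2>&1
if errorlevel 1 goto FAIL

rem /quiet and /norestart both appear in the installer's /? output quoted above.
"%PATCH%" /quiet /norestart
set RC=%errorlevel%
echo installer exit code %RC% >> "%LOG%"

rem Assumption: 0 = success, 3010 = success with a restart required.
if "%RC%"=="0" goto OK
if "%RC%"=="3010" goto OK
goto FAIL

:OK
rem DWORD value named * set to 1, as described in the thread.
reg add "%FCKEY%" /v * /t REG_DWORD /d 1 /f >> "%LOG%" 2>&1
if errorlevel 1 goto FAIL
rem Write the flag only now that both steps succeeded, then restart.
echo installed %date% %time% > "%FLAG%"
shutdown -r -t 0
goto END

:FAIL
echo FAILED, flag not written, will retry at next startup >> "%LOG%"

:END
endlocal
```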

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, I had the need to build a standalone system to run a point-of-sale system. I’m running this on a low-voltage Atom processor, so I wanted a light-weight operating system, but still needed Windows. I chose to use Microsoft Windows Server 200…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now