Solved

Installing Hotfixes through Group Policies

Posted on 2006-07-12
Last Modified: 2012-05-05
How do I install and distribute the hotfix 888254 using Group Policy for Server 2003?

I have installed the hotfix 888254 to correct my issues with Folder Redirection and No Internet Access on a couple of computers in my network.  Instead of touching every single computer and increasing the number of mistakes that can be made during the registry edits...I need to know if there is a way to install this hotfix and distribute it to all of my client machines (Windows XP), using Group Policies in Server 2003.

Any assistance would be great!

Thank you,

Michele
Question by: mickantone

32 Comments

Expert Comment by: valrog

Instead of using group policies, have you tried installing a WSUS (Windows System Update Server) server?  

Author Comment by: mickantone

I was looking at SUS, and from what I have read...it cannot be installed on the Domain Controller, is this correct? And then is SUS the same thing as WSUS?

Expert Comment by: valrog

WSUS and SUS used to be two different things.  Not sure if it can be installed on a DC.  But it should run fine on an older dedicated workstation.

Expert Comment by: AdamRobinson

WSUS can be installed on a domain controller.  

I would suggest installing it.  The setup can be a little wiggy, depending on your existing setup, but once fixed up, it works like a charm and greatly improves speed of hotfix/patch deployment.

Expert Comment by: mcsween

WSUS is the new version of SUS.  This new version can be installed on a Domain Controller.  However, if this is a hotfix supplied by MS it will not be available for install through WSUS as you have to obtain it special from MS.

Is the update you have in .msi format or .exe?

Author Comment by: mickantone

The hotfix I have has been supplied by Microsoft, and it is in the form of a .exe file.  

Expert Comment by: Netman66

You can deploy it with a Startup script from a GPO.

To determine how to run the exe, go to a CMD prompt and CD to where the patch is.  Type in the patch name and add /? to the end of the line.  Your switch option will be displayed.

You probably have the ability to run it with /quiet /norestart which would allow you to install it on bootup.

Author Comment by: mickantone

I followed your instructions for the command prompt, and the following is what I received:

AVAILABLE SWITCHES:
[/help] [/quiet] [/passive] [/uninstall] [/norestart] [/forcerestart] [/l] [/n] [/o] [/f] [/integrate:]

SETUP MODES:
/quiet                 Quiet mode (no user interaction or display)
/passive             Unattended mode (progress bar only)
/uninstall            Unistalls the package

RESTART OPTIONS:
/norestart           Do not restart when installation is complete
/forcerestart       Restart after installation


SPECIAL OPTIONS:
/l                       Lists installed Windows hotfixes or update packages
/o                      Overwrite OEM files without prompting
/n                      Do not backup files needed for uninstall
/f                       Foce other programs to close when the computer shuts down
/integrate: <fullpath> Integrate this software update into <fullpath>

So now then where do I go from here.  I am fairly new at the whole GPO topic along with the scripts.  Plus this script has the need to have the registry edit changed for each computer, can we get this to change the registry edit automatically as well?

Thank you!

Expert Comment by: Netman66

Yes, you can change the registry too.

This sounds like a one time patch from MS PSS that needs to be deployed - is that correct?

In your startup script you need something like this:

regedit /s regfile.reg
patch.exe /quiet /forcereboot


Where regfile.reg is the registry modification file and patch.exe is the patch name.

If you don't have the reg file then you need to make the mod on a reference machine then export the key to the reg file.  Remove all entries except the top header and the key you are attempting to modify then resave it.

Author Comment by: mickantone

This is a one time patch that does need to be deployed.  This patch is to allow folder redirection and policies for Internet Explorer to co-exist in the same environment.  

So if I understand right this is what I need to do.

Create a startup script, can this be done through Group Policy (add a new GPO)? Or is this something I create in Wordpad and save it as a .bat file?

In the script I will have two lines:

regedit /s regfile.reg

I do not have the reg file so I will need to modify the registry settings on the reference machine (the server?), and then export the key and save it somewhere on my server.  I will remove everything except for the top header and the key I have modified and resave the file.  However I name/save the file is what will replace the "regfile.reg".

Example: IEregfile.reg = regedit /s IEregfile.reg

My next line in the script will be:

patch.exe /quiet /forcereboot

The "patch.exe" will be the name of my hotfix.

Example: WindowsXP-KB888254-x86-ENU.exe = WindowsXP-KB888254-x86-ENU.exe /quiet /forcereboot

Once I have my startup script written, what do I do from here to automate it with every new user sign-in to the network?

I don't know if this helps or not...but here are the registry changes that need to be made:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\

We are creating a new Key:
         FEATURE_GPO_BRANDING_WITH_FOLDER_REDIRECTION_KB888254
Create a new DWORD Value:
         *
Edit the DWORD Value:
         1
and then it says to restart your computer.

I hope this gives you more of an understanding.

Thank you for all your help!

 
Expert Comment by: Netman66

I think you understand this quite well.

Create a new GPO somewhere high enough in the Directory so that all Computers are affected.

Use a Startup script under Computer Configuration.

The script, the patch AND the regfile should be located on a share that Authenticated Users has read access to.  The NTFS permissions should also be the same.

The regfile can be named whatever you like, just ensure it matches in the script.

The script should be a .cmd file.

To create the regfile, manually patch and modify one PC then import the key from that PC.

This should do it.

Expert Comment by: mcsween

The script can be .cmd or .bat.  The problem with deploying through a startup script is it will install this patch every time a computer is restarted.  You might want to use vbscript where you can flag the registry somewhere that this patch has been installed and do a check for the registry entry at the beginning of the script.  If you need a script to do this I can write a quick one for you but don't have time now.  If you need it post and ask for it.

Expert Comment by: Netman66

If you build logic into the script it should only run once.

if exist c:\patch.flg goto END
regedit /s IEregfile.reg
copy \\server\share\patch.flg c:\patch.flg
patch.exe /quiet /forcereboot

:END

Expert Comment by: mcsween

There ya go...Netman wrote it all out for you.

Author Comment by: mickantone

Okay, I understand the regedit line and the patch.exe line.  I don't understand the 1st and 3rd lines of the script though.  The 1st line is saying if this file exists then go to the end.  (does patch.flg need to be replaced with the name of my patch?)

Here is what I have so far.... I just added the 1st and 3rd line!

if exist c:\patch.flg goto END
regedit /s HotfixB888254.reg
copy \\server\share\patch.flg c:\patch.flg
WindowsXP-KB888254-x86-ENU.exe /quiet /forcereboot

:END


Thank you,

Michele

Expert Comment by: Netman66

Create a new text file on a share that is accessible to all computers (Authenticated Users).  Call the file patch.flg.  There doesn't need to be any content in this file - it's simply a "flag" so that if the script finds it on the C: drive of the local computer when running the script it will "goto" the end and will not run the reg file or patch.

If it doesn't find the patch.flg file, then it will run the reg file, copy the flag file then run the patch.  The next reboot it will skip the script since the "flag" file exists.

Make sure you replace \\server\share with your servername and sharename.

Example:  \\Server1\Files <= would mean your server name is Server1 and the share name is Files.

Make sure you use an existing share if you already have one that is accessible both with Share and NTFS permissions for the Authenticated Users group.
 

Author Comment by: mickantone

Okay, let's see if this is it:

if exist c:\patch.flg goto END
regedit /s HotfixB888254.reg
copy \\amserver\CommomShares\patch.flg c:\patch.flg
WindowsXP-KB888254-x86-ENU.exe /quiet /forcereboot

:END

However this is where everything is located on my server, does this make a difference?  Is my 3rd line still correct?

U:\CommonShares\Scripts\Hotfix B888254
         Contains: Hotfix.cmd file, Hotfix.reg file, Hotfix.exe file, and my patch.flg file

Thank you!

Expert Comment by: Netman66

Yep, that looks about right.

Author Comment by: mickantone

I have everything setup to test next Wednesday morning.  I will let you know how it goes:) Wish me luck!  Again thank you for all your help.

Author Comment by: mickantone

Okay, so I did some testing on my GP and startup script.  When I run the GP, then nothing happens, the Registry Edit is not in the file, the flag file does not get placed into the C: drive, and I am not sure that the hotfix is being run.  I even took the GP out of the picture and just tried to run the script by itself on the computer and it did not work.  If I double click on the regedit file then it asks me if I am sure I want to make these changes, I say yes, and then it updates my registry.

Here is what my script says:

if exist c:\patch.flg goto END
regedit /s HotfixB888254.reg
copy \\amserver\CommomShares\patch.flg c:\patch.flg
WindowsXP-KB888254-x86-ENU.exe /quiet /forcereboot

:END

Here is where my files are located:

 \\Amserver\CommonShares\Scripts\Hotfix B888254

Here is what is located in that file listed above:

HotfixB888254.reg
HotfixB888254.cmd
patch.flg
WindowsXP-KB888254-x86-ENU.exe

Where have I gone wrong?

Thank you,

Michele

Expert Comment by: Netman66

WindowsXP-KB888254-x86-ENU.exe /quiet /forcereboot

You'll need to do 3 things with this:

1)  Rename it to KB888254.exe - the other name is too long.  Rename the actual patch on the share.
2)  The line above should read:  "\\Amserver\CommonShares\Scripts\Hotfix B888254\KB888254 /quiet /forcereboot"  <= you may need to experiment with this as sometimes the switches for the exe must be outside the quotes.
3)  The line "regedit /s HotfixB888254.reg" should also have the path in it: regedit /s "\\Amserver\CommonShares\Scripts\Hotfix B888254\HotfixB888254.reg"

Looking at the script you posted then it wouldn't work.  It would copy the flag file, but not run the patch or reg file since there was no path to the files.  Once it ran once, the flag would copy down to the local C drive and then never run again.  You'll need to delete the flag file from C drive after each test until you manage to get it working properly.

If this ran in production, then all PCs will very likely have the flag file on their C drive.  Rather than running around manually deleting this, then simply rename the flag file in the script so it's looking for a different flag filename.

Do not roll this into production until you can manually run the .cmd file and it works.

So your script should look something like this:

if exist c:\KB888254.flg goto END
regedit /s "\\Amserver\CommonShares\Scripts\Hotfix B888254\HotfixB888254.reg"
copy "\\Amserver\CommonShares\Scripts\Hotfix B888254\patch.flg" c:\KB888254.flg
"\\Amserver\CommonShares\Scripts\Hotfix B888254\KB888254 /quiet /forcereboot"

:END


Author Comment by: mickantone

Here is where my files are located:

 \\Amserver\CommonShares\Scripts\Hotfix B888254

Here is what is located in that file listed above:

HotfixB888254.reg
HotfixB888254.cmd
HotfixB888254.flg
HotfixB888254.exe

Here is my script:

if exist c:\HotfixB888254.flg goto END
regedit /s "\\Amserver\CommonShares\Scripts\Hotfix B888254\HotfixB888254.reg"
copy "\\Amserver\CommomShares\Scripts\Hotfix B888254\patch.flg" c:\HotfixB888254.flg
"\\Amserver\CommonShares\Scripts\Hotfix B888254\HotfixB888254.exe /quiet /forcereboot"

:END

We are making improvements...I now apply the group policy to my test group and I know for sure that my registry edit is being completed.  Am I supposed to see the new .flg file in the C: Drive?  I do a search for any .flg file in the C: Drive on the local computer and cannot find anything.  Also, I am assuming if the .exe file runs correctly the computer will be forced to reboot, mine is not.  I tried putting /quiet /forcereboot outside of the quotes and that did not make a difference either.

Any suggestions would be great...Thank you!

Expert Comment by: Netman66

if exist c:\HotfixB888254.flg goto END
regedit /s "\\Amserver\CommonShares\Scripts\Hotfix B888254\HotfixB888254.reg"
copy "\\Amserver\CommomShares\Scripts\Hotfix B888254\HotfixB888254.flg" c:\HotfixB888254.flg
start /w "\\Amserver\CommonShares\Scripts\Hotfix B888254\HotfixB888254.exe" /quiet /forcereboot

:END


Try that.


You renamed the flag file on the source but didn't rename it in the script.

Author Comment by: mickantone

Okay,  I have been testing this and I think we are almost there...

I got the registry edit to change whenever I apply the GP to the computer, I can see the .flg file in the C:\ drive as long as I have administrative rights.  I cannot however seem to figure out if my hotfix is being executed or not.  Is there a way that I can test this or a place to look on the PC?  When I run the .cmd file locally, I don't see the computer restart like I believe we have written in the script.

Thank you,

Michele

Expert Comment by: Netman66

If you run regedit, the hotfixes should be listed in this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\WindowsXP

You should find a key for the KB888254 hotfix.

Expert Comment by: Netman66

You can also see it in Add Remove Programs with the "Show Updates" box checked.

Your computer probably didn't reboot if the patch was already installed.

Check it against a PC that does not have the patch already.

Again, open up a CMD prompt and run the batch file from there so you can see any errors.

Author Comment by: mickantone

Okay I looked in the "Show Updates" in the Add Remove Programs...the update was not listed.  I also looked in the registry edit...the update was not listed there either.  I have changed my flag file so that the actual script will run...and that does not seem to have helped either.  My Registry file gets changed and the .flg file gets posted to the C:/ drive.  I also tried to put the "/quiet /reboot" inside and out of the quotes...this is not making a difference either.

Expert Comment by: Netman66

Try this:

if exist c:\HotfixB888254.flg goto END
regedit /s "\\Amserver\CommonShares\Scripts\Hotfix B888254\HotfixB888254.reg"
copy "\\Amserver\CommomShares\Scripts\Hotfix B888254\HotfixB888254.flg" c:\HotfixB888254.flg
copy "\\Amserver\CommonShares\Scripts\Hotfix B888254\HotfixB888254.exe" %systemroot%\Temp\KB888254.exe
%systemroot%\Temp\KB888254.exe /quiet /forcereboot

:END

Author Comment by: mickantone

Okay, I went to my test machine and removed all of my changes from previous attempts...so we were going from a fresh start.

I tried your last script:
   My flag file worked, it was in the C:\ Drive
   My registry file worked, it was changed in the regedit
   My copy of the .exe file worked and it was placed into the Temp folder as Kb888254.exe
   However, the hotfix did not run...it did not reboot, it did not get listed in Add/Remove Programs, and it did not get
            listed in the regedit under Updates

Sorry to be so difficult....Thank you!

Accepted Solution by: Netman66

Ok, then here is what to do:

Open a CMD window and CD into the \Windows\Temp folder.
Do a DIR to make sure the file is there.
Type KB888254.exe /? and hit ENTER
Make sure the /quiet and /forcereboot switches are valid.
If they are, then go into the Temp folder using Explorer and double click the patch file to run it manually.  

Tell me what happens when you run it that way.

Author Comment by: mickantone

Okay here is what the KB888254 Setup had to say:

AVAILABLE SWITCHES:
[/help][/quiet][/passive][/uninstall][/norestart][/forcerestart][/l][/n][/o][/f][/integrate:]

/help                        Displays this message

SETUP MODES

/quiet                       Quiet mode (no user interaction or display)
/passive                    Unattended mode (progress bar only)
/uninstall                   Uninstalls the package

RESTART OPTIONS

/norestart                  Do not restart when installation is complete
/forcerestart              Restart after installation

SPECIAL OPTIONS

/l                             Lists installed Windows hotfixes or update packages
/o                            Overwrite OEM files without prompting
/n                            Do not backup files needed for unistall
/f                             Force other programs to close when the computer shuts  
                                       down
/integrate:<fullpath> Integrate this software update into <fullpath>

So it looks like I need to replace my "forcereboot" with "forcerestart".

Okay, so I made my change on my script and guess what...it worked:)  I tested it through my Group Policies and it got deployed properly and the .exe file is in the update list for both the regedit and the Add/Remove programs.

Thank you so much for your time and your help....!

Expert Comment by: Netman66

No problem!  That was totally my fault - I gave you the wrong switch.  Glad you got it sorted and I hope it didn't cost you too many lost cycles.
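
The startup script this thread converges on, written out as an added example (not code posted by any participant): it uses only switches from the installer's own help output and writes the flag file after the installer reports success, so a wrong switch cannot mark an unpatched machine as done. The share path and file names are the ones posted above; the log file name, the 60-second restart delay and treating exit codes 0 and 3010 as success are assumptions.

```batch
@echo off
setlocal
rem Added example. Share path and file names are the ones posted in the thread;
rem the log file name and the 60-second restart delay are assumptions.
set "SRC=\\Amserver\CommonShares\Scripts\Hotfix B888254"
set "FLAG=C:\HotfixB888254.flg"
set "LOCAL=%SystemRoot%\Temp\KB888254.exe"
set "LOG=%SystemRoot%\Temp\KB888254-deploy.log"

rem The flag means "verified installed on this machine", so skip everything.
if exist "%FLAG%" goto END

rem Stop early, without setting the flag, if the share is unreachable.
if not exist "%SRC%\HotfixB888254.reg" goto NOSHARE
if not exist "%SRC%\HotfixB888254.exe" goto NOSHARE

rem Registry change from the exported .reg file (full quoted UNC path).
regedit /s "%SRC%\HotfixB888254.reg"

rem If the hotfix is already registered under the Updates key, only mark it.
reg query "HKLM\SOFTWARE\Microsoft\Updates" /s 2>nul | find /i "KB888254" >nul
if not errorlevel 1 goto MARK

rem Run a local copy; switches stay outside the quotes around the path.
copy /y "%SRC%\HotfixB888254.exe" "%LOCAL%" >nul
if errorlevel 1 goto NOSHARE
"%LOCAL%" /quiet /norestart
set "RC=%ERRORLEVEL%"
rem Redirection goes first so a trailing digit is not read as a handle number.
>>"%LOG%" echo %DATE% %TIME% KB888254 installer exit code %RC%

rem Assumption: 0 and 3010 (success, restart required) count as installed.
rem Any other code leaves the flag unset, so the next boot retries.
if "%RC%"=="0" goto MARK
if "%RC%"=="3010" goto MARK
goto END

:MARK
>"%FLAG%" echo KB888254 verified %DATE% %TIME%
rem Restart only when this run actually installed the hotfix.
if defined RC shutdown -r -t 60 -c "KB888254 installed, restarting"
goto END

:NOSHARE
>>"%LOG%" echo %DATE% %TIME% KB888254 source files not reachable in %SRC%

:END
endlocal
```

The log file in the Temp folder records the installer's exit code on every attempt, which is the quickest place to look when the hotfix does not show up under Add/Remove Programs.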