Trigger Windows updates from command line

Hi,
I'm generating Windows Golden Images from a CI/CD pipeline.
I'm new to BigFix, and I wonder if I can install the agent on a new machine and trigger the Windows update via BigFix, check status and deliver the machine as a new Windows with the latest updates.

Can I trigger that from, for example, PowerShell?

I've utilized PsTools and the right-click options in the console for something similar.
"psexec -s \\"& name of current computer &" powershell.exe (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()"
This will simulate "Check for updates".

You can also copy the PSWindowsUpdate module to "C:\Program Files\WindowsPowerShell\Modules\PSWindowsUpdate" (https://www.powershellgallery.com/packages/PSWindowsUpdate/2.0.0.4) on machines and run updates from it.

I would highly advise setting TargetReleaseVersionInfo to the current OS version before doing so. This setting prevents the machine from picking up "Feature Updates" even when someone runs Windows Update manually.

Pre-req Task:
Example Relevance:
exists matches(regex"(\(1809\))") of (operating system as string)
Example Action:
regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]" "TargetReleaseVersionInfo"="1809"

Task to run Windows updates (timeout after 1 hour):

Relevance:
exists value "TargetReleaseVersionInfo" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" of registry

Something like this for the Action:

// Delete possible WSUS registry entries that may prevent Windows Update from working if a GPO is set.
regdelete "[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]" "WUServer"
regdelete "[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]" "WUStatusServer"

// Run Updates
delete __createfile
delete "c:\windows\temp\win_updates.ps1"
createfile until EOF
import-module PSWindowsUpdate
# Windows update advanced options > enable Receive updates for other Microsoft products when you update Windows.
Add-WUServiceManager -ServiceID "7971f918-a847-4430-9279-4a52d1efe18d" -Confirm:$false

# Set filename + todays date.log
$filenameformat = "win_updates$(Get-Date -Format "yyyyMMdd").log"
# Run windows updates and exclude feature updates or "Upgrades"
Get-WUList -MicrosoftUpdate -NotCategory "Upgrade" -Install -AcceptAll -IgnoreReboot | Out-File "C:\Windows\Temp\$filenameformat" -Append
EOF

copy __createfile "c:\windows\temp\win_updates.ps1"

override wait
hidden=true
timeout_seconds=3600
disposition=terminate
wait powershell.exe -ExecutionPolicy Bypass "c:\windows\temp\win_updates.ps1"

The log ends up looking something like:

  machinename    Accepted    KB4570505    2020-08 Cumulative Update for .NET Framework 3.5, 4.7.2 and 4.8 for Window...
  machinename    Accepted    KB2267602    Security Intelligence Update for Microsoft Defender Antivirus - KB226702 (...
  machinename    Accepted    KB4565349    2020-08 Cumulative Update for Windows 10 Version 1809 for x64-based Systems....
  machinename    Downloaded  KB4570505    2020-08 Cumulative Update for .NET Framework 3.5, 4.7.2 and 4.8 for Window...
  machinename    Downloaded  KB2267602    Security Intelligence Update for Microsoft Defender Antivirus - KB226702 (...
  machinename    Downloaded  KB4565349    2020-08 Cumulative Update for Windows 10 Version 1809 for x64-based Systems....
  machinename    Installed   KB4570505    2020-08 Cumulative Update for .NET Framework 3.5, 4.7.2 and 4.8 for Window.
  machinename    Installed   KB2267602    Security Intelligence Update for Microsoft Defender Antivirus - KB226702 (...
  machinename    Installed   KB4565349    2020-08 Cumulative Update for Windows 10 Version 1809 for x64-based Systems....
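The same flow as the answer above, written as one stand-alone PowerShell script for a pipeline rather than a BigFix action. This is an added example and not the poster's code: it assumes the PSWindowsUpdate module is already installed and that the script runs elevated; the `-TargetVersion` parameter, the function names and the exit-code convention are this example's own. It adds the check a practitioner would want before pinning: that the requested TargetReleaseVersionInfo actually matches the release the image is running, so a wrong pin cannot silently block nothing or hold the image on a release it is not on. The Status strings reported by Get-WindowsUpdate differ between module versions, so the summary groups them as reported; the failure test assumes a failed item carries an upper-case F in Status (spelled out as "Failed" in 2.0.x, a flag letter in later versions).

```powershell
# Added example (not from the thread): pin the feature-update version to the
# running OS, install quality updates only, and summarise the result.
# Assumes PSWindowsUpdate is installed and the script runs elevated.
#Requires -RunAsAdministrator
param(
    [string]$TargetVersion   # supplied by the pipeline; defaults to the running release
)
$ErrorActionPreference = 'Stop'
$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$LogPath     = "C:\Windows\Temp\win_updates$(Get-Date -Format 'yyyyMMdd').log"

function Get-CurrentReleaseVersion {
    # DisplayVersion (e.g. 21H2) exists from 20H2 on; older builds only carry
    # ReleaseId (e.g. 1809), which is what the thread's relevance regex matches.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    if ($cv.PSObject.Properties['DisplayVersion']) { return [string]$cv.DisplayVersion }
    return [string]$cv.ReleaseId
}

function Set-FeatureUpdatePin {
    param([Parameter(Mandatory)][string]$Version)
    # Refuse a pin that does not match the OS actually running.
    $running = Get-CurrentReleaseVersion
    if ($Version -ne $running) {
        throw "Requested pin '$Version' does not match running release '$running'"
    }
    if (-not (Test-Path $WuPolicyKey)) { New-Item -Path $WuPolicyKey -Force | Out-Null }
    # TargetReleaseVersion=1 is the companion DWORD the policy template sets
    # alongside TargetReleaseVersionInfo.
    Set-ItemProperty -Path $WuPolicyKey -Name 'TargetReleaseVersion'     -Value 1 -Type DWord
    Set-ItemProperty -Path $WuPolicyKey -Name 'TargetReleaseVersionInfo' -Value $Version -Type String
}

function Invoke-QualityUpdates {
    Import-Module PSWindowsUpdate
    # Opt in to other Microsoft products (same service ID the thread uses).
    Add-WUServiceManager -ServiceID '7971f918-a847-4430-9279-4a52d1efe18d' -Confirm:$false | Out-Null
    # Everything except the "Upgrade" category, i.e. no feature updates.
    $results = @(Get-WindowsUpdate -MicrosoftUpdate -NotCategory 'Upgrade' -Install -AcceptAll -IgnoreReboot)
    $results | Out-File -FilePath $LogPath -Append
    return $results
}

function Get-UpdateSummary {
    param([object[]]$Results)
    # Group KBs by the Status column; the exact strings depend on the module version.
    $summary = [ordered]@{}
    foreach ($group in ($Results | Group-Object -Property Status)) {
        $summary[$group.Name] = @($group.Group | Select-Object -ExpandProperty KB -Unique)
    }
    return $summary
}

if (-not $TargetVersion) { $TargetVersion = Get-CurrentReleaseVersion }
Set-FeatureUpdatePin -Version $TargetVersion
$updates = Invoke-QualityUpdates
$summary = Get-UpdateSummary -Results $updates
foreach ($entry in $summary.GetEnumerator()) {
    '{0,-12} {1}' -f $entry.Key, ($entry.Value -join ', ')
}
# Assumption: a failed item carries an upper-case F in Status ("Failed" in
# 2.0.x, an "F" flag in later versions); a case-sensitive match catches both.
if (@($updates | Where-Object { $_.Status -cmatch 'F' }).Count -gt 0) { exit 1 }
exit 0
```

Run it from the pipeline as `powershell.exe -ExecutionPolicy Bypass -File .\win_updates.ps1 -TargetVersion 1809`; a non-zero exit code marks the image build as failed rather than shipping an image with a half-installed cumulative update.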

Hi,
Thanks for the answer, but does this trigger the updates via BigFix or the usual Windows updates?

It triggers Windows updates on the machine. The PSWindowsUpdate script uses the Windows Update API to check for updates or install the updates.

@AndrewTTT, any Windows patches would not be triggered without a corresponding action that includes the endpoint in question. Have you issued a baseline policy action or patch policy in WebUI that would push/install the requisite patches on your newly imaged endpoints?

We have BigFix infrastructure and mostly it is set up automatically for lower environments, and by a push from the BigFix admin.
In my case, I don't want to install Windows updates in a new template machine (generated with Packer) (it takes too much time), and try to install all updates that are already on BigFix from the pipeline.

I could probably register that new VM and call an endpoint on BigFix to trigger the update asynchronously, but from Packer I won't know when the update or reboots are finished.

Hi @cmcannady
So I got a new machine with Packer, installed the BigFix client, set some settings for the client, and the update works.
The problem is how to handle restarts, because Packer believes the process failed when BigFix restarts the machine to apply Windows updates.

I was thinking of disabling restarts from BigFix after applying Windows updates, but is there a way to query (log files, API request) that updates are ready and we should restart? Then I will handle Windows restarts from Packer.

@AndrewTTT, you can utilize the pending restart inspector to create a restart process that’s divorced from the Windows patching process.

I have an example fixlet named BPS - BESClient - Pending Restart available in my personal GitHub to draw inspiration.

Thanks, I will check your fixlet.

Now I query the BESPendingRestart registry entry, but I need to do around 7-8 restarts. I'm not sure why BigFix adds this entry to the registry while it is still installing other updates.

I'm very close to have a

Is there a way to check that all the updates are complete? Windows registry? REST call to the BigFix API?

BigFix will add a value for each Action that requests a restart. They should all be cleared with a single reboot, if the updates appear to be clear after a reboot.
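A Packer-side way to act on the answer above, as an added example that is not from any poster in this thread: a provisioner script that polls until the machine is quiescent and tells Packer, through its exit code, whether a restart is owed. It treats any value under the BESPendingRestart key as "reboot owed" (one value per action, all cleared by one reboot, as described above), checks the standard Windows reboot markers as well, and asks the Windows Update agent directly whether non-feature updates are still outstanding, which is how it decides that all updates are complete. The BESPendingRestart key paths are an assumption drawn from the thread rather than taken from client documentation; check the path your client version writes. The parameter names and the exit-code convention (0 = ready, 2 = reboot required, 1 = timed out) are this example's own.

```powershell
# Added example (not from the thread): wait until no reboot is pending and no
# quality updates are outstanding, or hand a reboot back to Packer.
param(
    [int]$MaxWaitMinutes = 90,
    [int]$PollSeconds    = 60
)
$ErrorActionPreference = 'Stop'

# Assumed key paths (native and Wow6432Node); adjust to your client version.
$BesPendingKeys = @(
    'HKLM:\SOFTWARE\BigFix\EnterpriseClient\BESPendingRestart',
    'HKLM:\SOFTWARE\Wow6432Node\BigFix\EnterpriseClient\BESPendingRestart'
)

function Test-BigFixPendingRestart {
    # One value per action that asked for a restart; a single reboot clears all.
    foreach ($key in $BesPendingKeys) {
        if ((Test-Path $key) -and ((Get-Item -Path $key).GetValueNames().Count -gt 0)) {
            return $true
        }
    }
    return $false
}

function Test-WindowsPendingReboot {
    # Standard Windows markers: servicing stack, Windows Update agent, and file
    # renames scheduled for the next boot.
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') { return $true }
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') { return $true }
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) { return $true }
    return $false
}

function Get-OutstandingUpdateCount {
    # Ask the Windows Update agent directly, skipping the "Upgrades" category
    # (feature updates) that the TargetReleaseVersionInfo pin holds back.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $found    = $searcher.Search('IsInstalled=0 and IsHidden=0')
    $count = 0
    foreach ($update in $found.Updates) {
        $isUpgrade = $false
        foreach ($category in $update.Categories) {
            if ($category.Name -eq 'Upgrades') { $isUpgrade = $true }
        }
        if (-not $isUpgrade) { $count++ }
    }
    return $count
}

$deadline = (Get-Date).AddMinutes($MaxWaitMinutes)
while ((Get-Date) -lt $deadline) {
    # A reboot is the only thing that clears the pending values, so hand
    # control back to Packer as soon as one is owed.
    if ((Test-BigFixPendingRestart) -or (Test-WindowsPendingReboot)) {
        Write-Output 'Reboot pending: returning 2 so Packer restarts the VM'
        exit 2
    }
    $remaining = Get-OutstandingUpdateCount
    if ($remaining -eq 0) {
        Write-Output 'No pending reboot and no outstanding updates: image is ready'
        exit 0
    }
    Write-Output "$remaining update(s) still outstanding; polling again in $PollSeconds s"
    Start-Sleep -Seconds $PollSeconds
}
Write-Output "Timed out after $MaxWaitMinutes minutes with updates still outstanding"
exit 1
```

In the Packer template, run this as a `powershell` provisioner with `valid_exit_codes = [0, 2]`, follow it with a `windows-restart` provisioner, and repeat that pair as many times as your longest patch chain needs; the script exits 0 early once nothing is left, so extra passes cost only one Windows Update search each.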


You should check for updates; if any are found, you should update.