Trigger Windows updates from comman line

AndrewTTT 2020-09-22 15:15:08 UTC #1

Hi,
im generating Windows Golden Images from a CI/CD pipeline.
im new to bigfix, and i wonder if i can install the agent in a new machine and trigger the windows update via bigfix, check status and deliver the machine as new Windows with latest updates.

can i trigger that fro, by example, powershell?

MMosley 2020-09-23 13:24:34 UTC #2

I’ve utilized pstools and the right click options in the console for something similar.
"psexec -s \\"& name of current computer &" powershell.exe (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()"
This will simulate “Check for updates”

dakota 2020-09-27 02:44:18 UTC #3

You can also copy the pswinupdate module to “C:\Program Files\WindowsPowerShell\Modules\PSWindowsUpdate” - (https://www.powershellgallery.com/packages/PSWindowsUpdate/2.0.0.4) on machines and run updates from it.

I would highly advise setting TargetReleaseVersionInfo to the the current OS version before doing so. this setting prevents the machine from picking up “Feature Updates” even when someone runs windows updates manually.

Pre-req Task:
Example Relevance:
exists matches(regex"(\(1809\))") of (operating system as string)
Example Action:
regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]" "TargetReleaseVersionInfo"="1809"

Task to run Windows updates (timeout after 1 hour):

Relevance:
exists value "TargetReleaseVersionInfo" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" of registry

Something like this for the Action.:

// Delete possible WSUS registry entries that may prevent windows update from working if gpo is set.
    regdelete "[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]" "WUServer"
    regdelete "[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]" "WUStatusServer"

// Run Updates
delete __createfile
delete "c:\windows\temp\win_updates.ps1"
createfile until EOF
import-module PSWindowsUpdate
# Windows update advanced options > enable Receive updates for other Microsoft products when you update Windows.
Add-WUServiceManager -ServiceID "7971f918-a847-4430-9279-4a52d1efe18d" -Confirm:$false

# Set filename + todays date.log
$filenameformat = "win_updates$(Get-Date -Format "yyyyMMdd").log"
# Run windows updates and exclude feature updates or "Upgrades"
Get-WUList -MicrosoftUpdate -NotCategory "Upgrade" -Install -AcceptAll -IgnoreReboot | Out-File "C:\Windows\Temp\$filenameformat" -Append
EOF

copy __createfile "c:\windows\temp\win_updates.ps1"

override wait
hidden=true
timeout_seconds=3600
disposition=terminate
wait powershell.exe -ExecutionPolicy Bypass "c:\windows\temp\win_updates.ps1"

the log ends up looking something like:

machinename    Accepted    KB4570505    2020-08 Cumulative Update for .NET Framework 3.5, 4.7.2 and 4.8 for Window...

machinename    Accepted   KB2267602    Security Intelligence Update for Microsoft Defender Antivirus - KB226702 (...

machinename    Accepted   KB4565349    2020-08 Cumulative Update for Windows 10 Version 1809 for x64-based Systems....

machinename    Downloaded    KB4570505    2020-08 Cumulative Update for .NET Framework 3.5, 4.7.2 and 4.8 for Window...

machinename    Downloaded   KB2267602    Security Intelligence Update for Microsoft Defender Antivirus - KB226702 (...

machinename    Downloaded   KB4565349    2020-08 Cumulative Update for Windows 10 Version 1809 for x64-based Systems....

machinename    Installed    KB4570505    2020-08 Cumulative Update for .NET Framework 3.5, 4.7.2 and 4.8 for Window.

machinename    Installed   KB2267602    Security Intelligence Update for Microsoft Defender Antivirus - KB226702 (...

machinename   Installed   KB4565349    2020-08 Cumulative Update for Windows 10 Version 1809 for x64-based Systems....

AndrewTTT 2020-09-28 13:07:03 UTC #4

Hi,
thanks for the answer, but does this trigger the updates via bigfix of the usual windows updates?

dakota 2020-09-28 14:19:58 UTC #5

It triggers windows updates on the machine. the pswindowsupdate script uses the windows update api to check for updates or install the updates.

cmcannady 2020-09-28 16:59:48 UTC #6

@AndrewTTT, any Windows patches would not be triggered without a corresponding action that includes the endpoint in question. Have you issued a baseline policy action or patch policy in WebUI that would push/install the requisite patches on your newly imaged endpoints?

AndrewTTT 2020-09-28 17:54:17 UTC #7

We have bigfix infrastructure and mostly is setup automatically for lower environments, and by a push for the bigfix admin.
In my case, i dont want to install windows updates in a new template machine (generated with packer) (it takes too much time), and try to install all updates that are already on bigfix from the pipeline.

I could probably register that new vm and call an endpoint on bigfix to trigger the update asynchronously, but from packer i wont know when the update or reboots are finished.

AndrewTTT 2020-12-08 18:24:50 UTC #8

Hi @cmcannady
So i got a new machine with packer, install bigfix client, set some settings for the client and the update works.
The problem is how to handle restarts, because packer believe the process faild when BigFIx restart the machine to apply windows updates.

i was thinking to disable restart from bigfix after apply windows updates, but, is there a way to query (log files, API request) that updates are ready and we should restart? Then i will handle windows restarts from Packer.

cmcannady 2020-12-11 13:56:27 UTC #9

@AndrewTTT, you can utilize the pending restart inspector to create a restart process that’s divorced from the Windows patching process.

I have an example fixlet named BPS - BESClient - Pending Restart available in my personal GitHub to draw inspiration.

AndrewTTT 2020-12-17 18:36:02 UTC #10

Thanks, i will check your fixlet.

Now i query BESPendingRestart registry entry, but i need to do around 7-8 restarts. Im not sure why BigFix add this entry in the registry while is still installing other updates.

IM very close to have a

is there a way to check that all the updates are complete? windows registry? rest call to bigfix api?

JasonWalker 2020-12-17 19:15:31 UTC #11

BigFix will add a value for each Action that requests a restart. They should all be cleared with a single reboot, if the updates appear to be clear after a reboot.