scripting Windows Update without SUS

G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hi,

This is dead easy on other operating systems, but I can't find the
simple way to do it on Windows.

All I want to do is run a script that will force Windows to immediately
download and install all available critical updates. I don't want to
have to run a sus server, a wsus server, or any local cache of the
updates.

I just want to have one command line to run like I can do on Red Hat,
Mandriva, SuSE, Fedora, CentOS, Debian, Mac OS X, etc. Something like:

winupdate /update /force /critical

Any ideas?

Thanks,
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Description of the Automatic Updates feature in Windows
http://support.microsoft.com/default.aspx?scid=kb;en-us;294871

How to configure and use Automatic Updates in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;306525

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Microsoft Newsgroups

Get Windows XP Service Pack 2 with Advanced Security Technologies:
http://www.microsoft.com/athome/security/protect/windowsxp/choose.mspx

-------------------------------------------------------------------------------------------

"jd142" wrote:

| Hi,
|
| This is dead easy on other operating systems, but I can't find the
| simple way to do it on Windows.
|
| All I want to do is run a script that will force Windows to immediately
| download and install all available critical updates. I don't want to
| have to run a sus server, a wsus server, or any local cache of the
| updates.
|
| I just want to have one command line to run like I can do on Red Hat,
| Mandriva, SuSE, Fedora, CentOS, Debian, Mac OS X, etc. Something like:
|
| winupdate /update /force /critical
|
| Any ideas?
|
| Thanks,
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

In news:1119116869.326012.20810@g49g2000cwa.googlegroups.com,
jd142 <jd142@hotmail.com> typed:
> Hi,
>
> This is dead easy on other operating systems, but I can't find the
> simple way to do it on Windows.
>
> All I want to do is run a script that will force Windows to
> immediately download and install all available critical updates. I
> don't want to have to run a sus server, a wsus server, or any local
> cache of the updates.
>
> I just want to have one command line to run like I can do on Red Hat,
> Mandriva, SuSE, Fedora, CentOS, Debian, Mac OS X, etc. Something
> like:
>
> winupdate /update /force /critical
>
> Any ideas?
>
> Thanks,

Not possible that I know of. Why not just set up automatic updates to run
at, say, 3AM?

You might want to post in m.p.windowsupdate for more suggestions.
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

jd142 wrote:

> This is dead easy on other operating systems, but I can't find the
> simple way to do it on Windows.
>
> All I want to do is run a script that will force Windows to immediately
> download and install all available critical updates. I don't want to
> have to run a sus server, a wsus server, or any local cache of the
> updates.
>
> I just want to have one command line to run like I can do on Red Hat,
> Mandriva, SuSE, Fedora, CentOS, Debian, Mac OS X, etc. Something like:
>
> winupdate /update /force /critical
>
> Any ideas?
Hi,

Command line, no, but it has a COM interface so you can use e.g.
a VBScript:

Windows Update Agent API
http://msdn.microsoft.com/library/en-us/wua_sdk/wua/portal_client.asp



--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Those all seem to involve using the Automatic Updates feature or going
through Windows Update by hand, which isn't what I want. I know you
can force an automatic updates regime via gpo, and I do, but that isn't
quite the same.

AU runs on a schedule, and unless the computer is on at the scheduled
time, the updates aren't installed, they are just downloaded and the
user has to install them by hand.

I want something that is more robust and user controllable like I have
with other Operating Systems
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

jd142 wrote:
> AU runs on a schedule, and unless the computer is on at the scheduled
> time, the updates aren't installed, they are just downloaded and the
> user has to install them by hand.

Then your settings are wrong and/or you have given the user too much power.

--
Shenan Stanley
MS-MVP
--
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hmm. The GPO settings are normally just for setting when the updates
are downloaded and installed. If the computer is off at the scheduled
time, updates are downloaded on the next network connection but are not
automatically installed.

Which in some cases is a good thing because the install would interrupt
computer use during presentations and you'd get that annoying window
that pops up every 10 minutes saying "Updates have been installed.
Restart now or Later." and there's no button that says Later, no leave
me alone.

You have to kill wuauclt to get the message to go away. Not a big
problem at work, but annoying as hell when I'm at home and it pops up
in the middle of a game. ;)
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

On 20 Jun 2005 06:55:52 -0700, "jd142" <jd142@hotmail.com> wrote:

>Hmm. The GPO settings are normally just for setting when the updates
>are downloaded and installed. If the computer is off at the scheduled
>time, updates are downloaded on the next network connection but are not
>automatically installed.

>Which in some cases is a good thing because the install would interrupt
>computer use during presentations and you'd get that annoying window
>that pops up every 10 minutes saying "Updates have been installed.
>Restart now or Later." and there's no button that says Later, no leave
>me alone.

>You have to kill wuauclt to get the message to go away. Not a big
>problem at work, but annoying as hell when I'm at home and it pops up
>in the middle of a game. ;)

What I'd *really* like is a "download auto, do not install" that
works, i.e. stores the updates in a form I can find and apply at any
time, without nagging to install them or installing them on shutdown
unless I "click the small print link to shutdown without installing".

The present SP2 logic applies so much UI pressure to install, that I'm
tempted to retreat to "notify, do not download or install", and that
means I might have to mission around the update site to find what I
need and download manually. I'm quite likely to lapse on that.

The ideal UI for "download auto, do not install" would store
downloaded updates in the location of my choosing (i.e. in my case, a
subdir within HD volume F:) with a GUI front-end that lists them,
indicates whether they're installed, and has links to the /kb article
associated with each. There, I could checkbox a bunch of them to
either install, or export to USB or CDR etc.

If I export to USB, CDR etc. it would create a GUI front-end that goes
with them, than is also checkboxable, and that will install them in
the correct sequence. I could use that on arbitrary PCs, or my own PC
should I ever need to "just" re-install Windows, and so lose patches.

Each patch would be in a form that is tamper-resistant; no infectable
code (so both these and the GUI front-end would not be .EXE), and some
way of determining the integrity. There'd also be a copy of the
relevant /kb documentation within each (plain text is "cheap") that
the GUI could display, even when dealing with loose patches.

The code that operates on these would be within the system applying
the patches, not bouncing around with the patches themselves.

That leaves one conundrum; what to compare with, when it comes to
integrity checking. If the comparison data is with the patch, it can
be co-spoofed by malware invading or faking the patch. If it's on the
'net, I can't get it if offline, and malware could spoof the DNS to
redirect me to fake integrity data.

Perhaps a private/public key infrastructure would be useful here?

If serious about getting ppl to patch, that IMO is how to do it. If
you'd rather be anal about licensing, well... we reap what you sow.


>-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
>----------------------- ------ ---- --- -- - - - -