Dynamic Provisioning with VMM: Proxy, Windows Updates, and Scripts

  • Article

In our environment, there are two things that are critical to success of an environment that is dynamically built from scratch – Updates & Internet connectivity.  This might seem odd since most would believe that we would utilize WSUS & the Software Update Points in Configuration Manager to do our patching and truth be known we do.  However, non-compliant servers with specific hot-fixes are not allowed to come on the network and to avoid big delays we do not push the ConfigMgr clients to our servers “immediately.”  Thus, we depend on Windows Update connectivity for our servers and also proxies as we can’t get to the internet without them.

In today’s post, I’m going to share a settings configuration we use in our unattend.xml to ensure that our automated scripts effectively reach the internet and secondly the script itself.  The script is shared as-is and credit goes to Ben Shy & Michael Schmidt on my team for the actual building of the script though I’m consuming it in my design of dynamic provisioning.

Setting Proxy Settings to work during Dynamic Provisioning Servers

In some situations, you will have the following settings in your unattend.xml file though upon completion you will not have any proxy settings set.  This is very troublesome and I couldn’t locate much of any data or information regarding how to correct this on the internet and had to use internal resources to troubleshoot (Thanks Eric!).  For the longest time, I had the following settings in my unattend XML:

Code Snippet

  1.   <settings pass="oobeSystem">

  2.     <component name="Microsoft-Windows-IE-ClientNetworkProtocolImplementation" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="https://schemas.microsoft.com/WMIConfig/2002/State">

  4.       <HKLMProxyEnable>true</HKLMProxyEnable>

  5.       <HKLMProxyServer>itgproxy</HKLMProxyServer>

  6.     </component>

  7.   </settings>

This is all that is discussed in the WAIK unattended help file and thus should just work, right?  Wrong!  Unfortunately, there was a little unknown (to me) key called ProxySettingsPerUser that needed to get set though this wasn’t outlined anywhere in the documentation.  I can’t, unfortunately, provide you a lot of insight as to what is so important other than what is covered in TechNet.  It basically changes the Windows behavior where proxy settings are per machine rather than per user.  However, I had no idea this was needed nor that I could include it in my unattend.xml file.  However, with a little digging, some help, and testing we found that it was absolutely possible to include this in the WAIK’s unattend.xml and it would be honored.  Thus, my working XML is the following that sets my proxy settings so that scripts running on the server but not as a user would honor the proxy settings:

Code Snippet

  1. <settings pass="oobeSystem">
  2.     <component name="Microsoft-Windows-IE-ClientNetworkProtocolImplementation" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="https://schemas.microsoft.com/WMIConfig/2002/State">
  3.       <POLICYProxySettingsPerUser>0</POLICYProxySettingsPerUser>
  4.       <HKLMProxyEnable>true</HKLMProxyEnable>
  5.       <HKLMProxyServer>OurProxy</HKLMProxyServer>
  6.     </component>
  7.   </settings>

After testing, the script ran successfully and completely thus ensuring that our virtual machines were compliant quickly after they hit the network.

Scripting Critical Updates for Windows Server from Windows Update

In this section, we will focus on the script itself that does the work of connecting to Windows update, providing the appropriate client-based information, and installing the updates.  The first thing to note that is critical is the error message received when you do not have a viable connection to the internet.

Using Windows Update vs. Microsoft Update:  That is the question…

A great number of folks don’t quite know the reason that Microsoft has two viable update engines, Windows (WU) and Microsoft update (MU).  The former focuses only on the Windows platform and will only serve the core Windows operating system binaries.  The latter, though, is an opt-in service, that offers the ability for servers to get updated and patched that are not only running Windows but additional Microsoft software such as Office, etc.  In order for the Microsoft update engine to work, the Windows update agent client is replaced with the Microsoft update agent in Windows Vista & above.  For older operating systems, a different ActiveX control is installed in Internet Explorer.

For our environment, we wanted to ensure that we downloaded only critical updates from Windows Update at the time of server creation.  In order to do this, we utilized the following sample script:

Code Snippet

  1. '================================================================================

  2. ' Microsoft Update

  3. '================================================================================

  4. ' Authors: BENSHY/OTHERS/MSDN

  5. ' Comments/Cleanup: MICHS 5.14.09

  6. '

  7. '================================================================================

  10. '#############################

  11. ' Create Session

  12. '#############################

  13. wscript.echo "-------------------------- Create Session --------------------------"

  14. Set UpdateSession = CreateObject("Microsoft.Update.Session")

  15. Set UpdateSearcher = UpdateSession.CreateUpdateSearcher()

  17. '#############################

  18. ' Register Microsoft Update

  19. '#############################

  20. RegisterMu

  21. updateSearcher.ServerSelection = 2

  22. updateSearcher.ServiceID = "7971f918-a847-4430-9279-4a52d1efe18d"

  25. '#############################

  26. ' Create List of Updates to Download

  27. '#############################

  28. wscript.echo "-------------------------- Create List --------------------------"

  29. Set UpdatesToDownload = CreateObject("Microsoft.Update.UpdateColl")

  33. '#############################

  34. ' Search for Updates

  35. '#############################

  36. wscript.echo "-------------------------- Search for Updates ---------------Start: " & Now()

  37. Set SearchResult = UpdateSearcher.Search("Isinstalled=0")

  38. wscript.echo "---------------------------Search for Updates Complete-------End:   " & Now()

  41. '#############################

  42. ' Quit if No Updates Found

  43. '#############################

  44. If SearchResult.Updates.Count = 0 Then

  45.     WScript.Quit

  46.     WScript.Echo "No updates found."

  47. End If

  49. Dim strSpacer

  50. For I = 0 To SearchResult.Updates.Count-1

  51.     Set Update = SearchResult.Updates.Item(I)

  52.     

  53.     ' formatting helper

  54.     If I < 10 Then

  55.         strSpacer = " "

  56.     Else

  57.         strSpacer = ""

  58.     End If

  59.     

  60.     ' write to console

  61.     WScript.Echo "[" & strSpacer & I & "]  Found Update, Marking For Download:  " & update.Title

  63.     UpdatesToDownload.Add(Update)

  64. Next

  66. '#############################

  67. ' Download Updates

  68. '#############################

  69. wscript.echo "-------------------------- Downloading Updates ----------------------Start: " & Now()

  70. Set Downloader = UpdateSession.CreateUpdateDownloader()

  71. Downloader.Updates = UpdatesToDownload

  73. On Error Resume Next

  74. Downloader.Download()

  76. If Err.number <> 0 Then

  77.     Wscript.Echo "An error occurred in  Downloader.Download() of updates"

  78.     Wscript.Echo "Number: " & err.number

  79.     Wscript.Echo "Description:  " & err.Description

  80.     Wscript.Quit (Err.number)

  81. End If

  83. On Error Goto 0

  84. wscript.echo "-------------------------- Downloading Complete ----------------------End: " & Now()

  87. '#############################

  88. ' Create List of Updates to Install

  89. '#############################

  90. wscript.echo "-------------------------- Create List of Updates to Install --------------------------"

  91. Set UpdatesToInstall = CreateObject("Microsoft.Update.UpdateColl")

  92. For I = 0 To SearchResult.Updates.Count-1

  93.     set Update = SearchResult.Updates.Item(I)

  94.     If Update.IsDownloaded = true Then

  95.         UpdatesToInstall.Add(Update)

  96.         WScript.Echo "Marking update for install: [" & Update.Title & "]"

  97.     End If

  98. Next

  100. '#############################

  101. ' Install Updates

  102. '#############################

  103. wscript.echo "-------------------------- Installing Updates --------------------------"

  104. Set Installer = UpdateSession.CreateUpdateInstaller()

  105. Installer.Updates = UpdatesToInstall

  107. Set InstallationResult = Installer.Install()

  108. wscript.Echo "Installation Result: " & InstallationResult.ResultCode

  109. wscript.Echo "Reboot Required: " & InstallationResult.RebootRequired

  110. wscript.Echo "Listing of updates installed and individual installation results:"

  111.     

  112.     For I = 0 to UpdatesToInstall.Count - 1

  113.         WScript.Echo I + 1 & "> " & _

  114.         UpdatesToInstall.Item(I).Title & ": " & TranslateMuCode(InstallationResult.GetUpdateResult(i).ResultCode)

  115.     Next

  119. '#############################

  120. ' Quit

  121. '#############################

  122. WScript.Quit

  125. '================================================================================

  126. ' Translate Microsoft Update Installation Results

  127. '================================================================================

  128. Function TranslateMuCode(theCode)

  130.   TranslateMuCode = "[" & theCode & "] "

  131.   if (theCode = 0) Then TranslateMuCode = TranslateMuCode & "Not Started"

  132.   if (theCode = 1) Then TranslateMuCode = TranslateMuCode & "In Progress"

  133.   if (theCode = 2) Then TranslateMuCode = TranslateMuCode & "Succeeded"

  134.   if (theCode = 3) Then TranslateMuCode = TranslateMuCode & "Succeeded with Errors"

  135.   if (theCode = 4) Then TranslateMuCode = TranslateMuCode & "Failed"

  136.   if (theCode = 5) Then TranslateMuCode = TranslateMuCode & "Aborted"

  138. End Function

  141. '================================================================================

  142. ' Register Microsoft Update (if never registered)

  143. '================================================================================

  144. Function RegisterMu

  145.     Dim fso

  146.     Dim file

  147.     Dim WshShell

  148.     Dim updateService

  149.     Dim updateServiceManager

  150.     

  151.     found = false

  152.     

  153.     Set fso = CreateObject("Scripting.FileSystemObject")    

  154.     Set WshShell = WScript.CreateObject ("WScript.Shell")

  155.     

  156.     Set updateServiceManager = CreateObject("Microsoft.Update.ServiceManager")

  157.     Set updateService = updateServiceManager.Services

  158.     

  159.     If err <> 0 Then

  161.         WScript.Echo "CreateObject(Microsoft.Update.ServiceManager) failed with error 0x" & Hex(err.Number)  & err.Description

  162.         WScript.Quit(2)

  164.     End If

  166.     For I=0 to updateService.Count - 1

  167.         Set item = updateService.Item(i)

  168.         If item.ServiceID = "7971f918-a847-4430-9279-4a52d1efe18d" Then

  169.             found = true

  170.         End IF

  171.     Next    

  173.       

  174.     IF found = false Then

  175.         updateServiceManager.AddService2 "7971f918-a847-4430-9279-4a52d1efe18d", 2, ""

  176.         

  177.         If err <> 0 Then

  178.             WScript.Echo "updateServiceManager.AddService() failed with error 0x" & Hex(err.Number) & err.Description

  179.         Else

  180.             WScript.Echo "MU is registered with WU Agent"

  181.         End IF

  183.     End IF

  185. END Function

Using Microsoft Update instead of Windows Update

In the above script, the updateSearcher.ServerSelection option can be modified to instead use Microsoft update.  This depends on your scenario and your goal.  For our environment, we didn’t need to focus on Microsoft update rather just Windows update.  For example, if i set server selection to 1 then I would get a ton of Microsoft updates including items like Windows Live Essentials (ouch!) and other bogus updates.  I corrected this behavior changing the value for ServerSelection to 2 which uses Windows Update and only gets Critical Updates.

Summary

In this post, I shared how I modified our unattend.xml file that is used with our provisioning of new virtual machines to ensure that the servers not only were ready to serve clients but also they were correctly patched.  This is very important for the security of the network and your sanity.  In order to do this, I used a unknown setting in my unattend.xml file that is called PolicyProxySettingsPerUser and set this value to 0 that forced the proxy settings per machine.

Lastly, I shared a sample script managed and maintained by my team for patching clients using MU and I altered it to use WU instead. 

Enjoy!

-Chris

Digg This