I was searching for a way to further automate new Windows system deployments. One thing I kept running into was Windows updating.

I have refined and added automation to my process over the past several years. For Windows 10 clients, my current deployment process involves an MDT/WDS server that has a stock Windows 10 wim file. To customize the deployments, I have a collection of GPOs and PDQDeploy packages for software installation and some other GPOs for policies.

I recognized that one of the consistent pain points was related to getting Windows updates going. I had previously just had a GPO to specify some of the settings for Windows updates, such as, the WSUS server URL/port number and how often to check for updates. I reorganized my WSUS server from quite a few groups, to a much simpler grouping by OS version. With that, I created GPOs that applied to systems based on OS version, using WMI filtering that would automatically add the computer to the respective WSUS OS group.

That helped... but I still had a considerable wait for Windows to start its automatic check-in with WSUS. I also found that even logging directly into the new system and forcing a check for updates would yield a lot of waiting and false reporting that there were no updates available. I found that if you deleted the C:\Windows\SoftwareDistribution folder, it would almost always force the client to recognize that there were new updates to install, although the check seemed to take a considerable amount of time. After all that, I still had to wait for the installations to finish and reboot and recheck.

All that to say, I started down a rabbit hole of PowerShell commandlets and scripts to try and trigger Windows to check for updates, install the approved updates and reboot the system. I came up with 3 scripts that can be run in sequence or used separately, depending on if it is a completely new deployment or you just want to trigger Windows updates to install on established systems.

First, this will speed up the new system deployment process by deleting the contents of the Software Distribution folder-

Stop-Service -Name wuauserv
Get-ChildItem C:\Windows\SoftwareDistribution -Recurse | Remove-Item -Recurse -Force
Start-Service -Name wuauserv

Second, install PSWindowsUpdate (Learn more here: https://www.powershellgallery.com/packages/PSWindowsUpdate/2.1.1.2). Essentially, PSWindowsUpdate allows you to run windows update and control certain parameters of how updates are downloaded and applied and if reboots are performed and even rechecks for updates after the first round of updates have been installed.

Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Install-Module PSWindowsUpdate -Force

Third, run PSWindowsUpdate. This command tells it to accept (download and install) all approved updates from the WSUS server, automatically reboot, and repeat.

Import-Module PSWindowsUpdate
Get-WindowsUpdate -Install -AcceptAll -RecurseCycle 2 -AutoReboot

There are several parameters to allow you to customize how you want to handle the updates. For instance, you can have it download only, or don't have it automatically reboot.

I added these scripts as packages in my PDQ Deploy server and into the sequences that are run during the initial setup of my newly-deployed systems. I have also started using them on servers cloned from VM templates in vCenter Server. Next, I will be using the 2nd and 3rd to help with automating my routine server patching processes. No more logging into each server, wasting nights and weekends, to check for updates, download and install and reboot; just a couple clicks via PDQ Deploy, the rest is machine time.

EDIT: I should also add, it looks like you need to have PowerShell 5.1.

EDIT-2: If you have problems with Server 2016 (maybe even 2019) going out to Microsoft's public update server on the internet, instead of your WSUS server, you can see this post (https://mangolassi.it/topic/19993/server-2016-force-default-update-server-to-wsus-server) on how to make sure your GPO will force the system to use your WSUS server as its default.

If I could, I would throw all of our printers into the recycle bin, after taking a bat, Office Space-style, to every last mother effing one of them.

@dafyre said in Group Policy isn't working after Ransomware Attack:

This sounds like the AD Servers were restored from a backup and got out of sync... Could that be the case?

Yeah, it does. I am pretty sure that if you have an issue that you need to restore AD, you would bring down all DCs and restore a single DC, then add new DCs. But, I am thinking this would be better to do a completely new AD environment. Too many ghosts.

@tim_g said in What Are You Doing Right Now:

@thwr said in What Are You Doing Right Now:

Hit by a truck - that's how I feel like. Guess I catched a cold.

Rebuilding a patch panel, looks like the incarnation of the spaghetti monster right now. Should look like this when it's done:

Patch panel
48 port switch
Patch panel
Cable management panel
Patch panel
48 port switch
Patch panel

... and so on. A lot of work, but it's worth the effort.

You don't have a full rack of patch panels, then a full rack of switches?

I do it that way now too...

I thought this was interesting. I received a notification from the CentOS team about some infra downtime. I would have thought they would have redundant servers/cluster hosting this stuff. They don't even have hot-swappable HDDs.

I have to carve out an hour and a half to watch the two SAM presentations posted earlier in this thread...

Wondering why this Dell SMB rep took it upon himself (without asking) to use my reward dollars to send me a monitor I don't want or need. He did it a month ago and sent me a printer. I am sending this one back and demanding a refund.

I have been using the hosted version of Snipe-IT for almost a year. Currently, I am on v4.2.0 build 3479. I am adding assets as I get them and back-filling as time permits/necessary. In adding licenses, I am having trouble with the how I should manage the added maintenance agreements for software, subscription-based software licensing (especially, Office 365, as mid-term adds will push the renewal date for the entire license class back) and SaaS,

Should I create a new license instance each time I renew? Or would I just modify the dates on the existing license instance?How would you recommend doing it?

Also, is anyone using it to track domain registrations?

@WrCombs said in Windows 10 goes to sleep outside listed sleep times:

@wrx7m said in Windows 10 goes to sleep outside listed sleep times:

@scottalanmiller said in Windows 10 goes to sleep outside listed sleep times:

@wrx7m said in Windows 10 goes to sleep outside listed sleep times:

For the record, at home, I use the actual hibernation on 3 desktops ALL THE TIME. I never actually use shutdown. I can wake them up using my phone from anywhere. When I am done, I hibernate. That isn't to say that I don't reboot them from time to time.

While I generally hate it, I can make somewhat obvious cases for why actual hibernate would exist. I don't want it in any business because Windows seems unstable with it. It creates all kinds of support issues. But there is a reason for it to exist. But this weird half assed hibernation where the apps are shut down? That's useless.

Exactly. I disable hibernation at work. Sleep also creates all sorts of issues that a reboot will fix. All desktops have any type of sleep/hibernate disabled because there is no need and it potentially introduces all sorts of issues.

sleep and hibernation cause issues with My current Job.

Lack of sleep causes issues with my current job.

Hi all,

Just wanted to post that l was in Ireland last month for a fantastic vacation (first real vacation since I started this job almost 7 years ago)! While there, I spotted a Ubiquiti WAP at the Guinness brewery in Dublin. I thought that was kinda cool, so I am posting a pic

@nadnerb I thought Macs were immune to viruses #sarcasm

@johnhooks said:

@wrx7m said:

Should I create a new thread for this? Got through the installation and when I ran zerotier-cli /controller to verify installation, I got "missing authentication token and authtoken.secret not found (or readable) in /var/lib/zerotier-one". I tried restarting the zerotier service and also a full reboot of the ubuntu server.

EDIT: I did check the contents of the aforementioned directory and did see the authtoken.secret file but not sure what the other would be if it weren't the same thing...

did you run as sudo?

Son of a ... You got me.

That was it.

Finished Ozark Season 2 and Jack Ryan. Both great shows.

TurboTax Hit with Cyberattack, Tax Returns Compromised
https://www.darkreading.com/threat-intelligence/turbotax-hit-with-cyberattack-tax-returns-compromised/d/d-id/1333954?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

"The incident was discovered during a system security review, Intuit reported in a breach disclosure letter filed with the Office of the Vermont Attorney General and shared with affected users. Officials explain how an unauthorized party targeted TurboTax users by taking usernames and passwords "from a non-Intuit source," which they used in a credential stuffing attack.

If their login was successful, attackers may have accessed data contained in a prior year's tax return or current tax returns in progress. This includes name, Social Security number, address(es), birthdates, driver's license number, and financial data (salary, deductions), as well as information belonging to other individuals included in the victim's tax return, they report."

@scottalanmiller Thanks, I did have them assigned as dedicated resources/DCs.

It was definitely a bug in the Pertino client (build 520):
So after dealing with Pertino support, they recommended I try the previous build (510) and that seems to have corrected the issue. They mentioned there were some other problems that led them to pull down the 520 build from the site and replace it with the 510. Support said that a new build (526) should be released soon.

@scottalanmiller said in Random Thread - Anything Goes:

That is the guy who comes to me/IT claiming he dropped it in the sink and hands it to you. You later find out from someone else what really happened. #HappenedToMe

@mlnews said in Miscellaneous Tech News:

Google’s second Android Q Beta brings us “Bubbles” multitasking

Minimize apps to a floating, always-on-top bubble.

Google is releasing the second Android Q Beta today. As we learned with the first release, Android Q is bringing support for foldable smartphones, better privacy and permissions controls, and a grab bag of other features. We've yet to install the second beta on one of our own devices, but Google's release blog post promises "bug fixes, optimizations, and API updates," as well as a crazy new multitasking feature and an emulator for foldables.

That is my least favorite thing about facebook messenger and some other app started doing that today. I don't need a floating icon always on my screen getting in the way of all the things.

@LAH3385 said:

We have Veeam Endpoint 1.1.2.119. How do we upgrade it to 1.5? Reinstall? Will that break the backup sequence?

I just ran the installer and it upgraded the existing installation, in place.

Quick shot from when I first got home.

@mlnews said in Miscellaneous Tech News:

YouTube TV adds channels and raises price—you can’t opt out of either change

YouTube TV raises price from $40 to $50 for new and existing customers.
YouTube launched its competitor to cable TV two years ago, charging $35 a month, but it's now over 40 percent more expensive.

A move away from what people who want to cut the cord (or already have) want. I don't want predetermined bundles that some random execs constructed. I want a la carte, with the ability to get a discount when creating my own bundles. Sort of like tiered volume licensing; 10 is 3% off, 20 is 7% off, etc.