Windows Server 2019 Unattended Install Windows Updates

When performing an unattended installation of Windows Server, one of the great things you can do is also install any available Windows Updates as part of the install. In playing around with Packer recently, I have been working on a build process for the home lab that keeps an up-to-date Windows Server build always available as a template for deploying workloads in the lab. Let’s take a quick look at Windows Server 2019 Unattended Install Windows Updates and how this can easily be accomplished with the autologon functionality and the ability to run scripts during the first logon session of an unattended installation.

Configuring AutoLogon in the Unattend Answer File

Using the unattend answer file in the Windows Server 2019 automated installation, we can both set the password for the Administrator user and set the AutoLogon flag so that the account is logged on automatically for the configured number of times during the unattended installation. To do that, let’s look at the code. Below, you will see the password being configured for the Administrator account and AutoLogon being enabled. This can be set to whatever account you wish.

Additionally, the line powershell -ExecutionPolicy Bypass -File a:\configuration.ps1 sets a script file to execute after the autologon takes place.

<settings pass="oobeSystem">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <AutoLogon>
                <Password>
                    <Value>password</Value>
                    <PlainText>true</PlainText>
                </Password>
                <LogonCount>3</LogonCount>
                <Username>Administrator</Username>
                <Enabled>true</Enabled>
            </AutoLogon>
            <FirstLogonCommands>
                <SynchronousCommand wcm:action="add">
                    <Order>1</Order>
                    <!-- Configure the Machine -->
                    <CommandLine>powershell -ExecutionPolicy Bypass -File a:\configuration.ps1</CommandLine>
                    <RequiresUserInput>true</RequiresUserInput>
                </SynchronousCommand>
            </FirstLogonCommands>
            <UserAccounts>
                <AdministratorPassword>
                    <Value>password</Value>
                    <PlainText>true</PlainText>
                </AdministratorPassword>
            </UserAccounts>
        </component>
    </settings>

Windows Server 2019 Unattended Windows Server Install Windows Updates

The configuration.ps1 file can contain any number of useful PowerShell or other command line statements to customize or configure various aspects of the system. One of those commands and sections of configuration we can add is the following:

#Install PS Windows Update Module

Get-PackageProvider -name nuget -force
Install-Module PSWindowsUpdate -confirm:$false -force
Get-WindowsUpdate -MicrosoftUpdate -install -IgnoreUserInput -acceptall -AutoReboot | Out-File -filepath 'c:\windowsupdate.log' -append

These commands pull down the PSWindowsUpdate PowerShell module, which allows easily installing Windows Updates using PowerShell. The first line installs the NuGet provider, which is needed for the PSWindowsUpdate installation.

Get-PackageProvider -name nuget -force

In the next line, the PSWindowsUpdate module is used to get the available Windows Updates from the Microsoft Update server, install them, ignore user input, and accept any prompts. The server is directed to AutoReboot, which will automatically reboot the server after the installation is finished. All of this is logged to the ‘c:\windowsupdate.log’ file.

Get-WindowsUpdate -MicrosoftUpdate -install -IgnoreUserInput -acceptall -AutoReboot | Out-File -filepath 'c:\windowsupdate.log' -append

I haven’t seen a graceful way to trigger another start of the script if a reboot is needed in between installing updates. However, one thing I have been experimenting with that seems to be working is to add a RunOnce script to kick off another PowerShell script to run the command once again.

The code below adds a RunOnce entry that directs it to run a batch file that runs a snippet of PowerShell code to run the Get-WindowsUpdate command once again.

#Add Phase Two script
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' -Name Phase2 -Value 'c:\windows\tools\setup\phase2.bat'

The below runs the command once again. This time, it ignores the reboot and then sets the AutoLogonCount to 0.

#Second Round of updates
Get-Wulist -MicrosoftUpdate -install -acceptall -IgnoreReboot

# Reset auto logon count
# https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-autologon-logoncount#logoncount-known-issue
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name AutoLogonCount -Value 0
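
One way to repeat the update pass across as many reboots as it takes, as an added example that is not the author's script: it re-queues itself through the same RunOnce key, and on the final pass turns autologon off and removes any stored logon password. The script name Update-Loop.ps1, the state file, the cap of 5 passes and the AutoLogonCount value of 1 are assumptions.

```powershell
# Added example, not the author's script. Run once from configuration.ps1;
# it then re-queues itself through RunOnce until no updates are left.
# Assumed names: Update-Loop.ps1, update-pass.txt, the cap of 5 passes.
$Dir       = 'C:\Windows\Tools\Setup'        # folder the page uses for phase2.bat
$Self      = Join-Path $Dir 'Update-Loop.ps1'
$StateFile = Join-Path $Dir 'update-pass.txt'
$RunOnce   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$Winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Log       = 'C:\windowsupdate.log'
$MaxPasses = 5    # stop even if one update keeps failing and being re-offered

Import-Module PSWindowsUpdate

# Count passes across reboots with a small state file.
$pass = 1
if (Test-Path $StateFile) { $pass = [int](Get-Content $StateFile) + 1 }
Set-Content -Path $StateFile -Value $pass

# List only; nothing is installed by this call.
$pending = @(Get-WindowsUpdate -MicrosoftUpdate -IgnoreUserInput)
"Pass ${pass}: $($pending.Count) update(s) pending" | Out-File -FilePath $Log -Append

if ($pending.Count -gt 0 -and $pass -le $MaxPasses) {
    # Queue the next pass before installing, so an unexpected restart cannot
    # lose it. RunOnce runs this with the logged-on administrator's rights,
    # so the script must stay in a folder only administrators can write to.
    $cmd = "powershell.exe -ExecutionPolicy Bypass -File `"$Self`""
    Set-ItemProperty -Path $RunOnce -Name 'UpdateLoop' -Value $cmd
    # Assumption: autologon is still enabled; allow it for the next boot.
    Set-ItemProperty -Path $Winlogon -Name AutoLogonCount -Value 1

    Get-WindowsUpdate -MicrosoftUpdate -Install -AcceptAll -IgnoreUserInput -IgnoreReboot |
        Out-File -FilePath $Log -Append
    Restart-Computer -Force
}
else {
    # Final pass: stop automatic logons and drop any stored logon password
    # so the template is not sealed with autologon still armed.
    Set-ItemProperty -Path $Winlogon -Name AutoLogonCount -Value 0
    Set-ItemProperty -Path $Winlogon -Name AutoAdminLogon -Value '0'
    Remove-ItemProperty -Path $Winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $RunOnce -Name 'UpdateLoop' -ErrorAction SilentlyContinue
    Remove-Item -Path $StateFile -ErrorAction SilentlyContinue
}
```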

You can add any number of directives here when configuring your Windows Server unattended installations. I have added many registry customizations as well as custom tools. You can run Ansible configuration scripts for WinRM, or Chef configuration tools, to have all of these types of things already in the box, housed in the virtual machine template file.

Using Packer to drive the unattended installation of Windows Server 2019 allows scheduling and controlling the process so that your virtual machine can be built totally “hands off” in an automated way and then automatically turned into a virtual machine template. All you have to do is feed it an ISO file from Microsoft and the other relevant configuration in the unattend answer file.

Benefits of Windows Server 2019 Unattended Install Windows Updates installation

Building up a new server using the unattended approach is vastly beneficial since it is automated. This takes out the possibility of human error, and you know it is done identically each time it is run. Also, all of the time waiting on updates is spent outside of when you need the template. A new build of the server can be scheduled during the night, pulling all the updates available at the time. With these and many other benefits, there is much value in the unattended Windows Server install.

Wrapping Up

Hopefully this look at Windows Server 2019 Unattended Install Windows Updates will help some who may want to accomplish this in their automated builds of Windows Server. Using Packer, the full process can be automated from beginning to end.