Some Notes on the Machines

This command:

wmic product where name="Application Name" call uninstall /nointeractive

appears to do it. Put the whole long name from the software list in Control Panel, within those double parentheses. This works in at least some cases where msiexec /x does not. And it is not version-specific.

To get a full list of names with GUIDs, try this:

get-wmiobject Win32_Product | sort-object -property Name | Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize

This is a skeleton, Powershell. Needs prerequisite setup added.

$Cred = Get-Credential
Connect-MSolService -Credential $Cred
Install-Module MSOnline
Get-MsolUser -ReturnDeletedUsers
# The list of users/mailboxes marked 'deleted', is visible, if there are any.
# Do the next step ONLY if you are certain. There is no going back after this.
Get-MsolUser -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force

Here it is:

$BLVolume = Get-BitLockerVolume -MountPoint "C:"
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLVolume.KeyProtector[1].KeyProtectorId

This method uses Powershell module PsWindowsUpdate.

1. Run this in administrative Powershell:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Set-Executionpolicy RemoteSigned -Scope Process -Force
Install-PackageProvider -Name NuGet -Force -ErrorAction 'SilentlyContinue' > $null
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
If (Get-InstalledModule -Name PsWindowsUpdate -ErrorAction 'SilentlyContinue') {
	Update-Module -Name PSWindowsUpdate -Force
} Else {
	Install-Module -Name PSWindowsUpdate -Force
}
Import-Module PSWindowsUpdate

2. Then check the list of available updates:

Get-WindowsUpdate

3. You may find some that you want to omit, e.g., build upgrades. If you found one marked KB1234567, you would install all and omit that one thus:

Install-WindowsUpdate -KBArticleID KB1234567 -AcceptAll

If you had two KBs to omit:

Install-WindowsUpdate -AcceptAll -NotKBArticleID "KB1234567,KB7654321"

There are other noteworthy items. Lots of firmware is being sent by Microsoft now, and some of this is more up-to-date than that available from the vendor. But there is risk in firmware updates, don’t forget. Some of the items don’t have KBs, and there are two other command-line arguments to omit those, -NotTitle and -NotUpdateID.

PSWindowsUpdate is a very interesting module, it can do lots of things. One of them is:

Reset-WUComponents

To get a full list of functions:

Get-Command -Module PSWindowsUpdate

Get-Help works for all of them.

The Microsoft Update Health Tools appears to be an optional add-on which helps Windows do updates. Beyond that all of my searching has come up with vagueness. But Microsoft recommends it and often installs it without informing us, so probably it helps fairly often.

Microsoft Update Health Tools comes in KB4023057. To install KB4023057, we can use PSWindowsUpdate:

www.business.com/articles/install-windows-patches-powershell/

Here’s a complete run-anywhere command paste for preparing to use the module (administrative shell only please):

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Set-Executionpolicy RemoteSigned -Scope Process -Force
Install-PackageProvider -Name NuGet -Force -ErrorAction 'SilentlyContinue' > $null
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
If (Get-InstalledModule -Name PsWindowsUpdate -ErrorAction 'SilentlyContinue') {
	Update-Module -Name PSWindowsUpdate -Force
} Else {
	Install-Module -Name PSWindowsUpdate -Force
}
Import-Module PSWindowsUpdate

and the command for just KB4023057:

Install-WindowsUpdate -KBArticleID KB4023057

PSWindowsUpdate is a very interesting module all by itself, it can do lots of things, e.g., install all updates available from Microsoft. Another nice function is:

Reset-WUComponents

To get a full list of functions:

Get-Command -Module PSWindowsUpdate

Get-Help works for all of them.

One can install all updates available from Microsoft, though this can be dangerous, there are huge ones and drivers and BIOS too. So this simple command won’t be here :-)

To just see the list of available updates:

Get-WindowsUpdate

To install all available updates except one KB:

Install-WindowsUpdate -AcceptAll -NotKBArticleID KB000000

and except a list (here of two) KBs:

Install-WindowsUpdate -AcceptAll -NotKBArticleID "KB000000,KB000001"

where KB000000 is a KB to be excepted. There’s also -NotCategory and -NotTitle for items without KB articles.

This will log off all users, whether console or RDP:

logoff console
quser /server:localhost | ForEach-Object {
		logoff $_.ID
		}

Run these in an administrative or SYSTEM-level command prompt.

In Windows 8.1/2012R2/10/2016 and later, we set a scheduled task, we do have to specify the actual full date:

schtasks /create /tn "schtasks_REBOOT" /tr "C:\Windows\System32\shutdown.exe -f -r -t 0" /sc once /st 04:00 /sd 01/01/2016 /ru System

In 8/2012R1, we have to have a “/Y on the very end:

schtasks /create /tn "schtasks_REBOOT" /tr "C:\Windows\System32\shutdown.exe -f -r -t 0" /sc once /st 04:00 /sd 01/01/2016 /ru System /Y

Under 7/2008R2 and before, it was easier, we could schedule for 4:00 AM tomorrow:

AT 4:00 c:\windows\system32\shutdown.exe -f -r -t 0

and we could schedule for 4:00 AM next Monday:

AT 4:00 /next:Monday c:\windows\system32\shutdown.exe -f -r -t 0

Version overview:

docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history

For 10:

netsh advfirewall firewall set rule group="remote desktop" new enable=yes
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

For 7:

netsh firewall Set service REMOTEDESKTOP ENABLE
netsh firewall set service REMOTEAdmin ENABLE
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0

For XP:

netsh firewall set service remotedesktop enable
netsh firewall set service remoteadmin enable
reg ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v  fDenyTSConnections /t REG_DWORD /d 0

When we install new group policy templates from Microsoft, e.g., the Windows 10 set by which we may upgrade existing networks, they now come in the newer ADMX format. Do this on every domain controller:

1. The package is downloaded as a self-installing EXE which requires you to specify a folder. Do not try to manually unpack this, for some reason the contents are in small pieces which the installer assembles. Just run the EXE and give a useful path, e.g., C:\IT.
2. Open an administrative CMD, and CD to the extraction point. Then CD into the folder “admx”, one level down.
3. Run the following. If your language is not en-us, replace it in the last two lines. If your servers have multiple languages, you’ll need to replicate lines with multiple language specifications.

xcopy *.admx \\%userdnsdomain%\sysvol\%userdnsdomain%\Policies\PolicyDefinitions /Y /I
xcopy *.admx %SystemRoot%\PolicyDefinitions /Y /I
xcopy en-US\*.adml \\%userdnsdomain%\sysvol\%userdnsdomain%\Policies\PolicyDefinitions\en-us /Y /I
xcopy en-US\*.adml %SystemRoot%\PolicyDefinitions\en-us /Y /I

Another very common set needing this install, is the Office Administrative Templates.

Multiple versions of Office templates coexist nicely. But the same cannot be said for Windows OS templates. It appears that when a complete refresh of OS templates is required, good results obtain by removing all of the OS templates and then installing new.