Some Notes on the Machines

It’s built into the latest builds of Windows 10 and 11 and Server, and can be installed into many. One good way to try it, is to install Microsoft .NET framework (SDK) 6, thus, from administrative Powershell:

winget install --id Microsoft.DotNet.Runtime.6 --silent --accept-source-agreements

I learned just now that if you add other seemingly valuable options to the one above, e.g., --scope machine, at least while running as SYSTEM, it will fail citing package not found. So you’ll want to test carefully.

Here’s one proven just now for 7zip (there’s a “search” option in winget to get the ID):

winget install --exact --id 7zip.7zip --accept-package-agreements --silent --scope machine

Here’s one for Google Chrome, needs a bit of extra:

winget.exe install --exact --id Google.Chrome --silent --accept-package-agreements --accept-source-agreements --scope machine

If you do want to use it from the SYSTEM account, in scripting, it gets interesting. You’ll want to first run this:

$ResolveWingetPath = Resolve-Path "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe"
    if ($ResolveWingetPath){
           $WingetPath = $ResolveWingetPath[-1].Path
    }

$config
Set-Location $wingetpath

and then run your install command with a dot-slash before the command, i.e., starting with .\winget.

If your system is Windows 10/2016/2019 build 1809 or higher, we can add winget if it’s not already there. Go to the Microsoft Store, and search for “App Installer” by Microsoft. Attempts to script this can be found, but none have worked persistently yet.

We have machines that we want kept on Windows 10, we don’t want users urged over and over again to upgrade to 11. Run this Powershell, reboot (probably), and we’re good:

# Exit script if this is not Windows 10
If ((Get-ComputerInfo | Select OSName).OSName -notlike "Microsoft Windows 10*")
	{ 
	"This is not Windows 10. Exiting..."
	Exit 
	}
# Proceed
Set-Location -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows
If (-Not (Test-Path -Path WindowsUpdate)) { MKDIR WindowsUpdate }
Set-Location -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
New-ItemProperty -Path . -Name "ProductVersion" -Value "Windows 10"
"Done!"

Note that many so-called solutions out there set things so no further updates, including Windows 10 build upgrades, will happen at all. The above simply limits things to Windows 10.

There are only three methods for Windows, which appear to work reliably for Adobe Reader DC (among many others) at this time:

Ninite Pro – not free

Chocolatey – large community

RuckZuck – very interesting, based in Switzerland

This method uses Powershell module PsWindowsUpdate.

1. Run this in administrative Powershell:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Set-Executionpolicy RemoteSigned -Scope Process -Force
Install-PackageProvider -Name NuGet -Force -ErrorAction 'SilentlyContinue' > $null
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
If (Get-InstalledModule -Name PsWindowsUpdate -ErrorAction 'SilentlyContinue') {
	Update-Module -Name PSWindowsUpdate -Force
} Else {
	Install-Module -Name PSWindowsUpdate -Force
}
Import-Module PSWindowsUpdate

2. Then check the list of available updates:

Get-WindowsUpdate

3. The next step is to actually do the updates. There are good reasons and multiple methods to be careful. Alas, thus far, there does not appear to be a way to install updates a given number of days after release, e.g., 30, so as to give Microsoft time to respond to issues. Here is a glancing overview of what we do have:

Install-WindowsUpdate -NotCategory "Drivers","Service Packs","FeaturePacks" -NotTitle "preview" -AcceptAll 

Install-WindowsUpdate -NotCategory "Drivers","Service Packs","FeaturePacks" -NotTitle "preview" -AcceptAll -IgnoreReboot

Install-WindowsUpdate -AcceptAll -AutoReboot

Install-WindowsUpdate -NotKBArticleID KB1234567 -AcceptAll

Install-WindowsUpdate -NotKBArticleID KB1234567 -AcceptAll -IgnoreReboot

Install-WindowsUpdate -AcceptAll -NotKBArticleID "KB1234567,KB7654321"

Reset-WUComponents

Get-Command -Module PSWindowsUpdate

This scenario is common, though not necessarily obviously so:

• Windows 8.1/2012R2 through 11/2022 is corrupt.
• DISM (DISM /Online /Cleanup-Image /RestoreHealth) won’t fix it, it reports needed data not available.
• The above DISM adding /Source:...INSTALL.WIM, where INSTALL.WIM resides on a mounted ISO of that Windows, even a freshly downloaded ISO, still fails due to needed data not available.

The fact is that #3 above occurs because freshly downloaded ISOs lack many Windows updates. This is not quickly resolvable, but it is very resolvable given some time. Using this method, we will fix corrupt Windows images. You’ll need many gigabytes of disk space to work with.

So. The first step is to decide which Windows version we’re going to create an up-to-date INSTALL.WIM for, to be used by DISM. For this example we’ll say 64-bit Windows Server 2016. The ISO can be had (at this writing) at this page.

Download that ISO, and unpack it. In the SOURCES folder at the root, there is a large file called INSTALL.WIM, 5.6 gigs at this writing. Create folder D:\Server2016WIM (or whatever works for you) and move that WIM into it.

You will need to go to the Properties of the INSTALL.WIM file, and uncheck “Read-Only”, for some reason.

Now we need a tool called wsusoffline. It downloads the updates which we are going to put in that INSTALL.WIM file. It comes from www.wsusoffline.net. Unpack the zip file and run UpdateGenerator.exe. Set it up like this:

Make sure the “USB medium” target directory is useful and handy, We’re not using USB for this, just a different folder on the same drive that the WIM is in. Click Start, and it will download, verify, and store a whole lot of Windows updates in that folder. The above setup does make a repository for every 64-bit Windows 10-class OS, including Server 2016 and 2019. 2022 isn’t available here yet, we can expect it to be in the next edition of wsusoffline.

Once that download is done, we need to see which install(s) are in that WIM file. We do this thusly:

CD \SERVER2016WIM
DISM /Get-WimInfo /wimFile:install.wim

In the ISO I just downloaded, there are four installs, Server 2016 Standard without (1) and with (2) GUI, and Server 2016 Datacenter without (3) and with (4). Because our server to be repaired is not bare-bones, we want to update 2 and 4 just in case. So we prepare,

D:
CD \SERVER2016WIM
MKDIR Mounted-WIM

and mount the WIM in index 2:

DISM /Mount-WIM /WimFile:INSTALL.WIM /index:2 /MountDir:Mounted-WIM

The above will take a little while. We study D:\wsusoffline-output (see the wsusoffline image above), and we find that the Windows 10-class updates are here:

D:\wsusoffline-output\w100-x64\glb

So when the mount is done, we run the updates, still with current directory as above:

DISM /image:Mounted-Wim /Add-Package /PackagePath:D:\wsusoffline-output\w100-x64\glb

and a lot of nonapplicable updates are reported as errors, and a lot of successful updates are also reported, in a long report stream. This happens because every patch for every build of 10, 2016, and 2019 are all in that one folder. DISM knows which ones it needs, and will report success for those. But it often does not get them all on the first pass. So it can be helpful to run it again. Successful DISM fixes have been had without the second run, and the second run does take time, but the second is necessary for full completion.

Then we unmount and commit the changes:

DISM /Unmount-Wim /MountDir:Mounted-Wim /Commit

And it’s done! That WIM is ready to be used to de-corrupt a Server 2016 machine. We just have to get that file (6.5 gigabytes just now) onto a folder on the server or a network share, make that folder or share the current directory, and run:

DISM /Online /Cleanup-Image /RestoreHealth /Source:wim:Install.wim:2 /limitaccess

That’s index 2, index 4 may be needed if servers have roles only found in Datacenter. And after the DISM, some machines will need SFC /SCANNOW, because although DISM will bring in the needed items, it will not always put them everywhere they are needed.

If power is lost during the WIM procedures, you will probably have to run a cleanup and start over again. Check thus:

dism /get-MountedWiminfo

and cleanup thus:

dism /cleanup-wim

Reportedly, you may need to run those more than once. You may also have to delete subkeys in the registry here:

\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WIMMount\Mounted Images

and reboot, and then delete and recreate the folder Mounted-WIM.

See:

www.winhelponline.com/blog/slipstream-windows-10-integrate-updates-setup-media-iso/

Don’t know yet if it works with Server, or even how well it works yet, but this looks very interesting, most especially for DISMing an existing machine.

This command:

wmic product where name="Application Name" call uninstall /nointeractive

appears to do it. Put the whole long name from the software list in Control Panel, within those double parentheses. This works in at least some cases where msiexec /x does not. And it is not version-specific.

To get a full list of names with GUIDs, try this:

get-wmiobject Win32_Product | sort-object -property Name | Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize

The Microsoft Update Health Tools appears to be an optional add-on which helps Windows do updates. Beyond that all of my searching has come up with vagueness. But Microsoft recommends it and often installs it without informing us, so probably it helps fairly often.

Microsoft Update Health Tools comes in KB4023057. To install KB4023057, we can use PSWindowsUpdate:

www.business.com/articles/install-windows-patches-powershell/

Here’s a complete run-anywhere command paste for preparing to use the module (administrative shell only please):

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Set-Executionpolicy RemoteSigned -Scope Process -Force
Install-PackageProvider -Name NuGet -Force -ErrorAction 'SilentlyContinue' > $null
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
If (Get-InstalledModule -Name PsWindowsUpdate -ErrorAction 'SilentlyContinue') {
	Update-Module -Name PSWindowsUpdate -Force
} Else {
	Install-Module -Name PSWindowsUpdate -Force
}
Import-Module PSWindowsUpdate

and the command for just KB4023057:

Install-WindowsUpdate -KBArticleID KB4023057

PSWindowsUpdate is a very interesting module all by itself, it can do lots of things, e.g., install all updates available from Microsoft. Another nice function is:

Reset-WUComponents

To get a full list of functions:

Get-Command -Module PSWindowsUpdate

Get-Help works for all of them.

One can install all updates available from Microsoft, though this can be dangerous, there are huge ones and drivers and BIOS too. So this simple command won’t be here :-)

To just see the list of available updates:

Get-WindowsUpdate

To install all available updates except one KB:

Install-WindowsUpdate -AcceptAll -NotKBArticleID KB000000

and except a list (here of two) KBs:

Install-WindowsUpdate -AcceptAll -NotKBArticleID "KB000000,KB000001"

where KB000000 is a KB to be excepted. There’s also -NotCategory and -NotTitle for items without KB articles.

This one works very well indeed. It does need a bit more technical intervention:

https://www.bcuninstaller.com

Mike Hunsinger, who has been addressing Windows Update issues with considerable success over time, recently provided for the following writeup. It is useful when:

• Windows is running slowly or generally unreliably, needs rebooted frequently.
• The Windows Update service spikes CPU usage over 70% when it runs.
• When you check for new updates, it just hangs endlessly on “checking for updates”.
• The last successful update was years ago.

Steps:

1. Clean up the system drive.
   • Before Server 2012, use Disk Cleanup (cleanmgr.exe). Be sure to check “service pack backup files” and “windows update”, if the version of Windows you are running gives these as options.
   • Server 2012 and after, use DISM (dism.exe). Run this in administrative CMD:
     dism.exe /online /Cleanup-Image /StartComponentCleanup /ResetBase
     If it reports “The operation could not be completed due to pending operations.”, you have just been told that a server reboot is necessary and you’ll need to do this again afterwards. After it succeeds, do this:
     dism.exe /online /Cleanup-Image /SPSuperseded
2. Run the following as a .bat file to reset Windows Updates caches and working spaces, rereg some dll’s, It works on all versions of windows, may skip some dll’s depending on the OS version:

@ECHO OFF
echo Simple Script to Reset / Clear Windows Update
echo.
PAUSE
echo.
attrib -h -r -s %windir%\system32\catroot2
attrib -h -r -s %windir%\system32\catroot2\*.*
net stop wuauserv
net stop CryptSvc
net stop BITS
ren %windir%\system32\catroot2 catroot2.old
ren %windir%\SoftwareDistribution sold.old
ren "%ALLUSERSPROFILE%\application data\Microsoft\Network\downloader" downloader.old
regsvr32 /s wuaueng.dll 
regsvr32 /s wuaueng1.dll 
regsvr32 /s atl.dll 
regsvr32 /s wups.dll 
regsvr32 /s wups2.dll 
regsvr32 /s wuweb.dll 
regsvr32 /s wucltui.dll 
net Start BITS
net start CryptSvc
net start wuauserv
echo.
echo Task completed successfully...
echo.
PAUSE

3. Install .net 4.5.1 from here: https://www.microsoft.com/en-us/download/details.aspx?id=40779
4. If it says that an =/> version is already installed, run the .net repair tool from here: https://support.microsoft.com/en-us/kb/2698555
5. Download the latest version of Windows Update from here: https://support.microsoft.com/en-us/kb/949104
6. Next update IE or Edge to the latest version using a redist, here’s the one for EI11, https://support.microsoft.com/en-us/help/18520/download-internet-explorer-11-offline-installer
7. Open IE11 or Edge, add update.microsoft.com to trusted sites, popup blocker exceptions, privacy exceptions.
8. Finally, try re-running Windows Update. The “Checking for Updates” may run quickly, or it may take 4-6 hours to populate results.

We have had the best results by updating in batches after this, first any critical SP’s or major Platform Updates. Then security, Office and the others as deemed necessary. Once you’ve completed a couple rounds of updates, the difference should start exhibiting itself with regards to the symptoms named.