DarkKnight41
2 Bronze

How to perform Windows security updates on WYSE D90D7 from WDM 5.0

I have three WYSE D90D7 thin clients running Windows Embedded 7 Std that I am wanting to patch with the latest Windows security updates.  If I look at the security patches installed on the machines, I see the latest were from 2013.  How would I go about downloading the patches from the WYSE support page and uploading them all to the devices?  I know it will go through WDM, but I can find no information on this in the Admin Guide.  Furthermore, there are literally hundreds of patches...do I need to download ALL of them and upload them all to each device??  Any information on this subject would be GREATLY appreciated, thanks.

0 Kudos
1 Solution

Accepted Solutions
karaziel
1 Copper

RE: How to perform Windows security updates on WYSE D90D7 from WDM 5.0

@Darkknight - They lock down the factory images with local group policies to disable Windows updates so that it doesn't conflict with WriteFilter and constantly try to download and apply the same updates (resetting with each reboot).  You can temporarily change this behavior on your box if electing option #2.  The registry you are looking for is: HKLM\SW\Microsoft\policies\windows\windowsupdate\DisableWindowsUpdateAccess=1 (set to 0 to enable Windows Update access and logoff/on to take effect)

Changing that registry should get you the access you need to fire off the Windows updates but if it doesn't you may also need to change the Group Policy to make sure Windows doesn't reapply the change.

Start>run>gpedit.msc

Computer config>Administrative templates>windows components>windows update>configure automatic updates (set to enabled or not configured)

Remember to do that while WF is off (to make it stick) and when updates are finished on that gold box change these options back to factory defaults before re-enabling WF.

-k

0 Kudos
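The accepted answer's advice to change the setting temporarily and put it back to factory defaults before re-enabling WriteFilter can be scripted for the registry part. This is an added example, not code from the posters or from Wyse; it is written for PowerShell 2.0 as shipped with Windows 7, assumes the value sits at the standard policy path `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`, and uses a hypothetical state file and hypothetical function names. It does not touch the write filter or the gpedit.msc setting.

```powershell
# Added example, PowerShell 2.0 compatible. $StateFile and the function names are
# assumptions; the policy key is the standard Windows Update policy location.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$ValueName = 'DisableWindowsUpdateAccess'
$StateFile = Join-Path $env:SystemDrive 'wu-policy-baseline.xml'   # hypothetical path

function Get-WuAccessValue {
    # Returns the DWORD, or $null when the key or value is absent.
    if (-not (Test-Path $PolicyKey)) { return $null }
    $p = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($p) { return $p.$ValueName }
    return $null
}

function Save-WuPolicyBaseline {
    # Never overwrite: a second run would record the temporary state as "factory".
    if (Test-Path $StateFile) { throw "Baseline already saved at $StateFile" }
    $v = Get-WuAccessValue
    New-Object PSObject -Property @{ Present = ($v -ne $null); Value = $v } |
        Export-Clixml -Path $StateFile
}

function Enable-WuAccess {
    # Refuse to change anything until the factory state has been recorded.
    if (-not (Test-Path $StateFile)) { throw 'Save the baseline first.' }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

function Restore-WuPolicyBaseline {
    $b = Import-Clixml -Path $StateFile
    if ($b.Present) {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value $b.Value -Force | Out-Null
    } elseif (Test-Path $PolicyKey) {
        Remove-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    }
    # Verify before the write filter is re-enabled and the image is captured.
    if ((Get-WuAccessValue) -ne $b.Value) { throw 'Policy value does not match the saved baseline.' }
    Remove-Item -Path $StateFile    # keep the helper file out of the captured image
}
```

Run `Save-WuPolicyBaseline` and `Enable-WuAccess` from an elevated prompt with the write filter off, then `Restore-WuPolicyBaseline` once updates are finished and before the filter is re-enabled.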
5 Replies
karaziel
1 Copper

RE: How to perform Windows security updates on WYSE D90D7 from WDM 5.0

Caped Crusader - I have no great shortcut for you here.  Quick check on those release notes for b858 show it included updates through July 2013.  If you kept up with the few MS updates each month it's not bad, but as with a fresh Win7 desktop you've got to step through the updates.  They are all posted on wyse.com for download: https://appservices.wyse.com/pages/serviceandsupport/support/dlOraSecurityPatch.asp?which=159&Model=... Embedded (WES)) and it does appear to be a potential 216 updates in the last 2 years.  Good news is many of those will be duplicates of the same files so you'd only need the latest version.  Some research on those updates could save a lot of time.

Another option you could consider if you've got considerable free space on your device is to log in as Admin, disable WriteFilter, and enable Windows Update on one reference device and let it grab the appropriate updates for you as a one-time catch-up.  This isn't typically recommended as the Windows Update service wastes a ton of space when it pushes updates down (download, extract, copy, rollback, etc...) and doesn't account for WriteFilter so normally the changes would revert after the next reboot.  As a one-time thing it does have merits if you don't mind the extra prep work.

Once the MS updates are done you should delete the local "rollback/uninstall" folders that are just eating valuable free space and disable the Windows Update service again before re-enabling WriteFilter.  Upgrade the management agents as noted in previous thread (HAgent, BootAgent, WCM Agent) and capture the image as a new baseline for all other devices.  Deploy that beautifully updated image to your other devices and then keep an eye on those monthly security updates going forward so you don't encounter another 216 update lapse.

-k

0 Kudos
DarkKnight41
2 Bronze

RE: How to perform Windows security updates on WYSE D90D7 from WDM 5.0

Ok, I think option #2 will be much more time-efficient for me.  A few things, however.  I can only receive updates "managed by your system administrator".  How do I go about forcing Windows to search the web for updates (this option exists in full Windows, but does it on embedded?)?  Second, I'm not sure how to delete the rollback/uninstall folders.  I know you can clean out the Software Distribution folder, but I am not aware of a way to delete uninstall folders in Windows 7 due to the fact it is HIGHLY suggested not to mess with the winsxs folder.  Can you please provide more clarity on this?

0 Kudos
DarkKnight41
2 Bronze

RE: How to perform Windows security updates on WYSE D90D7 from WDM 5.0

Any more info on this?

0 Kudos
guerojose
2 Bronze

RE: How to perform Windows security updates on WYSE D90D7 from WDM 5.0

With other vendors' thin client offerings, the general approach is to allow creating a "golden image", and using it to update all other thin clients.  So the sequence would be (1) disable write filter on one device, (2) install the desired updates, (3) enable the filter, (4) import the image, (5) export the image to other clients.  If this process was at all efficient and reliable, one could do it periodically as desired.

To date I have not had any success attempting to do this with WDM and the Wyse WES7 clients.  Captured images cannot be reliably used to image other devices, and as you've found there are many other steps required to update the several client components that WDM/WCM require.  I really do not understand what their intended approach is for updating clients, using golden images, etc., or if such an approach is simply alien to the intended design of WDM.  I wish you luck, and will be interested to see if you find a workable approach.

0 Kudos