Automating Windows Updates in Microsoft Autopilot
As enterprises look to streamline their device management processes, integrating automatic updates within the Microsoft Autopilot setup has become increasingly pivotal. The Autopilot process simplifies the setup and pre-configuration of new devices, making it a cornerstone of modern IT administration. However, one aspect that often remains manually managed is the installation of Windows updates during the initial setup phase. Here, I propose a method that not only automates this process but does so in a robust and efficient manner, leveraging PowerShell and the PSWindowsUpdate module. It has also been tested with feature updates, such as upgrading Windows 11 22H2 to 23H2.
Why Automate Windows Updates During Autopilot?
Integrating Windows updates into the Autopilot process ensures that devices are fully patched and secure from the first time they are powered on. This reduces the administrative overhead and enhances security by closing potential vulnerabilities from outdated software.
Despite the extensive discussions by experts like Michael Niehaus and other contributors in the field, a practical, ready-to-deploy PowerShell script that fully automates this process is seldom seen. The script I've developed addresses this gap, providing a comprehensive solution that installs all prerequisites and patches automatically.
The PowerShell Script Explained
Here's a breakdown of the PowerShell script. It can be wrapped into a Win32 application whose install command line is set to:
powershell.exe -ex bypass -file InstallUpdates.ps1
# Install Windows Updates
# If we are running as a 32-bit process on an x64 system, re-launch as a 64-bit process
# (the re-launch is skipped on ARM64 devices, where PROCESSOR_ARCHITEW6432 reports ARM64)
if ("$env:PROCESSOR_ARCHITEW6432" -ne "ARM64") {
    if (Test-Path "$($env:WINDIR)\SysNative\WindowsPowerShell\v1.0\powershell.exe") {
        & "$($env:WINDIR)\SysNative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -NoProfile -File "$PSCommandPath"
        Exit $lastexitcode
    }
}

# Log to the Intune Management Extension log folder, named after this script (InstallUpdates.log)
Start-Transcript "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\$($myinvocation.mycommand.name -replace '\..*$').log"

# Install latest NuGet package provider
$PackageProvider = Install-PackageProvider -Name "NuGet" -Force -ErrorAction Stop -Verbose:$false

# Ensure default PSGallery repository is registered
Register-PSRepository -Default -ErrorAction SilentlyContinue

# Attempt to get the installed PowerShellGet module
$PowerShellGetInstalledModule = Get-InstalledModule -Name "PowerShellGet" -ErrorAction SilentlyContinue -Verbose:$false
if ($PowerShellGetInstalledModule -ne $null) {
    # Attempt to locate the latest available version of the PowerShellGet module from repository
    $PowerShellGetLatestModule = Find-Module -Name "PowerShellGet" -ErrorAction Stop -Verbose:$false
    if ($PowerShellGetLatestModule -ne $null) {
        if ($PowerShellGetInstalledModule.Version -lt $PowerShellGetLatestModule.Version) {
            Update-Module -Name "PowerShellGet" -Scope "AllUsers" -Force -ErrorAction Stop -Confirm:$false -Verbose:$false
        }
    }
}
else {
    # PowerShellGet module was not found, attempt to install from repository
    Install-Module -Name "PackageManagement" -Force -Scope AllUsers -AllowClobber -ErrorAction Stop -Verbose:$false
    Install-Module -Name "PowerShellGet" -Force -Scope AllUsers -AllowClobber -ErrorAction Stop -Verbose:$false
}

# Install and import PSWindowsUpdate, then list and install all available updates without rebooting
Install-Module -Name PSWindowsUpdate -Force -Scope AllUsers -AllowClobber
Import-Module PSWindowsUpdate -Scope Global
Get-WindowsUpdate
Install-WindowsUpdate -AcceptAll -IgnoreReboot

Stop-Transcript

Key Components:
• Environment Check and Re-launch: Ensures the script runs in the correct architecture environment for compatibility.
• Transcript Logging: Starts a log in the specified directory, crucial for tracking and debugging.
• Module Installation and Updates: Ensures that all necessary PowerShell modules and updates are installed and up to date.
• Windows Updates Installation: Fetches and installs available Windows updates, with an option to accept all updates and ignore prompts for reboots.
Adding to Microsoft Intune
To deploy this script via Microsoft Intune:
- Wrap the script into a Win32 app with the Microsoft Win32 Content Prep Tool.
- Set up the command line for execution as described.
- Use a detection rule to check for the existence of the log file at C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\InstallUpdates.log. This confirms whether the script has run on the device.
- Configure Intune to enforce a mandatory device restart: This ensures that all installed updates are properly applied, securing the device before it is handed over to the end-user.
- Add it to the Enrollment Status Page (ESP) as a blocking app.
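As an added example (not the article's script), the update stage below extends the Install-WindowsUpdate call with several passes, per-update result logging, a success marker for the detection rule, and an exit code that tells Intune a reboot is pending. It assumes PSWindowsUpdate is already installed and imported as in the script above; $MaxPasses, the marker file name and the log path are constructed values for this example.

```powershell
# Added example (not the article's script): run Install-WindowsUpdate in several passes,
# log each result, write a success marker for the Intune detection rule, and report a
# pending reboot with exit code 3010 (Intune's "soft reboot" return code).
# Assumes PSWindowsUpdate is installed and imported; $MaxPasses and the paths are constructed.
$MaxPasses = 3
$LogDir    = "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs"
$Marker    = Join-Path $LogDir "InstallUpdates.success"
Start-Transcript -Path (Join-Path $LogDir "InstallUpdates.log") -Append

$ExitCode = 0
try {
    for ($Pass = 1; $Pass -le $MaxPasses; $Pass++) {
        Write-Output "Update pass $Pass of $MaxPasses"
        # -IgnoreReboot keeps the device up during ESP; Intune enforces the restart afterwards.
        $Results = @(Install-WindowsUpdate -AcceptAll -IgnoreReboot -ErrorAction Stop)
        if ($Results.Count -eq 0) {
            Write-Output "No applicable updates found; stopping."
            break
        }
        foreach ($r in $Results) {
            Write-Output ("{0,-10} {1,-10} {2}" -f $r.Result, $r.KB, $r.Title)
        }
        $Failed = @($Results | Where-Object { $_.Result -eq 'Failed' })
        if ($Failed.Count -gt 0) {
            Write-Warning "$($Failed.Count) update(s) failed in pass $Pass; retrying on the next pass."
        }
    }
    # Only a run that reached this point counts as complete for the detection rule.
    Set-Content -Path $Marker -Value (Get-Date -Format o)
    if (Get-WURebootStatus -Silent) {
        Write-Output "Reboot pending after update installation."
        $ExitCode = 3010
    }
}
catch {
    Write-Error "Update stage failed: $($_.Exception.Message)"
    $ExitCode = 1
}
finally {
    Stop-Transcript
}
Exit $ExitCode
```

Because the transcript is written even when the script fails, a detection rule on the log file alone reports the app as installed regardless of outcome; pointing the rule at InstallUpdates.success instead ties detection to a completed run.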
Conclusion
Automating the installation of Windows updates during the Autopilot setup process significantly streamlines device management and enhances security posture. The provided PowerShell script facilitates this automation, ensuring that new devices are ready and secure for deployment with minimal manual intervention. By incorporating these practices into your IT strategy, you can achieve a higher standard of operational efficiency and security.