Windows Vista Update Guide
- Run WSUS Offline Update 9.2.5 ESR on any machine to download Vista x64 updates. Uncheck "Service Packs" and download the updates.
- Install a clean Windows Vista SP2 x64. Do not use a vLite ISO!
- Add these 4 important updates from winclient5270 to the updates folder:
- Install those 4 updates, then reboot.
- Run the WSUS Update installer. Check all the boxes. Each time you reboot, rerun the installer. Do this until IE9 successfully installs.
- Install Windows Ultimate Extras:
- KB 956250 (.msu)
- KB 943729 (.msu)
- Windows Sound Schemes (.exe, run as admin)
- KB 944428 (.cab)
- KB 954955 (Tinker) (.cab)
- KB 931133
- KB 941326
- KB 932925
- KB 932926
- KB 933246
- KB 933713
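Below are all cab updates:
Use this batch script to install the CAB updates. Put it in the same folder as the CABs and run as admin:

```batch
@echo off
setlocal
rem Switch to the script's own folder (/d also changes drive; an elevated prompt starts in System32).
cd /d "%~dp0"
Set "TempDir=cabtmp"
Set "Log=Log.txt"
mkdir "%TempDir%"
rem %Time% is expanded once when the loop is parsed, so every log entry carries the loop's start time.
For %%i In (*.cab) Do (
    rem Unpack the CAB into the temp folder and log the result.
    expand "%%i" -f:* "%TempDir%" && Echo>> "%Log%" %Time:~0,-3%^>^> "%%i" expansion - OK || Echo>> "%Log%" %Time:~0,-3%^>^> "%%i" expansion - FAIL
    Echo - - - - - - - - - - - - - - -
    Echo Installing %%i. Please wait.
    rem Install the unpacked package and log the result.
    pkgmgr /ip /m:"%TempDir%" && Echo>> "%Log%" %Time:~0,-3%^>^> "%%i" installation - OK || Echo>> "%Log%" %Time:~0,-3%^>^> "%%i" installation - FAIL
    rem Empty the temp folder before the next CAB.
    del /f /s /q "%TempDir%"
)
rd /s /q "%TempDir%"
Echo - - - - - - - - - - - - - - -
Echo Operation completed
Echo Log file created as %Log%
Echo System log can be found at %WINDIR%\logs\cbs\Cbs.log
Echo Now you may close this window
pause
```

A second script installs every .msu from an MSU subfolder and every .cab from a CAB subfolder, then reboots:

```batch
@Echo Off
Title Installing Windows Vista Updates
rem Install every .msu in the MSU subfolder, then every .cab in the CAB subfolder.
For %%F In (MSU\*.msu) Do Call :msin "%%F"
For %%A In (CAB\*.cab) Do Call :kbin "%%A"
rem Reboot once everything has been installed.
Shutdown.exe -r -t 1
Exit

:msin
rem The empty "" is the window title that Start expects before a quoted path.
Start "" /Wait "%~1" /quiet /norestart
GoTo :EOF

:kbin
Start /Wait pkgmgr /ip /m:"%~1" /quiet /norestart
GoTo :EOF
```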
- Install the Server 2008 updates from Greenhillmaniac's Windows Server 2008 Update Repository.
- Run the following registry script (ssltls.reg) to disable SSL 2.0 and SSL 3.0 (insecure and obsolete) and enable TLS 1.2 in IE9 (you may consider making this part of your startup or setup/runonce scripts):
```reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1]
"OSVersion"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2]
"OSVersion"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"ServerMinKeyBitLength"=dword:00000800

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
```
- Open gpedit.msc and navigate to
Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page -> Turn off encryption support
and choose "Enable", then "Use TLS 1.0, TLS 1.1, and TLS 1.2" (or a more stringent setting, such as only 1.1 and 1.2, or only 1.2).
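
To confirm that the values from ssltls.reg are actually in the registry after the reboot, the following read-only batch script reads them back with reg.exe. It is an added example, not part of the original guide; the label name `:show` and the variable names are this example's own, and a value the registry does not contain is printed as "(not set)".

```batch
@echo off
rem Added example: read back the SCHANNEL values that ssltls.reg writes.
rem Read-only: it only calls "reg query" and changes nothing.
setlocal
set "BASE=HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"

echo Protocols:
for %%P in ("SSL 2.0" "SSL 3.0" "TLS 1.1" "TLS 1.2") do (
    for %%R in (Client Server) do (
        call :show "Protocols\%%~P\%%R" Enabled
        call :show "Protocols\%%~P\%%R" DisabledByDefault
    )
)

echo.
echo RC4 ciphers:
for %%C in ("RC4 128/128" "RC4 40/128" "RC4 56/128") do (
    call :show "Ciphers\%%~C" Enabled
)

echo.
echo Diffie-Hellman minimum server key length:
call :show "KeyExchangeAlgorithms\Diffie-Hellman" ServerMinKeyBitLength

echo.
pause
exit /b

:show
rem %1 = subkey below SCHANNEL, %2 = value name.
rem reg query prints "<name> REG_DWORD <data>"; the third token is the data.
set "VAL=(not set)"
for /f "tokens=3" %%V in ('reg query "%BASE%\%~1" /v %2 2^>nul ^| findstr /c:"REG_DWORD"') do set "VAL=%%V"
echo   %~1 : %2 = %VAL%
goto :eof
```

Compare the output with ssltls.reg: the file sets only `DisabledByDefault` under the `Server` subkeys of SSL 2.0 and SSL 3.0, so their `Client` subkeys and `Enabled` values show as "(not set)" unless something else has written them.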