Windows Vista Update Guide

  1. Run WSUS Offline Update 9.2.5 ESR on any machine to download Vista x64 updates. Uncheck "Service Packs" and download the updates.
  2. Install a clean Windows Vista SP2 x64. Do not use a vLite ISO!
  3. Add these 4 important updates from winclient5270 to the updates folder:
  4. Install those 4 updates, then reboot.
  5. Run the WSUS Update installer. Check all the boxes. Each time you reboot, rerun the installer. Do this until IE9 successfully installs.
  6. Install Windows Ultimate Extras:

    Use this batch script to install the CAB updates. Put it in the same folder as the CABs and run as admin:

    @echo off
    rem Expand each CAB in this folder into a temp directory and install it with pkgmgr.
    rem Delayed expansion makes the Time stamps in the log be read on every pass of the loop.
    setlocal EnableDelayedExpansion
    cd /d "%~dp0"
    Set "TempDir=cabtmp"
    Set "Log=Log.txt"
    if not exist "%TempDir%" mkdir "%TempDir%"
    For %%i In (*.cab) Do (
    expand "%%i" -f:* "%TempDir%" && Echo>> "%Log%" !Time:~0,-3!^>^> "%%i" expansion - OK || Echo>> "%Log%" !Time:~0,-3!^>^> "%%i" expansion - FAIL
    Echo - - - - - - - - - - - - - - -
    Echo Installing %%i. Please wait.
    pkgmgr /ip /m:"%TempDir%" && Echo>> "%Log%" !Time:~0,-3!^>^> "%%i" installation - OK || Echo>> "%Log%" !Time:~0,-3!^>^> "%%i" installation - FAIL
    del /f /s /q "%TempDir%"
    )
    rd /s /q "%TempDir%"
    Echo - - - - - - - - - - - - - - -
    Echo Operation completed
    Echo Log file created as %Log%
    Echo System log can be found at %WINDIR%\logs\cbs\Cbs.log
    Echo Now you may close this window
    pause
    
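    @Echo Off
    rem Install every MSU in the MSU subfolder and every CAB in the CAB subfolder, then reboot.
    Title Installing Windows Vista Updates
    rem An elevated prompt starts in System32, so switch to the folder holding this script.
    cd /d "%~dp0"
    For %%F In (MSU\*.msu) Do Call :msin "%%F"
    For %%A In (CAB\*.cab) Do Call :kbin "%%A"
    Shutdown.exe -r -t 1
    Exit
    :msin
    Start "" /Wait wusa.exe "%~f1" /quiet /norestart
    rem Return here so an MSU does not fall through into :kbin and get passed to pkgmgr too.
    GoTo :EOF
    :kbin
    Start "" /Wait pkgmgr /ip /m:"%~f1" /quiet /norestart
    GoTo :EOF
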
  7. Install the Server 2008 updates from Greenhillmaniac's Windows Server 2008 Update Repository.
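  8. Run the following registry script (ssltls.reg) to disable SSL 2.0 and SSL 3.0 (insecure and obsolete) and enable TLS 1.2 in IE9. The script also enables TLS 1.1, sets ServerMinKeyBitLength for Diffie-Hellman to 0x800 (2048 bits) and disables the RC4 ciphers. You may consider making this part of your startup or setup/runonce scripts:
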
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1]
    "OSVersion"=-
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2]
    "OSVersion"=-
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    "Enabled"=dword:00000001
    "DisabledByDefault"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    "Enabled"=dword:00000001
    "DisabledByDefault"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
    "Enabled"=dword:00000001
    "DisabledByDefault"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
    "Enabled"=dword:00000001
    "DisabledByDefault"=dword:00000000
    
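    ; Enabled=0 turns a protocol off. DisabledByDefault=1 on its own only stops it
    ; being offered unless an application asks for it, so both values are set here,
    ; for the Client and the Server role.
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
    "Enabled"=dword:00000000
    "DisabledByDefault"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
    "Enabled"=dword:00000000
    "DisabledByDefault"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
    "Enabled"=dword:00000000
    "DisabledByDefault"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
    "Enabled"=dword:00000000
    "DisabledByDefault"=dword:00000001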
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
    "ServerMinKeyBitLength"=dword:00000800
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
    "Enabled"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
    "Enabled"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
    "Enabled"=dword:00000000

  9. Open gpedit.msc and navigate to Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page -> Turn off encryption support and choose "Enable", then "Use TLS 1.0, TLS 1.1, and TLS 1.2" (or a more stringent setting, such as only 1.1 and 1.2, or only 1.2).
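
A .reg file for step 8 can look as if it disables a protocol while only setting DisabledByDefault, or while covering only the Server subkey. The following check is an added example, not part of the original guide: it parses a .reg file and lists every SSL 2.0 / SSL 3.0 role that is not switched off with Enabled=0. The sample text and the function names are constructed for illustration.

```python
import re

# Constructed sample (not the guide's file): SSL 3.0\Server carries only
# DisabledByDefault, and neither SSL version has a Client subkey.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"""

KEY_RE = re.compile(r"^\[.*\\SCHANNEL\\Protocols\\([^\\\]]+)\\(Client|Server)\]$", re.I)
VAL_RE = re.compile(r'^"(Enabled|DisabledByDefault)"=dword:([0-9a-fA-F]{8})$', re.I)

def parse_schannel(reg_text):
    """Return {(protocol, role): {value_name: int}} for SCHANNEL\\Protocols keys."""
    state, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m, v = KEY_RE.match(line), VAL_RE.match(line)
        if line.startswith("["):  # a new key header ends the previous key
            current = (m.group(1), m.group(2).capitalize()) if m else None
        if current:
            values = state.setdefault(current, {})
            if v:
                values[v.group(1).lower()] = int(v.group(2), 16)
    return state

def audit(reg_text, must_be_off=("SSL 2.0", "SSL 3.0")):
    """List every protocol/role the file does not switch off with Enabled=0."""
    state, findings = parse_schannel(reg_text), []
    for proto in must_be_off:
        for role in ("Client", "Server"):
            values = state.get((proto, role))
            if values is None:  # file leaves the OS default in place
                findings.append((proto, role, "key not set"))
            elif values.get("enabled") != 0:
                findings.append((proto, role, "Enabled is not 0"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(*finding)
```

Files exported by regedit are UTF-16, so read them with open(path, encoding="utf-16") before passing the text to audit(); a hand-written file like the one in step 8 is usually plain ANSI.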