How to create Packages with Windows Updates msu file

  • Question

  • Hi There,

    My question is: can I create Packages which contain .msu files which were downloaded from the Microsoft Catalog site? Basically I don't want to install these updates through Task Sequence, which is post OS installation. I want to have these updates in LiteTouchPEx64.iso file which should be injected in the image itself.

    Thanks,

    Sourav


    Born to Learn

    Wednesday, January 31, 2018 12:25 PM

All replies

  • You can import them into Packages in MDT and they are applied when the OS is deployed just after the drivers are injected. But honestly you should build your reference image with the latest updates and only add a package if not having it prevents the OS from running properly, then let Windows Update get anything that came out after you built your reference image.

    If you do import them into MDT, create a folder in Packages for example Windows 10v1709. Then you will need to create a selection profile and check the box for that folder.

    Then in your task sequence in the Preinstall phase look for "Apply Patches" and select your selection profile.


    Daniel Vega

    Wednesday, January 31, 2018 5:12 PM
  • Hi Daniel,

    Thank you for your reply. It was really helpful. As suggested I have injected the Patches through Task Sequence, just right after the Driver Inject. 

    But one issue is when I try to update the Deployment Share to create a reference image, it does create the image successfully but it showed errors in the logs.

    Deployment Image Servicing and Management tool
    Version: 10.0.14393.0

    Image Version: 10.0.14393.0

    Processing 1 of 1 - Adding package Package_for_KB4025376~31bf3856ad364e35~amd64~~10.0.1.0

    [==========================100.0%==========================] 

    Error: 0x800f081e

    The specified package is not applicable to this image.

    The DISM log file can be found at C:\Windows\Logs\DISM\dism.log

    Exit code = -2146498530

    DISM /Add-Package failed, rc = -2146498530.
    Injected package Package_for_KB4025376 neutral amd64 10.0.1.0

    Deployment Image Servicing and Management tool
    Version: 10.0.14393.0

    Image Version: 10.0.14393.0

    Processing 1 of 1 - Adding package Package_for_KB4056887~31bf3856ad364e35~amd64~~10.0.1.0

    [==========================100.0%==========================] 

    Error: 0x800f081e

    The specified package is not applicable to this image.

    The DISM log file can be found at C:\Windows\Logs\DISM\dism.log

    Exit code = -2146498530

    DISM /Add-Package failed, rc = -2146498530.
    Injected package Package_for_KB4056887 neutral amd64 10.0.1.0
    Injected package Package_for_RollupFix neutral amd64 14393.1944.1.3

    Deployment Image Servicing and Management tool
    Version: 10.0.14393.0

    Image Version: 10.0.14393.0

    Processing 1 of 1 - Adding package Package_for_RollupFix_Wrapper~31bf3856ad364e35~amd64~~14393.1358.1.9

    [==========================100.0%==========================] 

    Error: 0x800f081e

    The specified package is not applicable to this image.

    The DISM log file can be found at C:\Windows\Logs\DISM\dism.log

    Exit code = -2146498530

    DISM /Add-Package failed, rc = -2146498530.
    Injected package Package_for_RollupFix_Wrapper neutral amd64 14393.1358.1.9

    Deployment Image Servicing and Management tool
    Version: 10.0.14393.0

    Image Version: 10.0.14393.0

    Processing 1 of 1 - Adding package Package_for_RollupFix_Wrapper~31bf3856ad364e35~amd64~~14393.1480.1.15

    [==========================100.0%==========================] 

    Error: 0x800f081e

    The specified package is not applicable to this image.

    The DISM log file can be found at C:\Windows\Logs\DISM\dism.log

    Exit code = -2146498530

    DISM /Add-Package failed, rc = -2146498530.
    Injected package Package_for_RollupFix_Wrapper neutral amd64 14393.1480.1.15

    Deployment Image Servicing and Management tool
    Version: 10.0.14393.0

    Image Version: 10.0.14393.0

    Processing 1 of 1 - Adding package Package_for_RollupFix_Wrapper~31bf3856ad364e35~amd64~~14393.953.1.2

    [==========================100.0%==========================] 

    Error: 0x800f081e

    The specified package is not applicable to this image.

    The DISM log file can be found at C:\Windows\Logs\DISM\dism.log

    Exit code = -2146498530

    DISM /Add-Package failed, rc = -2146498530.
    Injected package Package_for_RollupFix_Wrapper neutral amd64 14393.953.1.2

    ************************************************************************

    Can you please check if these errors are expected?

    Thanks,

    Sourav


    Born to Learn

    Friday, February 2, 2018 8:51 AM
  • The specified package is not applicable to this image

    That's the answer, you are adding packages that do not apply to your image (version of Windows). Read the info about each package to make sure that they need to be applied to the build you are deploying. It could also be that you already applied a package that contained one of the other packages in which case it would no longer apply to your image.

    This is the biggest reason why injecting packages isn't a good way to update your image, it can be very difficult to keep track of which ones to use and which not to. It's much better to build your reference image and allow Windows update to update it during the creation of the image. If you do that in a VM, then maintaining your updates becomes even easier.


    Daniel Vega

    Friday, February 2, 2018 2:59 PM
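
An added example, not part of any post in this thread and not MDT's own code: PowerShell that reads output like the DISM log quoted above, lists the packages whose Add-Package call failed, decodes the rc value into its HRESULT, and flags rollups older than one the log shows as injected. The sample lines are condensed from the quoted log; the function name Get-DismAddPackageFailure is hypothetical.

```powershell
# Constructed sample, condensed from the DISM output quoted in the thread.
$log = @'
Processing 1 of 1 - Adding package Package_for_KB4025376~31bf3856ad364e35~amd64~~10.0.1.0
Error: 0x800f081e
DISM /Add-Package failed, rc = -2146498530.
Injected package Package_for_KB4025376 neutral amd64 10.0.1.0
Injected package Package_for_RollupFix neutral amd64 14393.1944.1.3
Processing 1 of 1 - Adding package Package_for_RollupFix_Wrapper~31bf3856ad364e35~amd64~~14393.1358.1.9
Error: 0x800f081e
DISM /Add-Package failed, rc = -2146498530.
Injected package Package_for_RollupFix_Wrapper neutral amd64 14393.1358.1.9
'@ -split '\r?\n'

# Hypothetical helper: pairs each "Adding package" line with the failure that follows it.
function Get-DismAddPackageFailure {
    param([string[]]$Line)
    $pending = $null
    foreach ($l in $Line) {
        if ($l -match 'Adding package (?<name>[^~\s]+)~[^~]*~(?<arch>[^~]*)~[^~]*~(?<ver>[\d.]+)') {
            $pending = [ordered]@{ Name = $Matches['name']; Arch = $Matches['arch']; Version = [version]$Matches['ver'] }
        }
        elseif ($null -ne $pending -and $l -match 'DISM /Add-Package failed, rc = (?<rc>-?\d+)') {
            # rc is the HRESULT as a signed 32-bit integer; X8 prints it in the usual hex form.
            $pending['HResult'] = '0x{0:X8}' -f [int]$Matches['rc']
            [pscustomobject]$pending
            $pending = $null
        }
    }
}

$failed = @(Get-DismAddPackageFailure -Line $log)

# Newest cumulative update the log lists as injected without a failure of its own.
$newest = $null
foreach ($l in $log) {
    if ($l -match '^Injected package (?<name>Package_for_RollupFix\S*) \S+ \S+ (?<ver>[\d.]+)$') {
        $n = $Matches['name']; $v = [version]$Matches['ver']
        $isFailed = $failed | Where-Object { $_.Name -eq $n -and $_.Version -eq $v }
        if (-not $isFailed -and ($null -eq $newest -or $v -gt $newest)) { $newest = $v }
    }
}

# One row per rejected package, with a hint on what to check before re-importing it.
$failed | Select-Object Name, Version, HResult, @{ n = 'Note'; e = {
    if ($_.Name -like 'Package_for_RollupFix*' -and $newest -and $_.Version -lt $newest) {
        "older than injected rollup $newest"
    } else { 'check the KB against the image build' }
} }
```

Packages flagged as older than an injected rollup are candidates to drop from the selection profile; the rest need their KB article checked against the image version.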
  • Dan would it not be better to do the updates during the deploy, to WSUS, than to add the updates to the VM itself? Would that require updating the master VM often, to keep up with latest updates, vs getting them during the deployment with WSUS?
    I ask this because we use LanDesk which gives us selected patches after the initial WinUpdates. We run MS Updates once, and from then on we get patches from LanDesk. However, my org wishes that our VMs are mostly up to date with those LanDesk patches....and that means...installing LanDesk on a VM, running updates, uninstalling LanDesk on the VM, then the next VM and so on. What a huge hassle. So I was wondering about MS Updates...just getting them from WSUS and leaving the VM alone.
    Friday, February 2, 2018 5:34 PM
  • The way I do it is this.

    1. Have an Admin deployment share configured for near 100% automation of building reference images.

    2. Use Hyper-V (free for Win10 enterprise or pro) to create a VM on which you will build and capture your reference image.

    3. Build task sequence that includes a suspend task sequence task. Add the suspend script just before Restore User State. (I also always enable the tasks to run windows update)

    4. When task is suspended, shut down VM and create a checkpoint.

    5. Resume TS and you have your reference image.

    During deployment to clients, rely on WSUS for additional updates released after you built your image.

    Every quarter or sometimes monthly I'll update the reference image by firing up the VM and reloading the checkpoint. I then run Windows update to get all the latest updates, maybe reboot and check updates again. Then shutdown VM and create a new checkpoint labeled with date. Resume the TS and when the new image is created all you have to do is replace the existing WIM on your production deployment share. There's no need to import it or make a new TS, just replace your existing WIM. It's a very easy process to keep an image updated using that method.

    Granted I'm leaving lots of details out but can provide them if needed.


    Daniel Vega

    Friday, February 2, 2018 5:59 PM
  • Dan would it not be better to do the updates during the deploy, to WSUS, than to add the updates to the VM itself? Would that require updating the master VM often, to keep up with latest updates, vs getting them during the deployment with WSUS?
    So yes and no. I like to rely on WSUS for always making sure the final deployment is fully patched before a user logs in the first time. That said I usually update the reference image quarterly if only to keep my deployment times down to the fastest possible. No sense in wasting time with lots of Office and Windows patches and reboots multiplied over many machines if I can update my reference image in less than an hour.

    Daniel Vega

    Friday, February 2, 2018 6:16 PM
  • That sounds doable to me. I'm not that techy or familiar with suspending my Capture and all that....but I can for sure update my VM quarterly to get the latest MS Updates. I'll just have to do it the old fashioned way...run MS Updates, capture my VM, move it into prod, and repeat.

    As far as LanDesk patches, I dread the idea of installing LD on a VM, running patches, uninstall LD. Next. Next. Every other month. I think most of LD patches are MSU and I found a script to silently install all MSU files in any specific folder.
    From what I hear, we are moving away from LD AV and going with Checkpoint/EndPoint. Job security I guess...

    Friday, February 2, 2018 6:28 PM
  • Suspending the TS is really easy since the script is included with MDT. There should be an LTIsuspend.wsf file in your scripts folder.

    You click on Add, General, Run Command Line

    Command line: cscript.exe "%SCRIPTROOT%\LTISuspend.wsf"


    Daniel Vega

    Friday, February 2, 2018 8:21 PM
  • So this is your Deploy TS. I thought you were referring to a Capture TS. In your previous post, you said you suspend the TS (the Deploy), then shut down your VM. I will have to read up on all of this...isn't the VM out of the picture at this point? It's already captured and now you're pushing out the WIM.

    I have separate Build and Capture Shares. Is that different than what you have set up?
    Friday, February 2, 2018 8:29 PM
  • So this is your Deploy TS. I thought you were referring to a Capture TS. In your previous post, you said you suspend the TS (the Deploy), then shut down your VM. I will have to read up on all of this...isn't the VM out of the picture at this point? It's already captured and now you're pushing out the WIM.

    I have separate Build and Capture Shares. Is that different than what you have set up?
    If you're replying to me this is my TS for creating a reference image. I have one task sequence that both builds and captures the image in one go. No need for two task sequences when you can do both parts with one.

    Daniel Vega

    Friday, February 2, 2018 9:19 PM
  • Hi Dan

    Would you happen to have detailed instructions on how to create that task sequence? Right now when I capture an image I use a laptop to set it up and capture it. I would like to set up a VM and snapshot an image to make it easier to update the image, not sure what the best way to do it is. How do you suspend the task to be able to run updates and then how do you resume that task sequence and capture it? How do you then update the existing image without having to add new images and task sequences?

    Thursday, January 2, 2020 2:10 PM
  • The answer to "how do you suspend the task" is in this thread just a few comments above. Creating an image using a VM is really no different than a physical machine. 

    Here's a full step by step guide - Building a Windows 10 v1809 reference image using Microsoft Deployment Toolkit (MDT)

    The only addition to the guide is adding the suspend task. You can find a lot of MDT help on the deploymentresearch site.


    Daniel Vega

    Monday, January 6, 2020 3:36 PM