Block Windows 10 CU during reference build

  • Question

  • I have a task sequence to build my reference image.  When it runs through MS updates it of course tries to pull 1703.  I need every patch I can get in the reference build but I can't move to 1703 just yet.  Is there a way to block just the 1703 update during the reference task sequence?


    Wednesday, June 14, 2017 7:32 PM

All replies

  • The best solution is to use a WSUS Server.

    If you have one tell MDT to pull updates from it, if you don't have one see what it would take to spin one up.

    How do you currently stop your Production Workstations from getting 1703?

    I run my Reference Image against our WSUS Server.  That way it gets all of the Approved updates and nothing else.

    Wednesday, June 14, 2017 8:29 PM
  • It's unfortunately a very long story.  In a nutshell, the patch management is handled by another group through SCCM. I don't have access to, and can't request access to push patches myself.

    I may have found a solution but I'm not sure how viable it will be come the next big update.  I left the office with that testing so I'll find out tomorrow if it worked.

    Thursday, June 15, 2017 2:15 AM
  • Sounds like you should contact that group and ask them to assist you.  They should be able to help you get a good Reference Image with all the Company Approved Updates.

    Here is a link to an article, though slightly old should still be relevant, that you can read through that will help you explain what you are needing from them.  Since they are still in control of the Patches that get pushed to your image it should be a lot easier to get their help.

    https://richardjgreen.net/sccm-osd-part-1-building-reference-images/


    • Edited by TimWT12 Thursday, June 15, 2017 2:19 PM
    Thursday, June 15, 2017 2:14 PM
  • ZTIWindowsUpdate.wsf has the ability to skip over specific KB articles or update ID numbers, just place them in your customsettings.ini file. The BDD.log file should show which updates are trying to get installed, otherwise you can run cscript.exe ZtiWindowsUpdate.wsf /query to see what it could be.

    WUMU_ExcludeKB01 = KB1234567


    Keith Garner - Principal Consultant [owner] - http://DeploymentLive.com

    Tuesday, June 20, 2017 5:13 AM
    Moderator
  • You could use a registry to configure Windows Update and set branch readiness level to "Current Branch for Business". This way 1703 will not be installed.

    Or you could just add the latest W10 CU to MDT as a package and disable running Windows Update.

    • Marked as answer by Residualfail Tuesday, June 27, 2017 7:39 PM
    Wednesday, June 21, 2017 7:52 AM
  • This is almost exactly what I did and it appears to be working.  The reference image built without 1703, and post OSD I'm mostly patched up.  In other words, it gets me close enough.  I'm no longer deploying a machine that pulls 1gb+ worth of patches at our bandwidth restricted sites.

    In my reference image task sequence, I disable Feature Updates, run updates, then re-enable Feature Updates before finishing the TS.

    Tuesday, June 27, 2017 8:02 PM
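
The approach from the marked answer and the last reply (defer feature updates through the registry, run Windows Update, then undo the deferral before capture), sketched as an added example that is not part of the original thread. It assumes the Windows Update for Business policy values documented for Windows 10 1607/1703; the script layout and the `-Mode` parameter are hypothetical.

```powershell
# Added example, not from the thread. Run elevated as a task sequence step:
#   -Mode Defer    before the Windows Update step
#   -Mode Restore  after the last Windows Update step, before the image is captured
param(
    [Parameter(Mandatory)]
    [ValidateSet('Defer', 'Restore')]
    [string]$Mode
)

$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Policy values behind "Select when Feature Updates are received" (1607/1703).
$values = [ordered]@{
    DeferFeatureUpdates             = 1   # turn feature-update deferral on
    BranchReadinessLevel            = 32  # 32 = Current Branch for Business, 16 = Current Branch
    DeferFeatureUpdatesPeriodInDays = 0   # constructed sample value: no delay beyond the branch
}

switch ($Mode) {
    'Defer' {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $values.Keys) {
            New-ItemProperty -Path $key -Name $name -Value $values[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
    'Restore' {
        # Remove only the values this script set, so the captured image does not
        # carry a build-time policy into production.
        if (Test-Path $key) {
            foreach ($name in $values.Keys) {
                Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            }
        }
    }
}

# Write the resulting state to the step's output so it can be checked in the logs.
foreach ($name in $values.Keys) {
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    Write-Output ("{0} = {1}" -f $name, $(if ($null -eq $current) { '<not set>' } else { $current }))
}
```

If the Restore step is skipped, every machine deployed from the image inherits the deferral policy until management tooling overwrites it, so confirm the `<not set>` lines appear before capture.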