locked
MDT 8456 - Windows 10 1903 + Windows Updates ~ Deployment pauses for almost an hour! HELP! RRS feed

  • General discussion

  • I am trying to deploy an updated Windows 10 1903 (Build 10.0.18362.239) image using MDT 8456 / ADK 1903 / PS Addon 1903. I am able to deploy an image without the updates and also can deploy this updated version to legacy bios (non UEFI) without any issues.

    Any suggestions?

    Events From BDD.log

    Event 41001 sent: ZTIWinRE processing completed successfully. ZTIWinRE 7/29/2019 2:05:50 PM 0 (0x0000)
    Property PHASE is now = STATERESTORE ZTINextPhase 7/29/2019 2:05:50 PM 0 (0x0000)
    ZTINextPhase COMPLETED.  Return Value = 0 ZTINextPhase 7/29/2019 2:05:50 PM 0 (0x0000)
    ZTINextPhase processing completed successfully. ZTINextPhase 7/29/2019 2:05:50 PM 0 (0x0000)

    Event 41001 sent: ZTINextPhase processing completed successfully. ZTINextPhase 7/29/2019 2:05:50 PM 0 (0x0000)

    << PAUSE FOR ABOUT AN HOUR >> Then it will carry on as if nothing is wrong.

    ZTIUtility!GetAllFixedDrives (False) LiteTouch 7/29/2019 2:58:41 PM 0 (0x0000)
    New ZTIDisk : \\WUPDATES-FTW1\root\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0" LiteTouch 7/29/2019 2:58:41 PM 0 (0x0000)
    New ZTIDiskPartition : \\WUPDATES-FTW1\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"    \\WUPDATES-FTW1\root\cimv2:Win32_LogicalDisk.DeviceID="C:" LiteTouch 7/29/2019 2:58:41 PM 0 (0x0000)
    New ZTIDisk : \\WUPDATES-FTW1\root\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0" LiteTouch 7/29/2019 2:58:41 PM 0 (0x0000)
    New ZTIDisk : \\WUPDATES-FTW1\root\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0" LiteTouch 7/29/2019 2:58:41 PM 0 (0x0000)
    ZTIUtility!GetAllFixedDrives =   C: LiteTouch 7/29/2019 2:58:41 PM 0 (0x0000)
    Found existing task sequence state information in C:\_SMSTaskSequence, will continue LiteTouch 7/29/2019 2:58:41 PM 0 (0x0000)
    Property LTIDirtyOS is now = FALSE LiteTouch 7/29/2019 2:58:41 PM 0 (0x0000)
    Creating startup folder item to run LiteTouch.wsf once the shell is loaded. LiteTouch 7/29/2019 2:58:41 PM 0 (0x0000)

    Here is the link to the entire BDD.log if you need it.


    - Bob


    Monday, July 29, 2019 8:03 PM

All replies

  • Can you share the setupact.log from C:\Windows\panther as well?

    https://ccmcache.wordpress.com/ | @kevmjohnston

    Monday, July 29, 2019 8:14 PM
  • Sure thing... Here it is.

    - Bob

    Monday, July 29, 2019 8:17 PM
  • This looks very similar to a problem I detailed in this thread:

    https://social.technet.microsoft.com/Forums/en-US/dff409b8-7909-4130-a72b-637715d7d956/unusual-osd-delay-black-screen-cursor?forum=ConfigMgrCBOSD#b255a948-df21-4ff3-85b2-28c5c2510960

    But in your case, the items causing the hash mismatch appear to be related to "windows-defender-management-powershell".


    https://ccmcache.wordpress.com/ | @kevmjohnston

    Monday, July 29, 2019 8:25 PM
  • Thanks for the info... maybe something included in the latest Windows updates causing it?

    I do see in the setupact.log from lines 3816 on... timestamp matches the "pause/delay"

    2019-07-29 14:07:43, Info                  CSI    0000001b@2019/7/29:18:07:43.950 CSI Transaction @0x2b342fd2990 destroyed
    2019-07-29 14:07:43, Info                  CBS    Repr: CSI Store check completes
    2019-07-29 14:07:43, Info                  CBS    Exec: Download qualification evaluation, business scenario: Manual Corruption Repair

    2019-07-29 14:10:19, Info                  CBS    WU: PSF is available and preferred for the update.
    2019-07-29 14:10:21, Info                  CBS    FC:   FCAcquirerWUClient: WULib DownloadProgress: [0 / 100]
    2019-07-29 14:10:23, Info                  CBS    FC:   FCAcquirerWUClient: WULib DownloadProgress: [0 / 100]
    2019-07-29 14:10:25, Info                  CBS    FC:   FCAcquirerWUClient: WULib DownloadProgress: [0 / 100]
    2019-07-29 14:10:27, Info                  CBS    FC:   FCAcquirerWUClient: WULib DownloadProgress: [0 / 100]
    2019-07-29 14:10:29, Info                  CBS    FC:   FCAcquirerWUClient: WULib DownloadProgress: [0 / 100]

    "CBS    FC:   FCAcquirerWUClient: WULib DownloadProgress: [0 / 100]"

    this seems to consume all the time of the pause/delay.

    How did you conclude that this is Defender Powershell?




    - Bob



    Monday, July 29, 2019 8:36 PM
  • In setupact.log there are several lines that say

    "Unable to repair payload file <filename> for component ...amd64_windows-defender-management-powershell...

    Hashes for file member <filename> do not match"

    What method are you using to apply the updates to your OS install media? If not already using it, I suggest giving OSDBuilder a try: https://www.osdeploy.com/osdbuilder


    https://ccmcache.wordpress.com/ | @kevmjohnston


    Monday, July 29, 2019 8:43 PM
  • I see it...

    2019-07-29 14:07:43, Info                  CBS    Repr: Add missing payload:amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.18362.1_none_b620cb061e8a941c\MSFT_MpComputerStatus.cdxml
    2019-07-29 14:07:43, Info                  CBS    Repr: Add missing payload:amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.18362.1_none_b620cb061e8a941c\MSFT_MpThreat.cdxml
    2019-07-29 14:07:43, Info                  CBS    Repr: Add missing payload:amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.18362.1_none_b620cb061e8a941c\MSFT_MpThreatCatalog.cdxml
    2019-07-29 14:07:43, Info                  CBS    Repr: Add missing payload:amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.18362.1_none_b620cb061e8a941c\MSFT_MpThreatDetection.cdxml
    2019-07-29 14:07:43, Info                  CBS    Repr: Add missing payload:amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.18362.1_none_b620cb061e8a941c\MSFT_MpPreference.cdxml
    2019-07-29 14:07:43, Info                  CBS    Repr: Add missing payload:amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.18362.1_none_b620cb061e8a941c\MSFT_MpScan.cdxml
    2019-07-29 14:07:43, Info                  CBS    Repr: Add missing payload:amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.18362.1_none_b620cb061e8a941c\MSFT_MpWDOScan.cdxml
    2019-07-29 14:07:43, Info                  CBS    Repr: Add missing payload:amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.18362.1_none_b620cb061e8a941c\MSFT_MpSignature.cdxml
    2019-07-29 14:07:43, Info                  CBS    Repr: Add missing payload:amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.18362.1_none_b620cb061e8a941c\Defender.psd1

    How do I tell it to stop reaching out to Windows Updates? I do not have it enabled in the Task Sequence.

    - Bob



    Monday, July 29, 2019 8:45 PM
  • So I should use OSDUpdate  19.7.10.0 instead of Windows Update to prep the image ?

    - Bob

    Monday, July 29, 2019 9:02 PM
  • I don't know of a way to get it to stop during that part of the process aside from removing the components that are causing the hash mismatch. It's Windows setup itself doing it, not anything in the MDT task sequence.

    https://ccmcache.wordpress.com/ | @kevmjohnston

    Monday, July 29, 2019 9:07 PM
  • No, that's something different. For OSDBuilder, start here: https://www.osdeploy.com/osdbuilder/docs/quick-start

    https://ccmcache.wordpress.com/ | @kevmjohnston

    Monday, July 29, 2019 9:07 PM
  • Thanks for all the information.

    I looked over OSDbuilder and it looks great but seems to complicate something simple. MS should really sort this out or at least give us the ability to remove the conflicting application. Seems MS has dropped the ball. For now we will just stick with running windows updates in the task sequence and next time I rebuild the image I will give OSDbuilder a try.

    Thanks again for your time and help identifying this, I appreciate it.


    - Bob


    • Edited by Bob K Brown Tuesday, July 30, 2019 12:15 PM
    Tuesday, July 30, 2019 10:35 AM
  • OK now to throw some fun into this... I tested the image on a VM.
    When I test the WU image on VMware it works fine; without issues. Works perfectly.
    >> EFI >> Secure Boot enabled.
    When I test the image on Hardware (HP Elitedesk / Prodesk) it fails.
    >> EFI >> Secure Boot enabled.

    So underlying issue maybe network drivers? Digging in now. Seems silly. 

    - Bob


    Tuesday, July 30, 2019 1:26 PM
  • Fixed! A co-worker suggested removing all the drivers from MDT... sounds silly right? Hail Mary?

    I removed all drivers from Out-of-Box Drivers in MDT Workbench and then Updated the deployment share / replaced the Images. I have since tested on 2 HP machines and is working as expected.

    Now I am sure there is a logical reason why that fixed it... but it's working so that may just be over-analyzing things.

    I suggest maybe others that have this issue try the same... go minimal and re-add them slowly one by one as needed.

    Thanks again!


    - Bob

    Tuesday, July 30, 2019 3:13 PM
  • i just experienced the same exact issue, about 1.25 hrs waiting for the new deployed machine to complete.

    i had to create a new gold image without installing KB4052623.

    https://borncity.com/win/2019/07/11/windows-july-9-2019-updates-breaks-sfc/

    after deploying the new image my deployments are now @ 25min

    thanks for the wasted week microsoft

    Friday, August 2, 2019 11:08 AM
  • Having this exact same issue on our end. Server 2019 and Windows 10 1903. Didn't have this issue with 1809. It works fine on some older model Dell computers. New 7400 and 7490 series Dell laptops I get a hour plus long pause.
    Tuesday, August 6, 2019 4:55 PM
  • Ripped out all drivers from MDT and added just the drivers for a Dell Latitude 7400 and its still having the pause.
    Tuesday, August 6, 2019 4:56 PM
  • Ditto here... almost an hour delay, largely due to this:
    2019-08-14 14:52:40, Info                  CBS    FC:   FCAcquirerWUClient: WULib DownloadProgress: [0 / 100]

    Other lines of note:
    2019-08-14 14:03:34, Info                  CSI    00000006 Warning: Unable to repair payload file ([l:27]'MSFT_MpComputerStatus.cdxml') for component ([l:96 ml:140]'amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.18362.1_none_b620cb061e8a941c') from backups directory with disposition (2). A backup file may not exist or may be corrupt. Falling back to WU.
    2019-08-14 14:03:34, Info                  CSI    00000007 Hashes for file member [l:19]'MSFT_MpThreat.cdxml' do not match.
     Expected: {l:32 ml:33 b:ae595236832a3884d2aa3f913454ac6ff4c735f55e819c7f391c94b653281f92}.
     Actual: {l:32 b:041682c406c44fddb981da12eb58f767ff4dc73c7422a04649153acd691ade61}.

    2019-08-14 14:56:34, Info                  CBS    Not able to read BranchName [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
    2019-08-14 14:56:34, Info                  CBS    Not able to read ContentType [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
    2019-08-14 14:56:34, Info                  CBS    Not able to read Ring [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
    2019-08-14 14:56:34, Info                  CBS    Not able to read IsBuildFlightingEnabled [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
    2019-08-14 14:56:34, Info                  CBS    Windows Insider Program: Current settings: Content type: (null), Build branch: (null), Ring: (null), Build Flighting Enabled: No
    2019-08-14 14:56:34, Info                  CBS    WU: Windows update server selection group policy not set [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
    2019-08-14 14:56:34, Info                  CBS    DWLD: Current product search criteria: (Product='Adobe.Flash.amd64' and CurrentVersionOnly=1)
    2019-08-14 14:56:35, Info                  CBS    DWLD: Unexpected WU result code 2
    2019-08-14 14:56:35, Info                  CBS    DLWD: Expecting search returns 1 update, actual:0 [HRESULT = 0x800f0950 - CBS_E_INVALID_WINDOWS_UPDATE_COUNT]
    2019-08-14 14:56:35, Info                  CBS    DWLD:Failed to do Windows update search [HRESULT = 0x800f0950 - CBS_E_INVALID_WINDOWS_UPDATE_COUNT]
    2019-08-14 14:56:35, Info                  CBS    FC:   FCAcquirerWUClient: WindowsUpdateDownloadFromUUP returns. [0x800F0950]
    2019-08-14 14:56:35, Error                 CBS    FC:   CFCAcquirerWUClient::Download(133): Result = 0x800F0950
    2019-08-14 14:56:35, Error                 CBS    FC:   CFCAcquirerWrapper::Execute(148): Result = 0x800F0950
    2019-08-14 14:56:35, Info                  CBS    Failed to search WU for Adobe.Flash.amd64 [HRESULT = 0x800f0950 - CBS_E_INVALID_WINDOWS_UPDATE_COUNT]
    2019-08-14 14:56:35, Info                  CBS    Repr: Could not find component missing payload:amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.18362.1_none_b620cb061e8a941c\MSFT_MpComputerStatus.cdxml in the sandbox
    2019-08-14 14:56:35, Info                  CBS    Repr: Could not find component missing payload:amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.18362.1_none_b620cb061e8a941c\MSFT_MpThreat.cdxml in the sandbox
    2019-08-14 14:56:35, Info                  CBS    Repr: Could not find component missing payload:amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.18362.1_none_b620cb061e8a941c\MSFT_MpThreatCatalog.cdxml in the sandbox
    2019-08-14 14:56:35, Info                  CBS    Repr: Could not find component missing payload:amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.18362.1_none_b620cb061e8a941c\MSFT_MpThreatDetection.cdxml in the sandbox
    2019-08-14 14:56:35, Info                  CBS    Repr: Could not find component missing payload:amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.18362.1_none_b620cb061e8a941c\MSFT_MpPreference.cdxml in the sandbox
    2019-08-14 14:56:35, Info                  CBS    Repr: Could not find component missing payload:amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.18362.1_none_b620cb061e8a941c\MSFT_MpScan.cdxml in the sandbox
    2019-08-14 14:56:35, Info                  CBS    Repr: Could not find component missing payload:amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.18362.1_none_b620cb061e8a941c\MSFT_MpWDOScan.cdxml in the sandbox
    2019-08-14 14:56:35, Info                  CBS    Repr: Could not find component missing payload:amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.18362.1_none_b620cb061e8a941c\MSFT_MpSignature.cdxml in the sandbox
    2019-08-14 14:56:35, Info                  CBS    Repr: Could not find component missing payload:amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.18362.1_none_b620cb061e8a941c\Defender.psd1 in the sandbox

    I didn't have any issues during test deployments to a single laptop model or a VM, but now that the PC build team is rolling out a bunch of HP devices, they're getting a 1+ hour black screen delay during the LTI process.

    Monday, August 19, 2019 8:18 PM
  • The issue goes away if I repair the component store before capturing the reference image by using our original Windows 10 1903 installation media as the source. Does anyone see any problems doing this, other than we shouldn't have to?

    Anyhow, as A.martel reported, it appears the issue was caused by Windows Defender patch KB4052623 and is resolved in Windows Defender version 4.18.1908 which doesn't appear to have been released yet.

    I still don't understand why drivers for some models trigger the issue, possibly related to unsigned drivers?

    Wednesday, August 21, 2019 9:27 PM