MDT 2013 Issues applying windows updates

  • Question

  • I am using the following software versions to deploy a Windows 7 SP1 x64 Lite-Touch Installation to a test machine that I am running:

    Windows Server Version:  Windows Server 2012 Enterprise 64-bit

    Microsoft Deployment Toolkit Version:  2013

    Windows ADK Version:  8.1

    I ran a default Task Sequence deployment and had no issues with the process and everything deployed fine. 

    However, I now wish to customize this installation and include the Windows updates that were released after SP1.  From my understanding I can accomplish this task three ways.  The first is to let the system go out and get the updates, but I tried this process and the deployment time is around 2 hours.  The second way is to add the packages into the task sequence, and the third is to inject them into the wim.

    I have imported a small group of updates into the packages folder.  Next I verified that the apply patch option in the preinstall phase was enabled and the selection was set to all packages.  The problem I run into is that none of the updates seemed to apply.  I then attempted it again by disabling the apply patch option and placing the task for install updates offline in the post-install phase and when that didn’t work I also created a custom task in the state restore phase.  No updates applied in any of these attempts.

    From what I can tell (but am uncertain) the updates were not being applied since the unattended.xml did not have the packages listed there.  I tried adding the packages to the unattended file and on my next attempt using each of the phases I receive a dism.exe error.

    My question is as follows:

    If I wish to add updates directly to the wim file or if I want to add them into the task sequence for deployment (I would like to complete things both ways for comparison) how should I go about accomplishing this task?

    Monday, February 24, 2014 5:27 PM

Answers

  • Hi,

    Updates can be injected during the Preinstall phase > Apply Patches step.

    Create a new folder under packages and call it Windows 7 x64 SecurityUpdates

    Import the Windows 7 update to this particular folder

    Create a selection profile and name it the same, and point only to this particular folder

    On the apply patches step, select the selection profile, instead of all packages, or all drivers and packages.

    That should be it!

    There's one big catch, however: if you import the 'wrong' or inapplicable updates, you will notice it right away when DISM is applying the updates to the system, since your deployment will then fail. To investigate which updates cause this issue, please view the DISM.log on the machine that you are deploying with trace64.exe


    If this post is helpful please click "Mark for answer", thanks! Kind regards


    Tuesday, February 25, 2014 8:26 AM
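
The steps in the answer above can also be scripted through the MDT PowerShell provider. This is an added example, not code from the thread; the deployment share path, the DS001 drive name and the update source folder are assumptions.

```powershell
# Added example. Assumed values: share root, PSDrive name, update source folder.
$ShareRoot = 'D:\DeploymentShare'            # assumption: your deployment share
$Source    = 'D:\Updates\Win7x64'            # assumption: downloaded .msu/.cab files
$Name      = 'Windows 7 x64 SecurityUpdates' # folder and profile name from the answer

Import-Module 'C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1'
if (-not (Get-PSDrive -Name DS001 -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name DS001 -PSProvider MDTProvider -Root $ShareRoot | Out-Null
}

# Step 1: a dedicated folder under Packages, so unrelated packages stay out of scope.
$folder = "DS001:\Packages\$Name"
if (-not (Test-Path $folder)) {
    New-Item -Path 'DS001:\Packages' -Enable 'True' -Name $Name -ItemType 'folder' | Out-Null
}

# Step 2: import every update found under the source folder into that folder.
Import-MDTPackage -Path $folder -SourcePath $Source -Verbose

# Step 3: a selection profile with the same name that includes only that folder.
$selProfile = "DS001:\Selection Profiles\$Name"
if (-not (Test-Path $selProfile)) {
    $definition = '<SelectionProfile><Include path="Packages\{0}" /></SelectionProfile>' -f $Name
    New-Item -Path 'DS001:\Selection Profiles' -Enable 'True' -Name $Name `
             -Comments 'Offline-serviceable Windows 7 x64 updates' `
             -Definition $definition -ReadOnly 'False' | Out-Null
}

# Step 4 is done in the task sequence editor: on Preinstall > Apply Patches,
# pick this selection profile instead of "All Packages".
Get-ChildItem $folder | Select-Object Name
```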

All replies

  • Hi,

    You also have the option to plug your MDT server to a WSUS using the WSUSServer variable.

    This will for sure take a while, but this will be part of the task sequence process and you'll be able to control which updates you want by approving them on the Unassigned Computers group in WSUS.


    Mickael,
    My technet galleries contributions :
    ConfigMgr driver injector
    SCCM Collection splitter

    Tuesday, February 25, 2014 8:40 AM
  • Agreed, but injecting the updates is less time consuming. And you still have the option to use WSUS afterwards. I always advise to do a batch of updates via the apply patches step. Certainly on Windows 7 it can service 70 to 80% of all the updates offline. The remaining updates can then be installed online via WSUS.

    So it's more like a two-stage rocket


    If this post is helpful please click "Mark for answer", thanks! Kind regards

    Tuesday, February 25, 2014 8:43 AM
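
Instead of finding inapplicable or online-only updates when the deployment fails, each package can be queried against the image before it is imported. This is an added example, not code from the thread; it uses the DISM PowerShell module (inbox on Windows Server 2012), and every path in it is an assumption.

```powershell
# Added example. All paths are assumptions; work on a copy of install.wim.
$WimPath    = 'D:\Work\install.wim'   # copy of the Windows 7 SP1 x64 image
$ImageIndex = 1
$UpdateDir  = 'D:\Updates\Win7x64'    # downloaded .msu/.cab files
$MountDir   = 'D:\Mount'
$ScratchDir = 'D:\Scratch'

Import-Module Dism
New-Item -ItemType Directory -Force -Path $MountDir, $ScratchDir | Out-Null
Mount-WindowsImage -ImagePath $WimPath -Index $ImageIndex -Path $MountDir | Out-Null
try {
    $report = foreach ($file in Get-ChildItem $UpdateDir -Include *.msu, *.cab -Recurse) {
        $cab = $file.FullName
        if ($file.Extension -eq '.msu') {
            # An .msu is a container: the servicing payload is the KB-named .cab inside.
            $out = Join-Path $ScratchDir $file.BaseName
            New-Item -ItemType Directory -Force -Path $out | Out-Null
            & expand.exe -F:*.cab $file.FullName $out | Out-Null
            $cab = Get-ChildItem $out -Filter *.cab |
                   Where-Object { $_.Name -ne 'WSUSSCAN.cab' } |
                   Select-Object -First 1 -ExpandProperty FullName
        }
        try {
            # Query only; nothing is added to the image.
            $info = Get-WindowsPackage -Path $MountDir -PackagePath $cab -ErrorAction Stop
            [pscustomobject]@{
                File           = $file.Name
                Applicable     = $info.Applicable
                OfflineCapable = $info.CompletelyOfflineCapable
                Error          = ''
            }
        } catch {
            [pscustomobject]@{
                File = $file.Name; Applicable = $false; OfflineCapable = 'Unknown'
                Error = $_.Exception.Message
            }
        }
    }
    $report | Sort-Object Applicable, File | Format-Table -AutoSize
    $report | Export-Csv (Join-Path $ScratchDir 'update-applicability.csv') -NoTypeInformation
}
finally {
    # Discard so the image itself is never modified by this check.
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
}
```

Packages reported as not applicable or not fully offline-capable are the ones to keep out of the Apply Patches selection profile and leave to the online WSUS pass.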
  • Thank you all for your replies,

    I followed a tutorial similar to the answer you proposed for another MDT version and thought I was missing something. It turned out that the test updates I was using were the 20-30% as indicated below that were not working.

    I'm testing updates in small batches now to try and figure out which ones will be successful and which ones will fail. Does anyone know of a list posted anywhere that may possess this information? I started creating one in the meantime.

    Sincerely,

    Sean

    Monday, March 3, 2014 4:31 PM
  • Can somebody please post a list of exclusions?

    I already found that

    • KB2533552
    • KB2604521
    • KB2726535
    • KB2496898

    'break' deployment ...

    Are there others, or is it trial and error?


    Tuesday, May 27, 2014 5:14 PM
  • Hi,

    Usually it's trial and error, or a query upfront of which updates would have been or could have been installed. To do this, put "/query" behind your ZTIWindowsUpdate.wsf script execution.

    I usually use the following exclusions in all my MDT deployments:

    ; EXCLUDED WSUS UPDATES for Windows 7
    ;Microsoft Browser Choice Screen Update for EEA Users of Windows 7 for x64-based Systems (KB976002)
    WUMU_ExcludeKB1=976002
    ;Microsoft Silverlight (KB2636927)
    WUMU_ExcludeKB2=2636927
    ;Windows Internet Explorer 9 for Windows 7 for x64-based Systems (KB982861)
    WUMU_ExcludeKB3=982861
    ;Windows Internet Explorer 10 for Windows 7 for x64-based Systems (KB2718695)
    WUMU_ExcludeKB4=2718695
    ;Bing Desktop (KB2694771)
    WUMU_ExcludeKB5=2694771
     
    ; EXCLUDED WSUS UPDATES for Windows 8/8.1
    ; Microsoft Silverlight (KB2668562)
    WUMU_ExcludeKB6=2668562
    ; Microsoft Browser Choice Screen Update for EEA Users of Windows 8 for x64-based Systems (KB976002)
    WUMU_ExcludeKB7=976002
    ; Update for Internet Explorer Flash Player for Windows 8 for x64-based Systems (KB2824670)
    WUMU_ExcludeKB8=2824670

    Copied from my blog: MDT2013 – Powershell ‘BESERK’ mode, configure everything with Powershell!!!

    Cheers!


    If this post is helpful please click "Mark for answer", thanks! Kind regards

    Tuesday, May 27, 2014 8:02 PM
  • Hi Chris,

    It's trial and error for the most part because some of the updates depreciate. It would definitely be awesome if there was a definitive list, or if you could just go to Microsoft and get all of, let's say, win7x64 to date that are relevant. I moved on to another project, but these numbers all worked for win7x64.

    2491683
    2564958
    2570947
    2619339
    2620704
    2621440
    2654428
    2655992
    2667402
    2690533
    2479943
    2506212
    2509553
    2511455
    2536276
    2544893
    2560656
    2579686
    2584146
    2585542
    2515325
    2836502
    2913152
    2631813
    2653956
    2690533
    2691422
    2698365
    2685939
    2705219
    2706045
    2712808
    2727528
    2743555
    2757638
    2758857
    2552343
    2563227
    2603229
    2640148
    2660075
    2506014
    2541014
    2545698
    2547666
    2699779
    2709630
    2718704
    2726535
    2506928
    2719857
    2729094
    2732059
    2732059
    2732487
    2732487
    2761217
    2763523
    2773072
    2750841
    2786081
    2786400
    2798162
    2799926
    2808679
    2813956
    2820331
    2647753
    2791765
    2846960
    2847077
    2852386
    2853952
    2868116
    2834140
    2888049
    2891804
    2893519
    2904266
    2913431
    2919469
    2929733
    982018
    2770660
    2785220
    2803821
    2807986
    2813347
    2813430
    2891804
    2918077
    Thursday, May 29, 2014 12:25 AM