Deploying 100% of available software updates during a task sequence
Hi,
Can somebody tell me if it is actually possible to fully patch a computer via an SCCM 2012 task sequence using the install software updates task? If you have managed this can you shed some light on where I'm going wrong? For me, this behaviour is exactly the same as ConfigMgr07... It simply doesn't work as it should.
I've integrated IE9 into my image and then added in all available updates via offline servicing. My task sequence installs Windows, installs Adobe Reader, Office 2010 and Visio Viewer 2010. I then reboot the machine and perform all my patching via the Install Software Updates task (with it set to 'all'), then reboot again. I do this four times in total.
It downloads and installs some 24 updates in the first instance. The second, third and fourth time it doesn't download or install anything.
When the task sequence completes and the OS first starts up there are 10 updates waiting to be installed (including updates for Adobe Reader and Flash that I have published to the WSUS server via SCUP). After installing those and rebooting there is a single hotfix available (KB2533552). After installing that and rebooting, .NET4 Client Profile is waiting for me. After that another nine more updates are available (mainly .NET4). Reboot, .NET4 Framework, reboot 5x .NET4 framework updates.
Why does the software update task not install 'all' updates when that is what I've selected? I have an automatic deployment rule targeted to my OSD and Unknown Computers collections. The rule is set to include Windows 7, Office 2010 and Adobe products with all update classification types.
July 5th, 2012 6:05pm
The way I did it was to create a new software update group with all non expired or superseded updates and deployed that to the unknown computers collection. Then when the task ran the updates it pulled them all in. This also got them to show up in the list when I scheduled an update for the wim file.
Hope that helps!
July 6th, 2012 8:08pm
Hi,
Thanks for the reply, sorry for getting back so late but I've been doing a fair bit of testing.
What you describe is the same as what I have now. I'm curious as to the method you approach this with? Do you just run the step once and it pulls in every update? Or do you have to run it two, three, four times in a row? Do you add reboots after each run? Do you patch everything after you've installed all your apps or patch the base OS first, install more apps, and then do some more patching?
I've checked my automatic deployment rule and can't find a way of excluding expired updates but fortunately there don't appear to be any in the list when I check the group members.
I've created a task sequence that runs the Install Software Updates step but it only ever finds updates available to install twice. The first time I log in to Windows there are 34 more updates available to install. All but one of the 34 updates are members of the software update group that has been created by my Automatic Deployment rule. The only update it doesn't have is a Visual C++ 2008 SP1 so I'm going to add that product class to my deployment rules and see whether that one update is holding up all the rest. I'm also wondering which products you have targeted? Just Windows & Office or every product that's on the WSUS server?
Thanks,
James.
- Edited by fusiongroup, Tuesday, July 10, 2012 7:53 AM
July 10th, 2012 7:51am
Is the ConfigMgr 2012 client installed within your reference image and then did you fully patch it from Windows Update prior to capturing the image?
July 10th, 2012 12:16pm
Actually going back I was just targeting Windows 7 updates. I made an updates group and made it required for unknown computers. Then I built a reference PC and captured it. The only thing I changed in the task was to add my apps. (which it looks like it limits you to 9 apps unless you use the variable name which is a real pain in the butt if you are troubleshooting. I ended up just setting dependencies on some of the apps to install other apps to get around that.) After I capture it I ran the update OS and it showed all the patches were applied. I am not sure I'm a big fan of the reference image but it does speed up deployments. I don't like that there isn't an easy way to manually build your golden image then capture it but that is just me I guess.
I will have to go back now and try it with the Office updates and all that and see if it works or not. I'll document what I'm doing and if it works I'll hit you back.
July 10th, 2012 3:12pm
I use a Virtual machine to build my reference image, built by ConfigMgr with Office 2010 but then patched to the hilt through Windows Update. I then snapshot the machine. I would then re-arm the Office 2010 and run the ConfigMgr capture media ISO on it. Each time I need to update the image I just revert back to snapshot and repeat the process. Offline Servicing is a great time-saver for updates (if you have the disk space for it to run!), but you can't beat actually having a VM snapshot to go back to, reconfigure, patch and recapture.
July 10th, 2012 5:29pm
I've built 5 OSD environments with software updates integration. I had no serious problems with those, but never used Adobe or other non-Microsoft updates.
Here are some facts:
- my .wim image is created from original Win7 SP1 installation media, without any external update installed.
- deployments for software updates in SCCM are not mandatory
- software update step has "all software updates" option selected, not just mandatory updates.
- the deployment of software updates is targeted to a collection which has "unknown"-query, "unknown x86 record", "unknown x64 record" and a collection with workstation query. Deployment also pulled to sub collections in this.
- I have 2-3 steps before MS Office installation step, and 2-3 steps after, so that OS and Office would be updated separately.
Hope this helps! :)
- Proposed as answer by chockymonster, Thursday, August 07, 2014 5:40 PM
- Unproposed as answer by fusiongroup, Friday, August 08, 2014 7:39 AM
July 10th, 2012 8:08pm
Thanks for all the replies people!
I've had my head buried trying to get this working over the past week or so but it still doesn't want to play ball.
I like to keep my reference image as vanilla as possible and then dynamically install the apps later in the task sequence based on stuff like Make/Model/Location etc. I suppose I could always incorporate the standard apps into the reference image but I think I'll find I'm having to update the image even more frequently then.
I did create my reference image a couple of months ago so there are updates now available that are not included in it. I was hoping that the 'offline servicing' would take care of the issue of having to rebuild the reference issue every month. I've found that not all the updates are compatible with this method of updating the base image so references need to be taken anyway... Making the offline servicing completely pointless.
One thing I've noticed recently is that my copy of Office is the RTM version. I'm going to update it to Office 2010 inc SP1 which is available for download through my VLSC and see if that helps matters at all.
If not then I will be reverting back to an old vbs script I wrote to perform all the Windows Updates through WSUS. I really wanted to ditch that this time round and just rely on the built in functions of SCCM so it would be easier for my colleagues to fix/get support in the case of the updating aspect failing completely.
Thanks for all the help.
J.
July 19th, 2012 5:17pm
Have you tried doing a build and capture but using the captured WIM as the install source? I did that to make sure all the patches were on there. So now I have 2 build and capture tasks. One that uses the install CD and one based off the golden WIM (basically creates a new golden wim). Two steps but it seems to have fixed everything up for me.
July 23rd, 2012 5:21pm
Hi,
Thanks for the suggestion, that's not something I've tried but I'll give it a go.
It's a shame the Install Software Updates step doesn't do what it says on the tin... In my mind it should check for available updates, download & install them, reboot and repeat until no more software updates are detected as available. After that does it move on to the next step in the task sequence.
One step after Windows is installed, one after Apps are installed, job done. Simples.
J.
- Proposed as answer by RJ454ME, Thursday, September 20, 2012 6:33 PM
- Unproposed as answer by RJ454ME, Thursday, September 20, 2012 6:34 PM
July 23rd, 2012 5:39pm
Hi,
Just a quick update as I've made a little more progress...
We're running in a pure HTTPS environment and this meant that although I'd run the 'Build and Capture' task sequences in July, no updates were actually being applied to my golden image. This is because the client was in a workgroup and the certificates I'd told the client to select during the installation process were not being used. The control panel applet was just coming up with Client Certificate = 'None' instead of 'PKI'. Updates are installed correctly on domain machines but joining the B&C reference PC to the domain is not an option...
As a test, I changed the communication on the Management Server and Distribution Point to allow HTTP and my 'Build and Capture' task sequence immediately found & installed 78 updates and restarted. Afterwards it ran the ISU step another 3 times with restarts in between. All three found that 0 updates were applicable and the task sequence completed successfully. I was certain I'd cracked it.
I logged in to Windows and there were 7 new updates to install. Only one of them was not included in the package I have targeted to 'Unknown Computers' or my 'Build and Capture' collection, so I've added that. After installing those another 12 appeared, I started to get a serious sense of deja-vu and just switched the thing off...
No matter what I try it seems that the ISU step will not work more than once per task sequence. This means that updates to updates can't ever be installed, and this accounts for at least a third of the updates that are applied. I'm giving up on this as it's now wasted more of my time than I cared to give it. I will just script the updates to install from a WSUS server instead of using SCCM.
- Marked as answer by fusiongroup, Thursday, August 02, 2012 9:36 AM
- Unmarked as answer by fusiongroup, Friday, August 03, 2012 9:34 AM
August 2nd, 2012 9:36am
Hello,
if you want to apply all advertised updates in your BuC or other TS you must trigger a full updatescan as a command before the update step:
WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule "{00000000-0000-0000-0000-000000000113}" /NOINTERACTIVE
You should do the updates 2 or three times to catch all updates, because of dependencies (with reboots between).
Because after the first scan -> "the client uses the software updates metadata that is stored locally"
http://technet.microsoft.com/en-us/library/gg682168.aspxv ->
Scan for Software Updates Compliance Process
August 2nd, 2012 6:40pm
Thank you! This is exactly what I've been looking for!
I have no idea why you wouldn't want to scan for updates before each update deployment... Using metadata from a previous scan seems like a bad idea to me because of the very issue I'm having... Updates are slipping through the net.
But this works perfectly.
Thanks again.
James.
August 3rd, 2012 12:39pm
Hello,
I think MS want to create not "too much traffic" ;-).
If you want to trigger other funny things, here is a list:
Hardware Inventory 00000000-0000-0000-0000-000000000001
Software Inventory 00000000-0000-0000-0000-000000000002
Data Discovery 00000000-0000-0000-0000-000000000003
Machine Policy Assignment Request 00000000-0000-0000-0000-000000000021
Machine Policy Evaluation 00000000-0000-0000-0000-000000000022
Refresh Default Management Point 00000000-0000-0000-0000-000000000023
Refresh Location (AD site or Subnet) 00000000-0000-0000-0000-000000000024
Software Metering Usage Reporting 00000000-0000-0000-0000-000000000031
Sourcelist Update Cycle 00000000-0000-0000-0000-000000000032
Refresh proxy management point 00000000-0000-0000-0000-000000000037
Cleanup policy 00000000-0000-0000-0000-000000000040
Validate assignments 00000000-0000-0000-0000-000000000042
Certificate Maintenance 00000000-0000-0000-0000-000000000051
Branch DP Scheduled Maintenance 00000000-0000-0000-0000-000000000061
Branch DP Provisioning Status Reporting 00000000-0000-0000-0000-000000000062
Software Update Deployment 00000000-0000-0000-0000-000000000108
State Message Upload 00000000-0000-0000-0000-000000000111
State Message Cache Cleanup 00000000-0000-0000-0000-000000000112
Software Update Scan 00000000-0000-0000-0000-000000000113
Software Update Deployment Re-eval 00000000-0000-0000-0000-000000000114
OOBS Discovery 00000000-0000-0000-0000-000000000120
August 3rd, 2012 12:51pm
I just used the exact command in my 'Run Command Line' task and it works fine. No need to change anything:
WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule "{00000000-0000-0000-0000-000000000113}" /NOINTERACTIVE
- Edited by fusiongroup, Wednesday, September 12, 2012 11:04 AM
September 12th, 2012 11:03am
Cheers fusiongroup. I tried with it as-is but I was still unable to patch, back to the drawing board!
Thanks
September 12th, 2012 6:35pm
Hello Goulash,
you can test it on an existing client: open cmd as an admin and run the command. Afterwards, you can see some actions in the WUAHandler.log under c:\Windows\CCM\Logs
A
September 12th, 2012 7:16pm
Hi JPietsch,
Good idea - I hadn't thought of that!
I notice in your TS that you also include a step to allow the scan to finish, is that a cmd entry or similar to just delay the install step from starting for a few minutes? I haven't tried that so maybe mine was allowed enough time to complete the scan.
Many thanks
September 13th, 2012 7:20pm
Hi Goulash,
it's only prophylaxis :-), i only use it at that customer ..... . All the time it works without a delay.
September 13th, 2012 7:27pm
Hi JPietsch
Your screenshot of your Task Sequence was very helpful on getting the updates to scan.
But I'm interested in your other 2 steps after the scan.
Please can you perhaps explain that and also if possible attach screenshots of those steps.
Thanks
November 14th, 2012 1:40pm
Hi,
do you mean "Wait for Scan.. " and "Update..."?
"Wait for scan..." is only a delay for 30 sec., but you don't need this.
The "Update...." step is to re-evaluate the update deployment, you need this for the install process, it depends on "Scan for Updates"
"Scan for Update" is only to scan against the catalog and does not install any updates.
Hope this will help you
November 14th, 2012 7:28pm
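The scan, wait and re-evaluate steps described in this thread, combined into one script for a single 'Run Command Line' step. This is an added PowerShell example, not any poster's own script. The schedule IDs and the log path come from the thread; the choice of ID 108 for the "Update..." step, the timeout values and the use of log growth as a sign that the scan ran are assumptions.

```powershell
# Added example, not from the thread. Place it directly before each
# Install Software Updates step; a non-zero exit code fails the step.

$ScanId   = '{00000000-0000-0000-0000-000000000113}'  # Software Update Scan (thread's list)
$EvalId   = '{00000000-0000-0000-0000-000000000108}'  # Software Update Deployment (assumed choice)
$LogPath  = 'C:\Windows\CCM\Logs\WUAHandler.log'      # log named in the thread
$TimeoutS = 300   # assumption: longest time to wait for the scan to show up in the log
$QuietS   = 30    # assumption: log idle this long means the scan has stopped writing
$PollS    = 5

function Invoke-CcmSchedule {
    param([Parameter(Mandatory = $true)][string]$ScheduleId)
    # Same call as the WMIC one-liner in the thread, but it throws on failure.
    Invoke-WmiMethod -Namespace 'root\ccm' -Class 'SMS_Client' -Name 'TriggerSchedule' `
        -ArgumentList $ScheduleId -ErrorAction Stop | Out-Null
}

function Get-LogLength {
    param([string]$Path)
    if (Test-Path -LiteralPath $Path) { return (Get-Item -LiteralPath $Path).Length }
    return 0
}

function Wait-ScanLogQuiet {
    # Returns $true once the log has changed and then stayed idle for $Quiet seconds,
    # or if it changed but was still busy at the timeout. Returns $false if the log
    # never changed. A size change in either direction counts, so log rollover is handled.
    param([string]$Path, [long]$StartLength, [int]$Timeout, [int]$Quiet, [int]$Poll)
    $deadline = (Get-Date).AddSeconds($Timeout)
    $last     = $StartLength
    $active   = $false
    $idle     = 0
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $Poll
        $now = Get-LogLength $Path
        if ($now -ne $last) {
            $active = $true
            $idle   = 0
            $last   = $now
        }
        elseif ($active) {
            $idle += $Poll
            if ($idle -ge $Quiet) { return $true }
        }
    }
    return $active
}

try {
    $start = Get-LogLength $LogPath
    Invoke-CcmSchedule $ScanId          # full scan, so cached metadata is not reused

    $ran = Wait-ScanLogQuiet -Path $LogPath -StartLength $start `
        -Timeout $TimeoutS -Quiet $QuietS -Poll $PollS
    if (-not $ran) {
        Write-Output "No new WUAHandler.log entries within $TimeoutS s; the scan may not have started."
        exit 2
    }

    Invoke-CcmSchedule $EvalId          # re-evaluate deployments against the fresh scan
    Write-Output 'Scan and deployment evaluation triggered.'
    exit 0
}
catch {
    Write-Output "TriggerSchedule failed: $($_.Exception.Message)"
    exit 1
}
```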
Thanks, this should be very helpful.
November 15th, 2012 11:14am
Hi JPietsch......question...
do you join your reference process to the domain to be able to get the software updates or leave the reference computer to a workgroup....
Do you specify the SMSMP= var in the Setup Windows and ConfigMgr task ?
January 9th, 2013 12:48pm
Hi Pollewops,
at the build and capture TS the computer is no domainmember (workgroup).
I set the following Parameters for the sccm Client:
FSP=server.domain.bla SMSMP=server.domain.bla CCMLOGLEVEL=0 CCMLOGMAXHISTORY=2 CCMLOGMAXSIZE=2000000 SMSCACHESIZE=20000
You can find the parameters here:
http://technet.microsoft.com/en-us/library/gg699356.aspx
Important is the FSP and the SMSMP parameter, you need the FSP for non Domain members (important).
January 9th, 2013 1:35pm
Important is the FSP and the SMSMP parameter, you need the FSP for non Domain members
(important).
FSP? Sure? Is that a typo and you meant SMSMP?
January 9th, 2013 2:08pm
Hi Torsten,
no, i mean FSP, because at build and capture the Client isn't trusted (Workgroup) and can't authenticate .... .
The FSP in 2012 has the function of SLP (i think so, i read this, can't find at the moment).
If you enable anonymous auth. i think you don't need.
Tell me when im wrong ;-).
http://technet.microsoft.com/en-us/library/gg681976.aspx#BKMK_Determine_FSP
January 9th, 2013 2:27pm
So when I join the computer to the domain, it can find the SMSMP, and then the FSP role is not required
January 9th, 2013 4:49pm
Yes, but "normally" for build and capture it is recommended not to join the domain. But it depends on your scenario ;-).
January 9th, 2013 5:06pm
The FSP in 2012 has the function of SLP (i think so, i read this, can't find at the moment).
That is incorrect. The FSP in 2012 remains almost completely unchanged. The functionality of the SLP was rolled into the MP in 2012.
January 9th, 2013 11:24pm
Yes, but "normally" for build and capture it is recommended not to join the domain.
I concur with the recommendation and would go one step further as it should never be done and there are no valid reasons to do so.
January 9th, 2013 11:25pm
Ok so best way is to never join domain with build and capture....
But what roles are required at the SCCM 2012 server then to be able to apply Software Updates to the "unknown" computers and how do I configure that in the "Setup Windows and ConfigMgr" task?
I think FSP role is not required and SLP role is now added to SMSMP...so only SMSMP= is enough to be able to apply the software updates to a workgroup computer ?
January 10th, 2013 1:40am
Hello,
ok, i've tested a BuC TS without FSP and defined "only" the SMSMP -> it works with updates (no apps or packages tested).
If you have the nice "feature" that the updates hang at download, you can make your BuC without patches and after import, use the "Offline Patching" of your image, using right mouse on your OS Image and "Schedule Updates". This will "inject" your image; after finishing don't forget to update your DPs.
@jason: Yes you're right MP takes the role of FSP (a phantom in my head ;-) )
January 10th, 2013 3:14am
Hi JP
That works perfect
- no FSP defined
- only SMSMP used in setup windows and config manager
- no domain join
- after image is created, do offline servicing to update the software updates in the image
THANKS !
January 10th, 2013 3:58pm
Hi,
The Configuration Manager Client caches the results of a Software Update evaluation scan.
This cache has a rather long TTL, longer than the Task Sequence lasted. See my blog post
http://www.toolzz.com/?p=1059 for the solution.
June 12th, 2013 3:37pm
I used your method, but after the first series of installing the updates, the computer reboots and the task sequence never continues.
Because of this, the client is stuck in provisioning mode and the client is not usable.
Did you encounter this when using your method?
October 11th, 2013 12:04pm
But how many updates are targeted to the machine? I have 225 targeted to my Win7 x86 build and capture task sequence. I used to see this problem (and others) frequently when I had 3,000+ targeted.
- Edited by fusiongroup, Friday, October 11, 2013 1:07 PM
October 11th, 2013 1:06pm
Hi,
Yes, I used to see that quite a bit but I haven't seen it in ages. It's really annoying because there's virtually nothing in the logs to go on either.
Roughly how many updates are targeted to your Build and Capture PC? I think I used to see this more often when I had thousands of updates targeted to the B&C machine, rather than the couple of hundred I have now.
James.
October 11th, 2013 3:15pm
Hi,
Yes, I used to see that quite a bit but I haven't seen it in ages. It's really annoying because there's virtually nothing in the logs to go on either.
Roughly how many updates are targeted to your Build and Capture PC? I think I used to see this more often when I had thousands of updates targeted to the B&C machine, rather than the couple of hundred I have now.
James.
I'm not using it with a build and capture, just with normal deployment.
The first update cycle installs 22 updates.
I have tried to put it in a separate tasksequence that is deployed after the initial install and made the deployment required, but then I get other errors :s.
October 11th, 2013 3:47pm
But how many updates are targeted to the machine? I have 225 targeted to my Win7 x86 build and capture task sequence. When I used to see this problem more when I used to have 3,000+ targeted
I think it's only 300 updates that are available in the ADR for Windows 7.
On top of that I slipstream most updates in the wim file.
Only updates from the last month are applied during/after the install.
October 11th, 2013 4:17pm
Numbers sound about right then.
I have 232 targeted to my B&C collection and around 132 of them install during a Win7x86 B&C task. This gives me a fully up-to-date image to deploy. I don't bother with slipstreaming because you can only slipstream .msp patches into the .wim, which will miss some out.
Is it definitely the install software updates step that's causing it to get stuck in provisioning mode? If you do a reboot after the "Setup Windows and ConfigMgr" step does it correctly pick up the task sequence? Are you installing the Cumulative Update 2 client patches? (Presuming you've updated the server to CU2). I'm just thinking that if you're not installing the client patches, it might be failing after the first reboot, rather than after the first software update step.
One thing that did help with my situation was putting plenty of reboots in along the way. It seems it just gives up if you try to ask too much of it.
October 14th, 2013 11:21am
Numbers sound about right then.
I have 232 targeted to my B&C collection and around 132 of them install during a Win7x86 B&C task. This gives me a fully up-to-date image to deploy. I don't bother with slipstreaming because you can only slipstream .msp patches into the .wim, which will miss some out.
Is it definitely the install software updates step that's causing it to get stuck in provisioning mode? If you do a reboot after the "Setup Windows and ConfigMgr" step does it correctly pick up the task sequence? Are you installing the Cumulative Update 2 client patches? (Presuming you've updated the server to CU2). I'm just thinking that if you're not installing the client patches, it might be failing after the first reboot, rather than after the first software update step.
One thing that did help with my situation was putting plenty of reboots in along the way. It seems it just gives up if you try to ask too much of it.
I'm running SCCM 2012 SP1 without any cu updates.
After some further investigation I suspect one of the windows updates causes the problem.
After the initial software updates step, the machine reboots. After this reboot it doesn't get back into the OSD, but drops to CTRL+ALT+DEL window.
I found a similar thread.
Now I need to find a way to find out which updates will be installed during the Install Software Updates step and exclude some updates.
Any tips in this area are welcome.
October 14th, 2013 3:12pm
To find a list of updates, boot up a clean PC and then just run a Windows Update scan from control panel. That will list all the KBs that are required.
I have my ADRs configured to scan for all Windows 7 updates, then remove the ones I don't want to be available for install.
I remove updates I don't want from the ADR like this:
If you want to remove specific KB then adding -%KBxxxxxx% for each KB article you want to remove to your search list should do the trick.
A good place to start would be to remove the updates listed in Michael's link and see what happens.
October 14th, 2013 3:49pm
Odd error. Here's a copy/paste of the 'Run Command Line' task I execute to perform the scan:
WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule "{00000000-0000-0000-0000-000000000113}" /NOINTERACTIVE
I also have the C:\Windows\System32\wbem folder set in the 'Start In' box. Not sure if that helps or not though.
Please keep me posted. I rebuilt my base image the other day and I've just found out my x64 deployments are doing something similar. They're just rebooting after the 'Setup Windows and ConfigMgr' step and not picking up the task sequence again. I'm presuming it's down to an update as x86 goes through fine and both are deployed from the same task sequence.
Edited by fusiongroup, Tuesday, October 15, 2013 9:38 AM
October 15th, 2013 9:37am
To find a list of updates, boot up a clean PC and then just run a Windows Update scan from control panel. That will list all the KBs that are required.
I have my ADRs configured to scan for all Windows 7 updates, then remove the ones I don't want to be available for install.
I remove updates I don't want from the ADR like this:
If you want to remove specific KB then adding -%KBxxxxxx% for each KB article you want to remove to your search list should do the trick.
A good place to start would be to remove the updates listed in Michael's link and see what happens.
Thank you for the tip, this helps a lot.
October 15th, 2013 10:02am
The wmic query fails for me with "invalid verb switch" error.
I found another command that I can execute.
powershell set-executionpolicy bypass;$SMSCli = [wmiclass] "\root\ccm:SMS_Client";$SMSCli.TriggerSchedule("{00000000-0000-0000-0000-000000000113}")
I'm testing the new method now and see what it gives, keep you posted.
October 15th, 2013 10:04am
Ok
Here are my findings:
In my case 2862330 was the culprit.
Required steps to remove the update:
- add "-%KBxxxxxx%" to the title in the ADR as stated above.
- Next try to find the update in the software groups, if it's in there, right-click and choose membership, remove the update from the software group.
- then find the update in the deployment package, right-click and choose delete.
Wait for the deployment package to be replicated to the distribution point and you can update/install your clients again.
To make things less problematic in the future, I'm testing the following setup:
Task sequence to deploy without software updates.
Create a new TS with only the software updates, and deploy it to the same device collection as required.
Once the installation is complete, the updates should be installed automatically.
October 15th, 2013 3:16pm
- add "-%KBxxxxxx%" to the title in the ADR as stated above.
Note that there is no reason to surround the word(s) with wildcards like % as the filter is effectively doing a "contains" type operation. I guess it doesn't hurt (although I'm kind of surprised that it works), but it's certainly not necessary.
October 15th, 2013 5:02pm
Another workaround could be to include the update in your OS image using Offline Servicing. http://blogs.technet.com/b/inside_osd/archive/2011/04/18/configuration-manager-2012-offline-servicing-for-operating-system-images.aspx
Although that would require an update of the OS Image package on all Distribution Points.
Edited by Michael Stokholm, Tuesday, October 15, 2013 5:53 PM
October 15th, 2013 5:48pm
Another workaround could be to include the update in your OS image using Offline Servicing. http://blogs.technet.com/b/inside_osd/archive/2011/04/18/configuration-manager-2012-offline-servicing-for-operating-system-images.aspx
Although that would require an update of the OS Image package on all Distribution Points.
That is true for new installations, however you get into trouble for existing installations. Updates managed by SCCM could fail because of the dual reboot I guess.
October 22nd, 2013 2:24pm
Hi,
I started out using wildcards to replace the KB article numbers in security updates.
e.g.
-%InfoPath%64-bit%
-%Lync%64-bit%
Maybe I wasn't quite exact on my syntax, it should really be:
-InfoPath%64-bit
-Lync%64-bit
This allows me to remove all the security updates for 64-bit versions of these products without blanket removing 64-bit updates, or all updates for that product.
October 22nd, 2013 7:26pm
Good advice however this does not solve the problem during a task sequence because the scan will not have finished by the time the update step is about to begin. Use the fix from the sccm 2007 days, still works great. Just create it as a package with a program to run this vbs script:
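' Schedule ID that triggers the software update scan
Schid = "{00000000-0000-0000-0000-000000000113}"
sMachine = "."
Set WMItarget = GetObject("winmgmts://" & sMachine)
' Connect to the ConfigMgr client namespace on the local machine
Set WMICCM=GetObject("Winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" & sMachine & "\root\ccm")
set SMSCli = WMICCM.Get("SMS_Client")
' Build the input parameters for SMS_Client.TriggerSchedule and call it
set oParams = SMSCli.Methods_("TriggerSchedule").inParameters.SpawnInstance_()
oParams.sScheduleID = Schid
set res = WMICCM.ExecMethod("SMS_Client", "TriggerSchedule", oParams)
' Wait 180000 ms (3 minutes) so the scan can finish before the next step runs
wscript.sleep(180000)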
Save that as initiateUpdateScan.vbs, create a package and distribute it, add a program to the package that calls it like this:
start /wait cscript initiateUpdateScan.vbs
Place the install package task sequence step for this just before "install updates" task sequence step.
The reason this actually works is because of the wscript.sleep(180000), this gives the system time to finish the scan and populate the results to WMI before the "install updates" task is called. You'll notice the same function is being performed as the WMIC method, so nothing wrong with that but this .vbs solution has proved more reliable. Especially on older computers that take a while to scan for updates anyway.
Same fix for the same bug since early 2007.
-Ben
February 17th, 2014 9:08pm
If you're getting the "invalid verb switch", double check the speech marks you are using. I just typed it out and it seemed to work. I have seen people copy and paste it from the net and it fails because it's using the "speech marks".
WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule "{00000000-0000-0000-0000-000000000113}" /NOINTERACTIVE
Copy this one - and try it in the command prompt first. You should get this in your command prompt:
Executing (sms_client)->TriggerSchedule()
Method execution successful.
Out Parameters:[abstract]
class __PARAMETERS
{
[out] uint32 ReturnValue;
};
If it's wrong you will receive the verb error explained.
April 23rd, 2014 4:55pm
how do you guys avoid problems with windows updates forcing reboot which TS cannot seem to handle?
June 21st, 2014 9:15am
The ConfigMgr client can handle reboots, but it cannot handle hotfixes that require *two* reboots. The only way to work around it is removing those hotfixes so that they will not be deployed.
June 21st, 2014 11:22am
how do you guys avoid problems with windows updates forcing reboot which TS cannot seem
June 21st, 2014 6:48pm
Hi,
do you mean "Wait for Scan.. " and "Update..."?
"Wait for scan..." is only a delay for 30 sec., but you don't need this.
The "Update...." step is to re-evaluate the update deployment, you need this for the install process, it depends on "Scan for Updates"
"Scan for Update" is only to scan against the catalog and does not install any updates.
Hope this will help you
August 20th, 2014 2:53pm
You should be able to accomplish the same thing by pinging the network adapter's loopback address and setting a 30 second time out...
ping 127.0.0.1 -n 1 -w 30000
August 20th, 2014 3:07pm
The issue I see with Ben's approach is that the software update scan can take a variable amount of time, potentially causing issues when the timer expires and software updates start when the scan has not completed. If you do searches on the internet you will find typically a command Powershell.exe -command start-sleep xxx where xxx is never the same value twice in the examples. I understand everyone's environment is different but I think this is a variable that is just waiting to be exceeded down the road. I would like to see a process where that variable amount of wait time is replaced with a process that actually checks to see if the Software Update Scan has actually completed. I am not sure if this is possible but it would make for a more consistent process....if it's even possible to do during a TS. I would think you could go into a loop in a script and check something to see if it's complete. I am going to investigate this and see what I can come up with.
If anyone has a sample of a similar script, has a reason why I shouldn't do this or why it's not possible I would love to hear from you. I am also trying to use PowerShell in place of WMIC or VBS where it's applicable.
Examples:
powershell.exe -command "([wmiclass]'root\ccm:SMS_Client').TriggerSchedule('{00000000-0000-0000-0000-000000000113}')"
powershell.exe -command start-sleep 600
BTW...I am referring to the process where 2-4 Software Update Scan and Deployments passes are added to the TS in order to get as many patches as possible deployed by the end of the TS.
To add to this update scan process it would also be nice to check and see if updates are needed and not complete the remaining passes if no updates are available. I am sure you could do this by setting an OSD variable and using as a condition on the steps.
I would also be interested in seeing the approach people are using to exclude the two-reboot hotfixes and how they are getting deployed after the fact.
Thanks
Edited by mniccum, Wednesday, November 12, 2014 11:05 PM
November 12th, 2014 11:01pm
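The loop the post above asks for, as an added example (not code from any poster in this thread): it triggers schedule {00000000-0000-0000-0000-000000000113} and waits until the client records a newer scan completion time, instead of sleeping for a fixed period. The WMI classes CCM_ScanUpdateSourceHistory and CCM_UpdateStatus and the task sequence variable names UpdateScanCompleted and UpdatesMissing are assumptions to confirm on your client version.

```powershell
# Added example, not from the thread. Intended as a "Run Command Line" step placed
# just before "Install Software Updates". Written to run on PowerShell 2.0 (Windows 7).
# ASSUMPTIONS to confirm on your client version:
#   - root\ccm\scanagent:CCM_ScanUpdateSourceHistory exposes LastCompletionTime
#   - root\ccm\SoftwareUpdates\UpdatesStore:CCM_UpdateStatus uses Status='Missing'
#   - UpdateScanCompleted / UpdatesMissing are hypothetical TS variable names
param(
    [int]$TimeoutSeconds = 1800,  # give up after 30 minutes
    [int]$PollSeconds    = 15
)

# Schedule ID quoted throughout this thread for the software update scan
$ScanScheduleId = '{00000000-0000-0000-0000-000000000113}'

function Get-LastScanCompletion {
    # Newest completion time across all update sources, or $null if none is recorded
    $rows = Get-WmiObject -Namespace 'root\ccm\scanagent' `
        -Class 'CCM_ScanUpdateSourceHistory' -ErrorAction SilentlyContinue
    $times = foreach ($r in $rows) {
        if ($r.LastCompletionTime) {
            [System.Management.ManagementDateTimeConverter]::ToDateTime($r.LastCompletionTime)
        }
    }
    $times | Sort-Object -Descending | Select-Object -First 1
}

function Wait-UpdateScan {
    param([int]$TimeoutSeconds, [int]$PollSeconds)
    $before = Get-LastScanCompletion

    # Same WMI method the WMIC, VBScript and PowerShell one-liners in this thread call
    ([wmiclass]'root\ccm:SMS_Client').TriggerSchedule($ScanScheduleId) | Out-Null

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $PollSeconds
        $latest = Get-LastScanCompletion
        # Done once a completion time exists that is newer than the one seen before the trigger
        if (($null -ne $latest) -and (($null -eq $before) -or ($latest -gt $before))) {
            return $true
        }
    }
    # Timed out: the scan is still running, was throttled, or is failing
    # (check ScanAgent.log, WUAHandler.log and WindowsUpdate.log)
    return $false
}

$completed = Wait-UpdateScan -TimeoutSeconds $TimeoutSeconds -PollSeconds $PollSeconds

# Updates the scan reports as applicable but not installed, whether deployed or not
$missing = @(Get-WmiObject -Namespace 'root\ccm\SoftwareUpdates\UpdatesStore' `
    -Class 'CCM_UpdateStatus' -Filter "Status='Missing'" -ErrorAction SilentlyContinue).Count

try {
    # This COM object only exists while a task sequence is running
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tsenv.Value('UpdateScanCompleted') = [string]$completed
    $tsenv.Value('UpdatesMissing')      = [string]$missing
} catch {
    Write-Output 'Not running inside a task sequence; variables not set.'
}

Write-Output "Scan completed: $completed; updates reported missing: $missing"
if ($completed) { exit 0 } else { exit 1 }
```

A later update pass can then carry a step condition on UpdatesMissing, and a non-zero exit code marks the passes where the scan never finished so they can be investigated rather than silently skipped.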
I don't have a pause in my script and have not encountered any issues with the scan not finishing before the Software Update installation step. This is true for my B&C TSs which install in the region of 200 updates, including custom trusted publisher updates from SCUP 2011. So I can't really comment on that side of things.
With regards to the patching side of things: I tried removing the multiple reboot patches from my Task Sequences by excluding them from the Auto Deployment Rules that target the same containers as the task sequences by adding -KBxxxxxx in the ADR. Unfortunately, due to me having the multiple reboot updates targeted at 'update' collections that are populated by hardware/software DB queries, any PC that is performing a 'Refresh' TS ends up with the offending patches being targeted for install anyway and the TS fails.
For a long time I was just removing the client record from the DB and recreating it so that the offending updates would not be targeted to the client. Once the client has been refreshed, a hardware inventory is performed, the collections updated daily, the multiple reboot patches are detected and are scheduled for install for the following Friday afternoon. This used to annoy me as I don't like 'incomplete' clients being delivered to users' desktop.
Recently though I've been toying with offline servicing. At first I attempted to integrate every available update but this just ended up killing things too. A number of the updates that can be installed via offline servicing have a .net 4 pre-requisite but because .net 4 cannot be slipstreamed, the prerequisite is not satisfied, Windows setup fails and so does the TS. So using this method there is a chance you'll end up installing a patch that will kill your image... Still not ideal.
What I have settled on is slipstreaming specific patches into my installation media using dism and then running a B&C TS to update my image.
This is the batch file I use (you'll need to change to suit):
Dism /mount-wim /wimfile:D:\SCCMContentSources\Applications\Microsoft\Windows\7\Professional\SP1\64-bit\Sources\install.wim /index:1 /mountdir:D:\HotFixIntegration\Offline
Dism /Image:D:\HotFixIntegration\Offline /LogPath:SourceAddPackagex64.log /Add-Package /PackagePath:D:\HotFixIntegration\Hotfixes\64-bit\Updates
Dism /Image:D:\HotFixIntegration\Offline /LogPath:SourceAddPackagex64.log /Add-Package /PackagePath:D:\HotFixIntegration\Hotfixes\64-bit\IE
Dism /unmount-wim /mountdir:D:\HotFixIntegration\Offline /commit
The first line mounts the image.
The second line slipstreams the following .msu updates:
kmdf-1.11, KB2526870, KB2529073, KB2545698, KB2561285, KB2574819-v2, KB2592687, KB2617858, KB2670838, KB2726535, KB2729094-v2, KB2786081, KB2834140-v2, KB2847311, KB2855844, KB2862330-v2, KB2862335, KB2864202, KB2868038, KB2876284, KB2883150, KB2884256, KB2965788, KB2984976, KB917607, KB971033, KB976399, KB977944, KB981750
These are essentially just the multiple reboot patches and their pre-requisites, IE11 prerequisites, and a few KBs that are not published to WSUS.
The third line slipstreams IE11 from the IE11 .cab file.
The fourth line commits the changes to the install media.
After running a B&C TS from this modified installation source there are no updates available to freshly deployed images (until the next patch Tuesday!).
Unfortunately this is a manual process as I need to check the multiple reboot KB article each time updates are released but it's the only way I can put out 100% patched PCs and have a PC Refresh task sequence that doesn't fail.
Edited by fusiongroup, Thursday, November 13, 2014 10:28 AM
November 13th, 2014 10:04am
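A check to pair with the slipstream described above, as an added example (not the poster's batch file): it services the mounted image, confirms that every KB-named update file in the folder actually shows up in the image, and commits only if all of them do. It assumes the DISM PowerShell module is available on the servicing machine and that each update's file name contains its KB number; the function names are hypothetical and the paths are the ones from the batch file.

```powershell
# Added example. ASSUMPTIONS: the DISM PowerShell module is installed (Windows 8 /
# Server 2012 or later, or a matching ADK), and update files are named with their
# KB number (for example ...-KB2862330-v2-x64.msu). Paths come from the batch file above.
Import-Module Dism -ErrorAction Stop

$WimFile   = 'D:\SCCMContentSources\Applications\Microsoft\Windows\7\Professional\SP1\64-bit\Sources\install.wim'
$MountDir  = 'D:\HotFixIntegration\Offline'
$UpdateDir = 'D:\HotFixIntegration\Hotfixes\64-bit\Updates'

function Get-ExpectedKB {
    param([string]$Folder)
    # KB numbers taken from the .msu/.cab file names; files without one (kmdf-1.11) are skipped
    Get-ChildItem -Path $Folder |
        Where-Object { $_.Extension -match '^\.(msu|cab)$' } |
        ForEach-Object { if ($_.Name -match 'KB\d+') { $Matches[0].ToUpper() } } |
        Sort-Object -Unique
}

function Test-ImagePatched {
    param([string[]]$ExpectedKB, $Packages)
    # A package added offline normally reports InstallPending until first boot;
    # any other state (Staged, PartiallyInstalled, ...) is treated as a failure.
    $okStates = 'Installed', 'InstallPending'
    $problems = @()
    foreach ($kb in $ExpectedKB) {
        # (?!\d) stops KB286233 from matching KB2862330
        $hit = @($Packages | Where-Object { $_.PackageName -match "$kb(?!\d)" })
        if ($hit.Count -eq 0) {
            $problems += "$kb : not present in image"
        } elseif (@($hit | Where-Object { $okStates -contains "$($_.PackageState)" }).Count -eq 0) {
            $problems += "$kb : state $($hit[0].PackageState)"
        }
    }
    ,$problems   # return the array itself, even when it is empty
}

$expected = @(Get-ExpectedKB -Folder $UpdateDir)
if ($expected.Count -eq 0) { throw "No KB-named update files found in $UpdateDir" }

Mount-WindowsImage -ImagePath $WimFile -Index 1 -Path $MountDir -ErrorAction Stop | Out-Null
$commit = $false
try {
    Add-WindowsPackage -Path $MountDir -PackagePath $UpdateDir -ErrorAction Stop | Out-Null
    $problems = Test-ImagePatched -ExpectedKB $expected -Packages (Get-WindowsPackage -Path $MountDir)
    if ($problems.Count -eq 0) {
        $commit = $true
        Write-Output "All $($expected.Count) expected KBs are present; committing."
    } else {
        Write-Warning 'Image NOT committed:'
        $problems | ForEach-Object { Write-Warning $_ }
    }
} finally {
    # Never leave a half-serviced image mounted, and never save one that failed the check
    if ($commit) {
        Dismount-WindowsImage -Path $MountDir -Save | Out-Null
    } else {
        Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    }
}
```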
so... why not use this command instead:
WMIC /namespace:\\root\ccm\invagt path inventoryActionStatus where InventoryActionID="{00000000-0000-0000-0000-000000000113}" DELETE /NOINTERACTIVE
It should delete the scan history, thus forcing the "Install Software Updates" step to rescan before installing. This way we do not have to actively initiate the scan, and do not have to wait for it.
Anyone tried this already?
November 24th, 2014 8:01pm
I have two TS Update Software steps available, and both are failing:
The task sequence execution engine failed executing the action (Install Software Updates 2) in the group (State Restore) with the error code 2149859344
Action output: ... hreadID = 3240;
;
uccessfully submitted event to the Status Agent.
End TS policy evaluation
Policy evaluation initiated
GetIPriviledgedInstallInterface successful
Refreshing Updates
Successfully initiated RefreshUpdates operation
Waiting for RefreshUpdates complete notification from Updates Deployment Agent
Notification received, RefreshUpdates have been completed
Signaled RefreshComplete notification
Received RefreshUpdates complete notification from Updates Deployment Agent
RefreshUpdates operation has been completed, hr=0x80244010
RefreshUpdates(), HRESULT=80244010 (e:\nts_sccm_release\sms\client\osdeployment\installswupdate\installswupdate.cpp,923)
InstallUpdates(pInstallUpdate, tType, sJobID, sActiveRequestHandle), HRESULT=80244010 (e:\nts_sccm_release\sms\client\osdeployment\installswupdate\main.cpp,248)
Setting TSEnv variable SMSTSInstallUpdateJobGUID=
Process(pInstallUpdate, tType), HRESULT=80244010 (e:\nts_sccm_release\sms\client\osdeployment\installswupdate\main.cpp,302). The operating system reported error 3: The system cannot find the path specified.
SUP packages are available and deployable via Desktop deployment. Only OSD fails. This started happening after I captured brand new image with all updates at that point. SUP Deployment policy/group has been created before new image. Any ideas?
February 25th, 2015 5:14am
80244010 = The number of round trips to the server exceeded the maximum limit. Source: Windows Update Agent
Examine the updates related logs (U*.log, WUAHandler, ScanAgent and WindowsUpdate.log).
February 25th, 2015 5:29am
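The task sequence error code 2149859344 and the HRESULT 80244010 in the log above are the same 32-bit value written in decimal and in hex. The following is an added example, not code from any post in this thread: it scans task sequence log text for both forms, normalizes them and decodes the fields. The function names are hypothetical, and the sample lines are copied from the log excerpt quoted above.

```python
import re
from collections import Counter

# HRESULT discussed in this thread; the symbolic name comes from the Windows Update Agent error list.
KNOWN = {0x80244010: "WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS: round trips to the server exceeded the maximum limit"}

# Constructed sample: lines taken from the log excerpt quoted in this thread.
SAMPLE_LOG = """\
The task sequence execution engine failed executing the action (Install Software Updates 2) in the group (State Restore) with the error code 2149859344
Successfully initiated RefreshUpdates operation
RefreshUpdates operation has been completed, hr=0x80244010
RefreshUpdates(), HRESULT=80244010 (e:\\nts_sccm_release\\sms\\client\\osdeployment\\installswupdate\\installswupdate.cpp,923)
Setting TSEnv variable SMSTSInstallUpdateJobGUID=
"""

HEX_RE = re.compile(r"\b(?:hr|HRESULT)\s*=\s*(?:0x)?([0-9A-Fa-f]{8})\b")
DEC_RE = re.compile(r"\berror code (-?\d+)\b")

def to_hresult(value):
    """Normalize a signed or unsigned 32-bit integer to an unsigned HRESULT."""
    return value & 0xFFFFFFFF

def decode(hr):
    """Split an HRESULT into its severity, facility and code fields."""
    return {"hex": f"0x{hr:08X}", "failed": bool(hr >> 31),
            "facility": (hr >> 16) & 0x7FF, "code": hr & 0xFFFF,
            "meaning": KNOWN.get(hr, "unknown")}

def scan(log_text):
    """Count normalized HRESULTs that appear in hex or decimal form."""
    hits = Counter()
    for line in log_text.splitlines():
        for m in HEX_RE.finditer(line):
            hits[to_hresult(int(m.group(1), 16))] += 1
        for m in DEC_RE.finditer(line):
            hits[to_hresult(int(m.group(1)))] += 1
    return hits

def failures(log_text):
    """Decoded failure HRESULTs with occurrence counts, most frequent first."""
    return [(decode(hr), n) for hr, n in scan(log_text).most_common() if hr >> 31]

if __name__ == "__main__":
    for info, count in failures(SAMPLE_LOG):
        print(count, info)
```

Facility 36 (0x24) marks the error as coming from the Windows Update Agent rather than from the task sequence engine, which is why the update logs listed above are the place to look next.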
You have too many updates targeted at your client PC. See my post above from Monday, October 14, 2013 12:49 PM
February 25th, 2015 5:32am
You have too many updates targeted at your client PC. See my post above from Monday, October 14, 2013 12:49 PM
I wish it could be that easy :)
I have one and only Deployment to OSD collection, where are unknown Computers only. Old image is pulling 92 updates fine, new image doesn't. CM agent is the same version in both.
New image pulls updates fine from Desktop deployment, so the WU agent cannot be broken either.
February 25th, 2015 9:05am
This explains in more detail the problem you are having.
http://blogs.technet.com/b/sus/archive/2008/09/18/wsus-clients-fail-with-warning-syncserverupdatesinternal-failed-0x80244010.aspx
You have to reduce the number of updates if you want it to work reliably without error. I managed it using a combination of solutions.
I always struggled before I re-designed my OSD Collections. I now have one for each OS's (XPx86, 7x86, 7x64 etc.) Build and Capture TS and add the client manually if I want to create a new image. This way you can remove all the updates contained in the B&C TS's ADRs from the Unknown Computer's ADR.
Make sure any versions of Office have service packs slipstreamed before they are installed on the client and remove all slipstreamed updates from the targeting rules.
Prior to this I used to get around it by making sure I had 'Continue on error' checked for each Install Software Updates TS step. Run 2 or 3 consecutively without reboot. This took ages though and was the main reason I looked at reducing the number of updates targeted.
February 25th, 2015 9:50am
Thank you for the help, I diminished the amount of updates from 300 -> 40 (to only required Office updates) but the situation stays the same.
I can't gather local logs until next week.
February 26th, 2015 8:38am
Oh yes, I could manage it by entering 3 different steps without restart, and on the 3rd step, it started downloading updates fine!
February 27th, 2015 9:34am
Hi,
I've tried but I get an error in the TS.
I've made the update steps in the TS like described here.
But when it arrives at the step where it has to run the WMIC command, it fails.
The OS is W7x64SP1
March 13th, 2015 5:42am
I've tried but I get an error in the TS.
[...]
But when it arrives at the step where it has to run the WMIC command, it fails.
It would be great if you would have mentioned details about the error at all. How should we help if we don't know what happened?
March 13th, 2015 6:14am
The error I get in the log is:
March 17th, 2015 4:57am
Hi,
I'm looking for a trigger to force the client to install updates.
Does anybody have success using a script (WMI or VBS) with the TriggerSchedule "{00000000-0000-0000-0000-000000000113}"?
I'm still testing but it's taking too much time. Could I check some log to see if it's running?
Thanks
Julio
June 26th, 2015 1:19pm
Yes, my task sequence would work by running the trigger schedule command and then running the install software updates task immediately afterwards. No pause or wait needed. I think running the trigger schedule command makes the client remove its cached scan results.
However, as a lot of people have reported issues with updates still not being detected, I decided to follow this advice and run the scan with a 3 minute delay before moving to the next step in the TS.
I do this using the VBS script that peacepenguin posted earlier in this thread:
' Schedule ID of the Software Updates Scan Cycle
Schid = "{00000000-0000-0000-0000-000000000113}"
sMachine = "."
Set WMItarget = GetObject("winmgmts://" & sMachine)
' Connect to the ConfigMgr client WMI namespace on the local machine
Set WMICCM=GetObject("Winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" & sMachine & "\root\ccm")
set SMSCli = WMICCM.Get("SMS_Client")
' Build the input parameters and call SMS_Client.TriggerSchedule
set oParams = SMSCli.Methods_("TriggerSchedule").inParameters.SpawnInstance_()
oParams.sScheduleID = Schid
set res = WMICCM.ExecMethod("SMS_Client", "TriggerSchedule", oParams)
' Wait 3 minutes (180000 ms) so the scan can finish before the next TS step
wscript.sleep(180000)
July 7th, 2015 9:34am
Hi,
Any updates on this thread?
I have around 500 fixes to deploy in my B&C. I found 56 are installed in my first install and nothing on step 2 and 3. Even IE 11 is not installed.
What should be the max number of fixes in the software updates package to be sure it is succeeding?
Would increasing the sleep solve the issue, or removing it?
July 26th, 2015 8:57am
You should use offline servicing to inject the vast majority of updates into the base image before using it in a B&C.
July 26th, 2015 6:27pm
Hi,
I appreciate your help. Is it fixed with SP1?
What exactly is happening with Windows 7 32 bit that prevents the TS from doing the job?
Which updates will not be applied by offline servicing?
July 26th, 2015 9:58pm
Non-CBS updates will not be applied. This includes Office updates and other non-core OS updates.
Don't know what exactly is happening to prevent update installation, but basically any large number of updates during a TS will cause issues regardless of the ConfigMgr version.
July 27th, 2015 9:25am