Deploying 100% of available software updates during a task sequence

Hi,

Can somebody tell me if it is actually possible to fully patch a computer via an SCCM 2012 task sequence using the install software updates task? If you have managed this can you shed some light on where I'm going wrong? For me, this behaviour is exactly the same as ConfigMgr07... It simply doesn't work as it should.

I've integrated IE9 into my image and then added in all available updates via offline servicing. My task sequence installs Windows, installs Adobe Reader, Office 2010 and Visio Viewer 2010. I then reboot the machine and perform all my patching via the Install Software Updates task (with it set to 'all'), then reboot again. I do this four times in total.

It downloads and installs some 24 updates in the first instance. The second, third and fourth time it doesn't download or install anything.

When the task sequence completes and the OS first starts up there are 10 updates waiting to be installed (including updates for Adobe Reader and Flash that I have published to the WSUS server via SCUP). After installing those and rebooting there is a single hotfix available (KB2533552). After installing that and rebooting, .NET4 Client Profile is waiting for me. After that another nine more updates are available (mainly .NET4). Reboot, .NET4 Framework, reboot 5x .NET4 framework updates.

Why does the software update task not install 'all' updates when that is what I've selected? I have an automatic deployment rule targeted to my OSD and Unknown Computers collections. The rule is set to include Windows 7, Office 2010 and Adobe products with all update classification types.

July 5th, 2012 6:05pm

The way I did it was to create a new software update group with all non-expired or superseded updates and deployed that to the unknown computers collection. Then when the task ran the updates it pulled them all in. This also got them to show up in the list when I scheduled an update for the wim file.

Hope that helps!

July 6th, 2012 8:08pm

Hi,

Thanks for the reply, sorry for getting back so late but I've been doing a fair bit of testing.

What you describe is the same as what I have now. I'm curious as to the method you approach this with? Do you just run the step once and it pulls in every update? Or do you have to run it two, three, four times in a row? Do you add reboots after each run? Do you patch everything after you've installed all your apps or patch the base OS first, install more apps, and then do some more patching?

I've checked my automatic deployment rule and can't find a way of excluding expired updates but fortunately there don't appear to be any in the list when I check the group members.

I've created a task sequence that runs the Install Software Updates step but it only ever finds updates available to install twice. The first time I log in to Windows there are 34 more updates available to install. All but one of the 34 updates are members of the software update group that has been created by my Automatic Deployment rule. The only update it doesn't have is a Visual C++ 2008 SP1 so I'm going to add that product class to my deployment rules and see whether that one update is holding up all the rest. I'm also wondering which products you have targeted? Just Windows & Office or every product that's on the WSUS server?

Thanks,

James.



July 10th, 2012 7:51am


Is the ConfigMgr 2012 client installed within your reference image and then did you fully patch it from Windows Update prior to capturing the image?
July 10th, 2012 12:16pm

Actually going back I was just targeting Windows 7 updates. I made an updates group and made it required for unknown computers. Then I built a reference PC and captured it. The only thing I changed in the task was to add my apps. (which it looks like it limits you to 9 apps unless you use the variable name which is a real pain in the butt if you are troubleshooting. I ended up just setting dependencies on some of the apps to install other apps to get around that.) After I capture it I ran the update OS and it showed all the patches were applied. I am not sure I'm a big fan of the reference image but it does speed up deployments. I don't like that there isn't an easy way to manually build your golden image then capture it but that is just me I guess.

I will have to go back now and try it with the Office updates and all that and see if it works or not. I'll document what I'm doing and if it works I'll hit you back.

July 10th, 2012 3:12pm

I use a Virtual machine to build my reference image, built by ConfigMgr with Office 2010 but then patched to the hilt through Windows Update.  I then snapshot the machine.  I would then re-arm the Office 2010 and run the ConfigMgr capture media ISO on it.  Each time I need to update the image I just revert back to snapshot and repeat the process.  Offline Servicing is a great time-saver for updates (if you have the disk space for it to run!), but you can't beat actually having a VM snapshot to go back to, reconfigure, patch and recapture.
July 10th, 2012 5:29pm

I've built 5 OSD environments with software updates integration. I had no serious problems with those, but never used Adobe or other non-Microsoft updates.

Here are some facts:
- my .wim image is created from original Win7 SP1 installation media, without any external update installed.
- deployment for software updates in SCCM are not mandatory
- software update step has "all software updates" option selected, not just mandatory updates.
- the deployment of software updates is targeted to a collection which has "unknown"-query, "unknown x86 record", "unknown x64 record" and a collection with workstation query. Deployment also pulled to a sub collections in this.
- I have 2-3 steps before MS Office installation step, and 2-3 steps after, that OS and Office would be updated separately.

Hope this helps! :)

  • Proposed as answer by chockymonster Thursday, August 07, 2014 5:40 PM
  • Unproposed as answer by fusiongroup Friday, August 08, 2014 7:39 AM
July 10th, 2012 8:08pm


Thanks for all the replies people!

I've had my head buried trying to get this working over the past week or so but it still doesn't want to play ball.

I like to keep my reference image as vanilla as possible and then dynamically install the apps later in the task sequence based on stuff like Make/Model/Location etc. I suppose I could always incorporate the standard apps into the reference image but I think I'll find I'm having to update the image even more frequently then.

I did create my reference image a couple of months ago so there are updates now available that are not included in it. I was hoping that the 'offline servicing' would take care of the issue of having to rebuild the reference issue every month. I've found that not all the updates are compatible with this method of updating the base image so references need to be taken anyway... Making the offline servicing completely pointless.

One thing I've noticed recently is that my copy of Office is the RTM version. I'm going to update it to Office 2010 inc SP1 which is available for download through my VLSC and see if that helps matters at all.

If not then I will be reverting back to an old vbs script I wrote to perform all the Windows Updates through WSUS. I really wanted to ditch that this time round and just rely on the built in functions of SCCM so it would be easier for my colleagues to fix/get support in the case of the updating aspect failing completely.

Thanks for all the help.

J.

July 19th, 2012 5:17pm

Hi,

Thanks for the suggestion, that's not something I've tried but I'll give it a go.

It's a shame the Install Software Updates step doesn't do what it says on the tin... In my mind it should check for available updates, download & install them, reboot and repeat until no more software updates are detected as available. After that does it move on to the next step in the task sequence.

One step after Windows is installed, one after Apps are installed, job done. Simples.

J.

  • Proposed as answer by RJ454ME Thursday, September 20, 2012 6:33 PM
  • Unproposed as answer by RJ454ME Thursday, September 20, 2012 6:34 PM
July 23rd, 2012 2:39pm

Have you tried doing a build and capture but using the captured WIM as the install source? I did that to make sure all the patches were on there. So now I have 2 build and capture tasks. One that uses the install CD and one based off the golden WIM (basically creates a new golden wim). Two steps but it seems to have fixed everything up for me.
July 23rd, 2012 5:21pm


Hi,

Just a quick update as I've made a little more progress...

We're running in a pure HTTPS environment and this meant that although I'd run the 'Build and Capture' task sequences in July, no updates were actually being applied to my golden image. This is because the client was in a workgroup and the certificates I'd told the client to select during the installation process were not being used. The control panel applet was just coming up with Client Certificate = 'None' instead of 'PKI'. Updates are installed correctly on domain machines but joining the B&C reference PC to the domain is not an option...

As a test, I changed the communication on the Management Server and Distribution Point to allow HTTP and my 'Build and Capture' task sequence immediately found & installed 78 updates and restarted. Afterwards it ran the ISU step another 3 times with restarts in between. All three found that 0 updates were applicable and the task sequence completed successfully. I was certain I'd cracked it.

I logged in to Windows and there were 7 new updates to install. Only one of them was not included in the package I have targeted to 'Unknown Computers' or my 'Build and Capture' collection, so I've added that. After installing those another 12 appeared, I started to get a serious sense of deja-vu and just switched the thing off...

No matter what I try it seems that the ISU step will not work more than once per task sequence. This means that updates to updates can't ever be installed, and this accounts for at least a third of the updates that are applied. I'm giving up on this as it's now wasted more of my time than I cared to give it. I will just script the updates to install from a WSUS server instead of using SCCM.

  • Marked as answer by fusiongroup Thursday, August 02, 2012 9:36 AM
  • Unmarked as answer by fusiongroup Friday, August 03, 2012 9:34 AM
August 2nd, 2012 9:36am


Hello,

If you want to apply all advertised updates in your BuC or other TS you must trigger a full update scan as a command before the update step:

WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule "{00000000-0000-0000-0000-000000000113}" /NOINTERACTIVE

You should do the updates 2 or three times to catch all updates, because of dependencies (with reboots between).

Because after the first scan -> "the client uses the software updates metadata that is stored locally"

http://technet.microsoft.com/en-us/library/gg682168.aspxv -> Scan for Software Updates Compliance Process

August 2nd, 2012 6:40pm

Thank you! This is exactly what I've been looking for!

I have no idea why you wouldn't want to scan for updates before each update deployment... Using metadata from a previous scan seems like a bad idea to me because of the very issue I'm having... Updates are slipping through the net.

But this works perfectly.

Thanks again.

James.

August 3rd, 2012 12:39pm

Hello,

I think MS does not want to create "too much traffic" ;-).

If you want to Trigger other funny things, here is a list:

Hardware Inventory 00000000-0000-0000-0000-000000000001
Software Inventory 00000000-0000-0000-0000-000000000002
Data Discovery 00000000-0000-0000-0000-000000000003
Machine Policy Assignment Request 00000000-0000-0000-0000-000000000021
Machine Policy Evaluation 00000000-0000-0000-0000-000000000022
Refresh Default Management Point 00000000-0000-0000-0000-000000000023
Refresh Location (AD site or Subnet) 00000000-0000-0000-0000-000000000024
Software Metering Usage Reporting 00000000-0000-0000-0000-000000000031
Sourcelist Update Cycle 00000000-0000-0000-0000-000000000032
Refresh proxy management point 00000000-0000-0000-0000-000000000037
Cleanup policy 00000000-0000-0000-0000-000000000040
Validate assignments 00000000-0000-0000-0000-000000000042
Certificate Maintenance 00000000-0000-0000-0000-000000000051
Branch DP Scheduled Maintenance 00000000-0000-0000-0000-000000000061
Branch DP Provisioning Status Reporting 00000000-0000-0000-0000-000000000062
Software Update Deployment 00000000-0000-0000-0000-000000000108
State Message Upload 00000000-0000-0000-0000-000000000111
State Message Cache Cleanup 00000000-0000-0000-0000-000000000112
Software Update Scan 00000000-0000-0000-0000-000000000113
Software Update Deployment Re-eval 00000000-0000-0000-0000-000000000114
OOBS Discovery 00000000-0000-0000-0000-000000000120

August 3rd, 2012 12:51pm

I just used the exact command in my 'Run Command Line' task and it works fine. No need to change anything:

WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule "{00000000-0000-0000-0000-000000000113}" /NOINTERACTIVE




  • Edited by fusiongroup Wednesday, September 12, 2012 11:04 AM
September 12th, 2012 11:03am


Cheers fusiongroup. I tried with it as-is but I was still unable to patch, back to the drawing board!

Thanks

September 12th, 2012 6:35pm

Hello Goulash,

You can test it on an existing client by opening cmd as an admin and running the command; afterwards you can see some actions in the WUAHandler.log under c:\Windows\CCM\Logs

September 12th, 2012 7:16pm

Hi JPietsch,

Good idea - I hadn't thought of that!

I notice in your TS that you also include a step to allow the scan to finish, is that a cmd entry or similar to just delay the install step from starting for a few minutes? I haven't tried that so maybe mine was allowed enough time to complete the scan.

Many thanks

September 13th, 2012 7:20pm

Hi Goulash,

it's only prophylaxis :-), i only use it at that customer ..... . All the time it works without a delay.

September 13th, 2012 7:27pm

Hi JPietsch

Your screenshot of your Task Sequence was very helpful on getting the updates to scan.

But I'm interested in your other 2 steps after the scan.

Please can you perhaps explain that and also if possible attach screenshots of those steps.

Thanks

November 14th, 2012 1:40pm

Hi,

do you mean "Wait for Scan.. " and "Update..."?

"Wait for scan..." is only a delay for 30 sec., but you don't need this.

The "Update...." step is to re-evaluate the update deployment, you need this for the install process, it depends on "Scan for Updates"

"Scan for Update" is only to scan against the catalog and does not install any updates.

Hope this will help you

November 14th, 2012 7:28pm
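
The sequence described in the post above (trigger the scan, wait for it, then re-evaluate the deployment), written as a PowerShell script for a 'Run Command Line' step placed before Install Software Updates. This is an added example, not code from the thread: the schedule IDs and log path are the ones quoted in the thread, while the completion marker text, timeout and poll interval are assumptions to adjust for your environment.

```powershell
# Added example (not from the thread): force a fresh software update scan,
# wait until the client logs that it finished, then re-evaluate deployments.

# Schedule IDs as listed earlier in this thread.
$ScanSchedule   = '{00000000-0000-0000-0000-000000000113}'  # Software Update Scan
$ReEvalSchedule = '{00000000-0000-0000-0000-000000000114}'  # Software Update Deployment Re-eval

# Log path as mentioned in the thread.
$LogPath        = 'C:\Windows\CCM\Logs\WUAHandler.log'
# ASSUMPTION: text the client writes when a scan finishes. Check your own
# WUAHandler.log and change this if the wording differs.
$DoneMarker     = 'Successfully completed scan'
# ASSUMPTION: timing values chosen for illustration.
$TimeoutSeconds = 600
$PollSeconds    = 10

function Get-LogState {
    # Returns the log size and how many completion markers it contains.
    if (-not (Test-Path -Path $LogPath)) {
        return @{ Length = 0; Count = 0 }
    }
    $hits = @(Select-String -Path $LogPath -SimpleMatch -Pattern $DoneMarker)
    return @{
        Length = (Get-Item -Path $LogPath).Length
        Count  = $hits.Count
    }
}

function Invoke-CcmSchedule {
    param([string]$ScheduleId)
    # Same call as the WMIC command in the thread, made through WMI directly.
    # -ErrorAction Stop turns a missing client or namespace into an exception.
    Invoke-WmiMethod -Namespace 'root\ccm' -Class 'SMS_Client' `
                     -Name 'TriggerSchedule' -ArgumentList $ScheduleId `
                     -ErrorAction Stop | Out-Null
}

function Wait-ScanComplete {
    param([hashtable]$Before)
    $baseline = $Before.Count
    $last     = $Before
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)

    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $PollSeconds
        $current = Get-LogState

        # A shrinking file means the log rolled over, so every marker in the
        # new file was written after the scan was triggered.
        if ($current.Length -lt $last.Length) { $baseline = 0 }
        $last = $current

        if ($current.Count -gt $baseline) { return $true }
    }
    return $false
}

try {
    $before = Get-LogState
    Invoke-CcmSchedule -ScheduleId $ScanSchedule

    if (-not (Wait-ScanComplete -Before $before)) {
        Write-Output "Update scan did not report completion within $TimeoutSeconds seconds."
        exit 1
    }

    # Only re-evaluate once the scan results are fresh.
    Invoke-CcmSchedule -ScheduleId $ReEvalSchedule
    Write-Output 'Scan completed and deployment re-evaluation triggered.'
    exit 0
}
catch {
    Write-Output "Failed to trigger client schedule: $($_.Exception.Message)"
    exit 2
}
```

A non-zero exit code fails the step, so a scan that never completes (for example the Client Certificate = 'None' case described earlier in the thread) stops the build instead of producing a silently unpatched image.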

Thanks, this should be very helpful.
November 15th, 2012 11:14am

Hi JPietsch......question...

do you join your reference process to the domain to be able to get the software updates or leave the reference computer to a workgroup....

Do you specify the SMSMP= var in the Setup Windows and ConfigMgr task ?
January 9th, 2013 12:48pm

Hi Pollewops,

In the build and capture TS the computer is not a domain member (workgroup).

I set the following Parameters for the sccm Client:

FSP=server.domain.bla SMSMP=server.domain.bla CCMLOGLEVEL=0 CCMLOGMAXHISTORY=2 CCMLOGMAXSIZE=2000000 SMSCACHESIZE=20000

You can find the parameters here:

http://technet.microsoft.com/en-us/library/gg699356.aspx

Important is the FSP and the SMSMP parameter, you need the FSP for non Domain members (impor

January 9th, 2013 1:35pm

Important is the FSP and the SMSMP parameter, you need the FSP for non Domain members (important).

FSP? Sure? Is that a typo and you meant SMSMP?
January 9th, 2013 2:08pm

Hi Torsten,

No, I mean FSP, because at build and capture the client isn't trusted (workgroup) and can't authenticate .... .

The FSP in 2012 has the function of SLP (I think so, I read this, can't find at the moment).

If you enable anonymous auth. I think you don't need.

Tell me when I'm wrong ;-).

http://technet.microsoft.com/en-us/library/gg681976.aspx#BKMK_Determine_FSP

January 9th, 2013 2:27pm

So when I join the computer to the domain, it can find the SMSMP, and then the FSP role is not required
January 9th, 2013 4:49pm

Yes, but "normally" for build and capture it is recommended not to join the domain. But it depends on your scenario ;-).
January 9th, 2013 5:06pm

The FSP in 2012 has the function of SLP (i think so, i read this, can't find at the moment).


That is incorrect. The FSP in 2012 remains almost completely unchanged. The functionality of the SLP was rolled into the MP in 2012.
January 9th, 2013 11:24pm

Yes, but "normally" for build and capture it is recommended not to join the domain.

I concur with the recommendation and would go one step further as it should never be done and there are no valid reasons to do so.
January 9th, 2013 11:25pm

Ok so best way is to never join domain with build and capture....

But what roles are required at the SCCM 2012 server then to be able to apply Software Updates to the "unknown" computers and how do I configure that in the "Setup Windows and ConfigMgr" task ?

I think FSP role is not required and SLP role is now added to SMSMP...so only SMSMP= is enough to be able to apply the software updates to a workgroup computer ?

January 10th, 2013 1:40am

Hello,

OK, I've tested a BuC TS without FSP and defined "only" the SMSMP -> it works with updates (no apps or packages tested).

If you have the nice "feature" that the updates hang at download, you can make your BuC without patches and after import, use the "Offline Patching" of your image, using right mouse on your OS Image and "Schedule Updates". This will "inject" your image; after finishing don't forget to update your DPs.

@jason: Yes you're right MP takes the role of FSP (a phantom in my head ;-) )

January 10th, 2013 3:14am

Hi JP

That works perfect

- no FSP defined

- only SMSMP used in setup windows and config manager

- no domain join

- after image is created, do offline servicing to update the software updates in the image

THANKS !

January 10th, 2013 3:58pm

Hi,

The Configuration Manager Client caches the results of a Software Update evaluation scan.
This cache has a rather long TTL, longer than the Task Sequence lasted. See my blog post http://www.toolzz.com/?p=1059 for the solution.

June 12th, 2013 3:37pm

I used your method, but after the first series of installing the updates, the computer reboots and the task sequence never continues.

Because of this, the client is stuck in provisioning mode and the client is not usable.

Did you encounter this when using your method?

October 11th, 2013 12:04pm

But how many updates are targeted to the machine? I have 225 targeted to my Win7 x86 build and capture task sequence. I used to see this problem (and others) frequently when I had 3,000+ targeted 




  • Edited by fusiongroup Friday, October 11, 2013 1:07 PM
October 11th, 2013 1:06pm

Hi,

Yes, I used to see that quite a bit but I haven't seen it in ages. It's really annoying because there's virtually nothing in the logs to go on either.

Roughly how many updates are targeted to your Build and Capture PC? I think I used to see this more often when I had thousands of updates targeted to the B&C machine, rather than the couple of hundred I have now.

James.

October 11th, 2013 3:15pm

Hi,

Yes, I used to see that quite a bit but I haven't seen it in ages. It's really annoying because there's virtually nothing in the logs to go on either.

Roughly how many updates are targeted to your Build and Capture PC? I think I used to see this more often when I had thousands of updates targeted to the B&C machine, rather than the couple of hundred I have now.

James.

I'm not using it with a build and capture, just with normal deployment.

The first update cycle installs 22 updates.

I have tried to put it in a separate tasksequence that is deployed after the initial install and made the deployment required, but then I get other errors :s.

October 11th, 2013 3:47pm

But how many updates are targeted to the machine? I have 225 targeted to my Win7 x86 build and capture task sequence. When I used to see this problem more when I used to have 3,000+ targeted 

I think it's only 300 updates that are available in the ADR for Windows 7.
On top of that I slipstream most updates in the wim file.

Only updates from the last month are applied during/after the install.

October 11th, 2013 4:17pm

Numbers sound about right then.

I have 232 targeted to my B&C collection and around 132 of them install during a Win7x86 B&C task. This gives me a fully up-to-date image to deploy. I don't bother with slipstreaming because you can only slipstream .msp patches into the .wim, which will miss some out.

Is it definitely the install software updates step that's causing it to get stuck provisioning mode? If you do a reboot after the "Setup Windows and ConfigMgr" step does it correctly pick up the task sequence? Are you installing the Cumulative Update 2 client patches? (Presuming you've updated the server to CU2). I'm just thinking that if you're not installing the client patches, it might be failing after the first reboot, rather than after the first software update step.

One thing that did help with my situation was putting plenty of reboots in along the way. It seems it just gives up if you try to ask too much of it.

October 14th, 2013 11:21am

Also take a note on this:

http://support.microsoft.com/kb/2894518


October 14th, 2013 12:26pm

Numbers sound about right then.

I have 232 targeted to my B&C collection and around 132 of them install during a Win7x86 B&C task. This gives me a fully up-to-date image to deploy. I don't bother with slipstreaming because you can only slipstream .msp patches into the .wim, which will miss some out.

Is it definitely the install software updates step that's causing it to get stuck provisioning mode? If you do a reboot after the "Setup Windows and ConfigMgr" step does it correctly pick up the task sequence? Are you installing the Cumulative Update 2 client patches? (Presuming you've updated the server to CU2). I'm just thinking that if you're not installing the client patches, it might be failing after the first reboot, rather than after the first software update step.

One thing that did help with my situation was putting plenty of reboots in along the way. It seems it just gives up if you try to ask too much of it.

I'm running SCCM 2012 SP1 without any cu updates.

After some further investigation I suspect one of the windows updates causes the problem.
After the initial software updates step, the machine reboots. After this reboot it doesn't get back into the OSD, but drops to CTRL+ALT+DEL window.

I found a similar thread.

Now I need to find a way to find out which updates will be installed during the Install Software Updates step and exclude some updates.
Any tips in this area are welcome.

October 14th, 2013 3:12pm

To find a list of updates, boot up a clean PC and then just run a Windows Update scan from control panel. That will list all the KBs that are required.

I have my ADRs configured to scan for all Windows 7 updates, then remove the ones I don't want to be available for install.

I remove updates I don't want from the ADR like this:

If you want to remove specific KB then adding -%KBxxxxxx% for each KB article you want to remove to your search list should do the trick.

A good place to start would be to remove the updates listed in Michael's link and see what happens.

October 14th, 2013 3:49pm

Odd error. Here's a copy/paste of the 'Run Command Line' task I execute to perform the scan:

WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule "{00000000-0000-0000-0000-000000000113}" /NOINTERACTIVE

I also have the C:\Windows\System32\wbem folder set in the 'Start In' box. Not sure if that helps or not though.

Please keep me posted. I rebuilt my base image the other day and I've just found out my x64 deployments are doing something similar. They're just rebooting after the 'Setup Windows and ConfigMgr' step and not picking up the task sequence again. I'm presuming it's down to an update as x86 goes through fine and both are deployed from the same task sequence.



  • Edited by fusiongroup Tuesday, October 15, 2013 9:38 AM
October 15th, 2013 9:37am

To find a list of updates, boot up a clean PC and then just run a Windows Update scan from control panel. That will list all the KBs that are required.

I have my ADRs configured to scan for all Windows 7 updates, then remove the ones I don't want to be available for install.

I remove updates I don't want from the ADR like this:

If you want to remove specific KB then adding -%KBxxxxxx% for each KB article you want to remove to your search list should do the trick.

A good place to start would be to remove the updates listed in Michael's link and see what happens.

Thank you for the tip , this helps a lot.
October 15th, 2013 10:02am

The wmic query fails for me with "invalid verb switch" error.

I found another command that I can execute.

powershell set-executionpolicy bypass;$SMSCli = [wmiclass] "\root\ccm:SMS_Client";$SMSCli.TriggerSchedule("{00000000-0000-0000-0000-000000000113}")

I'm testing the new method now and see what it gives, keep you posted.

October 15th, 2013 10:04am

Ok

Here are my findings:

In my case 2862330 was the culprit.
Required steps to remove the update:

- add "-%KBxxxxxx%" to the title in the ADR as stated above.
- Next try to find the update in the software groups; if it's in there, right-click and choose membership, remove the update from the software group.
- then find the update in the deployment package, right-click and choose delete.

Wait for the deployment package to be replicated to the distribution point and you can update/install your clients again.

To make things less problematic in the future, I'm testing the following setup:

Task sequence to deploy without software updates.
Create a new TS with only the software updates, and deploy it to the same device collection as required.

Once the installation is complete, the updates should be installed automatically.

October 15th, 2013 3:16pm

- add "-%KBxxxxxx%" to the title in the ADR as stated above.

Note that there is no reason to surround the word(s) with wildcards like % as the filter is effectively doing a "contains" type operation. I guess it doesn't hurt (although I'm kind of surprised that it works), but it's certainly not necessary.
October 15th, 2013 5:02pm

Another workaround could be to include the update in your OS image using Offline Servicing. http://blogs.technet.com/b/inside_osd/archive/2011/04/18/configuration-manager-2012-offline-servicing-for-operating-system-images.aspx
Although that would require an update of the OS Image package on all Distribution Points.
October 15th, 2013 5:48pm

Another workaround could be to include the update in your OS image using Offline Servicing. http://blogs.technet.com/b/inside_osd/archive/2011/04/18/configuration-manager-2012-offline-servicing-for-operating-system-images.aspx
Although that would require an update of the OS Image package on all Distribution Points.

That is true for new installations; however, you get into trouble for existing installations. Updates managed by SCCM could fail because of the dual reboot, I guess.

October 22nd, 2013 2:24pm

Hi,

I started out using wildcards to replace the KB article numbers in security updates.

e.g.
-%InfoPath%64-bit%
-%Lync%64-bit%

Maybe I wasn't quite exact on my syntax, it should really be:

-InfoPath%64-bit
-Lync%64-bit

This allows me to remove all the security updates for 64-bit versions of these products without blanket removing 64-bit updates, or all updates for that product.

October 22nd, 2013 7:26pm

Good advice however this does not solve the problem during a task sequence because the scan will not have finished by the time the update step is about to begin. Use the fix from the sccm 2007 days, still works great. Just create it as a package with a program to run this vbs script:

Schid = "{00000000-0000-0000-0000-000000000113}"
sMachine = "."
Set WMItarget = GetObject("winmgmts://" & sMachine)
Set WMICCM=GetObject("Winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" & sMachine & "\root\ccm")
set SMSCli = WMICCM.Get("SMS_Client")
set oParams = SMSCli.Methods_("TriggerSchedule").inParameters.SpawnInstance_()
oParams.sScheduleID = Schid
set res = WMICCM.ExecMethod("SMS_Client", "TriggerSchedule", oParams)
wscript.sleep(180000)

Save that as initiateUpdateScan.vbs , create a package and distribute it, add a program to the package that calls it like this:

start /wait cscript initiateUpdateScan.vbs

Place the install package task sequence step for this just before "install updates" task sequence step.

The reason this actually works is because of the wscript.sleep(180000) this gives the system time to finish the scan and populate the results to WMI before the "install updates" task is called. You'll notice the same function is being performed as the WMIC method, so nothing wrong with that but this .vbs solution has proved more reliable. Especially on older computers that take awhile to scan for updates anyway.

Same fix for the same bug since early 2007.

-Ben

February 17th, 2014 9:08pm

If you're getting the "invalid verb switch", double check the speech marks you are using. I just typed it out and it seemed to work; I have seen people copy and paste it from the net and it fails because it's using the "speech marks"

WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule "{00000000-0000-0000-0000-000000000113}" /NOINTERACTIVE

Copy this one - and try it in the command prompt first; you should get this in your command prompt

Executing (sms_client)->TriggerSchedule()
Method execution successful.
Out Parameters:[abstract]
class __PARAMETERS
{
        [out] uint32 ReturnValue;
};

If it's wrong you will receive the verb error explained

April 23rd, 2014 4:55pm

how do you guys avoid problems with windows updates forcing reboot which TS cannot seem to handle?
June 21st, 2014 9:15am

The ConfigMgr client can handle reboots, but I cannot handle hotfixes that require *two* reboots. The only way to work around it is removing those hotfixes so that they will not be deployed.
June 21st, 2014 11:22am

Hi,

do you mean "Wait for Scan.. " and "Update..."?

"Wait for scan..." is only a delay for 30 sec., but you don't need this.

The "Update...." step is to re-evaluate the update deployment; you need this for the install process, it depends on "Scan for Updates"

"Scan for Update" is only to scan against the catalog and does not install any updates.

Hope this will help you

August 20th, 2014 2:53pm

You should be able to accomplish the same thing by pinging the network adapter's loopback address and setting a 30 second time out...

ping 127.0.0.1 -n 1 -w 30000

August 20th, 2014 3:07pm

The issue I see with Ben's approach is that the software update scan can take a variable amount of time, potentially causing issues when the timer expires and software updates start when the scan has not completed. If you do searches on the internet you will find typically a command Powershell.exe -command start-sleep xxx where xxx is never the same value twice in the examples. I understand everyone's environment is different but I think this is a variable that is just waiting to be exceeded down the road. I would like to see a process where that variable amount of wait time is replaced with a process that actually checks to see if the Software Update Scan has actually completed. I am not sure if this is possible but it would make for a more consistent process....if it's even possible to do during a TS. I would think you could go into a loop in a script and check something to see if it's complete. I am going to investigate this and see what I can come up with. If anyone has a sample of a similar script, has a reason why I shouldn't do this or why it's not possible I would love to hear from you. I am also trying to use Powershell in place of WMIC or VBS where it's applicable.

Examples:

powershell.exe -command "([wmiclass]'root\ccm:SMS_Client').TriggerSchedule('{00000000-0000-0000-0000-000000000113}')"

powershell.exe -command start-sleep 600

BTW...I am referring to the process where 2-4 Software Update Scan and Deployments passes are added to the TS in order to get as many patches as possible deployed by the end of the TS.

To add to this update scan process it would also be nice to check and see if updates are needed and not complete the remaining passes if no updates are available.  I am sure you could do this by setting an OSD variable and using as a condition on the steps.

I would also be interested in seeing the approach people are using to exclude the two-reboot hotfixes and how they are getting deployed after the fact.

Thanks




  • Edited by mniccum Wednesday, November 12, 2014 11:05 PM
November 12th, 2014 11:01pm
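
One way to replace the fixed sleep discussed in the post above with a completion check, as an added example that is not from any poster in this thread: it triggers the scan with the same schedule ID, then polls until the client's last scan completion time advances or a timeout expires. The WMI class CCM_ScanUpdateSourceHistory in root\ccm\scanagent, the task sequence variable name SUScanCompleted and the script parameters are assumptions to verify on your own client version.

```powershell
# Added example, not code from the thread.
# Run from a "Run Command Line" step, for instance:
#   powershell.exe -ExecutionPolicy Bypass -File Wait-SUScan.ps1   (hypothetical file name)
param(
    [int]$TimeoutSeconds = 900,   # hard upper bound so the step fails instead of hanging
    [int]$PollSeconds    = 10
)

# Software update scan schedule ID used by every command in the thread.
$ScanScheduleId = '{00000000-0000-0000-0000-000000000113}'

function Get-LastScanCompletion {
    # Assumption: finished scans are recorded per update source in
    # root\ccm\scanagent:CCM_ScanUpdateSourceHistory, with LastCompletionTime
    # stored as a DMTF datetime string.
    $rows = Get-WmiObject -Namespace 'root\ccm\scanagent' `
                          -Class 'CCM_ScanUpdateSourceHistory' `
                          -ErrorAction SilentlyContinue
    $latest = [datetime]::MinValue
    foreach ($row in $rows) {
        if ([string]::IsNullOrEmpty($row.LastCompletionTime)) { continue }
        $t = [System.Management.ManagementDateTimeConverter]::ToDateTime($row.LastCompletionTime)
        if ($t -gt $latest) { $latest = $t }
    }
    return $latest
}

function Set-TsVariable {
    param([string]$Name, [string]$Value)
    # Microsoft.SMS.TSEnvironment is only registered inside a running task sequence.
    try {
        $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment -ErrorAction Stop
        $tsenv.Value($Name) = $Value
    } catch {
        Write-Warning "Not inside a task sequence; $Name=$Value was not recorded."
    }
}

# Record the newest completion time BEFORE triggering, and compare against it
# afterwards. Comparing two values from the same source avoids clock and
# time zone differences between the WMI data and Get-Date.
$before = Get-LastScanCompletion

# Same call as the PowerShell one-liner quoted in the thread.
$null = ([wmiclass]'root\ccm:SMS_Client').TriggerSchedule($ScanScheduleId)

$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
while ((Get-Date) -lt $deadline) {
    Start-Sleep -Seconds $PollSeconds
    $now = Get-LastScanCompletion
    if ($now -gt $before) {
        Write-Output "Scan completed at $now"
        # SUScanCompleted is a hypothetical variable name; later steps can use
        # it as a condition.
        Set-TsVariable -Name 'SUScanCompleted' -Value 'True'
        exit 0
    }
}

# A scan that fails never advances LastCompletionTime, so a failed scan and a
# slow scan both end here. Check WUAHandler.log and ScanAgent.log on the client.
Write-Output "Scan did not complete within $TimeoutSeconds seconds"
Set-TsVariable -Name 'SUScanCompleted' -Value 'False'
exit 1
```

A non-zero exit makes the step fail visibly, so an image is not captured or delivered on the assumption that it was fully scanned.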

I don't have a pause in my script and have not encountered any issues with the scan not finishing before the Software Update installation step. This is true for my B&C TSs which install in the region of 200 updates, including custom trusted publisher updates from SCUP 2011. So I can't really comment on that side of things.

With regards to the patching side of things: I tried removing the multiple reboot patches from my Task Sequences by excluding them from the Auto Deployment Rules that target the same containers as the task sequences by adding -KBxxxxxx in the ADR. Unfortunately, due to me having the multiple reboot updates targeted up 'update' collections that are populated by hardware/software DB queries, any PC that is performing a 'Refresh' TS ends up with the offending patches being targeted for install anyway and the TS fails.

For a long time I was just removing the client record from the DB and recreating it so that the offending updates would not be targeted to the client. Once the client has been refreshed, a hardware inventory is performed, the collections updated daily, the multiple reboot patches are detected and are scheduled for install for the following Friday afternoon. This used to annoy me as I don't like 'incomplete' clients being delivered to users' desktop.

Recently though I've been toying with offline servicing. At first I attempted to integrate every available update but this just ended up killing things too. A number of the updates that can be installed via offline servicing have a .net 4 pre-requisite but because .net 4 cannot be slipstreamed, the prerequisite is not satisfied, Windows setup fails and so does the TS. So using this method there is a chance you'll end up installing a patch that will kill your image... Still not ideal.

What I have settled on is slipstreaming specific patches into my installation media using dism and then running a B&C TS to update my image.

This is the batch file I use (you'll need to change to suit):

Dism /mount-wim /wimfile:D:\SCCMContentSources\Applications\Microsoft\Windows\7\Professional\SP1\64-bit\Sources\install.wim /index:1 /mountdir:D:\HotFixIntegration\Offline
Dism /Image:D:\HotFixIntegration\Offline /LogPath:SourceAddPackagex64.log /Add-Package /PackagePath:D:\HotFixIntegration\Hotfixes\64-bit\Updates
Dism /Image:D:\HotFixIntegration\Offline /LogPath:SourceAddPackagex64.log /Add-Package /PackagePath:D:\HotFixIntegration\Hotfixes\64-bit\IE
Dism /unmount-wim /mountdir:D:\HotFixIntegration\Offline /commit

The first line mounts the image.

The second line slipstreams the following .msu updates:

kmdf-1.11, KB2526870, KB2529073, KB2545698, KB2561285, KB2574819-v2, KB2592687, KB2617858, KB2670838, KB2726535, KB2729094-v2, KB2786081, KB2834140-v2, KB2847311, KB2855844, KB2862330-v2, KB2862335, KB2864202, KB2868038, KB2876284, KB2883150, KB2884256, KB2965788, KB2984976, KB917607, KB971033, KB976399, KB977944, KB981750

These are essentially just the multiple reboot patches and their pre-requisites, IE11 prerequisites, and a few KBs that are not published to WSUS.

The third line slipstreams IE11 from the IE11 .cab file.

The fourth line commits the changes to the install media.

After running a B&C TS from this modified installation source there are no updates available to freshly deployed images (until the next patch Tuesday!).

Unfortunately this is a manual process as I need to check the multiple reboot KB article each time updates are released but it's the only way I can put out 100% patched PCs and have a PC Refresh task sequence that doesn't fail.




  • Edited by fusiongroup Thursday, November 13, 2014 10:28 AM
November 13th, 2014 10:04am
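
The batch file in the post above commits the image whatever DISM returned. As an added example (not the poster's script), the same four DISM operations can be wrapped so that the mount is discarded when a package fails or an expected KB is absent from the image afterwards. The paths are the ones from the post; deriving the expected KB numbers from the update file names and matching them against the /Get-Packages output are assumptions about how the hotfix folders are populated.

```powershell
# Added example, not code from the thread. Run elevated on the machine that
# holds the installation source.
param(
    [string]$WimFile      = 'D:\SCCMContentSources\Applications\Microsoft\Windows\7\Professional\SP1\64-bit\Sources\install.wim',
    [int]$Index           = 1,
    [string]$MountDir     = 'D:\HotFixIntegration\Offline',
    [string[]]$PackageDirs = @('D:\HotFixIntegration\Hotfixes\64-bit\Updates',
                               'D:\HotFixIntegration\Hotfixes\64-bit\IE'),
    [string]$LogPath      = 'SourceAddPackagex64.log'
)

function Invoke-Dism {
    param([string[]]$DismArgs)
    $lines = & dism.exe @DismArgs 2>&1 | ForEach-Object { "$_" }
    $lines | Write-Host
    return @{ ExitCode = $LASTEXITCODE; Output = $lines }
}

# Assumption: update files carry their KB number in the file name.
$expectedKbs = @()
foreach ($dir in $PackageDirs) {
    foreach ($file in Get-ChildItem -Path $dir) {
        if ($file.Name -match 'KB\d+') { $expectedKbs += $Matches[0].ToUpper() }
    }
}
$expectedKbs = @($expectedKbs | Sort-Object -Unique)

$mount = Invoke-Dism @('/Mount-Wim', "/WimFile:$WimFile", "/Index:$Index", "/MountDir:$MountDir")
if ($mount.ExitCode -ne 0) {
    Write-Error "Mount failed with exit code $($mount.ExitCode); nothing was changed."
    exit 1
}

$ok = $true
try {
    foreach ($dir in $PackageDirs) {
        $add = Invoke-Dism @("/Image:$MountDir", "/LogPath:$LogPath", '/Add-Package', "/PackagePath:$dir")
        # 0 = success, 3010 = success with a restart pending.
        if (@(0, 3010) -notcontains $add.ExitCode) {
            Write-Warning "Add-Package for $dir returned $($add.ExitCode)"
            $ok = $false
            break
        }
    }

    if ($ok) {
        # Confirm what is actually in the image rather than trusting the exit code.
        $list = Invoke-Dism @("/Image:$MountDir", '/Get-Packages')
        $text = ($list.Output -join "`n")
        $missing = @($expectedKbs | Where-Object { $text -notmatch "$_(?!\d)" })
        if ($missing.Count -gt 0) {
            Write-Warning ("Not present in image: " + ($missing -join ', '))
            $ok = $false
        }
    }
}
finally {
    # Commit only a verified image; otherwise leave install.wim untouched.
    if ($ok) { $mode = '/Commit' } else { $mode = '/Discard' }
    $unmount = Invoke-Dism @('/Unmount-Wim', "/MountDir:$MountDir", $mode)
    if ($unmount.ExitCode -ne 0) { $ok = $false }
}

if ($ok) { exit 0 } else { exit 1 }
```

A package that DISM skips as not applicable shows up in the "Not present in image" warning, which is the point at which to decide whether the KB belongs in the folder at all.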

I don't have a pause in my script and have not encountered any issues with the scan not finishing before the Software Update installation step. This is true for my B&C TSs which install in the region of 200 updates, including custom trusted publisher updates from SCUP 2011. So I can't really comment on that side of things.

With regards to the patching side of things: I tried removing the multiple reboot patches from my Task Sequences by excluding them from the Auto Deployment Rules that target the same containers as the task sequences by adding -KBxxxxxx in the ADR. Unfortunately, due to me having the multiple reboot updates targeted up 'update' collections that are populated by hardware/software DB queries, any PC that is performing a 'Refresh' TS ends up with the offending patches being targeted for install anyway and the TS fails.

For a long time I was just removing the client record from the DB and recreating it so that the offending updates would not be targeted to the client. Once the client has been refreshed, a hardware inventory is performed, the collections updated daily, the multiple reboot patches are detected and are scheduled for install for the following Friday afternoon. This used to annoy me as I don't like 'incomplete' clients being delivered to users' desktop.

Recently though I've been toying with offline servicing. At first I attempted to integrate every available update but this just ended up killing things too. A number of the updates that can be installed via offline servicing have a .net 4 pre-requisite but because .net 4 cannot be slipstreamed, the prerequisite is not satisfied, Windows setup fails and so does the TS. So using this method there is a chance you'll end up installing a patch that will kill your image... Still not ideal.

What I have settled on is slipstreaming specific patches into my installation media using dism and then running a B&C TS to update my image.

This is the batch file I use (you'll need to change to suit):

Dism /mount-wim /wimfile:D:\SCCMContentSources\Applications\Microsoft\Windows\7\Professional\SP1\64-bit\Sources\install.wim /index:1 /mountdir:D:\HotFixIntegration\Offline
Dism /Image:D:\HotFixIntegration\Offline /LogPath:SourceAddPackagex64.log /Add-Package /PackagePath:D:\HotFixIntegration\Hotfixes\64-bit\Updates
Dism /Image:D:\HotFixIntegration\Offline /LogPath:SourceAddPackagex64.log /Add-Package /PackagePath:D:\HotFixIntegration\Hotfixes\64-bit\IE
Dism /unmount-wim /mountdir:D:\HotFixIntegration\Offline /commit

The first line mounts the image.

The second line slipstreams the following .msu updates:

kmdf-1.11, KB2526870, KB2529073, KB2545698, KB2561285, KB2574819-v2, KB2592687, KB2617858, KB2670838, KB2726535, KB2729094-v2, KB2786081, KB2834140-v2, KB2847311, KB2855844, KB2862330-v2, KB2862335, KB2864202, KB2868038, KB2876284, KB2883150, KB2884256, KB2965788, KB2984976, KB917607, KB971033, KB976399, KB977944, KB981750

These are essentially just the multiple reboot patches and their pre-requisites, IE11 prerequisites, and a few KBs that not published to WSUS.

The third line slipstreams IE11 from the IE11 .cab file.

The fourth line commits the changes to the install media.

After running a B&C TS from this modified installation source there are no updates available to freshly deployed images (until the next patch Tuesday!).

Unfortunately this a manual process as I need to check the multiple reboot KB article each time updates are released but it's the only way I can put out 100% patched PCs and have a PC Refresh task sequence that doesn't fail.




  • Edited by fusiongroup Thursday, November 13, 2014 10:28 AM
Free Windows Admin Tool Kit Click here and download it now
November 13th, 2014 1:04pm

I don't have a pause in my script and have not encountered any issues with the scan not finishing before the Software Update installation step. This is true for my B&C TSs which install in the region of 200 updates, including custom trusted publisher updates from SCUP 2011. So I can't really comment on that side of things.

With regards to the patching side of things: I tried removing the multiple reboot patches from my Task Sequences by excluding them from the Auto Deployment Rules that target the same containers as the task sequences by adding -KBxxxxxx in the ADR. Unfortunately, due to me having the multiple reboot updates targeted up 'update' collections that are populated by hardware/software DB queries, any PC that is performing a 'Refresh' TS ends up with the offending patches being targeted for install anyway and the TS fails.

For a long time I was just removing the client record from the DB and recreating it so that the offending updates would not be targeted to the client. Once the client has been refreshed, a hardware inventory is performed, the collections updated daily, the multiple reboot patches are detected and are scheduled for install for the following Friday afternoon. This used to annoy me as I don't like 'incomplete' clients being delivered to users' desktop.

Recently though I've been toying with offline servicing. At first I attempted to integrate every available update but this just ended up killing things too. A number of the updates that can be installed via offline servicing have a .net 4 pre-requisite but because .net 4 cannot be slipstreamed, the prerequisite is not satisfied, Windows setup fails and so does the TS. So using this method there is a chance you'll end up installing a patch that will kill your image... Still not ideal.

What I have settled on is slipstreaming specific patches into my installation media using dism and then running a B&C TS to update my image.

This is the batch file I use (you'll need to change to suit):

Dism /mount-wim /wimfile:D:\SCCMContentSources\Applications\Microsoft\Windows\7\Professional\SP1\64-bit\Sources\install.wim /index:1 /mountdir:D:\HotFixIntegration\Offline
Dism /Image:D:\HotFixIntegration\Offline /LogPath:SourceAddPackagex64.log /Add-Package /PackagePath:D:\HotFixIntegration\Hotfixes\64-bit\Updates
Dism /Image:D:\HotFixIntegration\Offline /LogPath:SourceAddPackagex64.log /Add-Package /PackagePath:D:\HotFixIntegration\Hotfixes\64-bit\IE
Dism /unmount-wim /mountdir:D:\HotFixIntegration\Offline /commit

The first line mounts the image.

The second line slipstreams the following .msu updates:

kmdf-1.11, KB2526870, KB2529073, KB2545698, KB2561285, KB2574819-v2, KB2592687, KB2617858, KB2670838, KB2726535, KB2729094-v2, KB2786081, KB2834140-v2, KB2847311, KB2855844, KB2862330-v2, KB2862335, KB2864202, KB2868038, KB2876284, KB2883150, KB2884256, KB2965788, KB2984976, KB917607, KB971033, KB976399, KB977944, KB981750

These are essentially just the multiple reboot patches and their pre-requisites, IE11 prerequisites, and a few KBs that are not published to WSUS.

The third line slipstreams IE11 from the IE11 .cab file.

The fourth line commits the changes to the install media.

After running a B&C TS from this modified installation source there are no updates available to freshly deployed images (until the next patch Tuesday!).

Unfortunately this is a manual process as I need to check the multiple reboot KB article each time updates are released but it's the only way I can put out 100% patched PCs and have a PC Refresh task sequence that doesn't fail.




  • Edited by fusiongroup Thursday, November 13, 2014 10:28 AM
November 13th, 2014 1:04pm
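
The servicing run from the batch file in the post above, as an added PowerShell example (not the poster's script): it stops at the first dism.exe failure, discards the mount instead of committing a half-serviced image, and confirms the KBs are listed before committing. The paths are the ones in the post; `$ExpectedKbs` is an illustrative subset of the posted KB list, and matching a KB number against the `/Get-Packages` output assumes the package identity contains that number.

```powershell
# Added example. Paths come from the batch file in the post above.
$Wim      = 'D:\SCCMContentSources\Applications\Microsoft\Windows\7\Professional\SP1\64-bit\Sources\install.wim'
$Mount    = 'D:\HotFixIntegration\Offline'
$Packages = 'D:\HotFixIntegration\Hotfixes\64-bit\Updates',
            'D:\HotFixIntegration\Hotfixes\64-bit\IE'
# Illustrative subset of the KB list in the post; extend to the full list.
$ExpectedKbs = 'KB2670838', 'KB2834140', 'KB2862330'

function Invoke-Dism {
    # Run dism.exe and turn a non-zero exit code into a terminating error.
    param([string[]]$DismArgs)
    $output = & dism.exe @DismArgs
    if ($LASTEXITCODE -ne 0) {
        throw "dism.exe $($DismArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
    return $output
}

Invoke-Dism '/Mount-Wim', "/WimFile:$Wim", '/Index:1', "/MountDir:$Mount" | Out-Null
try {
    foreach ($path in $Packages) {
        Invoke-Dism "/Image:$Mount", '/Add-Package', "/PackagePath:$path" | Out-Null
    }

    # Assumption: each serviced update appears in /Get-Packages with its KB number
    # in the package identity.
    $installed = Invoke-Dism "/Image:$Mount", '/Get-Packages' | Out-String
    $missing = $ExpectedKbs | Where-Object { $installed -notmatch [regex]::Escape($_) }
    if ($missing) {
        throw "Not present in the image after servicing: $($missing -join ', ')"
    }

    Invoke-Dism '/Unmount-Wim', "/MountDir:$Mount", '/Commit' | Out-Null
}
catch {
    # Leave install.wim untouched if any step failed.
    Write-Warning $_.Exception.Message
    & dism.exe /Unmount-Wim "/MountDir:$Mount" /Discard | Out-Null
    throw
}
```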

so... why not use this command instead:

WMIC /namespace:\\root\ccm\invagt path inventoryActionStatus where InventoryActionID="{00000000-0000-0000-0000-000000000113}" DELETE /NOINTERACTIVE

It should delete the scan history, thus forcing the "Install Software Updates" step to rescan before installing. This way we do not have to actively initiate the scan, and do not have to wait for it.

Anyone tried this already?

November 24th, 2014 8:01pm

I was intrigued by this but had a sneaky suspicion it wouldn't work due to an error I previously ran into. The error is documented here:

http://blogs.technet.com/b/sus/archive/2008/09/18/wsus-clients-fail-with-warning-syncserverupdatesinternal-failed-0x80244010.aspx

By deleting the scan history you will never complete a full scan of all the available updates (for build and capture task sequences anyway).

I tested this and found it to be true. The second and third Install Software Updates tasks start the detection from the beginning rather than continuing from where the first one left off.

November 27th, 2014 12:20pm

I have two TS Update Software steps available, and both are failing:

The task sequence execution engine failed executing the action (Install Software Updates 2) in the group (State Restore) with the error code 2149859344
Action output: ... hreadID = 3240;
;

uccessfully submitted event to the Status Agent.
End TS policy evaluation
Policy evaluation initiated
GetIPriviledgedInstallInterface successful
Refreshing Updates
Successfully initiated RefreshUpdates operation
Waiting for RefreshUpdates complete notification from Updates Deployment Agent
Notification received, RefreshUpdates have been completed
Signaled RefreshComplete notification
Received RefreshUpdates complete notification from Updates Deployment Agent
RefreshUpdates operation has been completed, hr=0x80244010
RefreshUpdates(), HRESULT=80244010 (e:\nts_sccm_release\sms\client\osdeployment\installswupdate\installswupdate.cpp,923)
InstallUpdates(pInstallUpdate, tType, sJobID, sActiveRequestHandle), HRESULT=80244010 (e:\nts_sccm_release\sms\client\osdeployment\installswupdate\main.cpp,248)
Setting TSEnv variable SMSTSInstallUpdateJobGUID=
Process(pInstallUpdate, tType), HRESULT=80244010 (e:\nts_sccm_release\sms\client\osdeployment\installswupdate\main.cpp,302). The operating system reported error 3: The system cannot find the path specified.

SUP packages are available and deployable via Desktop deployment. Only OSD fails. This started happening after I captured a brand new image with all updates at that point. The SUP Deployment policy/group was created before the new image. Any ideas?
February 25th, 2015 5:14am

80244010 = The number of round trips to the server exceeded the maximum limit. Source: Windows Update Agent
Examine the updates related logs (U*.log, WUAHandler, ScanAgent and WindowsUpdate.log). 
February 25th, 2015 5:29am
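
The task sequence reports the failure as a decimal error code while the logs show it as a hex HRESULT; both are the same value. This added example (not code from any poster) pulls both forms out of action output like the lines posted above and lines them up. The function name `Get-TsHresult` is hypothetical, and the lookup table holds only the code identified in this thread.

```powershell
# Added example. Sample lines are copied from the action output posted in this thread.
$actionOutput = @'
The task sequence execution engine failed executing the action (Install Software Updates 2) in the group (State Restore) with the error code 2149859344
RefreshUpdates operation has been completed, hr=0x80244010
RefreshUpdates(), HRESULT=80244010 (e:\nts_sccm_release\sms\client\osdeployment\installswupdate\installswupdate.cpp,923)
InstallUpdates(pInstallUpdate, tType, sJobID, sActiveRequestHandle), HRESULT=80244010 (e:\nts_sccm_release\sms\client\osdeployment\installswupdate\main.cpp,248)
'@ -split "`r?`n"

# Only the code explained in this thread; add others as you confirm them.
$known = @{
    '80244010' = 'The number of round trips to the server exceeded the maximum limit (Windows Update Agent)'
}

function Get-TsHresult {
    # Hypothetical helper: emits one object per line that carries an error code.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match 'action \((?<step>[^)]+)\).*error code (?<dec>\d+)') {
            # Decimal code from the TS engine -> 8-digit hex HRESULT
            $hex = '{0:X8}' -f [uint32]$Matches.dec
            [pscustomobject]@{
                Source  = "TS step '$($Matches.step)'"
                Hresult = $hex
                Meaning = $known[$hex]
            }
        }
        elseif ($line -match '^(?<call>\w+)\(.*?\), HRESULT=(?<hex>[0-9a-fA-F]{8}) \((?<src>[^)]+)\)') {
            # Hex HRESULT with the reporting function and source file,line
            $hex = $Matches.hex.ToUpper()
            [pscustomobject]@{
                Source  = "$($Matches.call) at $($Matches.src)"
                Hresult = $hex
                Meaning = $known[$hex]
            }
        }
    }
}

Get-TsHresult $actionOutput | Format-List
```

For the sample input, all three reported entries resolve to 80244010: the decimal 2149859344 on the first line is that same HRESULT.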

You have too many updates targeted at your client PC. See my post above from Monday, October 14, 2013 12:49 PM
February 25th, 2015 5:32am

You have too many updates targeted at your client PC. See my post above from Monday, October 14, 2013 12:49 PM

I wish it could be that easy :)

I have one and only one Deployment to the OSD collection, which contains unknown Computers only. The old image is pulling 92 updates fine, the new image doesn't. The CM agent is the same version in both.

The new image pulls updates fine from Desktop deployment, so the WU agent cannot be broken either.

February 25th, 2015 9:05am

This explains in more detail the problem you are having.

http://blogs.technet.com/b/sus/archive/2008/09/18/wsus-clients-fail-with-warning-syncserverupdatesinternal-failed-0x80244010.aspx

You have to reduce the number of updates if you want it to work reliably without error. I managed it using a combination of solutions.

I always struggled before I re-designed my OSD Collections. I now have one for each OS's (XPx86, 7x86, 7x64 etc.) Build and Capture TS and add the client manually if I want to create a new image. This way you can remove all the updates contained in the B&C TS's ADRs from the Unknown Computer's ADR.

Make sure any versions of Office have service packs slipstreamed before they are installed on the client and remove all slipstreamed updates from the targeting rules.

Prior to this I used to get around it by making sure I had 'Continue on error' checked for each Install Software Updates TS step. Run 2 or 3 consecutively without reboot. This took ages though and was the main reason I looked at reducing the number of updates targeted.

February 25th, 2015 9:50am

  • Proposed as answer by yannara Friday, February 27, 2015 2:33 PM

Thank you for the help, I diminished the amount of updates from 300 -> 40 (to only required Office updates) but the situation stays the same.

I can't gather local logs until next week.

February 26th, 2015 8:38am

Oh yes, I could manage it by entering 3 different steps without restart, and on the 3rd step, it started downloading updates fine!
February 27th, 2015 9:34am

Hi,

I've tried but I get an error in the TS.

I've made the update steps in the TS as described here.

But when it arrives at the step where it has to run the WMIC command, it fails.

The OS is W7x64SP1

March 13th, 2015 5:42am

I've tried but I get an error in the TS.

[...]

But when it arrives at the step where it has to run the WMIC command, it fails.


It would be great if you would have mentioned details about the error at all. How should we help if we don't know what happened?
March 13th, 2015 6:14am

The error I get in the log is:

March 17th, 2015 4:57am

Hi,

I'm researching a trigger to force the client to install updates.

Has anybody had success using a script (WMI or VBS) with the TriggerSchedule "{00000000-0000-0000-0000-000000000113}"?

I'm still testing but it's taking too much time. Could I check some log to see if it's running?

Thanks

Julio

June 26th, 2015 1:19pm

Yes, my task sequence would work by running the trigger schedule command and then running the install software updates task immediately afterwards. No pause or wait needed. I think running the trigger schedule command makes the client remove its cached scan results.

However, as a lot of people have reported issues with updates still not being detected, I decided to follow this advice and run the scan with a 3 minute delay before moving to the next step in the TS.

I do this using the VBS script that peacepenguin posted earlier in this thread:

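' Schedule ID passed to TriggerSchedule (the same ID used in the WMIC command earlier in the thread)
Schid = "{00000000-0000-0000-0000-000000000113}"
sMachine = "."  ' local machine
Set WMItarget = GetObject("winmgmts://" & sMachine)
' Connect to the ConfigMgr client's WMI namespace
Set WMICCM = GetObject("Winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" & sMachine & "\root\ccm")
Set SMSCli = WMICCM.Get("SMS_Client")
' Build the input parameters and call SMS_Client.TriggerSchedule
Set oParams = SMSCli.Methods_("TriggerSchedule").inParameters.SpawnInstance_()
oParams.sScheduleID = Schid
Set res = WMICCM.ExecMethod("SMS_Client", "TriggerSchedule", oParams)
' Wait 3 minutes (180000 ms) before the task sequence moves to the next step
WScript.Sleep(180000)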


July 7th, 2015 9:34am

  • Edited by fusiongroup Tuesday, July 07, 2015 1:35 PM words

Hi,

Any updates on this thread?

I have around 500 fixes to deploy in my B&C. I found 56 are installed in my first install and nothing on step 2 and 3. Even IE 11 is not installed.

What should be the max number of fixes in the software updates package to be sure it succeeds?

Would increasing the sleep solve the issue or removing it?

July 26th, 2015 8:57am

You should use offline servicing to inject the vast majority of updates into the base image before using it in a B&C.
July 26th, 2015 6:27pm

Hi,

I appreciate your help. Is it fixed with SP1?

What exactly is happening with Windows 7 32 bit that prevents the TS from doing the job?

Which updates will not be applied by offline servicing?


  • Edited by FRacine Monday, July 27, 2015 2:01 AM
July 26th, 2015 9:58pm


Non-CBS updates will not be applied. This includes Office updates and other non-core OS updates.

Don't know what exactly is happening to prevent update installation, but basically any large number of updates during a TS will cause issues regardless of the ConfigMgr version.

July 27th, 2015 9:25am

This topic is archived. No further replies will be accepted.
