Installing patches during capture phase fails :-(

I have a SCCM 2012 SP1 CU3 environment and want to build and capture an image with Windows 7 and all deployed patches.

I create a task sequence and Windows 7 and additional packages (.Net, C++ runtimes etc) are installed perfectly.

But patches are not. I see in WUAhandler.log that patches are detected but never will be downloaded or installed.

The error i get in Windowsupdate.log is:

The task sequence execution engine failed executing the action (Install Software Updates) in the group (Install Updates) with the error code 2147943860
Action output: ... y evaluation
Policy evaluation initiated
GetIPriviledgedInstallInterface successful
Refreshing Updates
Successfully initiated RefreshUpdates operation
Waiting for RefreshUpdates complete notification from Updates Deployment Agent
FALSE, HRESULT=800705b4 (e:\nts_sccm_release\sms\client\osdeployment\installswupdate\installswupdate.cpp,1273)
WaitForRefreshUpdatesComplete(spInstall), HRESULT=800705b4 (e:\nts_sccm_release\sms\client\osdeployment\installswupdate\installswupdate.cpp,1331)
RefreshUpdates(), HRESULT=800705b4 (e:\nts_sccm_release\sms\client\osdeployment\installswupdate\installswupdate.cpp,923)
InstallUpdates(pInstallUpdate, tType, sJobID, sActiveRequestHandle), HRESULT=800705b4 (e:\nts_sccm_release\sms\client\osdeployment\installswupdate\main.cpp,248)
Setting TSEnv variable SMSTSInstallUpdateJobGUID=
Process(pInstallUpdate, tType), HRESULT=800705b4 (e:\nts_sccm_release\sms\client\osdeployment\installswupdate\main.cpp,304)
Timedout waiting for updates refresh complete notification. The operating system reported error 2147943860: This operation returned because the timeout period expired. 
Does someone has any idea where i should look for an answer which will sole this issue ?

December 24th, 2013 12:10am

Have you already examined U*.log. WUAHandler.log and ScanAgent.log? Have you added SMSMP to the Setup Windows and ConfigMgr step if the client is workgroup joined?
Free Windows Admin Tool Kit Click here and download it now
December 24th, 2013 12:20am

Yes I add the SMSMP option and installing the latest CU3 patch to the Set Windows and ConfigMgr step. And yes the build and capture computer is not domain joined and kept in a workgroup.

Further I did investigate the logs you mention but could not find anything strange...i can post the logs for completeness if required ?


ADDITIONAL INFORMATION: I have some additional information. I am currently in a migrated scenario. So my old SCCM 2007 is migrated to SCCM 2012 and the DPs are shared DPs right now.
  • Edited by pollewops Monday, December 23, 2013 9:32 PM
December 24th, 2013 12:23am

The only other idea I have right now is to make sure you add SMSMP=hostname.fqdn

There is nothing more to it if your SCCM updates work fine for domain joined devices.

Free Windows Admin Tool Kit Click here and download it now
December 24th, 2013 12:37am

Yes I use SMSMP=hostname.fqdn.

Strange is that the logs describe that patches are detected but they never are downloaded and installed.....

Are patches downloaded across a different port then normal packages from DP ?


SMSCACHESIZE=10000 SMSMP=sccmprimaryserver.fqdn.com PATCH="%_SMSTSMDataPath%\OSD\S0200001\patch\x64\configmgr2012ac-sp1-kb2882125-x64.msp"


  • Edited by pollewops Monday, December 23, 2013 10:30 PM
December 24th, 2013 1:06am

What kind of boundary are you using?
Free Windows Admin Tool Kit Click here and download it now
December 24th, 2013 2:20am

It is an IP Address Range boundary....client is in a workgroup !

  • Edited by pollewops Monday, December 23, 2013 11:45 PM
December 24th, 2013 2:40am

Maybe someone can help me on this one....when i investigate the windowsupdate.log file i see the following entries coming.

2013-12-24	10:42:31:639	 932	768	DnldMgr	***********  DnldMgr: New download job [UpdateId = {112FA241-E8C9-4EE7-A8B4-D3A4C65F7FEB}.102]  ***********
2013-12-24	10:42:31:639	 932	768	DnldMgr	  * BITS job initialized, JobId = {8313955E-CFF0-42C6-953F-0F4FDD7AC9DB}
2013-12-24	10:42:31:655	 932	768	DnldMgr	  * Downloading from http://fqdn_wsus_server:8530/Content/CE/E0C816A683326F69E8DF8178889F555ACBB051CE.cab to C:\Windows\SoftwareDistribution\Download\9214be182ea0ec97ce8a55beaa608a67\windows6.1-kb2584146-x64.cab (full file).
2013-12-24	10:42:31:655	 932	768	Agent	*********
2013-12-24	10:42:31:655	 932	768	Agent	**  END  **  Agent: Downloading updates [CallerId = AutomaticUpdates]
2013-12-24	10:42:31:655	 932	768	Agent	*************
2013-12-24	10:42:31:655	 932	768	DnldMgr	*************
2013-12-24	10:42:31:655	 932	768	DnldMgr	** START **  DnldMgr: Downloading updates [CallerId = AutomaticUpdates]
2013-12-24	10:42:31:655	 932	768	DnldMgr	*********
2013-12-24	10:42:31:655	 932	768	DnldMgr	  * Call ID = {FBF86DA8-0601-4646-B3DA-77E581469473}
2013-12-24	10:42:31:655	 932	768	DnldMgr	  * Priority = 2, Interactive = 0, Owner is system = 1, Explicit proxy = 0, Proxy session id = -1, ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}
2013-12-24	10:42:31:655	 932	768	DnldMgr	  * Updates to download = 1
2013-12-24	10:42:31:655	 932	768	Agent	  *   Title = Update for Windows 7 for x64-based Systems (KB2852386)
2013-12-24	10:42:31:655	 932	768	Agent	  *   UpdateId = {EA3D7A07-B377-4451-8976-DF2F5CA98F0E}.200
2013-12-24	10:42:31:655	 932	768	Agent	  *     Bundles 1 updates:
2013-12-24	10:42:31:655	 932	768	Agent	  *       {858781D9-5324-410F-A19B-988BBAE60227}.200
2013-12-24	10:42:31:655	 932	768	PT	+++++++++++  PT: Synchronizing file locations  +++++++++++
2013-12-24	10:42:31:655	 932	768	PT	  + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = HTTP://fqdn_wsus_server:8530/ClientWebService/client.asmx
2013-12-24	10:42:31:655	 932	9f0	DnldMgr	WARNING: BITS job {8313955E-CFF0-42C6-953F-0F4FDD7AC9DB} failed, updateId = {112FA241-E8C9-4EE7-A8B4-D3A4C65F7FEB}.102, hr = 0x80190194, BG_ERROR_CONTEXT = 5
2013-12-24	10:42:31:655	 932	9f0	DnldMgr	  Progress failure bytes total = 91553, bytes transferred = 0
2013-12-24	10:42:31:655	 932	9f0	DnldMgr	  Failed job file: URL = http://fqdn_wsus_server:8530/Content/CE/E0C816A683326F69E8DF8178889F555ACBB051CE.cab, local path = C:\Windows\SoftwareDistribution\Download\9214be182ea0ec97ce8a55beaa608a67\windows6.1-kb2584146-x64.cab
2013-12-24	10:42:31:671	 932	9f0	DnldMgr	Error 0x80244019 occurred while downloading update; notifying dependent calls.

This job failed, but when i checked my WSUS server and explorer the Content directory there is no entry containing the following:

http://fqdn_wsus_server:8530/Content/CE/E0C816A683326F69E8DF8178889F555ACBB051CE.cab

So how can it be downloaded then ? The /CE/ directory is not available there !

Free Windows Admin Tool Kit Click here and download it now
December 24th, 2013 4:26pm

Can you make sure you have distributed update to DP?

Also, can you make sure that your DP is assigned to that boundary group where your workgroup client is sitting?


December 24th, 2013 5:36pm

I reinstalled WSUS and SUP again and now notices that in the WindowsUpdate.log lines are referring to au.windowsupdate.com....why is my client connecting to Windows Update ? It can't access due to firewall and proxy....but why.

My SCCM 2012 server does contain the patches so why connecting to Microsoft ?

I really do not know what is going on here....i do have 2 other SCCM 2012 configurations with the same setup and those works fine...why this one not ?


  • Edited by pollewops Sunday, December 29, 2013 10:38 AM
Free Windows Admin Tool Kit Click here and download it now
December 29th, 2013 12:50pm

in the sample logfile you provided, this machine is configured to your WSUS and trying to download the content for the update/patch, and cannot get the cabfile.
when a WSUS is configured as a SUP, there is no content in WSUS (because you download the update cabfiles directly into a deployment package).

also, the logfile shows that this client is using Automatic Updates (AU), and not the ConfigMgr client agent to initiate this update, so, something is not right here.

the [CallerID = ccmexec] when the ConfigMgr agent is correctly controlling WUAgent.
so, it seems that this client is performing a mixture of default AU behaviour, plus, some WSUS configuration is getting there.
and, BITS has started, trying to download the cabfile from your WSUS (Which it will never find).

after your reinstall of WSUS and SUP, the client is not trying to download from windowsupdate.com ?

this is the default behaviour of a Windows machine, e.g. when there is no WSUS nor ConfigMgr running, and this can sometimes happen, if the Automatic Updates service starts before ConfigMgr agent has completely applied CM policy.

in your build/capture, are you disabling the AU service, or, setting the WUserver address in registry ?

Have you checked the client agent settings (policy) for the build/capture collection ?

December 30th, 2013 1:56am

Hi Don thanks for your reply. My WSUS server is being setup as a SUP. My client is a workgroup computer so no policies are affected I am currently in a migration scenario and have enabled DP sharing. Could that affect this process. Maybe I need to switch it add and test it again then ?? But can I switch it off and later on again ? It is currently a greenfield situation do I sm currently loss what is going I on. . I am doing a default B&C and do not configuring settings with registry keys. I tried that but that did not work either :-(
Free Windows Admin Tool Kit Click here and download it now
December 30th, 2013 10:20am

Have you considered grabbing an image of the OS without any updates in it and then offline servicing the updates into the WIM after it is pulled? A lot simpler and cleaner
December 30th, 2013 10:07pm

Yes it is...and that will probably work....but this needs to work either. And i really want to know what goes on here.....

Maybe i will reinstall entire environment and only forst install primary SCCM 2012 SP1 and then test this.

The apply CU3, test, apply my 4 secondaries, test, then enable migration with my old SCCM 2007 environment, test.....

:-(

Free Windows Admin Tool Kit Click here and download it now
January 3rd, 2014 9:08pm

Honestly, I think most of that stuff overcomplicates the B&C process. The idea is to really keep the Golden image as clean as possible. Then apply everything you need afterwards so that any change in version, policies, procedures, etc... can be performed without ever having to open your Golden image.

You could try using a custom Unattend file that disables Autoupdates and see if that helps. We do that on our systems as we control it through GPO and don't want the machines phoning out and downloading data before policies apply.

January 3rd, 2014 9:22pm

Hi Dustin..that could be a solution...do you have the information for me which i need to add to the unattend.xml file in order to disable the AutoUpdate functionality ?

Of is it just adding:  <ProtectYourPC>3</ProtectYourPC>


  • Edited by pollewops Friday, January 03, 2014 6:31 PM
Free Windows Admin Tool Kit Click here and download it now
January 3rd, 2014 9:25pm

Yeah, are you familiar with creating the Unattend using Windows SIM and Windows 7 source files?

The setting is applied at the "OOBESYSTEM" pass and the setting is "ProtectYourPC". The options are:

  • 1 = Specifies the recommended level of protection for your computer.
  • 2 = Specifies that only updates are installed.
  • 3 = Specifies that automatic protection is disabled.

Source: Link

January 3rd, 2014 9:33pm

damn..i checked and i already use the following settings:

<OOBE>
   <HideEULAPage>true</HideEULAPage>
   <NetworkLocation>Work</NetworkLocation>
   <ProtectYourPC>3</ProtectYourPC>
   <SkipMachineOOBE>true</SkipMachineOOBE>
   <SkipUserOOBE>true</SkipUserOOBE>
</OOBE>

Free Windows Admin Tool Kit Click here and download it now
January 4th, 2014 1:02am

That's weird then. I can't think of another reason why it would try and autoupdate using external sources. I don't typically do it this way so it's been a long while since I have attempted it.

This may be a silly question but you have all the roles installed properly for the SUP? You have enabled software updates on your client policy? The policy is applied to the clients properly and there aren't multiple conflicting pol

January 4th, 2014 1:07am

Yes it drivers me crazy too......i configured the Default Client Settings with the enabling of Software Updates with the default refresh rates.

My SUP is configured to use port 8530 and my used WSUS database is SQL Server 2012.

I now disabled the migration shared distribution option, removed all boundaries except the one needed for my single pc and will try it again....something simple is going wrong here.....

I use F8 from my client and with netstat -a i see connections using port 80 and 8530 to my primary server and DP.

Free Windows Admin Tool Kit Click here and download it now
January 4th, 2014 1:45am

This is solved......:-)

I had a patch in my deployment list which wasn't downloaded yet.....the proices does not like that !

Further I removed the patches from the list which requires reboots. After that by B&C completed succesfully.

January 14th, 2014 6:31am

This is solved......:-)

I had a patch in my deployment list which wasn't downloaded yet.....the proices does not like that !

Further I removed the patches from the list which requires reboots. After that by B&C completed succesfully.


See also: http://support.microsoft.com/kb/2894518
Free Windows Admin Tool Kit Click here and download it now
January 14th, 2014 6:31am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics