Thursday, November 14, 2013

OSD Unfriendly Patches

Last year I was having a devil of a time with a Build and Capture Task Sequence (TS), as it kept rebooting outside the task sequence and causing it to fail. It was related to the SUP steps, but I could not figure it out as we immediately transitioned from ConfigMgr 2007 to 2012 (yay!). Recently, however, after adding the October 2013 Microsoft patches, we started experiencing the same issue on the production Windows 7 TS. It began immediately after that change, so we removed the SUP advertisement and all was well. In working on a solution, our ConfigMgr admin Cory Becht (of Right Click Tools fame) found KB2894518, which covers the problem. It turns out there are a few Microsoft patches that reboot a system multiple times. This causes havoc for a Task Sequence, since the TS itself must be what restarts the PC during the deployment, not something outside of it such as a patch. How nice of MS to release patches that require several restarts; they could mitigate this problem.

     NOTE: This KB will be kept up to date with patches known to require multiple restarts.

To address it we made several changes to our process.
  1. Each month we visit that KB to see if new ones show up.
  2. These OSD-unfriendly patches were moved to a dedicated Software Update Group called 'OSD Excluded Updates'.
  3. 'OSD Excluded Updates' is advertised to all systems, but not to the 'Unknown Computers' collection used by deployments.
  4. Inject these troublesome updates via DISM into the quarterly WIM.
For #4 I found a nice PowerShell script (written by BenP) at the Microsoft Script Center that simplifies it: you pass it the path to the WIM, the mount folder and the patches, and it does the rest. So after creating a WIM via a Build and Capture TS, I inject the patches that apply and then import the WIM into SCCM for use. Currently this is just KB2862330 and KB2545698 for Windows 7.

For obtaining the patches, the Microsoft Update Catalog is the best place: you just enter the KB number and download the .MSU files for the relevant operating system, with nothing to extract. It downloads each update into its own subfolder, so if you use the above script you'll need to put all the relevant updates in the same folder, 'Windows 7 X86' for example.
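The injection step itself, written out as an added example. This is my own script, not BenP's Script Center script and not something from the original post; it assumes the DISM PowerShell module is available (Windows 8 / ADK 8.0 and later), that it runs elevated, and that index 1 is the image you captured. The script name and all paths are placeholders you supply on the command line. Unlike a flat-folder script it searches the patch folder recursively, so the per-update subfolders the Update Catalog creates are fine, and it refuses to save a half-patched image if any .MSU fails to apply, writing a CSV of the packages actually present so you can verify the KBs before importing the WIM into ConfigMgr.

```powershell
<#
  Inject-OsdPatches.ps1  (hypothetical name; example added by the editor,
  not BenP's script and not part of the original post)
  Usage: .\Inject-OsdPatches.ps1 -WimPath C:\Images\Win7x86.wim `
         -MountPath C:\Mount -PatchFolder 'C:\Patches\Windows 7 X86'
  Assumes the Dism PowerShell module, an elevated session, and .msu files.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$WimPath,      # captured WIM from Build and Capture
    [Parameter(Mandatory)][string]$MountPath,    # empty folder to mount the image in
    [Parameter(Mandatory)][string]$PatchFolder,  # folder holding the .msu files
    [int]$Index = 1                              # image index inside the WIM
)

$ErrorActionPreference = 'Stop'
Import-Module Dism

# A non-empty mount folder makes DISM fail in confusing ways and can leave a
# stale mount behind, so check it up front.
if (-not (Test-Path $MountPath)) { New-Item -ItemType Directory -Path $MountPath | Out-Null }
if (Get-ChildItem -Path $MountPath -Force | Select-Object -First 1) {
    throw "Mount folder '$MountPath' is not empty."
}

# The Update Catalog drops each update into its own subfolder, so search
# recursively instead of assuming a flat folder.
$patches = Get-ChildItem -Path $PatchFolder -Filter *.msu -Recurse | Sort-Object Name
if (-not $patches) { throw "No .msu files found under '$PatchFolder'." }

Write-Host "Mounting index $Index of $WimPath at $MountPath"
Mount-WindowsImage -ImagePath $WimPath -Index $Index -Path $MountPath | Out-Null

$failed = @()
try {
    foreach ($p in $patches) {
        Write-Host "Adding $($p.Name)"
        try {
            Add-WindowsPackage -Path $MountPath -PackagePath $p.FullName | Out-Null
        } catch {
            # An update that is already present or does not apply to this
            # image is recorded here rather than aborting the whole run.
            Write-Warning "Failed to add $($p.Name): $($_.Exception.Message)"
            $failed += $p.Name
        }
    }

    # Record what is actually in the image so the KB list can be checked
    # against the exclusion group before the WIM is imported into ConfigMgr.
    $report = Join-Path (Split-Path -Parent $WimPath) 'injected-packages.csv'
    Get-WindowsPackage -Path $MountPath |
        Where-Object { $_.PackageName -like '*KB*' } |
        Select-Object PackageName, PackageState |
        Export-Csv -Path $report -NoTypeInformation
    Write-Host "Package inventory written to $report"
}
finally {
    if ($failed.Count -eq 0) {
        Write-Host 'Committing changes and dismounting'
        Dismount-WindowsImage -Path $MountPath -Save | Out-Null
    } else {
        # Never save a partially patched image: a missing restart-heavy update
        # would surface again as a TS failure. Discard and let the operator decide.
        Write-Warning "Discarding changes; failed to add: $($failed -join ', ')"
        Dismount-WindowsImage -Path $MountPath -Discard | Out-Null
    }
}
```

After a successful run, the PackageState column in the CSV will normally show the injected updates as "Install Pending"; that is expected for offline servicing and they complete on first boot of the deployed image.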

While at the Update Catalog site, click on the update and select the 'Package Details' tab; it will tell you what that patch replaces and what replaces it. Or check via ConfigMgr. Basically, each of these troublesome patches will eventually be replaced by another one, and then you may not have to inject it with DISM and can instead let the SUP step(s) install it. I like the deployment to include everything rather than letting production advertisements apply it after the asset has been handed to a user, so we chose to inject it into our quarterly WIM.
