Tuesday, November 15, 2016

inject Windows 10 Cumulative via DISM in ConfigMgr

Previously I talked of an issue around Windows 10 1607 and WSUS patching for B&C Task Sequences. We use MDT to create images that are in turn deployed via SCCM. This issue reminded me of some past items in Windows 7 around updates that need to be pre-injected before sysprep runs, aka first bootup. Some off the top of my head:
  • NVMe (2990941)
  • TPM 2.0 (KB2920188)
  • Servicing Stack (KB3020369)
This got me to rethink what our best approach is for patching Windows 10 systems during deployments. Does it make sense that we do first bootup as patched as we can during B&C or deployment? You have to decide if it does for your environment. For mine it looks to be the case to do it during deployment, at least until MS brings Unified Update Platform (UUP) to life and it works its way into SCCM.

With Windows 10, a big way to handle early boot issues is to apply the latest Cumulative. This can mean the B&C WIM only gets changed for items other than patches, so I think I can get to one or two B&C WIM cycles in between major releases such as the upcoming Creators Update. Traditionally with Windows 7 we push a new one once a quarter, and the Apply Patches steps get them current otherwise. By injecting the latest cumulative, the Apply Drivers step has less to process when it generates the JET database used by Windows Update and determines what patches apply. This also has the benefit of working with any out-of-band cumulatives released. You run whatever cumulative you want or, for me, the minimum needed for WSUS to work in the B&C process.

The downside would be size: as of today the latest 64-Bit cumulative (KB3200790) is 892MB, so that is extra storage on a DP that will grow as new cumulatives are released. I have not validated this, but the update should match what is pulled via SUP, so the storage and replication impact may be minor. Since I use Nomad this does not apply to me, as it does not have any centralized store like an SCCM DP does.

So going off my previous issue, we inject the minimum patches needed into the B&C WIM and run the latest Cumulative during deployment from ConfigMgr. Here is how to set it up for 1607:

  1. Locate the latest cumulative. MS has a great page to track that.
  2. Once identified, go to the Update Catalog to get the MSU.
  3. Put the downloaded MSU on your SCCM Source in its own folder.
  4. In the SCCM Console create a package for it
    1. I call it 'OSD - Windows 10 1607 Cumulative KBXXXXX'
    2. For the Description I use '2016 11 09 Cumulative for Windows 10 1607'
    3. Point the package source to the UNC in step 3
    4. Do not create a program
    5. Optionally for Nomad I use 100% work rate
    6. Finish out the wizard
  5. In the SCCM Console go to your 1607 Task Sequence
    1. Find the Apply Image step, noting 32-Bit or 64-Bit
    2. Immediately after create a Run Command Line step
    3. Point it to your package path
    4. For the command line use 
 Dism /Image:%OSDISK%\ /Add-Package /Packagepath:"." /ScratchDir:"%OSDISK%\Windows\Temp"   

This assumes you only put the 64-Bit MSU in the package. If you put both 32-Bit and 64-Bit MSU files in one package you will have to modify the Command line step as needed. The step above will apply any files it finds in that path.
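
Because the DISM step applies whatever sits in the package folder, it is worth checking that folder before the package is distributed. The script below is an added example, not part of the original post: it confirms the folder holds exactly one MSU of the expected architecture, that the MSU has a valid Microsoft Authenticode signature, and it records a SHA256 hash. The `-SourcePath` and `-Architecture` parameter names and the reliance on the Update Catalog file naming are assumptions.

```powershell
# Added example: run on the admin workstation before distributing the package.
# $SourcePath is a hypothetical placeholder for your own package source UNC.
param(
    [Parameter(Mandatory)] [string] $SourcePath,
    [ValidateSet('x64', 'x86')] [string] $Architecture = 'x64'
)
$ErrorActionPreference = 'Stop'

# The DISM step uses /PackagePath:"." and applies whatever it finds there,
# so the folder must contain the one intended MSU and nothing else.
$files = @(Get-ChildItem -LiteralPath $SourcePath -File)
$unexpected = @($files | Where-Object { $_.Extension -ne '.msu' })
if ($unexpected.Count -gt 0) {
    throw "Unexpected files in package source: $($unexpected.Name -join ', ')"
}
if ($files.Count -ne 1) {
    throw "Expected exactly one MSU in '$SourcePath', found $($files.Count)."
}
$msu = $files[0]

# Assumption: the file keeps its Update Catalog name, which carries the
# architecture (for example "...-x64_<suffix>.msu").
if ($msu.Name -notmatch "-${Architecture}[_.]") {
    throw "'$($msu.Name)' does not look like a $Architecture package."
}

# The MSU must carry a valid Authenticode signature chaining to a trusted
# root, and the signer must be Microsoft.
$sig = Get-AuthenticodeSignature -LiteralPath $msu.FullName
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for '$($msu.Name)': $($sig.Status)"
}
if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# Record the hash so later changes to the package source can be detected.
[pscustomobject]@{
    File     = $msu.Name
    SizeMB   = [math]::Round($msu.Length / 1MB)
    Signer   = $sig.SignerCertificate.Subject
    NotAfter = $sig.SignerCertificate.NotAfter
    SHA256   = (Get-FileHash -LiteralPath $msu.FullName -Algorithm SHA256).Hash
}
```

Save it as a script and pass the folder from step 3 as `-SourcePath`; any failed check throws before the package reaches a Task Sequence.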

The DISM injection goes WAY quicker than the Apply Patches step, and the deployment itself goes faster as well with this method.