06 February 2013

MDT: Installing Windows 7 Updates as Packages

This is a really nice feature of MDT: it allows all updates to be installed during the initial Windows setup process. The problem is that certain updates will not install and cause the Install Updates function to fail, thereby halting the build. You will see the message "Windows could not apply unattend settings during pass [offlineServicing]." The only way to resolve this is to remove the updates that caused it to halt.

The best way to locate the updates causing the problem is to create a structured package group. The way I set up my company's was to create the following structure:


  1. Windows 7 Updates
    1. Pre-Image Updates
      1. Non-Security Updates
        1. 2009
        2. 2011
        3. 2012
        4. 2013
      2. Optional Updates
      3. Security Updates
        1. 2010
        2. 2011
        3. 2012
    2. Post-Image Updates
      1. Non-Security Updates
      2. Optional Updates
      3. Security Updates

This gives an easy, sorted structure for the updates, which also allows you to find and remove those updates no longer needed after a service pack is installed. Plus, it allows you to activate/deactivate smaller sets of updates through the selection profile, which makes narrowing down to the bad updates much easier. You might wonder where I got this structure. I use Windows Updates Downloader to download all of my Windows updates, and it uses this structure. I can verify that it works out great. This also allowed me to more easily find those updates that caused the build to crash during the offline installation. As far as associating them with a task sequence, all you have to do is check-mark each folder to be included in the selection profile, allowing all of the folders to be installed under a single task sequence.

As far as the list of updates I found to halt the build of Windows 7 64-Bit with SP1, here it is:
  • KB2496898
  • KB2533552
  • KB2604521
  • KB2726535
Once I removed these updates, the offline update worked flawlessly. I did not bother trying to get these updates back in the system. I allow WSUS to install them.

12 comments:

  1. I have to thank you for this article. That last patch you mentioned gave me headaches. You saved me hours of work.

    I was able to weed out most of the updates that are "online only" updates by using MDT with the latest service pack and checking in the x:\windows\logs\dism\dism.log file. Sadly though, my production MDT is behind by one rev though and doesn't have this log.

    Thanks again!

  2. That short list of 4 exclusions saved me hours. THANK YOU!!!

  3. Great list!! :) You can add KB2829104

  4. Worked a treat.
    Thanks !

  5. Hello,
    I had the same problem when I tried to slipstream some updates directly onto Windows media. I discovered, some time ago, that not all updates can be slipstreamed. All updates (*.CAB) have a file called update.mum. When an update cannot be slipstreamed, there is a piece of information inside this file called "allowedOffline". When it is false, you cannot slipstream this update into Windows media directly.
    I just read about that, but I gave up on adding updates to the Windows media at all.
    But now that I have implemented MDT, this problem has come back. It is sad that MDT does not check whether an update can be installed offline or not. Like your experience, not all updates can be slipstreamed, and when you do, Windows does not install at all!
    I really wanted to use "Packages" in MDT, but I have more than 100 updates to check and it is humanly impossible! I could read the log for installation errors to just remove the updates that fail to install, but that takes a long time too.
    So, I decided to write a script that can be added to MDT that checks whether the attribute "allowedOffline" is set to "false" (the update cannot be slipstreamed), and then the update is disabled in MDT. It is not removed completely for 3 reasons:
    1 - My script is not totally tested. It could erase something that it should not.
    2 - If for some reason an update that can be slipstreamed is disabled, I can re-enable it again.
    3 - And the most important: I use a program that downloads updates (like you do) called WSUS Offline Update. It downloads the files to a specific folder. Monthly I update the repository and add it again to MDT. Even if I remove it, it will come back again, and worse: it will be re-enabled. If I keep them and leave them disabled, the updates from the past month will not be added and their status (disabled) will not change.
    Please note that my script is not totally tested (it worked fine with Vista/7 packages downloaded from WSUS Offline Download)! Use at your own risk.
    Feel free to adapt it to your needs or to suggest fixes:

    http://pastebin.com/9HXhiUMn

    Any updates to the script will be made at that page.

    I hope this script can help someone like it helped me. It saved a lot of time!

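
The check described in comment 5, as an added PowerShell example (it is not the commenter's pastebin script and not part of MDT): it pulls update.mum out of each .cab with expand.exe and reports packages whose manifest carries allowedOffline="false". The folder passed as `$PackageRoot`, the function names and the sample manifest (including its `packageExtended` element name and KB number) are assumptions made for illustration; the script only reports and does not change anything in MDT.

```powershell
# Added example: find update packages whose update.mum forbids offline servicing.
function Test-MumAllowsOffline {
    param([Parameter(Mandatory)][string]$MumXml)
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($MumXml)
    # Match on the attribute alone, so the element name and namespace prefix do not matter.
    foreach ($node in $doc.SelectNodes('//*[@allowedOffline]')) {
        if ($node.GetAttribute('allowedOffline') -ieq 'false') { return $false }
    }
    return $true   # attribute absent, or present with a value other than "false"
}

function Get-OnlineOnlyUpdate {
    # $PackageRoot: hypothetical folder holding the downloaded .cab updates.
    param([Parameter(Mandatory)][string]$PackageRoot)
    Get-ChildItem -Path $PackageRoot -Filter *.cab -Recurse | ForEach-Object {
        $tmp = Join-Path $env:TEMP ([guid]::NewGuid().ToString())
        New-Item -ItemType Directory -Path $tmp | Out-Null
        try {
            # Extract only update.mum from the cabinet into the scratch folder.
            & expand.exe $_.FullName '-F:update.mum' $tmp | Out-Null
            $mum = Join-Path $tmp 'update.mum'
            if (Test-Path $mum) {
                $ok = Test-MumAllowsOffline -MumXml (Get-Content $mum -Raw)
                [pscustomobject]@{ Package = $_.Name; OfflineOk = $ok; Note = '' }
            } else {
                # Do not guess: a cabinet without a manifest needs a manual look.
                [pscustomobject]@{ Package = $_.Name; OfflineOk = $null; Note = 'no update.mum found' }
            }
        } finally {
            Remove-Item $tmp -Recurse -Force
        }
    }
}

# Constructed sample manifest (placeholder KB number), used to exercise the parser.
$sample = @'
<assembly xmlns="urn:schemas-microsoft-com:asm.v3">
  <package identifier="KB0000000" releaseType="Update">
    <packageExtended allowedOffline="false" />
  </package>
</assembly>
'@
Test-MumAllowsOffline -MumXml $sample

# Typical use against a package store (path is a placeholder):
# Get-OnlineOnlyUpdate -PackageRoot 'D:\Updates' | Where-Object { $_.OfflineOk -ne $true }
```

Packages reported with `OfflineOk` set to false are the candidates to leave out of the offline selection profile and deliver later through WSUS.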
  6. Any updates since July 2013? Seems there may be some new ones causing the same issues...

  7. Add this one: KB2807986

  8. Another one KB2538243

  9. Is there an up to date list of which updates should NOT be added to MDT?
    I keep receiving an error: "Windows could not apply unattend settings during pass [offlineServicing]."
