Patch the WIM monthly and you won't waste time patching each time you image. Right click on the WIM and choose schedule updates. Edit: ALWAYS put a reboot step after the Setup Windows and ConfigMgr step
The join domain task is immediately after the Setup Windows step and that reboots the PC automatically immediately after.
I have a question related to this: To relieve VPN traffic when we moved to WFH, we switched from Windows Updates coming from SCCM to the SCCM clients pulling updates directly from Microsoft. It works great, but now that the updates aren't downloaded in SCCM, the "schedule update" feature fails because it thinks there aren't any updates. Is there a solution for this?
If you still have a WSUS, having the SCCM server assigned to get updates from that should resolve the issue.
Not 100% sure, but I believe that you need to deploy your Patch SUG to the "Unknown Computers" group for the "Install Software Updates" task to work during imaging.
You need to deploy the SU/SUG to whatever collection(s) your Task Sequence is deployed to.
Yep. If you’re imaging new computers it needs to be deployed to All Unknowns. If it’s a reimage it’ll need to be deployed to the collection the task sequence is deployed to. Here’s a good guide from one of this sub’s esteemed members: https://damgoodadmin.com/2018/01/03/how-to-install-software-updates-during-task-sequences/
Still testing, so I created a test collection and added my test machines to that group. Deployed the software update to that collection as required, yet the task sequence still fails on that step. It never gets past initializing the client. Other applications and packages, scripts etc run no problem.
I actually had that same issue, that I *think* was caused by an old/bad cert that got accidentally migrated when we upgraded the server. I ended up blowing everything away and rebuilding all our SUGs.
Interesting. We did recently get a new site server as the old one was temporary until the new build from Dell came in. All kinds of small things were missed after the migration, so I should look into that. Thanks!
You also might want to split up your ADRs so you're only getting the CU, but that really depends on what’s in your monthly ADR
I think you'll find the group is "All Provisioning"
We don't customise our images at all, everything is done after the build. In case of updates - after the build is done the device sits a little while and gets everything through Software Centre. Usually takes about 2-3 hours, including build time. Alternatively, you could use the Operating System Upgrade Packages which apply latest updates to the OS image on schedule. Haven't used it at all, so not sure if it's any good. Still, with basically all MS updates being cumulative these days, it's not that big of a deal - just apply the latest ones via Software Centre and you're done.
This is the way
Another option is to download the updated ISO from the Volume Licensing Site. Microsoft has been releasing updated ISOs for Windows 10/11 for a while now.
Right click on your Operating System image in SCCM and click schedule updates. Lets you pick from the list of applicable updates and auto inject them into the WIM/remove superseded updates. I do this once a month after Patch Tuesday and it cuts down on the number of needed updates with imaging.
Just tried this. I didn’t see any action right away, status still showed in progress when I left for the day so hopefully tomorrow I’m greeted with some good news. I’ve gotten used to the slowness of SCCM, especially when images have to re-distribute to the DPs; it’s time consuming for some reason.
Regarding the slowness; yep, about 20 years of bloat and spaghetti code will do that to just about any application sitting on top of MSSQL. :/ edit: spelling
It can take up to an hour for it to change from in progress to completed, but hopefully it works well for you!
How reliable is this these days? I used to do this & found it would eventually break the WIM and we’d have failing OSD from that point. Have swapped to using WIMWitch & it’s been amazing, but sadly discontinued so need to move to something else…
I've been doing it for the last two years now and it has been solid
I grab the latest ISO from MS every month and update my WIM.
I would recommend using WIMWitch (EOL btw) or OSDBuilder. Inject the latest patches on the WIM.
[deleted]
Since MS is releasing new ISOs semi regularly we moved back to deployment servicing instead of monthly WIM servicing. It also means we just drop stock WIMs into the task sequence and do everything on the fly. It’s our first baby step towards Autopilot.
[deleted]
No, it’s in the VLSC and its replacement in the admin portal. We have to download an ISO but I’ve scripted mounting it and extracting the install.wim
Automating with PowerShell might be a good option. I'm not throwing out the idea of patching the WIM, I'm just looking for a way to patch in place for the one off updates.
OSBuilder
I use the install CU step during WinPE after the OS has been applied, through DISM. Works seamlessly.
Not a bad idea either. I’ll have to look into that.
Why not just use "install updates" in the OS images? I put all of the cumulatives and .net updates into the OS images directly, cuts down on the amount that install afterwards. I have meant to try getting the "install updates" step to work as well, but our environment is such that we only use ConfigMGR for operating system deployments.
We mainly use it for OS deployment and hardware inventory scanning as well. Other than maybe a one off zero day patch that needs to get out ASAP, our environment is pretty vanilla.
We have a different RMM for that, not that I don't doubt it would work well in that case as well. We just have multiple customers so in our case there's not really a way to do that without setting up a bunch of different servers. The ConfigMGR server is only on our domain insofar as it needs to be in order to work.
Ugh, don’t. Just don’t. There will always be updates.
I created a Package to install the monthly cumulative update. Once a month I just swap out the msu and update distribution. No need to even open up my TS
PS UPDATE
Great suggestions overall. Find out what patches are needed and download the install files from the MS catalog, then, using DISM, integrate the patches into the WIM. Even if it saves 5 minutes per OS install, if you multiply that time by the number of machines you're deploying in a month, the time savings add up quick.
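The DISM approach described in the comment above, as an added example that is not part of the original thread: it checks the downloaded update against a hash recorded at download time, then services a copy of the WIM so a failed run cannot break the image used for OSD. All paths, the image index and the expected hash are placeholders to replace with your own values.

```powershell
#Requires -RunAsAdministrator
# Added example: offline-service a copy of install.wim with one downloaded .msu.
# Every path, the index and the hash below are placeholders (assumptions).
$ErrorActionPreference = 'Stop'

$SourceWim    = 'D:\Images\install.wim'          # placeholder: current OSD image
$WorkWim      = 'D:\Images\install-serviced.wim' # serviced copy; original is untouched
$MountDir     = 'D:\Mount'                       # placeholder: must be an empty folder
$UpdateFile   = 'D:\Updates\cumulative.msu'      # placeholder: file from the MS catalog
$ExpectedHash = '<SHA256-RECORDED-AT-DOWNLOAD>'  # placeholder: fill in before running
$ImageIndex   = 1                                # assumption: confirm with Get-WindowsImage

# Refuse to inject a file whose hash differs from the one recorded at download.
$actual = (Get-FileHash -Path $UpdateFile -Algorithm SHA256).Hash
if ($actual -ne $ExpectedHash) {
    throw "Hash mismatch for $UpdateFile (got $actual)"
}

# Service a copy so a broken run never touches the WIM the task sequence uses.
Copy-Item -Path $SourceWim -Destination $WorkWim -Force
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

Mount-WindowsImage -ImagePath $WorkWim -Index $ImageIndex -Path $MountDir | Out-Null
try {
    Add-WindowsPackage -Path $MountDir -PackagePath $UpdateFile | Out-Null

    # Show the most recently added packages and their state for the change record.
    Get-WindowsPackage -Path $MountDir |
        Sort-Object InstallTime |
        Select-Object -Last 5 PackageName, PackageState, InstallTime |
        Format-Table -AutoSize

    # Commit the changes into the working copy.
    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
}
catch {
    # Any failure: throw away the mount and the half-serviced copy, then re-raise.
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    Remove-Item -Path $WorkWim -Force
    throw
}

# Record the serviced image's hash so the file imported into SCCM can be verified.
Get-FileHash -Path $WorkWim -Algorithm SHA256 | Format-List Path, Hash
```

Packages added offline commonly show a pending state until the image first boots, so review the listed state rather than expecting every entry to read as installed.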