Use PowerShell Commands to Assist with Patching During SCCM Image Build

Many people who use SCCM to build OS images have come across a slight issue where subsequent “Install Software Updates” task sequences are not finding any patches. This issue occurs because the machine doesn’t refresh its update scan and therefore doesn’t think it needs any updates. Brandon Linton detailed some PowerShell commands recently on the MDT-OSD list that can be used to trigger a refresh cycle so additional patches are picked up and applied. Having this issue in our environment, I put this into place and after a little trial and error got them to work as well. I debated using the offline patching method, but we also install Office 2010 into our image and the offline method cannot patch Office.

Our environment is SCCM 2007 SP2 R2, on Server 2008R2, SQL 2008 R2. We have MDT 2010 Update 1 fully integrated, and use SCCM ZTI for both building and deploying images.  Images are built on VMWare ESXi 4.1.

The first step is to make sure you have a Deployment Package with all of the applicable updates for both Windows 7 and Office 2010. Then, create a Deployment that targets All – Unknown Computers. As the computer used to create the image isn’t currently known to SCCM, using this collection guarantees that it gets the targeted deployment.

After already having run the first “Install Software Updates” task, and then installing Office 2010, the next step is to add the following tasks to your image build task sequence.   The first one is the scan cycle refresh:

Scan for Updates

Care has to be taken with the command line so that PowerShell doesn’t pick up any stray carriage returns.  It may be best to copy this into Notepad first to make sure it looks correct:

powershell.exe -command "([wmiclass]'root\ccm:SMS_Client').TriggerSchedule('{00000000-0000-0000-0000-000000000113}')"

 

Following the scan refresh is a command to sleep the build process for a few minutes to make sure the scan completes before moving on to the actual patch processes (this one is set to 180, or 3 minutes…you can adjust if need be):

Scan pause

 

powershell.exe -command start-sleep 180

 

And of course, the final part is the usual Install Updates Task:

Install SU's

 

This whole process is repeated at the very end of the build process, just before the image is captured.  All three of the Install Software Update tasks are set to install “All Software Updates”.  Although there are three, the first two seem to grab everything.
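The scan trigger and pause described above can also be combined into one script file, which keeps the quoting out of the task sequence command line. This is an added example, not part of the original post; the file name Invoke-UpdateScan.ps1, the parameter names and the exit codes are assumptions.

```powershell
# Invoke-UpdateScan.ps1 (hypothetical file name; added example, not from the post).
# Assumed task sequence command line, run from a package that contains this file:
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File Invoke-UpdateScan.ps1
param(
    # Schedule ID used in the post to trigger the update scan refresh.
    [string]$ScheduleId = '{00000000-0000-0000-0000-000000000113}',
    # Fixed wait used in the post (180 seconds); adjust if the scan needs longer.
    [int]$WaitSeconds = 180
)

$ErrorActionPreference = 'Stop'

# Refuse anything that is not a braced GUID, for example a value damaged by
# smart quotes or a stray carriage return when it was pasted.
$guidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
if ($ScheduleId -notmatch $guidPattern) {
    Write-Output "Schedule ID '$ScheduleId' is not a braced GUID."
    exit 2
}

try {
    # Same WMI class and method as the one-line command in the post.
    $client = [wmiclass]'root\ccm:SMS_Client'
    # Discard the returned object so nothing is left on the pipeline
    # for the host to format.
    $null = $client.TriggerSchedule($ScheduleId)
}
catch {
    # A non-zero exit code lets the task sequence step report the failure.
    Write-Output "TriggerSchedule failed: $($_.Exception.Message)"
    exit 1
}

Write-Output "Triggered $ScheduleId; waiting $WaitSeconds seconds for the scan."
Start-Sleep -Seconds $WaitSeconds
exit 0
```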

 

I should point out that some of the information in the respective patching log files can be confusing. The UpdatesStore.log will show you what is installed, missing, or not applicable. The UpdatesHandler.log will show you the status of the scan and of each applicable update through the process (downloaded, installed, etc.). The UpdatesDeployment.log shows the actual targeted updates, and the progress of each update, from downloading to installing. The confusing part is that you may see messages such as “InstallTargetedUpdates failed, error 80040708” in the UpdatesDeployment.log. However, the Task Sequence doesn’t fail and the patches are indeed applied.

  • http://myITforum.com/myitforumwp/community/members/nickmoseley/ Nick Moseley

    Nice!!!

    • http://myITforum.com/myitforumwp/community/members/zman213/ Billy Abernathy

      I am getting an error saying I am missing mscoree.dll. Has anyone else run across this?

      • http://myITforum.com/myitforumwp/community/members/rodtrent/ Rod Trent

        Make sure you have the most current .NET framework installed. That file is included. There’s links here: http://myitforum.com/myitforumwp/2012/01/24/microsoft-net-framework-4-and-configmgr-2012/

        • http://myITforum.com/myitforumwp/community/members/markkent/ Mark Kent

          Agreed. Make sure .NET 4 is in your first round of patches.

          • http://myITforum.com/myitforumwp/community/members/zman213/ Billy Abernathy

            I have .net 4 installed on my base image and I still get the error when invoking the command. Do I have to have .net installed in the boot image?

  • http://myITforum.com/myitforumwp/community/members/markkent/ Mark Kent

    No, at this point it is running off the OS that you will capture at the end. I guess I am stumped at this point. That error points to the .NET framework, but if you have it as part of the OS I am not sure why it is bombing on it.

  • http://myITforum.com/myitforumwp/community/members/rgervase/ Ron Gervase

    Mark, great post. I was able to do this previously using WMIC commands, but when we try using your PowerShell command line, it does seem to actually trigger the schedule but it always returns an error. Any help would be appreciated.

    format-default : The following exception occurred while retrieving members: “The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)”
    + CategoryInfo : NotSpecified: (:) [format-default], ExtendedTypeSystemException
    + FullyQualifiedErrorId : CatchFromBaseGetMembers,Microsoft.PowerShell.Commands.FormatDefaultCommand

    We are just trying to run it on the local machine at this point. powershell.exe -command “([wmiclass]`root\ccm:SMS_Client’).TriggerSchedule(`{00000000-0000-0000-0000-000000000113}’)”