[SOLVED] How to Patch Base OS WIMs in a non-SCCM Environment?


My new employer doesn't have SCCM but they're at least using MDT, even if it is 2010.  We (System Engineers for servers; Desktop Engineers for workstations) have historically been using Windows Update to patch the machine in question, but that (a) requires a bit of babysitting, (b) takes ages and (c) is done every time a new server is stood up or new image is built.
Being one of the new guys, I've been asked if there's a way to automate the installation of OS updates for Windows 7 up to Server 2012 R2.  My process has been to mount the WIM and apply as many updates as I can offline by pointing DISM to a directory full of updates.
However, I've been in situations where updates break the WIM because dependencies weren't in place, namely .NET, which can't be installed offline.  And it's such a hassle to go through that troubleshooting process to narrow it down to the offending update - augh!
Having said all that, I'm in need of some advice for how to handle stock WIMs from stock Microsoft ISOs.
What process do you experts follow for getting that WIM fully up to date?
I'm talking all the [recommended] updates offered via Windows Update: updates for Windows, IE and .NET; standard security updates; IE upgrades (e.g. from 8 to 9, 9 to 10, 10 to 11); MSXML updates; Silverlight, etc.
Does update installation order matter?
Is it safe to point DISM to a directory of cabs for offline updates & let it rip or does it require a bit of structure?
I'm sort of doing a hybrid: I pulled down over 200 updates from the Microsoft Update Catalog, extracted the cabs into a centralized location and separated them into two groups, group 2 being updates that seem to cause problems when done offline or can't be done offline due to a prerequisite.  (Group 1 is a bit more than 200 updates; Group 2 is about a dozen, including 2685811, 2685813, 2533552, 2819745.)
Can I assume that for updates like WMF 4.0, UMDF 1.11, KMDF 1.11, MSXML and straight upgrades like .NET 4.5 and IE 10/11, you're laying down the OS, installing the prerequisites, installing the updates - maybe even running Windows Update - and then capturing?
I'm just really curious as to how far off the mark I am, how I can automate as much of this as possible and, of course, how to do it right! :)
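As an added example (not code from the original thread or from any of its posters), here is one way to script the offline step described above with the DISM PowerShell module: every .cab/.msu in the "group 1" directory is applied one at a time, anything that fails is retried on a later pass (so a package whose prerequisite only landed later in the same directory still gets picked up), and whatever never applies is listed so it can be moved to "group 2" and done online. The WIM path, image index, mount directory, update directory and pass count are assumptions; it expects an elevated session on a technician machine with the Windows ADK / DISM module installed.

```powershell
# Added example: retrying offline servicing of a stock WIM with the DISM module.
# All paths below are hypothetical; adjust to your layout. Run elevated.
Import-Module Dism

$Wim       = 'D:\Images\install.wim'   # assumed: install.wim copied off the stock ISO
$Index     = 1                         # assumed: Get-WindowsImage -ImagePath $Wim lists the indexes
$Mount     = 'D:\Mount'                # assumed: empty directory to mount into
$UpdateDir = 'D:\Updates\Group1'       # assumed: directory of .cab/.msu believed to apply offline
$MaxPasses = 3                         # assumed: upper bound on dependency-order retries

if (-not (Test-Path $Mount)) { New-Item -ItemType Directory -Path $Mount | Out-Null }
Mount-WindowsImage -ImagePath $Wim -Index $Index -Path $Mount | Out-Null

$commit = $false
try {
    # Snapshot what the image already contains so we can report what actually landed.
    $before  = (Get-WindowsPackage -Path $Mount).PackageName
    $pending = Get-ChildItem -Path $UpdateDir -Include *.cab, *.msu -Recurse -File | Sort-Object Name
    $failed  = @{}

    for ($pass = 1; $pass -le $MaxPasses -and $pending.Count -gt 0; $pass++) {
        Write-Host "Pass $pass : $($pending.Count) package(s) to try"
        $stillPending = @()
        foreach ($pkg in $pending) {
            try {
                # Apply a single package; -ErrorAction Stop turns DISM errors into catchable exceptions.
                Add-WindowsPackage -Path $Mount -PackagePath $pkg.FullName -ErrorAction Stop | Out-Null
                Write-Host "  OK   $($pkg.Name)"
                $failed.Remove($pkg.FullName)
            } catch {
                # Typical causes: not applicable to this image, or a prerequisite not yet present.
                Write-Warning "  FAIL $($pkg.Name): $($_.Exception.Message)"
                $failed[$pkg.FullName] = $_.Exception.Message
                $stillPending += $pkg
            }
        }
        # If nothing succeeded this pass, another pass cannot change the outcome.
        if ($stillPending.Count -eq $pending.Count) { break }
        $pending = $stillPending
    }

    if ($failed.Count -gt 0) {
        Write-Warning 'Never applied offline (candidates for the online "group 2"):'
        $failed.GetEnumerator() | Sort-Object Name | ForEach-Object { "  $($_.Key)`n    $($_.Value)" }
    }

    # Verify by diffing the package list before and after servicing.
    $after = (Get-WindowsPackage -Path $Mount).PackageName
    $added = Compare-Object $before $after | Where-Object SideIndicator -eq '=>' |
             Select-Object -ExpandProperty InputObject
    Write-Host "$(@($added).Count) package(s) added to index $Index of $Wim"
    $commit = $true
} catch {
    Write-Error $_
} finally {
    # Only save the image if the loop completed; otherwise discard and leave the WIM untouched.
    if ($commit) { Dismount-WindowsImage -Path $Mount -Save    | Out-Null }
    else         { Dismount-WindowsImage -Path $Mount -Discard | Out-Null }
}
```

Work on a copy of the WIM, because `-Save` rewrites it in place; a failed mount or an interrupted session can be cleaned up with `Clear-WindowsCorruptMountPoint` and `Dismount-WindowsImage -Discard`. Packages that the loop keeps rejecting on every pass are the ones whose prerequisite is not a servicing package at all (the .NET and IE-upgrade cases mentioned in the post), which is exactly why they belong in the online group.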
Although it is possible to install many updates offline, some just must be performed online, as you mention above.
My recommendation (and that of Niehaus, Arwidmark, Nystrom, Hunter, MCS, et al.) is to create an MDT deployment share (called the create share) with task sequences for each image type. Install the OS, update the machine (via WSUS or Windows Update), install your favorite applications, (update again), and then Sysprep and Capture. All done within a Virtual Machine, preferably Hyper-V.
If you can automate all of your applications, then you can pretty much do the entire process with a single click.
I have a beefy i7-4771 with 32GB of ram, and *TWO* speedy SSD Drives. Imaging *8* machines in parallel takes about 4 hrs.
Keith Garner - Principal Consultant [owner] -
I need a moment to collect myself after reading your hardware.
Seriously though, I'm down with doing it with MDT in a VM because it's the cleanest it can be at that point.  My only concerns were those 'gotchas':
Is DISM smart enough to know the proper installation order of the updates in that directory?  If not do I have to run DISM multiple times (pointing it to the same collection of CABs) to make sure I got everything?
Is there a fairly comprehensive list of updates that should be handled with special care/attention?
Anything else I didn't think of.
I really appreciate your responses - thank you kindly for putting up with me Keith. :)