Offline Patching with help from MDT

With Windows 10 on the way, I’ve been interested in releases and builds.

It’s become clear that Microsoft is moving towards a model of more frequent major builds with incremental *.msu updates between them. What will be interesting to see is how Microsoft makes builds available for updates within enterprises. We’ve seen some interesting ideas with the Windows 8.1 Updates, where Microsoft released a major update via a couple of *.msu packages distributed via WSUS.

The future of updating

Another interesting avenue is the ability to “Upgrade” machines from Windows 7, Windows 8, and Windows 8.1 to Windows 10. This is a change for Windows Setup, where in the past Windows “Upgrade” was only available from the previous version of Windows. So you can’t “Upgrade” from Windows XP to Windows 7, nor can you upgrade from Vista to Windows 8.

The problem with Upgrading is that you can *only* use the clean Windows image directly from Microsoft. If you install your own applications or customizations into a custom reference image (the sysprep+image method most IT departments are familiar with), you can’t use that custom image to Upgrade. Instead you need to use the MDT and/or SCCM “Refresh” method, which migrates settings and files with USMT from one OS to another.

It was because of the inability to use custom images, and the inability to Upgrade from older OS versions, that the “Upgrade” scenario was taken out of the current version of MDT; it was present in the older MDT 2010 versions.

Although you can’t use custom images that are sysprepped and captured, there is still some question as to whether we will be able to use images that have been “offline” patched using DISM in “Upgrade” scenarios. There are a couple of hundred updates for Windows 7, and no IT department in its right mind should ever send out an unpatched image to machines with the *hope* that the user will get around to running Windows Update to patch the machine. So keeping deployment images up to date is important.

What remains to be seen is whether Microsoft will do a better job of releasing regular updates for Windows 10 so that IT departments don’t have to patch these OSes themselves. There have been hints from Microsoft about regular full updates to the OS, but we won’t see any evidence of that until the second half of 2015.

Offline Servicing

All of this got me thinking about the Offline Servicing patching cycle in general. What is involved in patching an image?

The principles are available from Microsoft:
http://technet.microsoft.com/en-us/library/dd744559(v=ws.10).aspx
• Take an existing *.wim image and mount it locally.
• Use the dism command to add a package or a collection of packages.
• Unmount the *.wim image.
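The three steps above, as an added example written for this post rather than one of its own scripts: it uses the DISM PowerShell cmdlets to mount one index of a WIM, apply every *.msu/*.cab found in an update folder, record which packages DISM refused (the “not all updates can be serviced offline” case), and unmount. The paths are assumptions, and packages are applied in file-name order, which is an assumption, not a servicing rule.

```powershell
# Added example, not one of the post's own scripts. Mounts one index of a WIM, applies every
# *.msu/*.cab in an update folder, records which packages DISM refused, and unmounts.
# Paths are assumptions; packages are applied in file-name order (also an assumption, not a rule).
param(
    [string] $ImagePath  = 'C:\Images\Win7SP1x64\install.wim',   # assumed path
    [int]    $Index      = 1,
    [string] $UpdatePath = 'C:\Updates\Win7SP1x64',              # assumed folder of downloaded updates
    [string] $MountPath  = 'C:\Mount'
)

# Read the image header first so a wrong path or index fails before anything is mounted.
$image = Get-WindowsImage -ImagePath $ImagePath -Index $Index
Write-Host "Patching $($image.ImageName) ($($image.Architecture)), index $Index"

if (-not (Test-Path $MountPath)) { New-Item -ItemType Directory -Path $MountPath | Out-Null }
Mount-WindowsImage -ImagePath $ImagePath -Index $Index -Path $MountPath | Out-Null

$failed = @()
$completed = $false
try {
    $packages = Get-ChildItem -Path $UpdatePath -Include *.msu, *.cab -Recurse | Sort-Object Name
    foreach ($pkg in $packages) {
        try {
            Add-WindowsPackage -Path $MountPath -PackagePath $pkg.FullName -ErrorAction Stop | Out-Null
            Write-Host "Applied $($pkg.Name)"
        }
        catch {
            # Record and continue: one update that can't be serviced offline should not
            # throw away the hour already spent applying the others.
            $failed += [pscustomobject] @{ Package = $pkg.Name; Error = $_.Exception.Message }
            Write-Warning "Failed  $($pkg.Name): $($_.Exception.Message)"
        }
    }
    # Check what the image now reports as installed; compare this against the WU listing
    # to find the updates that never arrive as offline-serviceable packages.
    $installed = Get-WindowsPackage -Path $MountPath | Where-Object { $_.PackageState -eq 'Installed' }
    Write-Host "$(@($installed).Count) packages installed in image, $(@($failed).Count) failed"
    $completed = $true
}
finally {
    # Commit only if the loop ran to the end; otherwise discard so the WIM is left untouched.
    if ($completed) { Dismount-WindowsImage -Path $MountPath -Save    | Out-Null }
    else            { Dismount-WindowsImage -Path $MountPath -Discard | Out-Null }
}

$failed | Export-Csv -Path (Join-Path $UpdatePath 'offline-patch-failures.csv') -NoTypeInformation
```

The failures CSV is the list to reconcile by hand: it is where the IE, .NET and MSRT style updates that only ship as *.exe installers will show up as gaps.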

Yet there is far more to the process than just this: What updates should I use? Where do I get the updates? What order should I install them in? Are there any updates from WU that I can’t use? What about delta compressed updates? Etc…

I’ve been asking around about updates. I started off looking at http://download.wsusoffline.net/ but I got a bit discouraged at the size and complexity of the WSUSOffline solution.

So I developed a script to run at the end of my LiteTouch Deploy and Capture task sequence. The script lists all of the updates installed on each machine and dumps out the download links where each update came from:

https://onedrive.live.com/?cid=5407B03614346A99&id=5407B03614346A99%2114113

# Query the local Windows Update agent for installed software updates and emit one
# object per downloadable payload; the DownloadURL is what the offline patching needs.
param(
    [string] $Filter = "IsInstalled = 1 and Type = 'Software'"
)

$objSession = New-Object -ComObject "Microsoft.Update.Session"

foreach($update in $objSession.CreateUpdateSearcher().Search($Filter).Updates)
{
    foreach($bundledUpdate in $update.BundledUpdates)
    {
        foreach($content in $bundledUpdate.DownloadContents)
        {
            # Delta compressed (express) payloads can't be applied offline with DISM, so skip them.
            if ($content.IsDeltaCompressedContent)
            {
                write-verbose "Ignore Delta Compressed Content: $($Update.Title)"
                continue
            }
            
            # *.exe payloads are only flagged here; the download script filters them out later.
            if ( $content.DownloadURL.ToLower().EndsWith(".exe") )
            {
                write-verbose "Ignore Exe Content: $($Update.Title)"
                #continue
            }

            [pscustomobject] @{
                ID = $update.Identity.UpdateID
                KB = $update.KBArticleIDs | %{ $_ } 
                URL = $update.MoreInfoUrls | %{ $_ } 
                # Keep the classification names (e.g. "Security Updates") by dropping
                # categories whose parent is the product category GUID below.
                Type = $Update.Categories | ?{ $_.Parent.CategoryID -ne "6964aab4-c5b5-43bd-a17d-ffb4346a8e1d" } | %{ $_.Name }
                Title = $update.Title
                Size = $bundledUpdate.MaxDownloadSize
                DownloadURL = $content.DownloadURL
                Auto = $update.autoSelectOnWebSites
            }
        }
    }
}

This provided me with a list of downloads for each platform type: Win10, Win7SP1, Win8.1, Win2k8, Win2012, Win10Server.

Example:

...
WU(505): 8d865f13-ec5f-4bfe-95d9-4a172680523e
	True
	http://download.windowsupdate.com/d/msdownload/update/software/secu/2014/09/windows6.1-kb3000869-x64_be731ba069a45d2c2786e7f8f5de13014aa7786e.cab
	Security Updates,
	3000869
	http://support.microsoft.com/kb/3000869	Security Update for Windows 7 for x64-based Systems (KB3000869)
...

I wrote another PowerShell script to download each update from Windows Update (filtering out “Express”, Exe and psf updates).

Then another PowerShell script to apply all the updates for each platform to the core OS images.
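For the download step described above, here is an added example that is not one of the post's own scripts: it takes the output of the update-listing script (assumed to have been saved with Export-Csv), keeps only *.msu/*.cab payloads, and checks each downloaded file's SHA-1 against the 40-hex suffix of its Windows Update file name (assumed, as in the KB3000869 URL shown earlier, to be the hash of the content). The paths are assumptions.

```powershell
# Added example, not one of the post's own scripts. Downloads the payloads listed by the
# update-listing script (assumed saved with Export-Csv), keeping only *.msu/*.cab, and checks
# each file's SHA-1 against the 40-hex suffix of its Windows Update file name (assumed to be that hash).
param(
    [string] $ListPath = 'C:\Updates\Win7SP1x64\updates.csv',   # assumed path
    [string] $OutDir   = 'C:\Updates\Win7SP1x64'                # assumed path
)

function Test-WUFileHash {
    # File names look like windows6.1-kb3000869-x64_<40 hex>.cab. Return $true only when the
    # suffix is present and equals the SHA-1 of the file content; anything else is treated as bad.
    param([string] $Path)
    $name = [IO.Path]::GetFileNameWithoutExtension($Path)
    if ($name -notmatch '_([0-9a-fA-F]{40})$') { return $false }
    $expected = $Matches[1].ToLower()
    $actual = (Get-FileHash -Path $Path -Algorithm SHA1).Hash.ToLower()
    return ($actual -eq $expected)
}

if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

$bad = @()
foreach ($row in (Import-Csv -Path $ListPath)) {
    $url = $row.DownloadURL
    $ext = [IO.Path]::GetExtension($url).ToLower()
    # DISM can only add *.msu/*.cab offline; express (.psf) and .exe payloads are dropped here.
    if ($ext -ne '.msu' -and $ext -ne '.cab') { Write-Verbose "Skip $url"; continue }

    $dest = Join-Path $OutDir ([IO.Path]::GetFileName($url))
    if ((Test-Path $dest) -and (Test-WUFileHash $dest)) { continue }   # already present and intact

    Invoke-WebRequest -Uri $url -OutFile $dest
    if (Test-WUFileHash $dest) {
        Write-Host "OK   $($row.Title)"
    }
    else {
        # A file that does not match its own name is not something to feed into DISM.
        Write-Warning "HASH $dest does not match its file name; removing"
        Remove-Item -Path $dest -Force
        $bad += $url
    }
}

# Anything listed here needs a second look before the apply step.
$bad | Set-Content -Path (Join-Path $OutDir 'rejected-downloads.txt')
```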

It took me a while to get the process down right, and I can imagine how difficult it would be to start this process from scratch. How do you determine which updates to install? Is it a manual hit or miss process?

Results

• I was a bit surprised at how slow the update process is. On my fast i7 machine with an SSD drive, the full offline update of Windows 2008 R2 took about 63 minutes.

• End results show that the offline-updated Windows Server 2008 image was missing:
   o the latest version of IE 11
   o .NET Framework 4.5
   o the Windows Malicious Software Removal Tool

Missing updates after deployment from the offline sysprepped image: [screenshot not reproduced]

Missing updates after deployment from the MDT sysprepped image: [screenshot not reproduced]

• There wasn’t any noticeable difference in the installation time at deployment.

• There were some noticeable differences in size: generally the MDT sysprepped images were 23% larger than the offline images (except for the Windows Server 2012 image, which was actually smaller as an MDT sysprepped image).

Image            RTM original image   Offline capture     LiteTouch capture
Win2008R2Sp1     2.62 GB              3.45 GB (+32%)      4.3 GB  (+64%)
Win2012R2U       3.67 GB              4.56 GB (+24%)      4.53 GB (+23%)
Win7SP1x64Eval   2.62 GB              3.53 GB (+35%)      4.38 GB (+67%)
Win7SP1x86Eval   1.97 GB              2.48 GB (+26%)      3.22 GB (+63%)
Win81Ux64Eval    3.12 GB              4.05 GB (+30%)      4.41 GB (+41%)
Win81Ux86Eval    2.32 GB              2.85 GB (+23%)      3.41 GB (+47%)

(Percentages are the growth over the RTM original image.)

Offline vs MDT

So what are the pros and cons here for using offline images:

Offline Images (dism.exe patching):
• Pro: With the correct package manifest/collection, images can be created quickly.
• Pro: It might be possible to use images in Windows 10 “Upgrade” scenario (TBD)
• Pro: Deployment is easy with MDT and/or SCCM.
• Pro: Base images are smaller.
• Con: Not all updates can be serviced offline (not all updates come as *.msu/*.cab files)
• Con: You can’t add any custom applications.
• Con: Difficult to find the correct manifest of drivers to update; it is a manual process.

Online Update (Apply, Update, Install, Sysprep, Capture with MDT):
• Con: Images can’t be used in Windows “Upgrade” scenarios.
• Pro: Deployment is easy with MDT and/or SCCM.
• Pro: Easy to install applications and configurations into image that’s ready for deployment.

Conclusions

So which one is better?

Well, if you have an MDT build-and-capture task sequence set up for your master images, I wouldn’t change.

If you don’t put much into your base image, just a couple of security updates (MSU/CAB), then sticking with offline updates can work fine. But if you need anything more complex, then it’s time to look at MDT.

How Windows 10 and the future play out remains to be seen. If Microsoft can get a system up and running and keep it consistent, then moving away from MDT imaging could be viable. But that’s over a year away.

-k
