You could try the following script out (http://blogs.technet.com/b/configmgrdogs/archive/2012/02/15/applying-windows-updates-to-a-base-wim-using-dism-and-powershell.aspx) to automate the dism injection of the SU into the wim rather than a build/capture.
There's no one-stop solution here.

On Wed, Oct 29, 2014 at 3:05 PM, Jason Sandys <ja...@sandys.us> wrote:

> First, I honestly don’t know which updates are all CBS and which are not. I know that Office updates are not CBS (as mentioned by the others). I don’t think .Net Framework in Win 7 are either although they are in Win 8 – not sure on this though as I haven’t explicitly looked. I don’t think there’s a comprehensive list anywhere either :(
>
> As for what servicing buys you over installation during a build and capture: Technically, not much except side-stepping the double-reboot issues (although I’ve heard this isn’t even the case). Servicing has the advantage that you can add updates not in WSUS though (like 2775511 among a few others) – you need to do this servicing manually though with DISM. The other advantage to servicing is that you don’t have to re-run your build and capture TS to inject the new monthly updates assuming they are all CBS based.
>
> If you are comparing servicing to deploy updates in a normal deployment ts, then I’d say a lot because you are deploying a completely unpatched image which to me is a huge security risk.
>
> My normal thing to do is use manual servicing to inject non-WSUS updates (like 2775511) and double-reboot updates into the base image and then use a build and capture TS to inject the rest and put any other polish on the image. Then, on a monthly basis, use servicing to inject new monthly updates. Then once every 6 months (or so), re-run the build and capture TS to add all (even non-CBS) updates.
>
> I guess you/I could simply add the manual servicing steps to the build and capture TS also but just haven’t done that.
>
> There’s lots of middle ground and minor difference possible here also.
>
> J
>
> *From:* listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] *On Behalf Of *Dwayne Allen
> *Sent:* Wednesday, October 29, 2014 9:42 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* Re: [mssms] RE: Patch/WIM Injection
>
> But what does that buy you over having an apply software updates step in your task sequence?
>
> -----
> Dwayne Allen
> dwayne.al...@gmail.com
> (479) 310-0027
>
> On Wed, Oct 29, 2014 at 8:40 AM, Jason Wallace <jaso...@outlook.com> wrote:
>
> They are deployed as the OS boots for the first time so from a security perspective it is better than having a vulnerable system on the LAN while updates are deployed.
>
> On 29 Oct 2014, at 14:08, Bradley, Matt <mbrad...@quiktrip.com> wrote:
>
> When you say not all updates can be injected, do you mean things like Office updates, or are there others that a person would miss?
>
> I also didn’t realize injecting the updates to the image didn’t actually install them. If they are only installed after an OSD, then I’m even more inclined not to inject. I might image two PCs as a test, one with the patches already installed, one with them injected, and see which one builds faster.
>
> *From:* listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com <listsad...@lists.myitforum.com>] *On Behalf Of *Jason Sandys
> *Sent:* Tuesday, October 28, 2014 10:06 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] RE: Patch/WIM Injection
>
> First, not all updates can be injected into a WIM so even if you do employ image servicing, it is not sufficient to deploy a fully patched image. Thus, you really should be capturing a new image periodically no matter what – if you are using a build and capture task sequence (whether in MDT or ConfigMgr) then this is a trivial task (beware of the double reboots in ConfigMgr though :( ).
>
> Offline servicing in ConfigMgr has had issues (not really ConfigMgr’s fault to my knowledge but that’s beside the point) and is why some/many people shy away from using image servicing. Also note that image servicing doesn’t actually install the updates. It merely injects them into the WIM for installation during Windows Setup so it really doesn’t save you as much as you think it does in terms of time or space.
>
> J
>
> *From:* listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com <listsad...@lists.myitforum.com>] *On Behalf Of *Bradley, Matt
> *Sent:* Tuesday, October 28, 2014 9:55 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] Patch/WIM Injection
>
> I’ve read that some people do not like injecting monthly patches directly into the OS WIM. Some prefer to just capture reference images. Being that a bad patch could be removed from a WIM if it was determined to be bad, I’d like to hear some feedback on why some choose to still stay away from this method, and stay with reference image capture.
>
> Thanks.
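
The manual DISM servicing discussed in this thread, sketched with the DISM PowerShell cmdlets. This is an added example, not code from any poster or from the linked script; every path is a placeholder assumption. It services a copy of the image, records packages DISM rejects instead of aborting, and lists the state of each newly added package.

```powershell
#Requires -RunAsAdministrator
# Added example: offline-service a WIM with the DISM PowerShell module.
# All paths below are placeholders (assumptions), not values from the thread.
param(
    [string]$ImagePath = 'D:\Images\install.wim',  # placeholder
    [int]   $Index     = 1,
    [string]$MountDir  = 'D:\Mount',               # placeholder, must exist and be empty
    [string]$UpdateDir = 'D:\Updates'              # placeholder, holds .msu/.cab files
)
$ErrorActionPreference = 'Stop'

# Work on a copy so a failed run never touches the known-good image.
$workImage = "$ImagePath.servicing"
Copy-Item -Path $ImagePath -Destination $workImage -Force

Mount-WindowsImage -ImagePath $workImage -Index $Index -Path $MountDir | Out-Null
$failed = @()
try {
    # Remember what the image already contained so only new packages are reported.
    $before = (Get-WindowsPackage -Path $MountDir).PackageName

    foreach ($pkg in Get-ChildItem -Path $UpdateDir -Include *.msu, *.cab -Recurse) {
        try {
            Add-WindowsPackage -Path $MountDir -PackagePath $pkg.FullName | Out-Null
        } catch {
            # Packages DISM rejects (not applicable, not serviceable offline)
            # are recorded rather than treated as fatal.
            $failed += [pscustomobject]@{ File = $pkg.Name; Error = $_.Exception.Message }
        }
    }

    # Packages listed as InstallPending finish installing when the image first boots.
    Get-WindowsPackage -Path $MountDir |
        Where-Object { $before -notcontains $_.PackageName } |
        Sort-Object PackageState |
        Format-Table PackageName, PackageState, ReleaseType -AutoSize

    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
} catch {
    # Anything unexpected: throw away the mount and the working copy.
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    Remove-Item -Path $workImage -Force
    throw
}
if ($failed) { $failed | Format-Table -AutoSize -Wrap }
```

A package later found to be bad can be taken back out of a mounted image with `Remove-WindowsPackage -Path <mount dir> -PackageName <name from Get-WindowsPackage>` before saving. The rejected-file list shows which updates still need a build and capture or an in-task-sequence update step.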