Support Tip: Computers connect to Windows Update to download updates during ConfigMgr Task Sequence execution

Support Tip: Computers connect to Windows Update to download updates during ConfigMgr Task Sequence execution

  • Comments 3
  • Likes

~ Bryan Xiao

ToolsWhen deploying an operating system to clients using an OS image with either System Center Configuration Manager 2007 (ConfigMgr 2007) or System Center 2012 Configuration Manager (ConfigMgr 2012), even if there's an "Install Software Update" step in the Task Sequence, computers will try to connect to Windows Update to download some updates before initiating the "Install Software Update" step. This is a normal behavior and we can monitor this via Windowsupdate.log by looking for the following entries:

1004 7bc Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates]
1004 7bc Agent *********

1004 7bc Agent   * Online = Yes; Ignore download priority = No

1004 7bc Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"

1004 7bc Agent   * ServiceID = {9482F4B4-E343-43B6-B170-9A65BC822C77} Windows Update

1004 7bc Agent   * Search Scope = {Machine}

1004 7bc Setup Checking for agent SelfUpdate

While this behavior is normal, it can potentially introduce a couple of issues:

- If the computers do not have Internet access they will retry the connection several times before proceeding with next action, thus prolonging the overall execution time of the Task Sequence.

- If the computers do have Internet access, this may cause high utilization of the Internet connection if many computers are running the Task Sequence.

Fortunately for us there is a way we can modify this behavior. To suppress the Windows Update Agent until the "Install Software Update" step runs in the Task Sequence, you can use an unattend.xml file to set the "ProtectYourPC" property to "3" in OOBE and add it in the Task Sequence.

Microsoft recommends using Windows System Image Manager (Windows SIM) when creating your unattend.xml file. The Windows System Image Manager technical reference can be found here: http://technet.microsoft.com/en-us/library/cc722301(v=ws.10).aspx

For reference, here is an example of how one such file might look for Windows 7 x86:

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="oobeSystem">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <OOBE>
                <ProtectYourPC>3</ProtectYourPC>
            </OOBE>
        </component>
    </settings>
    <cpi:offlineImage cpi:source="catalog://cm12std-sp1/dsources/install_windows 7 enterprise.clg" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>

Hope this helps!

Bryan Xiao | Support Engineer | Microsoft

Get the latest System Center news on Facebook and Twitter:

clip_image001 clip_image002

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • Adding this to the Apply Operating System step crashes the TS. Perhaps you could outline those steps also?
    I created a package, with the xml file with no program, selected the package and selected the file unattend_wsus.xml - which I created properly in WSIM