
using SCCM 2012 RC in a LAB - Part 12. Updating an Operating System image using Offline Servicing.


32 replies to this topic

#1 anyweb

anyweb

    Administrator

  • Root Admin
  • PipPipPip
  • 5,842 posts
  • Gender:Male
  • Location:Sweden
  • Interests:Deploying Operating systems and more with System Center Configuration Manager

Posted 10 December 2011 - 10:57 PM

In Part 1 of this series we got our AD and SCCM servers ready, and then we installed System Center 2012 Configuration Manager as a standalone Primary site. In Part 2 we configured the SCCM server further by adding some Windows Server roles necessary for the following Configuration Manager 2012 functionality: Software Update Point (SUP) and Operating System Deployment. In Part 3 we configured the server further by enabling Discovery methods and creating Boundaries and Boundary Groups. In Part 4 we configured Client Settings, added roles and distributed the ConfigMgr Client to our computers within the LAB, then in Part 5 we enabled the Endpoint Protection Role, configured Endpoint Protection settings and targeted a collection called All Windows 7 Computers with these settings and policies.

In Part 6 we configured our SUP further to deploy software updates to our All Windows 7 Computers and Build Windows 7 X64 collections. In Part 7 we used the Build and Capture process to create our Base Windows 7 X64 WIM image. In Part 8 we created a USMT 4 package to migrate the user's data using hardlinking and then we imported the captured image into ConfigMgr and created a Deploy Windows 7 X64 task sequence. We created a Deploy Windows 7 X64 Collection and set some User Device Affinity collection variables.

In Part 9 we created an Application, and created a deployment type for that application to only install if the Primary User was True for that device (User Device Affinity). We then copied our Task Sequence (duplicated it), deployed the new Task Sequence, added a computer to the new collection and then PXE booted the computer to the Deployment Menu. In Part 10 we monitored the Deployment process in a lot of detail to see how UDA sent state messages and we verified that our application installed on the user's Primary Device. In addition we modified our collection variables, and added a prestart command to our boot image to prompt for the SMSTSUdaUsers. In Part 11 we set up the Reporting Services Point Role and verified that reporting was working.

Now we will use a new feature in ConfigMgr which allows us to patch operating system WIM images using Offline Servicing. This means that you can apply Windows Updates by using Component-Based Servicing (CBS) to update your previously captured WIM images.

The Offline Servicing feature is applicable for Component Based Servicing (CBS) updates and for the following operating systems:

  • Microsoft Windows Vista SP2 and later
  • Microsoft Windows Server 2008 SP2 and later
  • Microsoft Windows 7 RTM
  • Microsoft Windows 2008 R2

DISM is used to inject the updates - Deployment Image Servicing and Management (DISM)






Note: At the launch of ConfigMgr 2012 Beta 2 Microsoft Windows 7 SP1 and Windows Server 2008 R2 SP1 are not supported. They will be supported with Configuration Manager 2012 RTM.



Step 1. Review our current Captured WIM file.

Perform the following on your SCCM 2012 server as SMSadmin.

In the ConfigMgr console, expand the Software Library and then expand Operating Systems, select Operating System Images. This will contain our previously captured Windows 7 X64 WIM image. Select our Windows 7 X64 WIM image and note the four tabs which appear.

windows 7 enterprise wim image.png

Click on the Update Status tab. This tab will list any updates that have been added to our image via Offline Servicing, we haven't completed any Offline Servicing on our WIM image yet so for this reason it will appear empty.

no items found in update status.png

Note: Even though our Captured image has updates installed in it already, unfortunately the Update Status tab will not list updates that are in the captured image unless those updates have been added via Offline Servicing after the WIM image was added to ConfigMgr.


Step 2. Perform a Software Update Point Synchronization

Perform the following on your SCCM 2012 server as SMSadmin.

Before we perform Offline Servicing, we want to make sure we have the latest updates Synced. In Software Updates, All Software Updates. In the Ribbon, click on Synchronize Software Updates.

all software updates synchronize software updates.png

answer Yes to the Sync request

yes to sync.png

While it's syncing, using CMTrace, monitor the WsyncMgr.log file found in D:\Program Files\Microsoft Configuration Manager\Logs, look for the Sync Succeeded line to be sure it's finished. If you have synced recently it will be quick.

sync succeeded.png

Once the sync is complete, mark any new updates that were released since you last updated your target OS and download them and add them to your Target Operating System Software Update Group (for example, add these updates to your Windows 7 updates software update group which we created in Part 6).


Step 3. Start Offline Servicing

Perform the following on your SCCM 2012 server as SMSadmin.

Select our Captured Windows 7 X64 image and click on Schedule Updates in the ribbon

schedule updates.png

The Update Operating System Image Wizard appears, note that it automatically selects the architecture of your image (X64) and you can list all the updates it has found available to this Operating System. If you want you can sort by any of the column headings, for example click on Bulletin ID to see what are the latest Bulletin IDs being made available to Offline Servicing.

update operating system image wizard.png

click next, and you are presented with the Set Schedule screen, this is great for ConfigMgr admins as it means you can decide when your server will do the Offline Servicing work (disk intensive) so for example you could schedule it to occur on Saturday evening when everyone is home. If you want to set a schedule click on Custom Schedule, however as we are in a LAB we will choose As soon as possible.

Note: Injecting updates into the WIM images offline is disk intensive so you should not perform this operation except when the server is 'at rest'. Also allow for free space on your Configmgr Server drive as the WIM image will be duplicated (backup copy created) during this process.

As soon as possible.png

you'll be presented with a summary of Updates offered to the Offline Servicing Process

summary.png

click next to continue and review the completion screen, the wizard is quick, the injection however takes time as you will see.

completion screen.png

Step 4. Monitor the Progress with the OfflineServicingMgr.log file

Perform the following on your SCCM 2012 server as SMSadmin.

ConfigMgr 2012 introduced some new logs one of which is the OfflineServicingMgr.log file, open it in CMTrace so that we can monitor the progress of our Offline Servicing. You will note it mentions copying our current WIM image to a temporary folder called ConfigMgr_OfflineImageServicing, and it's at this point your ConfigMgr server will become slower to use (especially in a LAB as typically your hardware isn't that fast in a LAB and this is very disk intensive).

offlineservicing log.png

if you browse this temp folder in Windows Explorer you can see the WIM file and some other temp folders used for the CBS injection process (via DISM)

offline image servicing temp folder.png

Note: make sure to close Windows Explorer or browse to a different folder than the one above as if you are browsing it during Commit, then the process will fail to delete the temp files/folders.

keep watching the log in CMTrace as it will tell you what percentage is done, for example, 25% of the copying is completed

copying 25% complete.png

once it's done copying the WIM file it mounts it to inject the CBS updates

copying done mounting image at index 1.png

and after some time it will check all available updates to see if they are applicable or not, each update will have an Applicability State which can be listed as any of the following:-

  • NOT_REQUIRED
  • INSTALLED
  • APPLICABLE
  • APPLICABILITY_CHECK_NOT_SUPPORTED

applicability_check_not_supported.png




finally you can see how many updates are being applied to the mounted image

total number of updates that are successfully applied on the mounted image is 9.png

and then it commits those changes. Verify that all is well in the OfflineServicingMgr.log file before continuing, and note that in addition to unmounting the image (committing changes) it then creates a backup copy of the original WIM file (with a file extension of BAK). Also look for the line saying Schedule Processing Completed, this notifies you that all is done.

backing up and schedule processing completed.png

Now browse to where your original captured WIM file is stored and you should see the original WIM file is renamed to BAK and the new file (larger file as it has updates applied) is in its place. If you need to keep the original file, copy it elsewhere or give it a new name.

two wim files.png


Step 5. Review our updated Image in the ConfigMgr Console.

Now that the Offline Servicing process is complete, let's examine the WIM file in Operating System Images (click refresh to update the display). You should see that the Scheduled Update Status says Successful, and that the Update Status tab lists the state applicability of the 78 updates it referenced in the OfflineServicingMgr.log file.

update status tab is full with 78 updates state applicability.png

Right click on our Windows 7 X64 Enterprise image and choose Properties, click on the Installed Updates tab, here you can see when any updates were added via Offline Servicing (in our case, it was 9 updates and they are indeed listed in the Date Installed column).

date installed.png


Step 6. Update your image to your Distribution Points

The last part of this process is to update your newly updated image to our Distribution Points, this is not done automatically you must do it yourself, this means that the scheduled task can run (Offline Servicing) and when it's done, you have to review the changes made before you decide if you want to update the image to your DP's or not.

Select our image and click on Update Distribution Points in the ribbon

update distribution point.png

click OK when prompted

ok to update.png

That's it, you've now injected Windows Updates (CBS) using a new feature in ConfigMgr 2012 called Offline Servicing, once the WIM image has completed updating to the DP's your Task Sequence will reference the New updated image and your Enterprise (LAB) will be using the most secure, most up to date image available.

 

Microsoft MVP > Enterprise Client Management
My linkedin profile at > linkedin.com
Follow me on Twitter > ncbrady
Follow windowsnoob.com on Twitter > windowsnoob
My blog

#2 iburnell

iburnell

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 05 March 2012 - 02:09 PM

Two quick questions Niall

1) If you patch up your .WIM each month how does it cope with the older/superseded patches in the .WIM file?
2) Could the "patched up" WIM be copied to a 2007 site so builds benefit from a fully patched image?

#3 anyweb


Posted 05 March 2012 - 02:27 PM

good questions,

1. not sure yet, will have to find out when that happens but i would assume that the superseded updates will overwrite the old ones. (ie: replace)
2. yes it's just a wim file after all so why not

#4 Iroqouiz

Iroqouiz

    Advanced Member

  • Members
  • PipPipPip
  • 323 posts
  • Gender:Male

Posted 25 April 2012 - 03:10 PM

Would like to know that as well. Any updates on that?

Thanks for all the great guides, they've helped me a lot.

#5 itkroplis

itkroplis

    Newbie

  • Members
  • Pip
  • 5 posts

Posted 12 May 2012 - 11:04 AM

Hi!
When I add a new win7 wim file and the executive "distribute content", is created in C:\ SMSPKGSIG new folder (for example PRI00014.1). Copying process is interrupted and win7.wim size is 20MB !?
If I try to execute "Schedule Updates" on this win7.wim, I get the response "Failed to copy the image from the package source location to the siteserver machine."

OfflineServicingMgr.log:
There is an image associated with this schedule.
Total number of individual updates to be installed is 90.
STATMSG: ID=7903 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_OFFLINE_SERVICING_MANAGER" SYS=SCCM2012.LV SITE=GS0 PID=3884 TID=2968 GMTDATE=se mai 12 08:56:28.559 2012 ISTR0="GS000015" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
Package source location for image GS000015 is not writable. GLE=5
STATMSG: ID=7915 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_OFFLINE_SERVICING_MANAGER" SYS=SCCM2012.LV SITE=GS0 PID=3884 TID=2968 GMTDATE=se mai 12 08:56:28.568 2012 ISTR0="GS000015" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
Schedule processing failed

The problem is probably here:
Package source location for image GS000015 is not writable. GLE=5
What rights and where to be?
-------


Update:
Create a new sharing folder. I gave the right to sharing and security rights of every all / full. Began to work well. Lack of understanding of how SCCM authenticate. Although SCCM admin users and SCCM server account is given full rights.


Update2:

Sharing Permission change to Everyone to full control.
Interestingly, with an account sccm2012 the authorization? Maybe the system!

#6 anyweb


Posted 12 May 2012 - 11:25 AM

well in my example above SMSadmin is the user running the configmgr console and that user is a local administrator of the same box, are you performing this as a user that has local administrative permissions on that server or has the user rights to read/write to that folder (the package source folder mentioned in your log file)

#7 itkroplis


Posted 12 May 2012 - 09:03 PM

My user has domain Enterprise Administrator. And has a maximum right. It turned out that sccm2012 authenticate the System.

#8 hhancock

hhancock

    Advanced Member

  • Members
  • PipPipPip
  • 73 posts

Posted 30 October 2012 - 06:13 PM

Does the Windows 7 Updates Software Update Group need to be deployed before it can be added to the WIM? I have not deployed the Software Update Group yet and noticed that the Schedule Updates Wizard doesn't populate with any information.

* I just need to deploy to the All Unknown Computers Device Collection.

#9 hhancock


Posted 31 October 2012 - 01:37 PM

Okay, I've gotten Offline Servicing to work thanks to this guide. I have a quick question with regards to adding updates to the Windows 7 Updates SUG (Software Update Group). Do I just do the following?
  • Download update (if it isn't already)
  • Edit membership (to make it a part of my Windows 7 Updates SUG)
  • Schedule Updates on the Operating System Installer Image
  • Update Distribution Points
Is that it?

#10 anyweb


Posted 31 October 2012 - 02:33 PM

that's about it, but i'd review the logs between point 3 and 4 to be sure the wim was updated successfully, in addition you may want to deploy the new wim image using a separate duplicate task sequence to verify it's working ok prior to rolling it out.

#11 hhancock


Posted 31 October 2012 - 03:30 PM

that's about it, but i'd review the logs between point 3 and 4 to be sure the wim was updated successfully, in addition you may want to deploy the new wim image using a separate duplicate task sequence to verify it's working ok prior to rolling it out.


The process I listed above didn't work for me. I go to "Schedule Updates" on the Operating System Installer Image yet the new updates are not listed. In fact, nothing is listed.

Specifically, I am trying to add Internet Explorer 9 to my image but it doesn't seem to be included in the update. It shows in my Windows 7 Updates SUG but it doesn't appear to get installed during the Offline Servicing.

In the OfflineServicingMgr.log file I noticed the following:

Applicability State = APPLICABILITY_CHECK_NOT_SUPPORTED, Update Binary = \\SCCM01\Sources\Updates\Windows7\ed9979fd-98b0-478d-a792-10ac1409756b\WU-IE9-Windows7-x64.exe. $$<SMS_OFFLINE_SERVICING_MANAGER><10-30-2012 18:37:03.435+240><thread=5160 (0x1428)>

What does APPLICABILITY_CHECK_NOT_SUPPORTED mean exactly? Is this why it isn't installed on my image?
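
The log checks from Step 4 and the replies above, as an added example that is not part of any post in this thread: a Python script that summarises an OfflineServicingMgr.log run by applicability state, lists the binaries reported as APPLICABILITY_CHECK_NOT_SUPPORTED, and flags GLE errors and failed schedules. The sample lines are constructed from the line shapes quoted in this thread, and the rule that the applied count should equal the number of APPLICABLE updates is an assumption of the example.

```python
import re
from collections import Counter

TRAILER = re.compile(r"\s*\$\$<.*$")  # CMTrace metadata: $$<component><time><thread>
STATE = re.compile(r"Applicability State = (\w+), Update Binary = (.+?)\.?$")
TO_INSTALL = re.compile(r"individual updates to be installed is (\d+)")
APPLIED = re.compile(r"successfully applied on the mounted image is (\d+)", re.I)
GLE = re.compile(r"GLE=(\d+)")
STATMSG_ERR = re.compile(r"^STATMSG: ID=(\d+) SEV=E\b")
GLE_NAMES = {5: "ERROR_ACCESS_DENIED"}  # Win32 error 5 = access denied

def triage(log_text):
    """Summarise one offline-servicing run from OfflineServicingMgr.log text."""
    run = {"states": Counter(), "unchecked": [], "to_install": None,
           "applied": None, "errors": [], "completed": False}
    for raw in log_text.splitlines():
        text = TRAILER.sub("", raw).strip()
        if (m := STATE.search(text)):
            state, binary = m.groups()
            run["states"][state] += 1
            if state == "APPLICABILITY_CHECK_NOT_SUPPORTED":
                run["unchecked"].append(binary)  # applicability was not checked offline
        elif (m := TO_INSTALL.search(text)):
            run["to_install"] = int(m.group(1))
        elif (m := APPLIED.search(text)):
            run["applied"] = int(m.group(1))
        elif (m := STATMSG_ERR.match(text)):
            run["errors"].append(f"status message {m.group(1)} has severity E")
        elif (m := GLE.search(text)) and int(m.group(1)) != 0:
            name = GLE_NAMES.get(int(m.group(1)), "Win32 error")
            run["errors"].append(f"{text} [{name}]")
        elif "schedule processing failed" in text.lower():
            run["errors"].append(text)
        elif "schedule processing completed" in text.lower():
            run["completed"] = True
    return run

def verdict(run):
    """Return FAILED, INCOMPLETE, MISMATCH or OK, checked in that order."""
    if run["errors"]:
        return "FAILED"
    if not run["completed"]:
        return "INCOMPLETE"
    # Assumption of this example: every APPLICABLE update should end up applied.
    if run["applied"] != run["states"]["APPLICABLE"]:
        return "MISMATCH"
    return "OK"

# Constructed samples. Line wording follows the log lines and screenshot captions
# in this thread; the server, package ID, file names and counts are made up.
STAMP = " $$<SMS_OFFLINE_SERVICING_MANAGER><01-02-2013 10:00:00.000+000><thread=1 (0x1)>"
GOOD_RUN = "\n".join(line + STAMP for line in [
    "Total number of individual updates to be installed is 4.",
    r"Applicability State = APPLICABLE, Update Binary = \\SRV\Updates\a\one.cab.",
    r"Applicability State = INSTALLED, Update Binary = \\SRV\Updates\b\two.cab.",
    r"Applicability State = APPLICABLE, Update Binary = \\SRV\Updates\c\three.cab.",
    r"Applicability State = APPLICABILITY_CHECK_NOT_SUPPORTED, Update Binary = \\SRV\Updates\d\four.exe.",
    "Total number of updates that are successfully applied on the mounted image is 2.",
    "Schedule Processing Completed",
])
FAILED_RUN = "\n".join([
    "Total number of individual updates to be installed is 90.",
    "Package source location for image XXX00001 is not writable. GLE=5",
    'STATMSG: ID=7915 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_OFFLINE_SERVICING_MANAGER"',
    "Schedule processing failed",
])

for label, sample in (("good", GOOD_RUN), ("failed", FAILED_RUN)):
    print(label, verdict(triage(sample)), triage(sample)["unchecked"])
```

Binaries returned in `unchecked` are the ones to deliver by another route, such as the Install Software Updates task sequence step mentioned in the replies that follow.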

#12 hhancock


Posted 31 October 2012 - 07:49 PM

I believe my issue is because Offline Servicing only installs core OS updates (Component-based Servicing). When I added the "Install Software Updates" to the task sequence it appears to have installed IE9 properly. However, I did notice that it didn't install those updates that were not marked as "required" during this pass (which included some cumulative security updates for IE9). Is this because I chose to "Install Mandatory Software Updates"?

#13 Peter van der Woude

Peter van der Woude

    Advanced Member

  • Moderators
  • PipPipPip
  • 2,332 posts
  • Gender:Male
  • Location:The Netherlands

Posted 31 October 2012 - 08:00 PM

First part is correct, you can only use offline servicing for OS updates and not for added applications.

My Blog: http://www.petervanderwoude.nl/
Follow me on twitter: pvanderwoude


#14 hhancock


Posted 31 October 2012 - 08:20 PM

Is it possible to automate this process at all with the Automatic Deployment Rules? I would like to apply new updates to my image automatically.

#15 Peter van der Woude


Posted 01 November 2012 - 07:53 PM

You can not use ADR to Offline Service an image.



#16 fxcat

fxcat

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 11 November 2012 - 09:51 PM

Thank you, Great Article!!

Quick question,
Lets say my WIM file is 4GB and the updates added are 50MB.
when you “update” your distribution points. Does it copy the full WIM file again everywhere or just the part that have been changed ?

Thank you

#17 67_dbc

67_dbc

    Advanced Member

  • Members
  • PipPipPip
  • 34 posts

Posted 08 August 2013 - 07:12 PM

I am having issues with my Offline Imaging in a sense that nothing is wrong with the process being done with Offline Scheduling but once the image is applied during the TS phase on the client, login and review the Windows Update History, all the updates appear up as fail?

 

Where do you suggest troubleshooting this issue? Do I have an issue with an update(s) injected in the WIM which is causing all the others to fail?

 

I haven't started over with a new WIM with a new sync of updates but I wanted to reach out to the community to see if anyone has had this issue or not.

 

Eric



#18 anyweb


Posted 08 August 2013 - 08:30 PM

did you do multiple offline servicing attempts for this or just one ? can you show me a screenshot of what the updates appear like in the operating system



#19 67_dbc


Posted 08 August 2013 - 10:42 PM

Yes this image was run a couple of times due to recent issues where McAfee Access Protection was blocking the updates being applied to the WIM. Now our environment is heavy on security so my SCCM server 'had' McAfee installed at the time. Once I removed it, I was able to successfully patch my WIMs. But come to think of it, with McAfee involved at the time, it could have messed up this WIM even though SCCM says everything is successful on the console once I moved forward.

 

If I may just to help with the community, here is a KB that McAfee does not want to own this problem when it is their problem....

https://kc.mcafee.co...UCTS& actp=LIST

 

Here are the updates applied to the image so we know logically they should be in the WIM.

Updates_on_Image.PNG

 

And the other image refers to the machine that received that image.

Client_Updates.PNG

 

Successful_Updates.PNG

 

OFFLine_Logs.PNG

 

Perhaps while you are thinking about it, I will create a fresh copy of this WIM, and re-apply the same updates to it and see how it goes.

 

 

As always Niall, I love your sccm knowledge, keep up the good work! I hope you can let me PM you on SUP questions if you have 15 minutes of time.

 

Eric



#20 67_dbc


Posted 14 August 2013 - 03:18 PM

I did recreate the WIM, installed a fresh set of Updates on it using the same steps above. Still getting the same issue on the clients not installing the updates in the Windows Update History. I don't know of any other way besides viewing that GUI to tell if that is truly a failed update that didn't apply. Are there logs elsewhere that would support that these updates are really failing during install?

 

Eric





