WIM Patching and Patch Deployments detection


Config Mgr 2012 SP1

All, just trying to figure out if anyone else runs into this problem. My company deploys patches quarterly. I read all the KBs, verify which patches I need, and also which patches need to be deployed by themselves. I set up deployments that run overnight. I break up the deployments based on prerequisites and on whether a KB says it has to be installed solo, whether a reboot is necessary, etc.

Offices are on a 12 am to 6 am maintenance window. Patches are deployed during this time. The option to install outside the maintenance window is unchecked. Deadlines are set to 15~30 minutes after the available time. 90-minute restart timer if a user is logged in.

Each deployment is given a lot of thought: deployment + install + reboot timer (if logged in).

Brief overview of a recent patch deployment:

12:00 am critical updates first round
12:30 am critical updates second round

(patch restart if necessary)
2:30 am PowerShell script to force policy retrieval, software update scan, and software update deployment evaluation
3:00 am Security Updates


Once the patches reach 90~100% compliance for my offices, I start to patch my WIM a few days later.

This time I patched the WIM using the SCCM GUI on a copy of the current WIM. I carefully selected only the patches I have pushed out in the recent update. I did the GUI patching in the same order as the deployment: start with the critical updates first round, let it patch the WIM, then once successful start the process again with the next set. End result: the WIM grows in size. ImageX is used to update the WIM description and version number.

The WIM was not distributed to my test DPs until all of this was completed.

I made a copy of my existing task sequence, then updated the Install Operating System step with the newly updated WIM. The Install Updates step is disabled in the task sequence (the updates should already be in the WIM).

The imaged test machine is placed into a collection that sets the maintenance window to 24 hours.

I keep an eye on WUAHandler.log and UpdatesDeployment.log to see if patches are triggered.

Sadly, all of the patches I applied in the GUI redeploy to the test workstation.


My question is: why are the patches not detected as installed and skipped?

I compared the logs with the installed updates from the server and see the same KB numbers in both. Not sure why it is patching an already “patched” WIM.


My other option is to copy the WIM, extract the patches to a folder, and use the DISM /Add-Package switch to install the patches (I did this on the last version of the WIM). I really didn’t want to do this, since not all patches are .cab files that can be installed this way (like .NET updates).

Any information would be greatly appreciated.
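A check worth running on the patched WIM before re-imaging, as an added example rather than code from the original post: mount the image read-only, list what the offline image actually contains per KB and in which package state, then compare that against the KBs that redeployed to the test workstation. The WIM path, image index, mount directory and the `$RedeployedKBs` list are hypothetical/constructed placeholders, not values from the post; the cmdlets are the standard DISM PowerShell module (Windows 8 / Server 2012 or the ADK) and need an elevated prompt.

```powershell
# Added example, not from the original post. Assumptions (hypothetical values):
#   - the patched WIM copy is at D:\Images\Win7-patched.wim, index 1
#   - D:\Mount exists and is an empty scratch directory
#   - $RedeployedKBs is a constructed stand-in for the KB numbers seen in
#     WUAHandler.log / UpdatesDeployment.log on the test workstation
# Requires the DISM PowerShell module and an elevated prompt.

Import-Module Dism

$WimPath       = 'D:\Images\Win7-patched.wim'              # assumption
$Index         = 1                                         # assumption
$MountDir      = 'D:\Mount'                                # assumption
$RedeployedKBs = @('KB2862152', 'KB2871997', 'KB2887069')  # constructed sample

function Get-WimKBState {
    <#
      Mount the image read-only, enumerate every package in the offline image,
      pull the KB number out of the package identity
      (e.g. Package_for_KB2862152~31bf3856ad364e35~amd64~~6.1.1.2)
      and return a hashtable of KB -> PackageState. Always dismounts.
    #>
    param([string]$ImagePath, [int]$ImageIndex, [string]$Path)

    Mount-WindowsImage -ImagePath $ImagePath -Index $ImageIndex -Path $Path -ReadOnly | Out-Null
    try {
        $state = @{}
        Get-WindowsPackage -Path $Path | ForEach-Object {
            if ($_.PackageName -match 'KB(\d{6,7})') {
                $kb = "KB$($Matches[1])"
                # A KB can ship as several packages; keep the worst state seen for it.
                if (-not $state.ContainsKey($kb) -or $_.PackageState -ne 'Installed') {
                    $state[$kb] = [string]$_.PackageState
                }
            }
        }
        return $state
    }
    finally {
        # -Discard: we only read, never want to write back into the WIM here.
        Dismount-WindowsImage -Path $Path -Discard | Out-Null
    }
}

$wimState = Get-WimKBState -ImagePath $WimPath -ImageIndex $Index -Path $MountDir

# Packages that are not 'Installed' (e.g. 'InstallPending', 'Staged') are the first
# thing to look at: offline servicing can leave a package pending until first boot.
"--- packages in the WIM not in Installed state ---"
$wimState.GetEnumerator() | Where-Object { $_.Value -ne 'Installed' } |
    Sort-Object Name | Format-Table Name, Value -AutoSize

# Cross-check the KBs that redeployed against what the offline image actually carries.
"--- redeployed KBs vs. WIM contents ---"
foreach ($kb in $RedeployedKBs) {
    if (-not $wimState.ContainsKey($kb)) {
        "$kb : no package with that KB number is present in the WIM"
    } elseif ($wimState[$kb] -ne 'Installed') {
        "$kb : present in the WIM but PackageState is $($wimState[$kb])"
    } else {
        "$kb : Installed in the WIM; compare the update's applicability rules with what the client evaluates"
    }
}
```

The three outcomes separate the cases a practitioner wants to tell apart: the KB never made it into the image (GUI servicing skipped or failed it), it is in the image but not fully installed (pending until the image is booted), or it really is installed and the client is re-evaluating it for some other reason, which points the investigation at the update's detection logic rather than at the WIM.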
