Install Windows hotfixes (.MSU) during OS deployment using MDT/SCCM2012.

Recently, our local desktop support team came to me with an issue they had discovered in the image that is deployed via SCCM.  The issue was that when they attempted to “Turn Windows features on or off”, the dialog box shown was blank.  They had assumed that deploying the image via SCCM was somehow disabling this dialog box.

missingfeatures

While troubleshooting this issue, I had discovered that Microsoft was aware of this issue and they had created KB931712 in order to fix this.  However, this did not work for me.  Another MSDN post recommended to run the System Update Readiness Tool (SURT) in order to fix any Windows Update corruption.  Again, this did not work for me either.

I started to dig deeper into this issue and found that SURT creates a log file of anything it finds.  The log file is located at C:\Windows\Logs\CBS\CheckSUR.log.  For help with reading the log file, I found this very good tutorial.

Here is the content of the log file:

Checking System Update Readiness.
Binary Version 6.1.7601.21645
Package Version 19.0
2013-12-18 15:57

Checking Windows Servicing Packages

Checking Package Manifests and Catalogs
(w) CBS Catalog Expired 0x800B0101 servicing\Packages\Package_5_for_KB2722913~31bf3856ad364e35~amd64~~6.1.1.0.cat

Checking Package Watchlist

Checking Component Watchlist

Checking Packages

Checking Component Store

Summary:
Seconds executed: 1424
 No errors detected
 CSI Catalog Expired Total count: 0
 CBS Catalog Expired Total count: 1

Even though no errors were detected, I found that update KB2722913 had an expired catalog file.  I then opened the properties to the referenced catalog file in C:\Windows\servicing\Packages and sure enough, under the “Digital Signatures” tab, the certificate that was used to sign the catalog file had expired as of 06/27/2013.  This expired certificate was preventing the Windows features from being displayed in the dialog box.

cert

To workaround this issue, we could have just uninstalled the affected Windows update(s), but this approach does not address the root cause.  Instead, Microsoft has released KB2749655 in order to resolve this issue.  There are several ways we could use to deploy the hotfix via SCCM, for example, we could create a package with the MSU and create a program to install it using the following command:

wusa.exe Windows6.1-KB2749655-x64.msu /quiet /norestart

Similarly, you can follow this post which uses a VBScript to install multiple hotfixes to a collection.  However, I’m only interested in deploying the hotfix with an OS deployment.  In order to accomplish this we will leverage the power of an MDT/ SCCM 2012 integrated task sequence in order to apply the Windows hotfix (.msu file) to an image right after deployment.  The Powershell script and idea came from the following post at “The Knack” but I found I had to add a “Restart Computer” action to the task sequence in order to allow the hotfix to fully install.

Powershell Script (ApplyHotfixes.ps1):

$scriptPath = split-path -parent $MyInvocation.MyCommand.Definition
$folder = $scriptPath += "\hotfix"
$total = gci $folder *.msu | measure | Select-Object -expand Count
$i = 0
gci $folder *.msu | foreach {
        $i++
        WUSA ""$_.FullName /quiet /norestart""
        while(get-process wusa -ErrorAction SilentlyContinue)
        {Write-Progress -activity "Applying Windows Hotfixes" -status "Installing $_ .. $i of $total" -percentComplete (($i / $total) * 100)}
        Write-Progress -activity "Applying Windows Hotfixes" -status "Installed $_ .. $i of $total" -percentComplete (($i / $total) * 100)
        }
  1. Make a folder in your SCCM software repository and put the Powershell script along with a subfolder named “Hotfix”.  Inside the subfolder, place the .MSU files you would like to install.12-18-2013 10-10-39 PM
  2. Create a package out of the previously created folder and do not create a program.  Don’t forget to distribute the package to your distribution points.12-18-2013 10-14-12 PM
  3. Add a folder at the end of your OSD task sequence to group the MDT actions together.  The add the below MDT actions.12-18-2013 10-17-48 PM
  4. In the “Use Toolkit Package” action, select your MDT 2012 package.12-18-2013 10-19-07 PM
  5. In the “Gather” action, select your MDT CustomSettings.ini package.12-18-2013 10-19-21 PM
  6. In the “Run PowerShell Script” action, select the package we created with the script and if you named the script “ApplyHotfixes.ps1”, type its name in the space provided.12-18-2013 10-19-34 PM
  7. Last but not least, add a standard “Restart Computer” action to allow the MSU installation to finish.  Make sure the “Default Operating System” is selected or else it will boot back into the task sequence.12-18-2013 10-19-44 PM

This is all that is needed to get this working folks!  The powershell script will continue to recurse the directory until all .MSU files are installed and upon booting into Windows, you should be able to view the install updates under “Programs and Features” in Control Panel.

In the context of my particular issue, we were able to deploy the OS image, install KB2749655 and upon booting into Windows, the “Turn Windows features on or off” dialog box looked like this:

12-18-2013 10-32-22 PM

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s