~ Bryan Xiao
When deploying an operating system to clients using an OS image with either System Center Configuration Manager 2007 (ConfigMgr 2007) or System Center 2012 Configuration Manager (ConfigMgr 2012), even if there's an "Install Software Update" step in the Task Sequence, computers will try to connect to Windows Update to download some updates before initiating the "Install Software Update" step. This is a normal behavior and we can monitor this via Windowsupdate.log by looking for the following entries:
1004 7bc Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates]
1004 7bc Agent *********
1004 7bc Agent * Online = Yes; Ignore download priority = No
1004 7bc Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
1004 7bc Agent * ServiceID = {9482F4B4-E343-43B6-B170-9A65BC822C77} Windows Update
1004 7bc Agent * Search Scope = {Machine}
1004 7bc Setup Checking for agent SelfUpdate
While this behavior is normal, it can potentially introduce a couple of issues:
- If the computers do not have Internet access they will retry the connection several times before proceeding with next action, thus prolonging the overall execution time of the Task Sequence.
- If the computers do have Internet access, this may cause high utilization of the Internet connection if many computers are running the Task Sequence.
Fortunately for us there is a way we can modify this behavior. To suppress the Windows Update Agent until the "Install Software Update" step runs in the Task Sequence, you can use an unattend.xml file to set the "ProtectYourPC" property to "3" in OOBE and add it in the Task Sequence.
Microsoft recommends using Windows System Image Manager (Windows SIM) when creating your unattend.xml file. The Windows System Image Manager technical reference can be found here: http://technet.microsoft.com/en-us/library/cc722301(v=ws.10).aspx
For reference, here is an example of how one such file might look for Windows 7 x86:
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="oobeSystem">
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<OOBE>
<ProtectYourPC>3</ProtectYourPC>
</OOBE>
</component>
</settings>
<cpi:offlineImage cpi:source="catalog://cm12std-sp1/dsources/install_windows 7 enterprise.clg" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>
Hope this helps!
Bryan Xiao | Support Engineer | Microsoft
Get the latest System Center news onFacebookandTwitter:
System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm
Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv
The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/