Still not quite sure what your environment is below; I assume that you are running SCCM with MDT integration with an OSD Windows 7 SP1 task sequence initiated from SCCM (as compared to an MDT Litetouch deployment).

Say you import a QFE Fix into your SCCM environment: KBXXXXXXX. Inside, it contains only one update, to the file notepad.exe. However, sometime later, Microsoft releases a new QFE Fix: KBYYYYYYYY. Inside, it also contains only an update to one file: notepad.exe. Which one will be used?

Hopefully, Microsoft has done their job and marked KBXXXXXXX as superseded by KBYYYYYYYY within the manifest of KBYYYYYYYY. Of course you *can* leave both on your SCCM server, but if the OS installs both you are just wasting time, because any installation of KBXXXXXXX will eventually be overridden by KBYYYYYYYY. That is what is meant by superseded.

As for the rest of your Task Sequence, I can't tell what the order is, or what you are running, so I can't comment. You mention some manual steps, but I don't know what they are.

In my test environment at home, I will just bulk install every patch from MSFT from my WSUS server during my Litetouch image build and capture process. If I wanted to streamline some things, I would install any .NET Frameworks and IE first, re-running the update after Office is installed to ensure that any Microsoft Updates are also installed.

-k

From: [email protected] On Behalf Of Nasse, Thorsten
Sent: Monday, July 28, 2014 2:12 AM
To: [email protected]
Subject: [MDT-OSD] AW: Deploying security updates within MDT - superseded updates vs. superseding updates

Anyone?

From: [email protected] On Behalf Of Nasse, Thorsten
Sent: Monday, July 21, 2014 10:36
To: [email protected]
Subject: [MDT-OSD] AW: Deploying security updates within MDT - superseded updates vs. superseding updates

Thanks for your answer, but I know the different ways to inject updates technically. My question was to clarify whether what Microsoft writes in the article I named below is right in principle. We integrate updates in the way I described below.
We don't want to change our method if it is not necessary. Could anyone confirm that our method is basically OK?

From: [email protected] On Behalf Of [email protected]
Sent: Monday, July 21, 2014 06:17
To: [email protected]
Subject: [MDT-OSD] RE: Deploying security updates within MDT - superseded updates vs. superseding updates

If you have SCCM, you can just offline inject them. Another way is the following, and have a separate WSUS server that your MDT build TS uses.

https://mdtcustomizations.codeplex.com/releases/view/111427

_____

From: [email protected] on behalf of Nasse, Thorsten [[email protected]]
Sent: Thursday, July 17, 2014 10:31 AM
To: [email protected]
Subject: [MDT-OSD] Deploying security updates within MDT - superseded updates vs. superseding updates

Hello folks,

in the TechNet article http://technet.microsoft.com/en-us/library/hh848254.aspx there is listed Operational Concerns for superseded updates in SCCM:

When possible, deploy the superseding software update to client computers instead of the superseded software update. You can display a list of the software updates that supersede the software update on the Supersedence Information tab in the software update properties.

What does it mean for deploying updates within MDT reference installation production? Is it really "dangerous" to install all missing updates in the reference image even if several updates have to be updated by a newer one?

In our Lab deployment share we build the reference image by installing first Windows 7 SP1 with all missing patches (up to date) - by using MDT-TS-step and the internal function of unattend.xml. After that we install all missing patches that could not be installed via MDT internal steps (actually 6 updates).
Then we install Internet Explorer and all missing patches for the actual configuration. Then we install Office and all missing patches for that. Then we install .NET 4.5.1 and all missing patches for that. We even make several reboots between the steps above.

What do you mean - is the way we install the patches above basically wrong?

Best regards,
T.N.
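
The supersedence rule explained in the first reply of this thread, shown as an added example that is not part of any message above: given the updates in a deployment share and the KBs each one declares as superseded, it works out which updates still need installing and which are redundant. The share contents are constructed; KBXXXXXXX and KBYYYYYYYY are the thread's placeholders and the other KB names are hypothetical.

```python
# Constructed share contents: each update lists the KBs its manifest declares
# as superseded. KBXXXXXXX/KBYYYYYYYY are the thread's placeholders; the other
# names are hypothetical.
SHARE = {
    "KBXXXXXXX":  [],
    "KBYYYYYYYY": ["KBXXXXXXX"],
    "KBZZZZZZZZ": ["KBYYYYYYYY"],   # chain: Z replaces Y replaces X
    "KBWWWWWWW":  [],               # unrelated update
    "KBVVVVVVV":  ["KBUUUUUUU"],    # replaces an update that is not in the share
}


def newest(kb, replaced_by):
    """Follow the supersedence chain from kb to the update(s) nothing replaces."""
    tips, stack, seen = set(), [kb], set()
    while stack:
        cur = stack.pop()
        if cur in seen:              # guard against a cyclic declaration
            continue
        seen.add(cur)
        nxt = replaced_by.get(cur)
        if nxt:
            stack.extend(nxt)
        else:
            tips.add(cur)
    return tips


def split_share(share):
    """Return (install, skip); skip maps a superseded KB to its newest replacement(s)."""
    replaced_by = {}
    for kb, supersedes in share.items():
        for old in supersedes:
            if old in share:         # only relevant if the old update is present
                replaced_by.setdefault(old, set()).add(kb)
    install = sorted(kb for kb in share if kb not in replaced_by)
    skip = {old: sorted(newest(old, replaced_by)) for old in replaced_by}
    return install, skip


if __name__ == "__main__":
    install, skip = split_share(SHARE)
    print("install:", install)
    for old, new in sorted(skip.items()):
        print(f"skip {old}: superseded by {', '.join(new)}")
```

An update stays on the install list when its replacement is not in the share, so removing a superseding package never silently drops the older fix.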
