First, I honestly don’t know which updates are all CBS and which are not. I know that Office updates are not CBS (as mentioned by the others). I don’t think .NET Framework in Win 7 are either although they are in Win 8 – not sure on this though as I haven’t explicitly looked. I don’t think there’s a comprehensive list anywhere either ☹

As for what servicing buys you over installation during a build and capture: Technically, not much except side-stepping the double-reboot issues (although I’ve heard this isn’t even the case). Servicing has the advantage that you can add updates not in WSUS though (like 2775511 among a few others) – you need to do this servicing manually though with DISM. The other advantage to servicing is that you don’t have to re-run your build and capture TS to inject the new monthly updates assuming they are all CBS based. If you are comparing servicing to deploying updates in a normal deployment TS, then I’d say a lot because you are deploying a completely unpatched image which to me is a huge security risk.

My normal thing to do is use manual servicing to inject non-WSUS updates (like 2775511) and double-reboot updates into the base image and then use a build and capture TS to inject the rest and put any other polish on the image. Then, on a monthly basis, use servicing to inject new monthly updates. Then once every 6 months (or so), re-run the build and capture TS to add all (even non-CBS) updates. I guess you/I could simply add the manual servicing steps to the build and capture TS also but just haven’t done that. There’s lots of middle ground and minor differences possible here also.

J

From: [email protected] [mailto:[email protected]] On Behalf Of Dwayne Allen
Sent: Wednesday, October 29, 2014 9:42 AM
To: [email protected]
Subject: Re: [mssms] RE: Patch/WIM Injection

But what does that buy you over having an apply software updates step in your task sequence?

-----
Dwayne Allen
[email protected]
(479) 310-0027

On Wed, Oct 29, 2014 at 8:40 AM, Jason Wallace <[email protected]> wrote:

They are deployed as the OS boots for the first time so from a security perspective it is better than having a vulnerable system on the LAN while updates are deployed.

On 29 Oct 2014, at 14:08, Bradley, Matt <[email protected]> wrote:

When you say not all updates can be injected, do you mean things like Office updates, or are there others that a person would miss? I also didn’t realize injecting the updates to the image didn’t actually install them. If they are only installed after an OSD, then I’m even more inclined not to inject. I might image two PCs as a test, one with the patches already installed, one with them injected, and see which one builds faster.

From: [email protected] [mailto:[email protected]] On Behalf Of Jason Sandys
Sent: Tuesday, October 28, 2014 10:06 AM
To: [email protected]
Subject: [mssms] RE: Patch/WIM Injection

First, not all updates can be injected into a WIM so even if you do employ image servicing, it is not sufficient to deploy a fully patched image. Thus, you really should be capturing a new image periodically no matter what – if you are using a build and capture task sequence (whether in MDT or ConfigMgr) then this is a trivial task (beware of the double reboots in ConfigMgr though ☹). Offline servicing in ConfigMgr has had issues (not really ConfigMgr’s fault to my knowledge but that’s beside the point) and is why some/many people shy away from using image servicing. Also note that image servicing doesn’t actually install the updates. It merely injects them into the WIM for installation during Windows Setup so it really doesn’t save you as much as you think it does in terms of time or space.

J

From: [email protected] [mailto:[email protected]] On Behalf Of Bradley, Matt
Sent: Tuesday, October 28, 2014 9:55 AM
To: [email protected]
Subject: [mssms] Patch/WIM Injection

I’ve read that some people do not like injecting monthly patches directly into the OS WIM. Some prefer to just capture reference images.
Being that a bad patch could be removed from a WIM if it was determined to be bad, I’d like to hear some feedback on why some choose to still stay away from this method, and stay with reference image capture. Thanks.
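
Added example, not part of the thread or any poster's own script: the manual DISM servicing discussed above, done with the DISM PowerShell cmdlets, reporting the state of each injected package and recording the files that could not be injected. All paths and the image index are placeholder assumptions.

```powershell
# Added example: offline servicing of a WIM with the DISM PowerShell module.
# Every path and the index below are placeholders (assumptions), not thread values.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'   # make cmdlet failures catchable

$WimPath   = 'D:\Images\install.wim'   # placeholder: image to service
$Index     = 1                         # placeholder: image index inside the WIM
$MountDir  = 'D:\Mount'                # placeholder: existing, empty directory
$UpdateDir = 'D:\Updates'              # placeholder: folder holding .msu/.cab files

Mount-WindowsImage -ImagePath $WimPath -Index $Index -Path $MountDir | Out-Null
try {
    # Package identities present before injection, so only the delta is reported.
    $before = @((Get-WindowsPackage -Path $MountDir).PackageName)

    $failed = @()
    $files  = Get-ChildItem -Path $UpdateDir -File |
              Where-Object { $_.Extension -in '.msu', '.cab' } |
              Sort-Object Name
    foreach ($file in $files) {
        try {
            Add-WindowsPackage -Path $MountDir -PackagePath $file.FullName | Out-Null
        } catch {
            # Updates that cannot be serviced offline or do not apply end up here;
            # they still have to be installed in a build and capture run.
            $failed += [pscustomobject]@{ File = $file.Name; Error = $_.Exception.Message }
        }
    }

    # PackageState shows how DISM reports each newly injected package in the
    # offline image (for example Installed versus InstallPending).
    Get-WindowsPackage -Path $MountDir |
        Where-Object { $_.PackageName -notin $before } |
        Sort-Object PackageState, PackageName |
        Format-Table PackageName, PackageState, ReleaseType -AutoSize

    if ($failed) { $failed | Format-Table -AutoSize -Wrap }

    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
} catch {
    # Never commit a half-serviced image: throw the changes away and re-raise.
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    throw
}
```

To back out a bad patch, mount the image the same way and pass the `PackageName` from this report to `Remove-WindowsPackage -Path $MountDir -PackageName <name>` before dismounting with `-Save`.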

