Looks like this is an issue with sysprep and Windows Update. (Don't know if it is by design at Microsoft or not). I found a couple others who saw it.
Looks like another registry key might be needed?
Another option would be to use LANDESK Patch Manager to manage, update and deploy patches to your environment, and you wouldn't need Windows Update turned on.
I tried adding the key suggested in the link, but no luck.
One thing I noticed once while generalizing the image was that it would briefly flash that updates had been turned off before it shut the image down for capture. I will try quitting the sysprep gui instead of shutting down after generalizing to see if I can go back in and turn updates on.
I haven't been able to test this yet since my vm image won't PXE boot for some reason... another thing to figure out.
Thanks for the suggestion.
Well, I didn't figure out how to turn updates back on through a provisioning action. But I found a way to get them turned back on before capturing the image.
As I was playing with the base image, generalizing a snapshot, I noticed a quick flash that updates were turned off. I normally shut the vm down with the shutdown switch in sysprep, so I decided to keep it running after sysprep finished generalizing. I went in and turned Windows updates back on before shutting down the vm to capture.
That is working for me now. Updates are now turned on after image deployment. Still would be nice to know why this is happening in the first place, but on to the next battle.
I'm thinking that turning off the updates is a "by design" sort of thing from Microsoft. Because you are running sysprep with the /generalize switch (which is what you should do), Microsoft is clearing a lot of things to make the image more "generic" and function on any number of machines and potentially different environments or use cases. I think changing the update setting qualifies as something they are "resetting". It especially makes sense considering OEM deployments. OEMs create their image to ship out on new computers (with all their "value added" software and such) and then they use sysprep to prep the image for other machines as well as influence the OOB experience their customers get. Because that computer could end up in any number of environments, they have to defer/allow the end user to select the option, so Microsoft resets/clears the option - effectively turning it off.
That is a bit of supposition on my part because I can't find official documentation indicating that is the case. At any rate, I'm glad you found a way to address your use case. I'm also thinking that Tom's idea might prove useful as well if needed.
I just tried setting the ProtectYourPC in the unattend as follows:
2 Specifies that only updates are installed.
This did not work. I agree with Tom that it would have been a cleaner way.
I tried rebuilding my base image, still the same. The only difference in my previous base image, which did not do this, was that it was BIOS-based, not UEFI. Not sure why UEFI would cause this action, or if it does at all.
I'll continue playing with this and report back if I stumble across anything.
Thanks for the input.
This used to work but I am now seeing the same thing. I wonder if this has anything to do with the Windows Update patch that came out.
I think you may be right about the Windows Update patch doing this. Unfortunately, there isn't any good way around this if that is true.
I tried starting an image from scratch and updates are turned off until you go through the control panel to turn them on. Once you turn them on, it goes out and tries to patch the update agent with the most recent patch before it will load any other updates. So in order to get all the current patches on the image, you need to install that Windows Update patch.
There really has to be a way to get them turned off post deployment with a provisioning action, but I haven't found it yet. I'm going to get a case opened with Microsoft and will post back if I get anything from them.