8 Replies Latest reply on Oct 31, 2014 6:52 AM by davidg5700

    Windows updates turned off after sysprep

    davidg5700 Specialist

      I've asked Mr. Google about this, but he hasn't been very helpful. 


      I've created my thin base image of Win7 x64 Enterprise and generalize it before capture.  I have steps in the System Configuration phase that set the registry keys for pointing updates to our WSUS server.


      I just recently noticed that updates are off after the template has finished.  A simple click of the button will turn them on, but that leaves it up to the technician to ensure that is done.


      I went back to my base image vm and the updates are turned on before generalization, but when I generalize the vm, sysprep appears to be turning it off before shutting the vm down for capture.


      I am running 9.5 SP2 and am planning on moving to 9.6 soon, but this doesn't seem to be a problem with LD.  Am I missing a reg key that turns them on?  Below are the registry settings that are being made in my template:




        • 1. Re: Windows updates turned off after sysprep
          Tanner Lindsay SupportEmployee

          Looks like this is an issue with sysprep and Windows Update. (Don't know if it is by design at Microsoft or not). I found a couple others who saw it.


          Sysprep resets Windows Update settings



          Looks like another registry key might be needed?


          Another option would be to use LANDESK Patch Manager to manage, update and deploy patches to your environment, and you wouldn't need Windows Update turned on.

          • 2. Re: Windows updates turned off after sysprep
            davidg5700 Specialist



            I tried adding the key suggested in the link, but no luck.


            One thing I noticed once while generalizing the image was that it would briefly flash that updates had been turned off before it shut the image down for capture.  I will try quitting the sysprep gui instead of shutting down after generalizing to see if I can go back in and turn updates on.


            I haven't been able to test this yet since my vm image won't PXE boot for some reason... another thing to figure out.


            Thanks for the suggestion.

            • 3. Re: Windows updates turned off after sysprep
              davidg5700 Specialist

              Well, I didn't figure out how to turn updates back on through a provisioning action.  But I found a way to get them turned back on before capturing the image.


              As I was playing with the base image, generalizing a snapshot, I noticed a quick flash that updates were turned off.  I normally shut the vm down with the shutdown switch in sysprep, so I decided to keep it running after sysprep finished generalizing.  I went in and turned Windows updates back on before shutting down the vm to capture.


              That is working for me now.  Updates are now turned on after image deployment.  Still would be nice to know why this is happening in the first place, but on to the next battle.

              • 4. Re: Windows updates turned off after sysprep
                Tom Farrugia SupportEmployee

                This might be a cleaner way to handle it, making the changes in the unattend.xml.



                1 of 1 people found this helpful
                • 5. Re: Windows updates turned off after sysprep
                  Tanner Lindsay SupportEmployee

                  I'm thinking that turning off the updates is a "by design" sort of thing from Microsoft. Because you are running sysprep with the /generalize switch (which is what you should do) Microsoft is clearing a lot of things to make the image more "generic" and function on any number of machines and potentially different environments or use cases. I think changing the update setting qualifies as something they are "resetting". It especially makes sense considering OEM deployments. OEMs create their image to ship out on new computers (with all their "value added software and such) and then they use sysprep to prep the image for other machines as well as influence the OOB experience their customers get. Because that computer could end up in any number of environments, they have to defer/allow the end user to select the option, so Microsoft resets/clears the option - effectively turning it off.


                  That is a bit of supposition on my part because I can't find official documentation indicating that is the case. At any rate, I'm glad you found a way to address your use case. I'm also thinking that Tom's idea might prove useful as well if needed.

                  1 of 1 people found this helpful
                  • 6. Re: Windows updates turned off after sysprep
                    davidg5700 Specialist



                    I just tried setting the ProtectYourPC in the unattend as follows:










                    2 Specifies that only updates are installed.


                    This did not work.  I agree with Tom that it would have been a cleaner way.


                    I tried rebuilding my base image, still the same.  The only difference in my previous base image, which did not do this, was that it was bios based, not UEFI.  Not sure why UEFI would cause this action, or if it does at all.


                    I'll continue playing with this and report back if I stumble across anything.


                    Thanks for the input.

                    • 7. Re: Windows updates turned off after sysprep

                      This used to work but I am now seeing the same thing..  I wonder if this has anything to do with the window update patch that came out.

                      • 8. Re: Windows updates turned off after sysprep
                        davidg5700 Specialist



                        I think you may be right about the Windows Update patch doing this.  Unfortunately, there isn't any good way around this if that is true.


                        I tried starting an image from scratch and updates are turned off until you go through the control panel to turn them on.  Once you turn them on, it goes out and tries to patch the update agent with the most recent patch before it will load any other updates.  So in order to get the all the current patches on the image, you need to install that Windows Update patch.


                        There really has to be a way to get them turned off post deployment with a provisioning action, but I haven't found it yet.  I'm going to get a case opened with Microsoft and will post back if I get anything from them.