Updating The Windows 7 Update Agent in a MDT or SCCM Task Sequence Prior to Installing Updates

Overview:

If you haven’t been keeping up with the recent issues around the Windows Update Agent, I will give you a quick rundown.

You can skip to the resolution if you just want to see how to update the Windows Update Agent and skip the details.

Issue:

In July 2015, we started seeing issues with the Windows Update Agent using very high memory utilization during update scans. The scans would eventually time out with error: WARNING: ISusInternal::GetUpdateMetadata2 failed, hr=8007000E

There are two parts to this issue as shown below (More detailed info in this blog post) :

  1. The Microsoft Update / WSUS Catalog is becoming very large over time with all the updates being released. There is a way to help keep your local WSUS update catalog smaller by declining superseded updates. You can review this blog post for more info on that.
  2. Windows Update Agents older than version 7.6.7601.19077 (Dec 2015) on Windows 7 are susceptible to the higher memory utilization and timeouts. The timeout happens more often on Windows 7 x86, but can also happen on Windows 7 x64.

Research:

I ran some tests during a MDT build and capture task sequence for Windows 7 SP1 (x86 and x64). Below is a set of different scenarios I tested. In all these tests, the Windows Update Agent was version 7.6.7600.320 this is what’s baked into Windows 7 with SP1. You can check the file version of: c:\windows\System32\wuapi.dll to verify the Windows Update Agent version. The virtual machine I used was 4 cores, 4 – 8 GB RAM, and SSD.

  1. I used WSUS and Microsoft Updates by changing the CustomSettings.ini in MDT to use or not to use my WSUS server.
  2. While using WSUS in the MDT task sequence, I configured WSUS differently for each test.
    1. The first test the WSUS catalog was only syncing the following products: Windows 7, Windows 8.1, Windows 10, and Windows Server 2012 R2.
    2. The second test WSUS was set to sync every product and classification.

Testing Results for WUAgent 7.6.7600.320:

1. Windows 7 x86 – Microsoft Updates - ( Logs Here )

  • After 3 minute and 30 seconds, the pre-application and post-application update steps both failed.
  • WindowsUpdate.log received: WARNING: WU client failed Searching for update with error 0x8007000e
  • ZTIWindowsUpdate.log received: FAILURE (Err): 7: Windows Update, search for updates. - Out of memory

2. Windows 7 x64 – Microsoft Updates - ( Logs Here )

  • After 1 hour and 15 minutes, the Pre-Application update scan finally completed and started to download updates
  • No status in WindowsUpdate.log or ZTIWindowsUpdate.log during this long scan time
  • There was very high memory utilization from svchost.exe (WUAgent) during the scanMemoeryUtil

3. Windows 7 x86 – WSUS Catalog (Small) - ( Logs Here )

  • After 1 minute and 30 seconds, the pre-application update scan was complete and updates started to download.
  • The WSUS catalog was only syncing Windows 7, Windows 8.1, Windows 10, Server 2012 R2 and Superseded updates were being declines. There were only 1,574 updates in the WSUS catalog:
    WSUS

4. Windows 7 x64 – WSUS Catalog (Small) - ( Logs Here )

  • After 3 minute and 20 seconds, the pre-application update scan was complete and updates started to download.
  • The WSUS catalog was only syncing Windows 7, Windows 8.1, Windows 10, Server 2012 R2 and Superseded updates were being declines. There were only 1,574 updates in the WSUS catalog.

5. Windows 7 x86 – WSUS Catalog (Large) - ( Logs Here )

  • After 1 minute and 13 seconds, the pre-application update step failed.
  • WindowsUpdate.log received: WARNING: WU client failed Searching for update with error 0x8007000e
  • ZTIWindowsUpdate.log received: FAILURE (Err): 7: Windows Update, search for updates. - Out of memory
  • The second scan (Post-Application) did succeed. The second scan took 57 minutes to complete.
  • The WSUS catalog syncing all products and classifications. This was a total of around 95K updates
    image

6. Windows 7 x64 – WSUS Catalog (Large) - ( Logs Here )

  • After 32 minutes, the pre-application update scan was complete and updates started to download updates.
  • The WSUS catalog syncing all products and classifications. This was a total of around 95K updates

The Resolution:

I’ve done various test on updating the Windows Update Agent in a build and capture task sequence to: KB3112343 (December 2015) . This Windows Update Agent update (7.6.7601.19077 / December 2015) fixed issues causing high memory utilization and timeouts during an update scan. This hotfix is a MSU update file.

Typically, you would just use wusa.exe to apply a MSU update, but this would cause issues since wusa.exe would initiate an update scan to check for applicability thus causing the high memory utilization and over an hour install time.

To work around this, I used pkgmgr.exe to apply the CAB file within the MSU update directly.

image

The install command is: pkgmgr /ip /m:"Windows6.1-KB<IDNumber>-x64.cab" /quiet /norestart /l:%temp%\WUAgentUpdate.log

You can download the Install Script and CAB files for use with a MDT by clicking the link below:

Download WUAgent 7.6.7601.19116 (February 2016) for use with MDT

This install script (Install.cmd) will handle Windows 7 x86 or x64 WUAgent update. You need to add this step prior to the Windows Update steps in MDT and create a reboot step after the application install. The reboot step is required in MDT in order for the update to install.

image

You can download a pre-built application for SCCM that includes the content, requirement rules, metadata, and detection logic by clicking the link below. You will just have to extract the “WUAgent 7.6.7601.19116 (February 2016) - Application for Importing.zip” and import the “WUAgent 7.6.7601.19116 (February 2016).zip” within the extracted zip from a UNC path.

Download WUAgent 7.6.7601.19116 (February 2016) for use with SCCM

This application will handle the reboot since it will receive exit code 3010 and reboot for you within the task sequence.

image

Testing Results for WUAgent 7.6.7601.19077:

1. Windows 7 x86 – Microsoft Updates - ( Logs Here )

  • After 2 minutes, the Pre-Application update scan completed and started to download updates.
  • Both update scans failed in this test with the 6.7600.320 Windows Update Agent

2. Windows 7 x64 – Microsoft Updates - ( Logs Here )

  • After 4 minutes, the Pre-Application update scan completed and started to download updates
  • This saved 1 hour and 11 minutes by updating the Windows Update Agent for the first update scan

3. Windows 7 x86 – WSUS Catalog (Large) - ( Logs Here )

  • After 59 minutes, the pre-application update scan was complete and updates started to download.
  • The WSUS catalog syncing all products and classifications. This was a total of around 95K updates

4. Windows 7 x64 – WSUS Catalog (Large) - ( Logs Here )

  • After 32 minutes, the pre-application update scan was complete and updates started to download updates.
  • The WSUS catalog syncing all products and classifications. This was a total of around 95K updates

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of any included script samples are subject to the terms specified in theTerms of Use

Comments

  • Anonymous
    February 10, 2016
    What's wrong in injecting the latest WUAgent msu file via package method in MDT?
    • Anonymous
      March 16, 2016
      Just tested this method works well will update the post soon since that is easier.
  • Anonymous
    February 10, 2016
    @ Mohammed, I just didn't test it. That may work just fine, but I was looking at something simple the would work in MDT as well as ConfigMgr.
  • Anonymous
    February 11, 2016
    Referenced KB is NOT the latest WU Engine anymore...its now KB3135445
    .19116
  • Anonymous
    February 11, 2016
    @ Bill, I'm not to worried about always using the latest WUAgent. This is to workaround to scanning issues in the WUAgent built into Windows 7 SP1. Once the machine becomes managed via SCCM/WSUS, it will self update itself anyway.
  • Anonymous
    February 11, 2016
    Nice posting with good background detail. Thanks for sharing!
  • Anonymous
    February 12, 2016
    Good work here Justin! This will help stabilize the Windows update process during image builds on MDT. For those that update their image on a quarterly basis, this is a must to implement in your MDT task sequence.
  • Anonymous
    February 12, 2016
    I’m sure you’ve noticed that when building a new Windows 7 SP1 image that there are a lot of updates
  • Anonymous
    February 13, 2016
    We were just getting complaints from Tier 1 on how slow imaging has become with updates, you read my mind as I was about to start searching for a solution. Great timing.
  • Anonymous
    February 17, 2016
    The comment has been removed
  • Anonymous
    February 17, 2016
    @Tom, for consumer it should just update itself just fine. You could download the MDT update files and run the install.cmd as admin to manually update it just reboot after that.
  • Anonymous
    February 21, 2016
    Thanks so much i've been on with microsoft 4 days now trying to fix this and you got the fix THANKS AGAIN
  • Anonymous
    February 22, 2016
    This is a good read, I'll have to check my current WUAgent version in my Windows 7 images. I currently have a long deployment time with my Win8.1 x64 images, and it's largely due to the Windows Updates steps (pre and post application). I wonder, should I also be wary of the agent version for Windows 8.1 images? I have completely patched the image before capturing it.
  • Anonymous
    February 22, 2016
    @Bolton, I haven't really seen any major issues with the Windows 8.1 or 10 RTM images around the WUAgent.
  • Anonymous
    February 24, 2016
    Quick question, you mention that this is for Windows 7. Can this be applicable to Windows Server 2008 R2 images?
  • Anonymous
    February 24, 2016
    The comment has been removed
  • Anonymous
    February 24, 2016
    I used SCCM 2012 Offline Imaging to update my base .wim with the KB3135445 update. That should handle it, no?
    • Anonymous
      March 16, 2016
      Yes that should work did some testing.
  • Anonymous
    February 25, 2016
    Justin... Do you run fsutil.exe 8dot3name set c: 0 before your script in MDT? I put that cmd file in my build and capture TS but it just hangs. Looking at the script I see you are using "%~dps0" rather than "%~dp0".
  • Anonymous
    February 25, 2016
    @Russel, No I didn't need to change anything.
  • Anonymous
    March 01, 2016
    Awesome Justin! thanks a lot!
  • Anonymous
    March 10, 2016
    March update is outhttps://support.microsoft.com/en-us/kb/3138612
    • Anonymous
      March 15, 2016
      Cool, I may create separate post for creating an application for the latest WUAgents
  • Anonymous
    March 16, 2016
    FIVE STARS! This saved us many hours, thank you so much Justin! Amazing work!
  • Anonymous
    April 25, 2016
    Does anyone have in depth description of what KB3138612 address/fixes? I have been looking on the web and have not been able to find it.
  • Anonymous
    May 19, 2016
    Just wanted to add my thanks also for this post. Updating the WUAgent and installing the new Windows 7 Cumulative Update has drastically reduced the time I need to build and capture a Windows 7 image. Thank you!
  • Anonymous
    May 27, 2016
    The comment has been removed
  • Anonymous
    July 01, 2016
    http://www.infoworld.com/article/3086811/microsoft-windows/microsoft-releases-kb-3161647-kb-3161608-to-fix-slow-windows-7-update-scans.htmlI think we are finally done with these problems.
  • Anonymous
    September 26, 2016
    This fix worked for me !!! Thank you for solving my issue since about 6 months !!!
  • Anonymous
    November 09, 2016
    Is there any .CAB file for the March 2016 update (3138612)?