Updating The Windows 7 Update Agent in a MDT or SCCM Task Sequence Prior to Installing Updates


Overview:

If you haven’t been keeping up with the recent issues around the Windows Update Agent, I will give you a quick rundown.

You can skip to the resolution if you just want to see how to update the Windows Update Agent and skip the details.

Issue:

In July 2015, we started seeing issues with the Windows Update Agent using very high memory utilization during update scans. The scans would eventually time out with error: WARNING: ISusInternal::GetUpdateMetadata2 failed, hr=8007000E

There are two parts to this issue as shown below (More detailed info in this blog post):

  1. The Microsoft Update / WSUS Catalog is becoming very large over time with all the updates being released. There is a way to help keep your local WSUS update catalog smaller by declining superseded updates. You can review this blog post for more info on that.
  2. Windows Update Agents older than version 7.6.7601.19077 (Dec 2015) on Windows 7 are susceptible to the higher memory utilization and timeouts. The timeout happens more often on Windows 7 x86, but can also happen on Windows 7 x64.

Research:

I ran some tests during a MDT build and capture task sequence for Windows 7 SP1 (x86 and x64). Below is a set of different scenarios I tested. In all these tests, the Windows Update Agent was version 7.6.7600.320 this is what’s baked into Windows 7 with SP1. You can check the file version of: c:\windows\System32\wuapi.dll to verify the Windows Update Agent version. The virtual machine I used was 4 cores, 4 – 8 GB RAM, and SSD.

  1. I used WSUS and Microsoft Updates by changing the CustomSettings.ini in MDT to use or not to use my WSUS server.
  2. While using WSUS in the MDT task sequence, I configured WSUS differently for each test.
    1. The first test the WSUS catalog was only syncing the following products: Windows 7, Windows 8.1, Windows 10, and Windows Server 2012 R2.
    2. The second test WSUS was set to sync every product and classification.

Testing Results for WUAgent 7.6.7600.320:

1. Windows 7 x86 – Microsoft Updates -  (Logs Here)

  • After 3 minute and 30 seconds, the pre-application and post-application update steps both failed.
  • WindowsUpdate.log received: WARNING: WU client failed Searching for update with error 0x8007000e
  • ZTIWindowsUpdate.log received: FAILURE (Err): 7: Windows Update, search for updates. - Out of memory

2. Windows 7 x64 –  Microsoft Updates -  (Logs Here)

  • After 1 hour and 15 minutes, the Pre-Application update scan finally completed and started to download updates
  • No status in WindowsUpdate.log or ZTIWindowsUpdate.log during this long scan time
  • There was very high memory utilization from svchost.exe (WUAgent) during the scanMemoeryUtil

3. Windows 7 x86 – WSUS Catalog (Small) -  (Logs Here)

  • After 1 minute and 30 seconds, the pre-application update scan was complete and updates started to download.
  • The WSUS catalog was only syncing Windows 7, Windows 8.1, Windows 10, Server 2012 R2 and Superseded updates were being declines. There were only 1,574 updates in the WSUS catalog:
    WSUS

4. Windows 7 x64 – WSUS Catalog (Small) -  (Logs Here)

  • After 3 minute and 20 seconds, the pre-application update scan was complete and updates started to download.
  • The WSUS catalog was only syncing Windows 7, Windows 8.1, Windows 10, Server 2012 R2 and Superseded updates were being declines. There were only 1,574 updates in the WSUS catalog.

5. Windows 7 x86 – WSUS Catalog (Large) -  (Logs Here)

  • After 1 minute and 13 seconds, the pre-application update step failed.
  • WindowsUpdate.log received: WARNING: WU client failed Searching for update with error 0x8007000e
  • ZTIWindowsUpdate.log received: FAILURE (Err): 7: Windows Update, search for updates. - Out of memory
  • The second scan (Post-Application) did succeed. The second scan took 57 minutes to complete.
  • The WSUS catalog syncing all products and classifications. This was a total of around 95K updates
    image

6. Windows 7 x64 – WSUS Catalog (Large) -  (Logs Here)

  • After 32 minutes, the pre-application update scan was complete and updates started to download updates.
  • The WSUS catalog syncing all products and classifications. This was a total of around 95K updates

The Resolution:

I’ve done various test on updating the Windows Update Agent in a build and capture task sequence to: KB3112343 (December 2015). This Windows Update Agent update (7.6.7601.19077 / December 2015) fixed issues causing high memory utilization and timeouts during an update scan. This hotfix is a MSU update file.

Typically, you would just use wusa.exe to apply a MSU update, but this would cause issues since wusa.exe would initiate an update scan to check for applicability thus causing the high memory utilization and over an hour install time.

To work around this, I used pkgmgr.exe to apply the CAB file within the MSU update directly.

image

The install command is: pkgmgr /ip /m:"Windows6.1-KB<IDNumber>-x64.cab" /quiet /norestart /l:%temp%\WUAgentUpdate.log

You can download the Install Script and CAB files for use with a MDT by clicking the link below:

Download WUAgent 7.6.7601.19116 (February 2016) for use with MDT

This install script (Install.cmd) will handle Windows 7 x86 or x64 WUAgent update. You need to add this step prior to the Windows Update steps in MDT and create a reboot step after the application install. The reboot step is required in MDT in order for the update to install.

image

You can download a pre-built application for SCCM that includes the content, requirement rules, metadata, and detection logic by clicking the link below. You will just have to extract the “WUAgent 7.6.7601.19116 (February 2016) - Application for Importing.zip” and import the “WUAgent 7.6.7601.19116 (February 2016).zip” within the extracted zip from a UNC path.

Download WUAgent 7.6.7601.19116 (February 2016) for use with SCCM

This application will handle the reboot since it will receive exit code 3010 and reboot for you within the task sequence.

image

Testing Results for WUAgent 7.6.7601.19077:

1. Windows 7 x86 – Microsoft Updates -  (Logs Here)

  • After 2 minutes, the Pre-Application update scan completed and started to download updates.
  • Both update scans failed in this test with the 6.7600.320 Windows Update Agent

2. Windows 7 x64 –  Microsoft Updates -  (Logs Here)

  • After 4 minutes, the Pre-Application update scan completed and started to download updates
  • This saved 1 hour and 11 minutes by updating the Windows Update Agent for the first update scan

3. Windows 7 x86 – WSUS Catalog (Large) -  (Logs Here)

  • After 59 minutes, the pre-application update scan was complete and updates started to download.
  • The WSUS catalog syncing all products and classifications. This was a total of around 95K updates

4. Windows 7 x64 – WSUS Catalog (Large) -  (Logs Here)

  • After 32 minutes, the pre-application update scan was complete and updates started to download updates.
  • The WSUS catalog syncing all products and classifications. This was a total of around 95K updates

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of any included script samples are subject to the terms specified in theTerms of Use

Comments (25)

  1. Mohammed says:

    What's wrong in injecting the latest WUAgent msu file via package method in MDT?

    1. Just tested this method works well will update the post soon since that is easier.

  2. @ Mohammed, I just didn't test it. That may work just fine, but I was looking at something simple the would work in MDT as well as ConfigMgr.

  3. Bill Dunn says:

    Referenced KB is NOT the latest WU Engine anymore...its now KB3135445
    .19116

  4. @ Bill, I'm not to worried about always using the latest WUAgent. This is to workaround to scanning issues in the WUAgent built into Windows 7 SP1. Once the machine becomes managed via SCCM/WSUS, it will self update itself anyway.

  5. Dave Stein says:

    Nice posting with good background detail. Thanks for sharing!

  6. Dean Buen says:

    Good work here Justin! This will help stabilize the Windows update process during image builds on MDT. For those that update their image on a quarterly basis, this is a must to implement in your MDT task sequence.

  7. Anonymous says:

    I’m sure you’ve noticed that when building a new Windows 7 SP1 image that there are a lot of updates

  8. We were just getting complaints from Tier 1 on how slow imaging has become with updates, you read my mind as I was about to start searching for a solution. Great timing.

  9. tom canellakis says:

    Thanks for sharing your highly technical effort to fix a very broken update process. Is there a simple or automated way for consumers to install the new 7.6.7601.19077 Windows Update Agent? When I last reinstalled Windows 7 two days ago (Feb 15), the update
    first downloaded a new WU Agent - the version is 7.6.7600.320. The help line is not much help - they mostly tried to upsell me on upgrading my system.

  10. @Tom, for consumer it should just update itself just fine. You could download the MDT update files and run the install.cmd as admin to manually update it just reboot after that.

  11. Phil Reda says:

    Thanks so much i've been on with microsoft 4 days now trying to fix this and you got the fix THANKS AGAIN

  12. Bolton says:

    This is a good read, I'll have to check my current WUAgent version in my Windows 7 images. I currently have a long deployment time with my Win8.1 x64 images, and it's largely due to the Windows Updates steps (pre and post application). I wonder, should
    I also be wary of the agent version for Windows 8.1 images? I have completely patched the image before capturing it.

  13. @Bolton, I haven't really seen any major issues with the Windows 8.1 or 10 RTM images around the WUAgent.

  14. Dean Buen says:

    Quick question, you mention that this is for Windows 7. Can this be applicable to Windows Server 2008 R2 images?

  15. @Dean, Yeah definitely can be. You will just need to get the CAB from the MSU file and create another command script to install it. I actually made this in my lab the other day give this a try:

    http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-99-57/WUAgent-7.6.7601.19116-for-Server-2008-R2-x64.zip this is only for Server 2008 R2 x64 not x86. I wouldn't think people would be deploying x86 at this
    point anyway though.

  16. russell says:

    I used SCCM 2012 Offline Imaging to update my base .wim with the KB3135445 update. That should handle it, no?

    1. Yes that should work did some testing.

  17. John Marcum says:

    Justin... Do you run fsutil.exe 8dot3name set c: 0 before your script in MDT? I put that cmd file in my build and capture TS but it just hangs. Looking at the script I see you are using "%~dps0" rather than "%~dp0".

  18. @Russel, No I didn't need to change anything.

  19. Awesome Justin! thanks a lot!

    1. Cool, I may create separate post for creating an application for the latest WUAgents

  20. Gamby35 says:

    FIVE STARS! This saved us many hours, thank you so much Justin! Amazing work!

  21. Chris says:

    Does anyone have in depth description of what KB3138612 address/fixes? I have been looking on the web and have not been able to find it.

Skip to main content