KB2775511 deployment for the SCCM Admin

This week Microsoft rolled out a BIG hotfix (90 hotfixes) rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1.  To better understand all the goodness it gives you check out the AskPFEPlat blog or go to the source of one of the guys who helped put it together, my fellow PFE Jeff Stokes.  It is being distributed as an enterprise hotfix and so I think it likely that a lot of you folks running SCCM to manage your enterprise might want to roll out this hotfix.  One big advantage that comes to mind is including it in your OSD image capture to cut down on patch install time for future deployments.   The trick is that “out of the box” you can’t deploy this.  It does not sync to WSUS and your SCCM software update point (SUP) automatically.  There are some simple steps you can take to get it there, however.

NOTE – As of 5/16 there is a new update rollup available in KB 3125574 .  This can also be deployed using steps similar to below.

  1. On your central site/CAS SUP open up the Windows Server Update Services admin console
    1. It is worth noteing that we see SCCM folks do more harm than good in the WSUS admin console, but this is one of those exception times you need to go in there.  Do so carefully.
  2. Go to updates and select Import Updates to launch a webpage to the Microsoft Update Catalog.
    1. image
  3. Search on 2775511 and then add all that you are interested in getting for your environment
    1. image
  4. Make sure the checkbox to import directly is selected then hit the import button.
    1. Another box will come up tracking the download and show success when completed
      1. image
  5. Verify that your SCCM site is set to sync “Updates” classification, becase that is what this is (as compared to “service packs” or “security updates”).
  6. Once that download is complete you can sync SCCM and then you should see the updates in SCCM to deploy as you would any other update
    1. image
    2. image


3-14-13 update – Added links to AskPFEPlat and Jeff Stokes’ blogs along with warning about using WSUS admin console

3-14-13 update #2 – added clarity about fix classification

5/18/16 – Update for kb3125574

Comments (26)

  1. Stewart – That is a very good observation and question.  At this time, I have no great answer to go with it.  You could kick a patch install process followed by the new KB but all in one task sequence to minimize the delay between the two, but that's not a good scenario for many folks.  You may just have to push out 2732673 as a SWDist on a collection setup to minimize the delta window between the two as much as possible.

  2. Anonymous says:

    Excellent information.

  3. Pete – Good to know.  Thanks for sharing that with everyone…, it saves me some time trying to setup the test myself. 🙂

  4. Jeff Stokes says:

    It should be in ARP – would expect to find something in CBS.log about it at that point…

  5. Datakonsulenten says:

    Impossible to download this Update from Microsoft Update Catalog, when put in "basket" and I open basket, the updates disappear. Maybe since I run Windows 8.1 and IE 11?
    But I want this update for our W2008R2 servers.
    Why can’t MS give us this update the ordinary way?
    Regards Håkon

  6. Robert Kruk says:

    Thanks. This makes things easy 🙂

  7. Anonymous says:

    Michael, we have to deploy this as a regular SCCM Deployment, not via SUP.  Problem is, we don't see anything showing up on ARP, or on the computer, to tell if it is deploying–how do you inventory for the existence of this hotfix rollup?

    We are deploying using this commandline:  wusa.exe <filename>.msu /quiet /norestart  , where filename = AMD64-all-windows6.1-kb2775511-v2-x64_ec18cc10e27faf443c17e7a8073c9eba773eb13e.msu


  8. Ronny – I did not try offline servicing with this.  See the criteria on blogs.technet.com/…/3418243.aspx.  With all this KB contains I suspect that it is not CBS based.  You probably have to include it in a build and capture.

  9. Did you verified if Offline Servicing is working as well for this update? Using Offline Servicing I receive the following message – Not applying this update binary, it is not supported – while other updates injected successfully. Is this because the update comes with 2 binaries? Using DISM I can insert KB2775511 with success to my wim images.

  10. Keith – I don’t think there is a native way to control the order. There are "tricks" out there, such as deploying each to a separate collection and then having machines fall in to a collection when they need a patch and have the prior one, then fall out
    once they get it, now falling into the next collection. You could also bundle each as an application/package then link those natively or via a task sequence. I haven’t had a customer ask me to dig into it yet so my focus has ben on other things. The question
    did come up in general conversation with one of my customers so I may get a chance to dig in, in which case I will post back with my solution.

  11. EGP says:

    Nice write up, thanks.

  12. Sven says:

    A little bit more searching and I found it on the Ribon bar 😉

  13. Pete Mitchell says:

    I just added this to my Windows 7 SP1 WIM via SCCM 2012 SP1 scheduled updates and it said it was successful.  Looks like it works with offline servicing.

  14. Stewart says:


    Now that 2775511 has been updated to state that after installation you must install 2732673, is there a recommended deployment strategy for SCCM customers? I'm keen to deploy the hotfix rollup in our environment but according to this: blogs.msdn.com/…/roll-up-update-kb-2775511-reports-with-smb-2-0-data-truncation.aspx 2732673 will not be added to the Update Catalogue. It would be much nicer to be able to deliver both hotfixes in a single package as otherwise there will be a delay before 2732673 can be installed.


  15. Stewart says:

    Hi Mike

    That was the best solution I could come up with too. I was hoping there was a more elegant way of doing it but that approach will have to do. Thanks for your response.


  16. russell says:

    KB2775511 is available in SUP, but KB2732673 is not.  Now that KB2775511 is published, is KB2732673 still needed?

  17. Anonymous says:

    Pingback from Internet Explorer 11 Silent Install

  18. Chris says:

    us SCCM admins have to be very careful in WSUS. We were hired directly off the streets afterall. 🙂

  19. Keith says:

    Want about the additional hotfixes that are required POST installation of KB2775511 (KB2732673, KB2728738 and KB2878378)? Is there a way to ensure the installation order in WSUS?


  20. Kevin says:

    Does anyone know if this patch will overright the June 2015 Security updates?
    Some of the DLL's were replaced in June, but my vendor want me to apply the rollup anyway.

  21. lenny says:

    When you import the POST 2775511 hotfixes into WSUS (KB2732673, KB2728738 and KB2878378) they are Classified as "Hotfixes". In SCCM there is no Hotfixes classification, so it does not pull in those 3 patches?

    Is there a way around it?

  22. Eric says:

    Lenny, I simply downloaded them and packaged them in SCCM and have 3 command line steps in my TS right after the Install Updates step.

    Here's the first command line (Sub in whichever regression HF you're installing for the next two.)
    wusa.exe AMD64-all-windows6.1-kb2732673-v4-x64_801bb11beb007464927d0988992005f63899dab2.msu /quiet /norestart

  23. Gonzo says:

    When I try to install KB2732673 only it works like a charm but if I try to deploy it after KB2775511 I got the message: 'The update is not applicable to your computer'. On the other hand KB2728738 installs just fine in the same scenario. Any ideas?

  24. Steve Sweeny says:

    I am using MDT to build and capture my base image and when trying to install this hotfix it never finishes the install. I have tried manually installing, scripted install and added it to wsus allowing the windows updates step to try to install. All times
    it never finishes. Using Win 7 enterprise iso from Microsoft licensing website. Maybe there are some services that need to be stopped or disabled before install?

  25. Michel L says:

    It seems that kb2878378 is no more required if kb3080149 or kb2882822 is installed. Then what is the right install order now ?