安裝軟體更新Install Software Updates

適用於: Configuration Manager (最新分支)Applies to: Configuration Manager (current branch)

安裝軟體更新步驟常用於 Configuration Manager 工作順序中。The Install Software Updates step is commonly used in Configuration Manager task sequences. 安裝或更新 OS 時,它會觸發軟體更新元件來進行掃描及部署更新。When installing or updating the OS, it triggers the software updates components to scan for and deploy updates. 此步驟可能會對某些客戶形成挑戰,例如,很長的逾時延遲或遺漏更新。This step can cause challenges for some customers, such as long timeout delays or missed updates. 使用此文章中的資訊,以協助減少此步驟的常見問題,並在發生錯誤時進行更好的排解疑難。Use the information in this article to help mitigate common issues with this step, and for better troubleshooting when things go wrong.

如需步驟的詳細資訊,請參閱安裝軟體更新For more information on the step, see Install Software Updates

建議Recommendations

為了協助此流程成功,請使用下列建議:To help this process be successful, use the following recommendations:

使用離線服務Use offline servicing

使用 Configuration Manager,定期將適用的軟體更新安裝至您的映像檔案。Use Configuration Manager to regularly install applicable software updates to your image files. 這種做法接著能減少您需要在工作順序期間安裝的更新數目。This practice then reduces the number of updates that you need to install during the task sequence.

如需詳細資訊,請參閱將軟體更新套用至映像For more information, see Apply software updates to an image.

單一索引Single index

許多映像檔案都包含多個索引,例如,針對不同版本的 Windows。Many image files include multiple indexes, such as for different editions of Windows. 將映像檔案減少為您所需的單一索引。Reduce the image file to a single index that you require. 這種做法可減少將軟體更新套用至映像的時間量。This practice reduces the amount of time to apply software updates to the image. 它也會讓下一個建議能夠減少映像大小。It also enables the next recommendation to reduce the image size.

從 1902 版開始,當您將 OS 映像新增至站台時,即會將此程序自動化。Starting in version 1902, automate this process when you add an OS image to the site. 如需詳細資訊,請參閱新增 OS 映像For more information, see Add an OS image.

減少映像大小Reduce image size

當您將軟體更新套用至映像時,請移除任何已取代的更新來將輸出最佳化。When you apply software updates to the image, optimize the output by removing any superseded updates. 使用 DISM 命令列工具,例如:Use the DISM command-line tool, for example:

dism /Mount-Image /ImageFile:C:\Data\install.wim /MountDir:C:\Mountdir
dism /Image:C:\Mountdir /Cleanup-Image /StartComponentCleanup /ResetBase
dism /Unmount-Image /MountDir:C:\Mountdir /Commit  

從 1902 版開始,有一個新選項可將此程序自動化。Starting in version 1902, there's a new option to automate this process. 如需詳細資訊,請參閱最佳化的映像服務For more information, see Optimized image servicing.

映像工程決策Image engineering decisions

當您設計映像處理流程時,有數個可能影響軟體更新安裝的選項:When you design your imaging process, there are several options that can impact the installation of software updates:

定期重新擷取映像Periodically recapture the image

您必須有一個自動化流程可定期排程來擷取自訂的 OS 映像。You have an automated process to capture a custom OS image on a regular schedule. 此擷取工作順序會安裝最新的軟體更新。This capture task sequence installs the latest software updates. 這些更新可以包括累積、非累積和其他重大更新,例如,服務堆疊更新 (SSU)。These updates can include cumulative, non-cumulative, and other critical updates such as servicing stack updates (SSU). 部署工作順序會安裝自擷取之後的任何其他更新。The deployment task sequence installs any additional updates since capture.

如需此流程的詳細資訊,請參閱建立工作順序以擷取 OSFor more information on this process, see Create a task sequence to capture an OS.

優點Advantages

  • 每個用戶端上要在部署期間套用的更新較少,可在部署期間節省時間與頻寬Fewer updates to apply at deployment time per client, which saves time and bandwidth during deployment
  • 擔心會導致重新啟動的更新較少Fewer updates to worry about causing restarts
  • 適用於組織的自訂映像Customized image for the organization
  • 部署階段的變數較少Fewer variables at deployment time

缺點Disadvantages

  • 需要建立和擷取映像的時間,即使它大部分會自動進行Time to create and capture image, even though it's mostly automated
  • 將映像發佈至發佈點的時間增加,這可視為使用中部署的中斷Increased time to distribute the image to distribution points, which can be seen as outage for active deployments
  • 透過進入生產階段前的環境進行測試的時間可能比 OS 修補週期更長,這可能使得更新的映像變成無關Time to test through pre-production environments may be longer than OS patch cycle, which can make the updated image irrelevant

使用離線服務Use offline servicing

排程 Configuration Manager 軟體以將更新套用至映像。Schedule Configuration Manager to apply software updates to your images.

如需詳細資訊,請參閱將軟體更新套用至映像For more information, see Apply software updates to an image.

優點Advantages

  • 每個用戶端上要在部署期間套用的更新較少,可在部署期間節省時間與頻寬Fewer updates to apply at deployment time per client, which saves time and bandwidth during deployment
  • 擔心會導致重新啟動的更新較少Fewer updates to worry about causing restarts
  • 您可以在站台上排程服務流程You can schedule the servicing process at the site

缺點Disadvantages

  • 手動選取更新Manual selection of updates
  • 將映像發佈至發佈點的時間增加Increased time to distribute the image to distribution points
  • 僅支援以 CBS 為基礎的更新。Only supports CBS-based updates. 其無法套用 Microsoft 365 Apps 更新It can't apply Microsoft 365 Apps updates

提示

您可以使用 PowerShell 自動選取軟體更新。You can automate the selection of software updates using PowerShell. 使用 Get-CMSoftwareUpdate Cmdlet 來取得更新清單。Use the Get-CMSoftwareUpdate cmdlet to get a list of updates. 然後使用 New-CMOperatingSystemImageUpdateSchedule Cmdlet 來建立離線服務排程。Then use the New-CMOperatingSystemImageUpdateSchedule cmdlet to create the offline servicing schedule. 下列範例示範一個可自動執行此動作的方法:The following example shows one method to automate this action:

# Get the OS image
$Win10Image = Get-CMOperatingSystemImage -Name "Windows 10 Enterprise"

# Get the latest cumulative update for Windows 10 1809
$OSBuild = "1809"
$LatestUpdate = Get-CMSoftwareUpdate -Fast | Where {$_.LocalizedDisplayName -Like "*Cumulative Update for Windows 10 Version $OSBuild for x64*" -and $_.LocalizedDisplayName -notlike "*Dynamic*"} | Sort-Object ArticleID -Descending | Select -First 1
Write-Host "Latest update for Windows 10 build" $OSBuild "is" $LatestUpdate.LocalizedDisplayName

# Create a new update schedule to apply the latest update
New-CMOperatingSystemImageUpdateSchedule -Name $Win10Image.Name -SoftwareUpdate $LatestUpdate -RunNow -ContinueOnError $True

只使用預設映像Use default image only

在您的部署工作順序中,使用預設的 Windows install.wim 映像檔案。Use the default Windows install.wim image file in your deployment task sequences.

優點Advantages

  • 已知良好的來源,可減少映像損毀成為潛在問題的風險A known good source, which reduces the risk of image corruption as a possible issue
  • 使修改映像不會成為潛在問題Eliminates modifications to image as a possible issue

缺點Disadvantages

  • 可能在部署期間進行大量更新Potential for high volume of updates during the deployment
  • 每部裝置的部署時間增加Increased deployment time for every device
  • 可能沒有所需的自訂,需要額外的工作順序步驟來自訂May not have needed customizations, requires additional task sequence steps to customize

流程圖Flowchart

此流程圖顯示當您在工作順序中包含「安裝軟體更新」步驟時的流程。This flowchart diagram shows the process when you include the Install Software Updates step in a task sequence.

檢視完整大小的圖表View the diagram at full size

適用於「安裝軟體更新」工作順序步驟的流程圖

  1. 在用戶端上啟動流程:用戶端上執行的工作順序包含「安裝軟體更新」步驟。Process starts on the client: A task sequence running on a client includes the Install Software updates step.
  2. 編譯和評估原則:用戶端會將所有軟體更新原則編譯至 WMI RequestedConfigs 命名空間。Compile and evaluate policies: The client compiles all software update policies into WMI RequestedConfigs namespace. (CIAgent.log)(CIAgent.log)
  3. 這個執行個體是第一次呼叫嗎?Is this instance the first time it's called?
    1. :移至「完整掃描」 Yes: Go to Full scan
    2. :此步驟會將選項設定為 [從快取掃描結果評估軟體更新] 嗎? No: Is the step configured with the option to Evaluate software updates from cached scan results?
      1. :移至「從快取的結果掃描」 Yes: Go to Scan from cached results
      2. :移至「完整掃描」 No: Go to Full scan
  4. 掃描流程:完整掃描或從快取的結果掃描,與監視流程同時進行。Scan process: either a full scan or scan from cached results, with monitoring process in parallel.
    1. 完整掃描:工作順序引擎會透過更新掃描 API 來呼叫軟體更新代理程式,以進行「完整」 掃描。Full scan: The task sequence engine calls the software update agent via Update Scan API to do a full scan. (WUAHandler.log、ScanAgent.log)(WUAHandler.log, ScanAgent.log)
      1. SUM 代理程式掃描 - 完整:透過 Windows Update 代理程式 (WUA) 的標準掃描流程,與執行 WSUS 的軟體更新點進行通訊。SUM agent scan - full: Normal scan process via Windows Update Agent (WUA), which communicates with software update point running WSUS. 它會在本機更新存放區中新增任何適用的更新。It adds any applicable updates to the local update store. (WindowsUpdate.log、UpdateStore.log)(WindowsUpdate.log, UpdateStore.log)
    2. 從快取的結果掃描:工作順序引擎會透過更新掃描 API 來呼叫軟體更新代理程式,以根據已快取的中繼資料進行掃描。Scan from cached results: The task sequence engine calls the software update agent via Update Scan API to scan against cached metadata. (WUAHandler.log、ScanAgent.log)(WUAHandler.log, ScanAgent.log)
      1. SUM 代理程式掃描 - 已快取:Windows Update 代理程式 (WUA) 會針對已經快取於本機更新存放區中的更新進行檢查。SUM agent scan - cached: The Windows Update Agent (WUA) checks against updates already cached in the local update store. (WindowsUpdate.log、UpdateStore.log)(WindowsUpdate.log, UpdateStore.log)
    3. 啟動掃描計時器:工作順序引擎會啟動計時器並進行等候。Start scan timer: The task sequence engine starts a timer and waits. (此流程會與完整掃描或從已快取的結果流程中進行掃描同時發生)。(This process happens in parallel with either the full scan or scan from cached results process.)
      1. 監視:工作順序引擎會監視 SUM 代理程式以取得狀態。Monitoring: The task sequence engine monitors the SUM agent for status.
      2. 來自 SUM 代理程式的回應是什麼? What's the response from the SUM agent?
        • 進行中:計時器是否已達到工作順序變數 SMSTSSoftwareUpdateScanTimeout 中的值?In progress: Has the timer reached the value in task sequence variable SMSTSSoftwareUpdateScanTimeout? (預設值為 1 小時)(Default 1 hour)
          • :步驟失敗。Yes: The step fails.
          • :移至「監視」 No: Go to Monitoring
        • 失敗:步驟失敗。Failed: The step fails.
        • 完成:移至「列舉更新清單」 Complete: Go to Enumerate update list
  5. 列舉更新清單:SUM 代理程式會列舉掃描所傳回的更新清單,以判斷更新為可用或必要。Enumerate update list: The SUM agent enumerates the list of updates returned by the scan, determining which are available or mandatory.
  6. 掃描結果清單中是否有任何更新? Are there any updates in the list of scan results?
    • :移至「安裝更新」 Yes: Go to Install updates
    • :不需安裝任何項目,步驟已順利完成。No: Nothing to install, the step successfully completes.
  7. 部署流程:安裝更新流程會與部署監視流程同時發生。Deployment process: The install updates process happens in parallel with the deployment monitoring process.
    1. 安裝更新:工作順序引擎會透過更新部署 API 來呼叫 SUM 代理程式,以安裝所有可用更新或僅安裝強制更新。Install updates: The task sequence engine calls the SUM agent via Update Deployment API to install all available or only mandatory updates. 此行為會以步驟的設定為基礎:您選取的是 [安裝必備 - 僅限強制軟體更新] 或 [可供安裝 - 所有軟體更新] 。This behavior is based on the configuration of the step, whether you select Required for installation - Mandatory software updates only or Available for installation - All software updates. 您也可以使用 SMSInstallUpdateTarget 變數來指定此行為。You can also specify this behavior using the SMSInstallUpdateTarget variable.
      1. SUM 代理程式安裝:透過標準內容下載,使用現有已快取之更新清單的標準安裝流程。SUM agent install: Normal install process using existing cached list of updates, with standard content download. 透過 Windows Update 代理程式 (WUA) 安裝更新。Install update via Windows Update Agent (WUA). (UpdatesDeployment.log、UpdatesHandler.log、WuaHandler.log、WindowsUpdate.log)(UpdatesDeployment.log, UpdatesHandler.log, WuaHandler.log, WindowsUpdate.log)
    2. 開始部署計時器並顯示進度:工作順序引擎會啟動安裝計時器,在 TS 進度 UI 中以 10% 時間間隔來顯示子進度,然後等候。Start deployment timer and show progress: The task sequence engine starts an installation timer, shows sub-progress at 10% intervals in TS Progress UI, and waits.
      1. 監視:工作順序引擎會輪詢 SUM 代理程式以取得狀態。Monitoring: The task sequence engine polls the SUM agent for status.
      2. 來自 SUM 代理程式的回應是什麼? What's the response from the SUM agent?
        • 進行中:安裝流程是否已有 8 小時處於非使用中狀態? In progress: Has the installation process been inactive for 8 hours?
          • :步驟失敗。Yes: The step fails.
          • :移至「監視」 No: Go to Monitoring
        • 失敗:步驟失敗。Failed: The step fails.
        • 完成:移至「此步驟會將選項設定為 [從快取掃描結果評估軟體更新] 嗎?」 Complete: Go to Is the step configured with the option to Evaluate software updates from cached scan results?

逾時Timeouts

此圖表包含兩個適用於此步驟的逾時變數。The diagram includes two of the timeout variables that apply to this step. 有其他來自可能影響此流程之其他元件的標準計時器。There are other standard timers from other components that can impact this process.

  • 更新掃描逾時:1 小時 (smsts.log)Update scan timeout: 1 hour (smsts.log)
  • 位置要求逾時:1 小時 (LocationServices.log、CAS.log)Location request timeout: 1 hour (LocationServices.log, CAS.log)
  • 內容下載逾時:1 小時 (DTS.log)Content download timeout: 1 hour (DTS.log)
  • 非使用中的發佈點逾時:1 小時 (LocationServices.log、CAS.log)Inactive distribution point timeout: 1 hour (LocationServices.log, CAS.log)
  • 安裝非使用中逾時總計:8 小時 (smsts.log)Total install inactive timeout: 8 hours (smsts.log)

疑難排解Troubleshooting

使用下列資源和其他資訊,以協助您針對此步驟的問題進行疑難排解:Use the following resources and additional information to help you troubleshoot issues with this step: