Hey Guys,

I have a golden image on Hyper V that needs to run Windows Updates. I ran PS scripts that another helpful user provided me with which work great, however the same script doesn't work to fix this issue after the updates run. Sysprep runs fine if the updates do not run. Setupact.txt shows it is usually one of the built in apps/appxpackage (Windows.Miracast... in this case).


Are there any commands for cmd or PowerShell that run only Critical and Security updates? Or a setting that disables Store, Appx, feature, etc updates running as part of a Windows update?

I tried enabling a local policy prior to this and still had the same issue. My concern with not running the updates before capture is that a MASSIVE list of updates will be required for each image deployed in that quarter.


- W10 Pro x64

- Build 1703

- Image built in Hyper V from K2000

- Scripted install with unattend file which enabled the built in admin account, so there has only ever been one account

Any advice would be great.
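As an added example (editor's, not from the original post or any of the commenters): the usual reason Sysprep's generalize pass stops on a built-in app is an Appx package that is installed for a user account but has no provisioned (all-users) counterpart; setupact.log names the package. The script below, assumed to be run in an elevated PowerShell session on the reference VM before Sysprep, cross-checks the installed packages against the provisioned list and reports the mismatches so they can be compared with the log. It only reports; it removes nothing.

```powershell
# Added example: report Appx packages installed for a user but not provisioned.
# Requires an elevated session (Get-AppxPackage -AllUsers). Reports only.

# Names of packages staged for every new account on this image.
$Provisioned = Get-AppxProvisionedPackage -Online |
    Select-Object -ExpandProperty DisplayName

# Frameworks (e.g. VCLibs) are dependencies and are never provisioned on their own,
# so they are excluded from the comparison.
$Installed = Get-AppxPackage -AllUsers |
    Where-Object { -not $_.IsFramework }

# Installed for at least one account, but absent from the provisioned list.
$Orphans = $Installed | Where-Object { $Provisioned -notcontains $_.Name }

if (-not $Orphans) {
    Write-Output 'Every installed Appx package has a provisioned counterpart.'
} else {
    Write-Output 'Installed for a user but not provisioned for all users:'
    # SignatureKind is shown because inbox "System" packages (for example the
    # Miracast viewer) are expected to appear here; compare with setupact.log.
    $Orphans |
        Select-Object Name, Version, SignatureKind,
            @{ Name = 'Accounts'; Expression = { ($_.PackageUserInformation | ForEach-Object { "$_" }) -join ', ' } } |
        Format-Table -AutoSize
}
```

The output is meant to be read next to the package name in setupact.log: a package that is listed here and also named in the log is the one Sysprep is objecting to, and the Accounts column shows which profile it was installed into.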


1 Comment


  • It sounds like your Windows got an application via the Internet.

    Two golden rules that we use to avoid this:

    1-The VM holding the golden image, NEVER gets access to the outside world. (internet)

    2-We patch our golden Image via WSUS or K1000, not using Windows Updates, since I can't control what is being installed.

    NOTE: I have never used the built-in account, we always create our own Local Admin account during both scripted install and System image deployment.
    NOTE 2: Gotta be careful with those provisioned apps, adding and removing them is not easy.
    • Thanks for your suggestions. We do have a server admin that looks after some updates with WSUS. I was just afraid of a bulk update post deployment which will just add time to the image process.
      Can I ask, what would you include as part of your Golden Image? Just base install, updates and some customizing of tiles/built in apps etc?
      And to avoid accessing the internet, do you install all software as post tasks or add installers to an internal server and install from there instead of the web?
      Thanks again.
      • If you are using the K2 you do not need Internet access for post install tasks, unless some of those post install tasks require internet access for, let's say, activation.

        Bulk update? I just update the Golden Image and then capture it. Another option is to look in your Volume License Portal or in MSDN; there are ISOs that already have patches installed.

        i.e. "en_windows_10_enterprise_version_1703_updated_march_2017_x64_dvd_10189290"
        This ISO contains all the patches up to March 2017, the newest one is from September I think...

        If you build a Windows OS from that ISO\media, you know you'll only need to worry about patches from April to Today, better than ALL existing patches for 1703.

        i.e. We have images based on Department needs; they have the same base image, with different software installed (Adobe Photoshop, PeachTree, AutoCAD, etc.).
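As an added example (editor's, not from the question or the comments above): the original question asks for a way to apply only Critical and Security updates, and the comment's point is that plain Windows Update gives you no control over what gets installed. The Windows Update Agent COM API (Microsoft.Update.Session), which is built into Windows and works whether the client points at Microsoft Update or at a WSUS server, lets you search for pending updates and keep only those whose category is "Critical Updates" or "Security Updates", so Store/Appx, feature and driver updates are never selected. The category names and the search syntax are the documented WUA ones; the script is assumed to run in an elevated session on the reference VM.

```powershell
# Added example: install only updates classified as Critical or Security,
# using the built-in Windows Update Agent COM API. Run elevated.

$Classes = @('Critical Updates', 'Security Updates')   # WUA category names to keep

$Session  = New-Object -ComObject 'Microsoft.Update.Session'
$Searcher = $Session.CreateUpdateSearcher()

# Pending, non-hidden software updates; Type='Software' already excludes drivers.
$Found = $Searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

$Selected = New-Object -ComObject 'Microsoft.Update.UpdateColl'
foreach ($Update in $Found.Updates) {
    $CategoryNames = @($Update.Categories | ForEach-Object { $_.Name })
    $Keep = $CategoryNames | Where-Object { $Classes -contains $_ }
    if ($Keep) {
        [void]$Selected.Add($Update)
        Write-Output ("KEEP  {0}  [{1}]" -f $Update.Title, ($CategoryNames -join ', '))
    } else {
        # Feature updates, Store app updates, tools, etc. are listed but left alone.
        Write-Output ("SKIP  {0}  [{1}]" -f $Update.Title, ($CategoryNames -join ', '))
    }
}

if ($Selected.Count -eq 0) {
    Write-Output 'No Critical or Security updates pending.'
    return
}

# Accept licence terms, download, then install the filtered set only.
foreach ($Update in $Selected) {
    if (-not $Update.EulaAccepted) { $Update.AcceptEula() }
}

$Downloader = $Session.CreateUpdateDownloader()
$Downloader.Updates = $Selected
[void]$Downloader.Download()

$Installer = $Session.CreateUpdateInstaller()
$Installer.Updates = $Selected
$Result = $Installer.Install()

# ResultCode 2 means succeeded; check RebootRequired before running Sysprep.
Write-Output ("Install result code: {0}; reboot required: {1}" -f $Result.ResultCode, $Result.RebootRequired)
```

Running it once with the download and install section removed gives a KEEP/SKIP listing that shows exactly what would be applied, which is a useful check before touching the golden image; the same category filter can be expressed as a WSUS approval rule if the server admin prefers to enforce it centrally.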