When I build our Windows 7 SP1 workstation images I will use Windows Update to install any missing security patches before running sysprep and sealing the image. During the OS deployment through MDT the deployment will slipstream OS patches on the fly with DISM. Once the system goes out on the floor to the users, we have Shavlik scan and deploy new patches as needed. Pretty straightforward.
The "problem" I am having is that the Shavlik scans do not detect any patches that I sealed into the image or that get deployed during the Image staging process with DISM as missing or installed.
For example, if I sealed up an image with KB2667402 and during the OS install had KB2978742 install with DISM via MDT deployment, then went and scanned the systems with my production Shavlik scan template neither of those patches will show up as installed or as missing in the scan results.
Now I know the correct patches are installed, and I can go into Installed Updates in Control Panel and see that they are installed. My problem is that if we have a security audit our patch scanning and deployment system (Shavlik) does not list installed patches as being installed.
So when I run a security patch scan from my Shavlik console the results for installed patches do not account for 150+ patches that are indeed installed. That means the patch status numbers in any reports are not going to be accurate for those patches on those machines, and if I get audited and have to provide a detailed report on patches from my console the numbers are going to be off compared to what is actually out in my environment.
I'm wondering if this is a known behavior or something that can be corrected?
Thanks
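One way to back up the audit numbers while the scanner gap is open is to inventory installed updates straight from Windows and reconcile them against the KB list you expect on each image. The script below is an added example, not code from the post or from Shavlik; it assumes WinRM/RPC access to the target machines, and the KB list is just the two KBs mentioned above.

```powershell
# Added example: cross-check expected KBs against what Windows itself reports
# as installed, independent of the Shavlik scan results.
# Assumptions: remote access to the listed computers; KB list is a sample.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string[]]$ExpectedKB   = @('KB2667402', 'KB2978742')   # sample list from the post
)

$results = foreach ($computer in $ComputerName) {
    try {
        # Get-HotFix reads Win32_QuickFixEngineering, the same data that
        # Control Panel's "Installed Updates" shows for OS hotfixes.
        $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                     Select-Object -ExpandProperty HotFixID
    } catch {
        Write-Warning "Could not query ${computer}: $_"
        continue
    }

    foreach ($kb in $ExpectedKB) {
        [pscustomobject]@{
            Computer  = $computer
            KB        = $kb
            Installed = ($installed -contains $kb)
        }
    }
}

# One row per machine/KB for the audit report, plus a quick total of gaps.
$results | Sort-Object Computer, KB | Format-Table -AutoSize
$missing = @($results | Where-Object { -not $_.Installed })
'Checked {0} KB(s) on {1} machine(s); {2} missing.' -f `
    $ExpectedKB.Count, $ComputerName.Count, $missing.Count

# Keep the evidence alongside the Shavlik export for the auditors.
$results | Export-Csv -Path .\patch-reconciliation.csv -NoTypeInformation
```

Win32_QuickFixEngineering only lists updates serviced through the component store, so non-hotfix items (for example MSI-based updates) will not appear here; treat this as a cross-check for the OS patches sealed into the image or slipstreamed by DISM, not a replacement for the scanner.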