MDT 2012: Automating updates in Lite-Touch Deployments

Microsoft Deployment Toolkit has a built-in script designed to update images, with Microsoft Updates, during a Lite-Touch deployment. I’ve been meaning to write this article for a while now but the enormity of the topic has deterred me from seeing it through to completion. This post also applies to MDT 2010.

To be clear, this article does not relate to implementing a patch management strategy. It does however, demonstrate how to deploy fully patched machines during a Lite-Touch deployment. Also, how to create up-to-date reference images or deployment templates. Most organisations recreate their images on a regular basis to ensure that newly deployed machines do not require excessive patching after their initial deployment. This is usually to reduce the load on the WSUS server.

These are the techniques I use in my test-lab and enterprise Lite-Touch deployments to ensure Windows XP, Vista, 7 and 2008 server editions are fully patched at the time of deployment.

Contents:

Enabling updates within your Lite-Touch Deployments

The Windows Update task sequence steps are built into the standard operating system deployment templates but are disabled by default. To use them, simply edit your task sequence and un-tick the ‘Disable this step’ button. Now during your Lite-Touch deployments this Task Sequence Step will download all available updates automagically from Microsoft Update rebooting and resuming as needed.

The task sequence step is repeated post application installation. It can be useful to enable the Windows Update (Post application installation) step during deployments when you’re installing Microsoft Office 2010 or another product that can be patched using Microsoft Update.

How does it work?

The task sequence steps run a script called ZTIWindowsUpdate.wsf. The script uses the Windows Update Agent API to manage the downloading and installation of updates. All audit information is written to the ZTIWindowsUpdate.log file. If you find any unusual error codes in your log returned from the API (although I never have)  you can compare the codes here. The script will also check and update the Windows Update Agent(WUA) as needed at the start.

In its default state, the ZTIWindowsUpdate.wsf script will connect to Microsoft Update then search for and download all available updates including Security Patches, Drivers, Browser Updates and Service Packs. This is essentially the same as opening the GUI and selecting check for updates.

Managing Lite-Touch Deployment updates in the Enterprise

Many corporate environments block Microsoft Update and have an internal Windows Server Update Services (WSUS) server. In these scenarios you can configure MDT to connect to your WSUS server and download the updates internally. This is done in the CustomSettings.ini file by adding a single line targeting the WSUS server as demonstrated in this example:

WSUSServer=http://ScriptimusWSUSServer:8530

What this does is points the client to an internal WSUS server by creating the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer, "http: //ScriptimusWSUSServer", "REG_SZ"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer, "ScriptimusWSUSServer", "REG_SZ"

Skipping updates during your Lite-Touch Deployments

Now, you may not want MDT to download all updates, for example, the latest Internet Explorer or the annoying Microsoft Browser Choice Screen update. In this case you can create an exclusion list using the customsettings.ini property WUMU_ExcludeID or WUMU_ExcludeKB. You can add as many of these lines as you like by incrementing  a number at the end. In this example I use WUMU_ExcludeKB to exclude 3 windows updates.

WUMU_ExcludeKB001=976002 
WUMU_ExcludeKB002=2267621
WUMU_ExcludeKB003=2434419

In the ZTIWIndowsUpdate.log file you can see that it has skipped over them without having installed them.

Checking for updates only

One final tip, is that you may wish to discover which updates are going to be applied during your deployment without actually downloading them. This is done by editing the task sequence step and adding the /query switch to the command line.

The results can be seen in the ZTIWindowsUpdate.log file. It will list which updates will be installed or skipped.

imageYou can test this using a Post OS Installation Task Sequence. It can also be useful to discover which updates are needed to download and place in the Packages folder of your deployment share.

About these ads

About Andrew Barnes

A Scipting and Deployment Specialist.
This entry was posted in Deployment, MDT 2010, MDT 2012 and tagged , , , , , . Bookmark the permalink.

48 Responses to MDT 2012: Automating updates in Lite-Touch Deployments

  1. Tracey Boynton says:

    Andrew is it possible to run Windows Update (Post Application Install) on a non sys prep image? I can’t seem to make that happen

    Like

  2. Alexandr says:

    Excuse me, i have wsus server , i use MDT 2012 RC1 for deploy Windows 7, i have domain, i included line like this
    WSUSServer=http://wsus.domain.com:8530

    in my customsettings.ini file in [Default] section
    But after deploy, nothing happened, updates did`t install?
    It is important to turn on Windows Update in Task Sequence for Enterprise?

    Like

    • Yes. Enable the task sequence steps or nothing will happen.

      Sent from Samsung Mobile

      Like

      • Alexandr says:

        And one more question, it is important to include PC in domain during deploy?
        Lite Touch show me
        “Configuration manager client installation…”
        after PC reboot, and this step repeat again and again.
        and after when I stoped it, Deployment summary showed me
        FAILURE (9902): ZTIWindowsUpdate has run and failed too many times. Count = 8

        Like

      • Sounds like you’ve deployed the configmgr client to your wsus server. 

        Get the id of that update and add it to an exclusion list in the cs.ini 

        Sent from Samsung Mobile

        Like

  3. Sirish says:

    Andrew,Ours is a small environment where we use only MDT 2010 to deploy Windows 7 using a bootable media. We are using lite touch installation. We have problems adding updates. We use the packages node in deployment workbench to import the cab files.

    When we run the task sequence, immediately after image extraction the task sequence fails, with a message about the DISM updating the unattend.xml. We do not have SCCM, but still we tried using ‘install updates offline’, after disabling ‘Apply patches ‘ step in preinstall. The task sequence is successful but none of the updates are installed.

    Without adding the software updates the TS runs successfully, but even with just one update the task sequence breaks while reading form the unattend.xml.

    Can you guide me of any way that I can use to install the updates?

    Like

  4. Oneil Matlock says:

    This article was helpful to me. My updates are installed. However, my Windows Update settings are grayed out and says that they are being managed by policy. How can I change that?

    Like

  5. Josh Padilla says:

    I am interested in any Task Sequence customizations that you perform on a regular basis. We have a MDT 2012 and SCCM 2012 instance that serves around 250 Win 7 SP1 Ent 64 Bit Clients. Most of our customizations take place in the “State Restore” area of the TS. In the coming months I will be adding more consolidated PS scripts instead of several (many) Run Command Line options. What do you think about starting a post or thread which goes through each area of the TS (Initialization, Validation, State Capture, etc.) and detailing customizations, best practices, etc? Most of them aren’t really touched, but a better understanding of what each TS sequence step does would be greatly helpful.

    Like

  6. Kevin says:

    Hi Andrew,

    I am having trouble with MDT 2012 excluding IE9 from my task sequence. The exclusion is necessary in my enterporise because many of our in-house apps do not work properly with IE9. I have tried the following in my custmsettings.ini file to no avail:

    WUMU_ExcludeKB1=KB982861
    WUMU_ExcludeKB1=982861
    WUMU_ExcludeID1={1b1d178a-c052-4e9c-a814-700823bd410e}


    Here is sample of the zt1windowsupdate.log:

    INSTALL – 1b1d178a-c052-4e9c-a814-700823bd410e – Windows Internet Explorer 9 for Windows 7 [ KB982861 ] – 19 MB ZTIWindowsUpdate 10/20/2012 3:59:15 AM 0 (0×0000)
    SKIP – 1bddbe8d-16ef-4e1d-a8eb-826691a014f6 – Bing Desktop [ KB2694771 ] – 1 MB ZTIWindowsUpdate 10/20/2012 3:59:15 AM 0 (0×0000)

    As you can see, it is skipping over other updates I don’t want installed so I don’t know what else I am missing for it to skip the IE9 update! I have tried updating the deployment share, and deleting the customsettings.ini file as well.

    Any suggestions would be greatly appreciated.

    Kevin

    Like

  7. Kevin says:

    Must have not properly deleted custom settings.ini per previous post. Recreated file and IE9 mnow skips just fine. Awesome!

    Like

  8. Kim says:

    Hi
    I’m trying to exclude IE9 for vista deployment in the customsettings.ini. but it still gets installed.
    It works for win7, but not for vista.
    setting in customsettings.ini is : WUMU_ExcludeID002=737c4e80-0731-4bb5-bdaf-a49512e4591c
    i have set the gather local only to point at customsettings.ini.
    But in the ztiwindowsupdate.log it says Install.
    Is vista and win7 behaving differently??

    Like

    • You can exclude an update via its ID or its KB number. I’d first copy and paste the ID from the log files. If that doesn’t work then try using its KB number –
      WUMU_ExcludeKB002=KB982861

      Like

  9. Cary Wells says:

    is there any way to use exclusions without having MDT installed? I have ZTIupdates working but would like to exclude some and installing MDT is not an option at this time.

    Like

  10. Frank says:

    Question: If MDT 2012 is not integrated with SCCM 2007, and SCCM handles updates in an enterprise, is there a way to pull updates from the SCCM repositories during the MDT task sequence without “integrating” MDT into SCCM?

    Like

    • I’m not sure on that one. However, SCCM uses WSUS so you may be able to target the WSUS server directly for the updates. Never tried this though.

      You could create a WSUS down or upstream server and use this for MDT deployments.

      Like

  11. jaminben says:

    Hi Andrew,
    Is it possible to stop all updates? I have an automatic task sequence which builds a reference image, installs applications then pauses so we can make a manual change to the image then it captures the image. During the pause windows automatically updates itself which we don’t want. I have tried joining the reference image to a domain then using group policy to stop updates but when it comes to capturing the image wont work because we’re joined to a domain. I’m trying to automate as much as possible.

    Like

    • Hi, In this scenario I would say simply don’t join the domain during the reference image build. If your machine is finding updates from WSUS then it will not have a policy to find and register with the wsus server. If it’s getting its updates from the Microsoft Update, then without authentication, it shouldn’t be able to access the internet.

      Like

      • jaminben says:

        Thanks for the reply.
        I worked out that I can run a command line task using “sc config wuauserv start= disabled” which so far seems to be working.

        Like

  12. Derek says:

    I am experimenting with MDT2012 update 1 on Windows 8 running the ADK and I am having issues installing offline updates in the package folder for a Windows 8 install being tested in a vm.

    Is the correct phase to install the offline updates at “Post Install” between “Add Windows Recovery (WinRe)” and “Next Phase”

    Like

    • The standard task sequence already does that so take a look and replicate its method.

      Like

    • Bryan says:

      Derek, did you ever find a solution? I’m trying to do the same thing (except I’m using Windows 7). I can’t get it to install offline patches that I imported into the packages folder in MDT2012. If I can just manually download and install my list of Windows updates instead of using WSUS, it would actually be easier in my environment. (Getting things like WSUS approved at my job has too much red tape…)

      Like

  13. Mark says:

    Hi Andrew,

    Thank you for the great information here. I do have an issue though. MDT successfully queries our internal WSUS server and pulls updates, but does not automatically install them. I would like to include this step. How do I go about accomplishing this? Thank you.

    -Mark

    Like

  14. Mark says:

    I’ve been struggling to get MDT 2012u1 to skip some Windows Updates, and figured out what was wrong with my configuration today – thought I’d share here since this is a great link for the rest of the MDT Windows Update information, and it gets a high rank in search results for this problem.

    I was adding the lines as described above to exclude the KB numbers for IE9 and IE10:
    WUMU_ExcludeKB001=KB982861 ;Internet Explorer 9
    WUMU_ExcludeKB002=KB2718695 ;Internet Explorer 10

    When that didn’t work, I tried with the ID numbers:
    WUMU_ExcludeID001=0ab15e4e-31ae-4aca-9c41-727bfd643fea ;Internet Explorer 9
    WUMU_ExcludeID002=c0b3230a-bb79-4e44-b771-177bc224fcbf ;Internet Explorer 10

    That still didn’t work. Finally, I removed the comments from the lines:
    WUMU_ExcludeID001=0ab15e4e-31ae-4aca-9c41-727bfd643fea
    WUMU_ExcludeID002=c0b3230a-bb79-4e44-b771-177bc224fcbf

    Removing the comments worked using the ID numbers, so I went back and tried with the KBs but it still didn’t work. Then I tried using the KB numbers without the “KB” prefix, and that worked:
    WUMU_ExcludeKB001=982861
    WUMU_ExcludeKB002=2718695

    Thanks for the reference!

    Like

    • Thanks for the write-up Mark. Great catch.

      I think the KB actually worked in my XP lab when I did this. I know the semi-colons worked also. I’ll update the post. Here’s the correct info from the library.

      WUMU_ExcludeID. A list of UpdateIDs to exclude; The UpdateID property is in GUID form, such as 67da2176-5c57-4614-a514-33abbdd51f67.

      WUMU_ExcludeKB. A list of QNumbers to exclude; The QNumber property is a numerical value, such as 987654.

      Like

  15. Aaron says:

    Hi Andrew, I’m seeing some inconsistent behaviour with WUMU_Exclude properties. WUMU_ExcludeKB1 seems to work, but WUMU_ExcludeKB01 doesn’t. Have you seen this as well?

    Like

    • I havn’t sorry. What kind of issues are you seeing?

      Like

      • Aaron says:

        If I use WUMU_ExcludeKB01, WUMU_ExcludeID01, WUMU_ExcludeKB001 etc., the updates are not skipped. If I instead use WUMU_ExcludeKB1, the updates are skipped.

        Plenty of examples around the tubes of WUMU_ExcludeKB01 working and I presume that it works for you as you’re using similar in your own example. I have something that works, but stumped as to why WUMU_ExcludeKB01 would work for other environments and not mine.

        Especially interesting given that other properties like MandatoryApplications001 works. I probably just need to crack open ZTIWindowsUpdate.wsf to understand why.

        Like

  16. This post is freaking awsome, would be nice if you could post how to use this in the CM task sequence to! Nice Work.

    Like

  17. xsnakedoctor says:

    Any chance there’s a print friendly version of this? Andrew, your guides are awesome. Thanks so much for providing this great repository of information. I’ve been referring to your entire site for my entire MDT proof of concept.

    Can’t say enough good about the resource you’re providing. Thanks again.

    Like

    • Sorry, unless there’s a wordpress exporter out there. Thanks for visiting, I’m glad my posts are helping in some small part. :)

      Like

      • xsnakedoctor says:

        No worries, I’m able to get by. I think this particular blog is one I’ve been referring to throughout my entire MDT test setup. I ran into a snag just now trying to finally sysprep and capture my image but I think I’m all set now. Thanks again for taking the time to write all of this. I’m sure between work and all the other things you’ve got going on it’s tough to keep a resource like this updated constantly.

        Hope you can keep the great material coming!

        Like

  18. Tony L says:

    Great post, just wish I´d read this one before I manually uninstalled the IE10 from my patched reference image.. ;-)

    Like

  19. David says:

    Hi!
    Great post!
    What if i specified my SCCM 2012 WSUS? Would the MDT TS be able to install updates that i advertised to Unknown computers collection? I Suspect that it need the ConfigMgr Agent to be able to download them right?
    Thanks!

    Like

  20. Johnny says:

    As I reached compleation of the install I realized the WSUS server actually was off line.
    Obviously the script falls back on Microsofts servers if WSUS is unavailable.
    …Didn’t know that.

    Like

  21. Shakiel says:

    Hi This is a GReat Post Thanks Alot

    Like

  22. Troy S. says:

    I followed your instructions above and added the WSUS entry for my offline WSUS server in my CustomSettings.ini file. My MDT task sequence is checking my WSUS server but its only installing 3 patches on the initial check. After the task sequence completes, I reboot the machine and run Windows update manually on the machine and it says I have 6 more new patches, reboot, run it again and I have 10 patches, so forth and so on. I want to capture all the patches (to date) in my image but it seems I cant do that. Am I doing something wrong? or is this just how it works?

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s