Microsoft Deployment Toolkit has a built-in script designed to update images, with Microsoft Updates, during a Lite-Touch deployment. I’ve been meaning to write this article for a while now but the enormity of the topic has deterred me from seeing it through to completion. This post also applies to MDT 2010.
To be clear, this article does not describe how to implement a patch management strategy. It does, however, demonstrate how to deploy fully patched machines during a Lite-Touch deployment, and how to create up-to-date reference images or deployment templates. Most organisations recreate their images on a regular basis so that newly deployed machines do not require excessive patching after their initial deployment, which reduces the load on the WSUS server.
These are the techniques I use in my test-lab and enterprise Lite-Touch deployments to ensure Windows XP, Vista, 7 and 2008 server editions are fully patched at the time of deployment.
Contents:
- Enabling updates within your Lite-Touch Deployments
- How does it work?
- Managing Lite-Touch Deployment updates in the Enterprise
- Skipping updates during your Lite-Touch Deployments
- Checking for updates only
Enabling updates within your Lite-Touch Deployments
The Windows Update task sequence steps are built into the standard operating system deployment templates but are disabled by default. To use them, simply edit your task sequence and un-tick the ‘Disable this step’ checkbox. Now, during your Lite-Touch deployments, this task sequence step will download all available updates automagically from Microsoft Update, rebooting and resuming as needed.
The task sequence step is repeated post application installation. It can be useful to enable the Windows Update (Post application installation) step during deployments when you’re installing Microsoft Office 2010 or another product that can be patched using Microsoft Update.
How does it work?
The task sequence steps run a script called ZTIWindowsUpdate.wsf. The script uses the Windows Update Agent API to manage the downloading and installation of updates. All audit information is written to the ZTIWindowsUpdate.log file. If you find any unusual error codes in your log returned from the API (although I never have), you can compare the codes here. The script will also check and update the Windows Update Agent (WUA) as needed at the start.
In its default state, the ZTIWindowsUpdate.wsf script will connect to Microsoft Update then search for and download all available updates including Security Patches, Drivers, Browser Updates and Service Packs. This is essentially the same as opening the GUI and selecting check for updates.
Managing Lite-Touch Deployment updates in the Enterprise
Many corporate environments block Microsoft Update and have an internal Windows Server Update Services (WSUS) server. In these scenarios you can configure MDT to connect to your WSUS server and download the updates internally. This is done in the CustomSettings.ini file by adding a single line targeting the WSUS server as demonstrated in this example:
WSUSServer=http://ScriptimusWSUSServer:8530
What this does is point the client to an internal WSUS server by creating the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer, "http://ScriptimusWSUSServer", "REG_SZ"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer, "ScriptimusWSUSServer", "REG_SZ"
Skipping updates during your Lite-Touch Deployments
Now, you may not want MDT to download all updates, for example the latest Internet Explorer or the annoying Microsoft Browser Choice Screen update. In this case you can create an exclusion list using the CustomSettings.ini property WUMU_ExcludeID or WUMU_ExcludeKB. You can add as many of these lines as you like by incrementing the number at the end. In this example I use WUMU_ExcludeKB to exclude three Windows updates and have added a label just for show.
WUMU_ExcludeKB001=KB976002 ;Microsoft Browser Choice Screen Update for EEA
WUMU_ExcludeKB002=KB2267621 ;Microsoft Security Essentials
WUMU_ExcludeKB003=KB2434419 ;Windows Live Essentials 2011
In the ZTIWindowsUpdate.log file you can see that it has skipped over them without installing them.
Checking for updates only
One final tip: you may wish to discover which updates would be applied during your deployment without actually downloading them. This is done by editing the task sequence step and adding the /query switch to the command line.
The results can be seen in the ZTIWindowsUpdate.log file. It will list which updates will be installed or skipped.
You can test this using a Post OS Installation task sequence. It is also useful for discovering which updates you need to download and place in the Packages folder of your deployment share.
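To make the exclusion list and the /query log listing checkable rather than eyeballed, here is an added Python example (not code from this post, from MDT or from ZTIWindowsUpdate.wsf). It parses the WSUSServer and WUMU_ExcludeKB/WUMU_ExcludeID entries from a CustomSettings.ini fragment, parses INSTALL/SKIP lines in the layout quoted in the ZTIWindowsUpdate.log excerpt further down the page, and reports any excluded update that is still marked INSTALL. It also flags a WSUSServer URL that uses plain http rather than https, since the WSUS traffic itself is then unauthenticated on the wire. All sample data is constructed: the zero-filled GUIDs and KB0000001 are placeholders, and the parser assumes the log layout shown in the comments.

```python
"""Reconcile an MDT CustomSettings.ini exclusion list with ZTIWindowsUpdate.log.

Added example, not part of the original post or of MDT itself. The log line
layout is taken from the lines quoted in the comments; all sample data below
is constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed CustomSettings.ini fragment modelled on the post's examples.
SAMPLE_INI = """\
[Settings]
Priority=Default

[Default]
WSUSServer=http://ScriptimusWSUSServer:8530
WUMU_ExcludeKB001=KB976002 ;Microsoft Browser Choice Screen Update for EEA
WUMU_ExcludeKB002=KB2267621 ;Microsoft Security Essentials
WUMU_ExcludeKB003=KB2434419 ;Windows Live Essentials 2011
WUMU_ExcludeID001={1b1d178a-c052-4e9c-a814-700823bd410e}
"""

# Constructed ZTIWindowsUpdate.log lines (zero-filled GUIDs and KB0000001 are placeholders).
SAMPLE_LOG = """\
INSTALL - 1b1d178a-c052-4e9c-a814-700823bd410e - Windows Internet Explorer 9 for Windows 7 [ KB982861 ] - 19 MB ZTIWindowsUpdate 10/20/2012 3:59:15 AM 0 (0x0000)
SKIP - 1bddbe8d-16ef-4e1d-a8eb-826691a014f6 - Bing Desktop [ KB2694771 ] - 1 MB ZTIWindowsUpdate 10/20/2012 3:59:15 AM 0 (0x0000)
SKIP - 00000000-0000-0000-0000-000000000002 - Microsoft Security Essentials [ KB2267621 ] - 8 MB ZTIWindowsUpdate 10/20/2012 3:59:16 AM 0 (0x0000)
INSTALL - 00000000-0000-0000-0000-000000000003 - Windows Live Essentials 2011 [ KB2434419 ] - 130 MB ZTIWindowsUpdate 10/20/2012 3:59:16 AM 0 (0x0000)
INSTALL - 00000000-0000-0000-0000-000000000004 - Constructed sample security update [ KB0000001 ] - 2 MB ZTIWindowsUpdate 10/20/2012 3:59:17 AM 0 (0x0000)
"""

# Action, update GUID, title and KB number, in the order the log prints them.
LOG_RE = re.compile(
    r"^(INSTALL|SKIP)\s+-\s+([0-9a-fA-F-]{36})\s+-\s+(.*?)\s+\[\s*KB(\d+)\s*\]"
)


def normalize_kb(value):
    """'KB982861', '982861' and ' kb982861 ' all become 'KB982861'."""
    return "KB" + re.sub(r"\D", "", value)


def parse_customsettings(text):
    """Return (wsus_server, excluded_kbs, excluded_ids) from CustomSettings.ini text.

    Inline ';' comments are stripped, keys are matched case-insensitively and the
    numeric suffix on WUMU_ExcludeKB/WUMU_ExcludeID is ignored, as the post uses them.
    """
    wsus, kbs, ids = None, set(), set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key == "wsusserver":
            wsus = value
        elif key.startswith("wumu_excludekb"):
            kbs.add(normalize_kb(value))
        elif key.startswith("wumu_excludeid"):
            ids.add(value.strip("{}").lower())
    return wsus, kbs, ids


def parse_log(text):
    """Return one dict per INSTALL/SKIP line in ZTIWindowsUpdate.log."""
    entries = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            entries.append({
                "action": match.group(1),
                "id": match.group(2).lower(),
                "title": match.group(3),
                "kb": "KB" + match.group(4),
            })
    return entries


def reconcile(ini_text, log_text):
    """KB numbers that are on the exclusion list but still logged as INSTALL.

    An empty list means every exclusion took effect; a /query run is the cheap
    place to check this before the step downloads anything.
    """
    _, kbs, ids = parse_customsettings(ini_text)
    return [e["kb"] for e in parse_log(log_text)
            if e["action"] == "INSTALL" and (e["kb"] in kbs or e["id"] in ids)]


def wsus_transport(wsus_server):
    """'https', 'cleartext' or 'missing'. WSUS over plain HTTP (port 8530) is not
    authenticated on the wire; HTTPS (port 8531) is the hardened configuration."""
    if not wsus_server:
        return "missing"
    return "https" if urlsplit(wsus_server).scheme.lower() == "https" else "cleartext"


if __name__ == "__main__":
    wsus, kbs, ids = parse_customsettings(SAMPLE_INI)
    print("WSUS server:", wsus, "transport:", wsus_transport(wsus))
    print("Excluded KBs:", sorted(kbs), "excluded IDs:", sorted(ids))
    for entry in parse_log(SAMPLE_LOG):
        print(f"{entry['action']:7} {entry['kb']:10} {entry['title']}")
    print("Excluded but still INSTALL:", reconcile(SAMPLE_INI, SAMPLE_LOG))
```

Run it against a real CustomSettings.ini and ZTIWindowsUpdate.log by swapping the two constants for the file contents; a non-empty result from reconcile() is the situation described in the comments where an excluded update still shows as INSTALL, and is worth catching on a /query run before the step is allowed to download.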




Andrew, is it possible to run Windows Update (Post Application Install) on a non sys prep image? I can’t seem to make that happen.
You certainly can. Just create a Post OS task sequence.
I have done that but it only seems to work on a sys prep image.
I don’t know what you mean by a ‘sys prep image’. Try posting a full question in the MDT Forum http://social.technet.microsoft.com/Forums/en/mdt/threads .
Excuse me, I have a WSUS server. I use MDT 2012 RC1 to deploy Windows 7, I have a domain, and I included a line like this
WSUSServer=http://wsus.domain.com:8530
in my customsettings.ini file in the [Default] section.
But after deployment, nothing happened, the updates didn’t install?
Is it important to turn on Windows Update in the Task Sequence for Enterprise?
Yes. Enable the task sequence steps or nothing will happen.
Sent from Samsung Mobile
And one more question, is it important to include the PC in the domain during deployment?
Lite Touch shows me
“Configuration manager client installation…”
after the PC reboots, and this step repeats again and again.
And after I stopped it, the Deployment Summary showed me
FAILURE (9902): ZTIWindowsUpdate has run and failed too many times. Count = 8
Sounds like you’ve deployed the configmgr client to your wsus server.
Get the id of that update and add it to an exclusion list in the cs.ini
Sent from Samsung Mobile
This article was helpful to me. My updates are installed. However, my Windows Update settings are grayed out and says that they are being managed by policy. How can I change that?
That gets set in the local registry and can be turned off. Read here: http://technet.microsoft.com/en-us/library/cc708554(v=ws.10).aspx
I am interested in any Task Sequence customizations that you perform on a regular basis. We have an MDT 2012 and SCCM 2012 instance that serves around 250 Win 7 SP1 Ent 64 Bit Clients. Most of our customizations take place in the “State Restore” area of the TS. In the coming months I will be adding more consolidated PS scripts instead of several (many) Run Command Line options. What do you think about starting a post or thread which goes through each area of the TS (Initialization, Validation, State Capture, etc.) and details customizations, best practices, etc.? Most of them aren’t really touched, but a better understanding of what each TS sequence step does would be greatly helpful.
Hi Josh, I have a number of PowerShell posts coming up over the next few days.
As for the Out-of-Box Task Sequence Steps question. There’s loads of information on each step in the Microsoft Deployment Toolkit Documentation Library that comes with MDT. It’s also available online – http://systemscenter.ru/mdt2012.en/outofboxtasksequencesteps.htm
Hope this helps
/Andrew
Thanks anyways. I’m sure your new PS posts will be interesting.
Hi Andrew,
I am having trouble with MDT 2012 excluding IE9 from my task sequence. The exclusion is necessary in my enterprise because many of our in-house apps do not work properly with IE9. I have tried the following in my customsettings.ini file to no avail:
WUMU_ExcludeKB1=KB982861
WUMU_ExcludeKB1=982861
WUMU_ExcludeID1={1b1d178a-c052-4e9c-a814-700823bd410e}
–
Here is a sample of the ZTIWindowsUpdate.log:
INSTALL – 1b1d178a-c052-4e9c-a814-700823bd410e – Windows Internet Explorer 9 for Windows 7 [ KB982861 ] – 19 MB ZTIWindowsUpdate 10/20/2012 3:59:15 AM 0 (0x0000)
SKIP – 1bddbe8d-16ef-4e1d-a8eb-826691a014f6 – Bing Desktop [ KB2694771 ] – 1 MB ZTIWindowsUpdate 10/20/2012 3:59:15 AM 0 (0x0000)
As you can see, it is skipping over other updates I don’t want installed so I don’t know what else I am missing for it to skip the IE9 update! I have tried updating the deployment share, and deleting the customsettings.ini file as well.
Any suggestions would be greatly appreciated.
Kevin
Must have not properly deleted customsettings.ini per the previous post. Recreated the file and IE9 now skips just fine. Awesome!
Hi
I’m trying to exclude IE9 for a Vista deployment in the customsettings.ini, but it still gets installed.
It works for Win7, but not for Vista.
The setting in customsettings.ini is: WUMU_ExcludeID002=737c4e80-0731-4bb5-bdaf-a49512e4591c
I have set the gather local only to point at customsettings.ini.
But in the ztiwindowsupdate.log it says Install.
Are Vista and Win7 behaving differently??
You can exclude an update via its ID or its KB number. I’d first copy and paste the ID from the log files. If that doesn’t work then try using its KB number –
WUMU_ExcludeKB002=KB982861
Is there any way to use exclusions without having MDT installed? I have ZTIupdates working but would like to exclude some, and installing MDT is not an option at this time.
If you look at the code, you’ll find its usage parameters. And also in the manual.
Question: If MDT 2012 is not integrated with SCCM 2007, and SCCM handles updates in an enterprise, is there a way to pull updates from the SCCM repositories during the MDT task sequence without “integrating” MDT into SCCM?
I’m not sure on that one. However, SCCM uses WSUS so you may be able to target the WSUS server directly for the updates. Never tried this though.
You could create a WSUS down or upstream server and use this for MDT deployments.
Hi Andrew,
Is it possible to stop all updates? I have an automatic task sequence which builds a reference image, installs applications, then pauses so we can make a manual change to the image, then it captures the image. During the pause Windows automatically updates itself, which we don’t want. I have tried joining the reference image to a domain and then using group policy to stop updates, but when it comes to capturing the image it won’t work because we’re joined to a domain. I’m trying to automate as much as possible.
Hi, in this scenario I would say simply don’t join the domain during the reference image build. If your machine is finding updates from WSUS then it will not have a policy to find and register with the WSUS server. If it’s getting its updates from Microsoft Update, then without authentication it shouldn’t be able to access the internet.
Thanks for the reply.
I worked out that I can run a command line task using “sc config wuauserv start= disabled” which so far seems to be working.
I am experimenting with MDT 2012 Update 1 on Windows 8 running the ADK, and I am having issues installing offline updates from the Packages folder for a Windows 8 install being tested in a VM.
Is the correct phase to install the offline updates at “Post Install” between “Add Windows Recovery (WinRE)” and “Next Phase”?
The standard task sequence already does that so take a look and replicate its method.