MDT 2012: Automating updates in Lite-Touch Deployments

Microsoft Deployment Toolkit has a built-in script that applies Microsoft Update patches to a machine during a Lite-Touch deployment. I have been meaning to write this article for a while now, but the size of the topic has deterred me from seeing it through to completion. This post also applies to MDT 2010.

To be clear, this article does not describe a patch management strategy. It does, however, demonstrate how to deploy fully patched machines during a Lite-Touch deployment and how to create up-to-date reference images or deployment templates. Most organisations recreate their images on a regular basis so that newly deployed machines do not require excessive patching after their initial deployment, usually to reduce the load on the WSUS server.

These are the techniques I use in my test lab and in enterprise Lite-Touch deployments to ensure Windows XP, Vista, 7 and Server 2008 editions are fully patched at the time of deployment.


Enabling updates within your Lite-Touch Deployments

The Windows Update task sequence steps are built into the standard client and server task sequence templates but are disabled by default. To use them, edit your task sequence, select the step and un-tick the ‘Disable this step’ checkbox on its Options tab. During your Lite-Touch deployments the step will then download and install all applicable updates from Microsoft Update, rebooting and resuming the task sequence as needed.

The step appears twice in the template: Windows Update (Pre-Application Installation) and Windows Update (Post-Application Installation). Enabling the post-application step is useful when you are installing Microsoft Office 2010 or another product that is patched through Microsoft Update, so that those products leave the deployment patched as well.

How does it work?

The task sequence steps run a script called ZTIWindowsUpdate.wsf. The script uses the Windows Update Agent (WUA) API to search for, download and install updates. Everything it does is logged to ZTIWindowsUpdate.log. If the API returns an unusual error code in your log (although I never have seen one), compare it against Microsoft’s published list of Windows Update Agent result codes. The script also checks the installed Windows Update Agent at the start and updates it if needed.

By default, ZTIWindowsUpdate.wsf connects to Microsoft Update, then searches for and downloads all applicable updates, including security patches, drivers, browser updates and service packs. This is essentially the same as opening the Windows Update GUI and choosing ‘Check for updates’.

Managing Lite-Touch Deployment updates in the Enterprise

Many corporate environments block Microsoft Update and run an internal Windows Server Update Services (WSUS) server. In these scenarios you can configure MDT to point the client at your WSUS server so that updates are downloaded internally. This is done in CustomSettings.ini by adding a single line naming the WSUS server, as in this example:

WSUSServer=http://ScriptimusWSUSServer:8530

What this does is point the client at the internal WSUS server by writing the following registry values under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, the same values the ‘Specify intranet Microsoft update service location’ group policy would set:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer, "http://ScriptimusWSUSServer:8530", "REG_SZ"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer, "http://ScriptimusWSUSServer:8530", "REG_SZ"

Note that the example uses http on port 8530, the default cleartext WSUS port. If your WSUS server is configured for SSL, use the https URL (port 8531 by default) so the client can authenticate the server it downloads from.
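As an added check that is not part of the original post or of MDT itself, the PowerShell below reads the policy values described above back from a deployed or reference machine and reports where the configuration would silently fall back to Microsoft Update or is weaker than intended. The expected URL is assumed to be the WSUSServer value from CustomSettings.ini, and the hostname is the hypothetical one used above. The AU\UseWUServer check is included because the Windows Update Agent ignores WUServer unless that DWORD is 1.

```powershell
# Added example, not from the original post or from MDT: read back the Windows
# Update policy values written for WSUSServer and sanity-check them.
function Get-WsusPolicy {
    $wuPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuPath -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path (Join-Path $wuPath 'AU') -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer   # WUA ignores WUServer unless this DWORD is 1
    }
}

# Returns a list of findings; an empty list means the client is pointed where
# CustomSettings.ini says and the WSUS port answers.
function Test-WsusTarget {
    param([string]$Expected, [int]$TimeoutMs = 3000)
    $p = Get-WsusPolicy
    $findings = @()

    if (-not $p.WUServer) {
        $findings += 'WUServer is not set: the agent will search Microsoft Update, not WSUS.'
        return $findings
    }
    if ($p.WUServer -ne $Expected) { $findings += "WUServer is '$($p.WUServer)', expected '$Expected'." }
    if ($p.WUStatusServer -ne $p.WUServer) { $findings += "WUStatusServer ('$($p.WUStatusServer)') differs from WUServer." }
    if ($p.UseWUServer -ne 1) { $findings += 'AU\UseWUServer is not 1, so WUServer will be ignored.' }

    $uri = $p.WUServer -as [Uri]
    if (-not $uri -or -not $uri.Host) {
        $findings += "WUServer '$($p.WUServer)' is not an absolute http(s) URL."
        return $findings
    }
    if ($uri.Scheme -eq 'http') {
        $findings += "WSUS is reached over cleartext http ($($uri.Authority)); the client cannot authenticate the server. Use https (8531 by default) if WSUS has SSL configured."
    }

    # Reachability: asynchronous TCP connect with a timeout, usable on PowerShell 2.0.
    $tcp = New-Object Net.Sockets.TcpClient
    try {
        $ar = $tcp.BeginConnect($uri.Host, $uri.Port, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { $tcp.EndConnect($ar) }
        else { $findings += "No answer from $($uri.Host):$($uri.Port) within $TimeoutMs ms." }
    } catch {
        $findings += "Cannot connect to $($uri.Host):$($uri.Port): $($_.Exception.Message)"
    } finally {
        $tcp.Close()
    }
    $findings
}

# Hypothetical hostname, the same one used in the CustomSettings.ini example above.
$findings = @(Test-WsusTarget -Expected 'http://ScriptimusWSUSServer:8530')
if ($findings.Count -eq 0) { 'OK: WSUS policy matches CustomSettings.ini and the server port answers.' }
else { $findings | ForEach-Object { "WARN: $_" } }
```

Run this from an elevated PowerShell on the deployed machine, or drop it in as a Run Command Line step after the Windows Update steps when you are diagnosing a deployment that never picks anything up from WSUS; a missing WUServer or an unreachable port explains most such cases.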

Skipping updates during your Lite-Touch Deployments

You may not want MDT to install every update it finds, for example the latest Internet Explorer or the Microsoft Browser Choice Screen update. In that case create an exclusion list in CustomSettings.ini using the WUMU_ExcludeKB property (the numeric KB article number, with no ‘KB’ prefix) or the WUMU_ExcludeID property (the update’s UpdateID GUID, which you can copy from ZTIWindowsUpdate.log). You can add as many lines as you like by incrementing the number at the end of the property name. Put nothing else on the line, not even a trailing comment, or the value will not match. In this example I use WUMU_ExcludeKB to exclude three Windows updates.

WUMU_ExcludeKB001=976002
WUMU_ExcludeKB002=2267621
WUMU_ExcludeKB003=2434419

In ZTIWindowsUpdate.log you can see that it has skipped over them (logged as SKIP rather than INSTALL) without installing them.

Checking for updates only

One final tip: you may wish to discover which updates will be applied during your deployment without actually downloading them. Edit the Windows Update task sequence step and add the /query switch to its command line, so that it reads cscript.exe "%SCRIPTROOT%\ZTIWindowsUpdate.wsf" /query.

The results can be seen in ZTIWindowsUpdate.log, which lists which updates would be installed and which would be skipped.

You can test this using a Post OS Installation task sequence. It is also a useful way to discover which updates you need to download and place in the Packages folder of your deployment share.
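To show what the search-and-classify logic described in this post amounts to, here is an added PowerShell example that is not part of the original post or of ZTIWindowsUpdate.wsf. It drives the same Windows Update Agent COM API the script uses to perform a /query-style dry run: it parses WUMU_ExcludeKB and WUMU_ExcludeID entries from CustomSettings.ini text, asks the agent which software updates are not yet installed, and prints each one as INSTALL or SKIP in the shape ZTIWindowsUpdate.log uses, without downloading anything. The CustomSettings.ini fragment is constructed for the example (the KB numbers are the ones above; the GUID is the IE9 UpdateID quoted in the comments), and the tolerance for ‘KB’ prefixes, braces and trailing comments is this helper’s own leniency, not something MDT’s own parser offers.

```powershell
# Added example (not from the original post or from MDT's ZTIWindowsUpdate.wsf):
# a /query-style dry run that lists pending updates and marks which ones a
# WUMU_ExcludeKB / WUMU_ExcludeID list would skip, without downloading anything.

# Parse WUMU_ExcludeKB### / WUMU_ExcludeID### lines out of CustomSettings.ini text.
# Dropping a "KB" prefix, braces and ";comments" is this helper's leniency only;
# ZTIWindowsUpdate.wsf itself wants the bare number or bare GUID on the line.
function Get-WumuExclusions {
    param([string]$IniText)
    $kb = @{}; $id = @{}
    foreach ($line in ($IniText -split "`r?`n")) {
        $clean = ($line -split ';')[0].Trim()
        if ($clean -match '^WUMU_Exclude(KB|ID)\d*\s*=\s*(.+)$') {
            $value = $matches[2].Trim().Trim('{', '}')
            if ($matches[1] -eq 'KB') { $kb[($value -replace '^KB', '')] = $true }
            else                      { $id[$value.ToLower()] = $true }
        }
    }
    New-Object PSObject -Property @{ KB = $kb; ID = $id }
}

# Ask the Windows Update Agent for software updates that are not yet installed.
# ServerSelection 0 = default (honours a WSUS policy), 2 = Windows Update.
function Get-PendingUpdates {
    param([int]$ServerSelection = 0)
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = $ServerSelection
    $result = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    foreach ($u in $result.Updates) {
        New-Object PSObject -Property @{
            UpdateID = $u.Identity.UpdateID
            KBs      = @($u.KBArticleIDs)
            Title    = $u.Title
            SizeMB   = [math]::Round($u.MaxDownloadSize / 1MB)
        }
    }
}

# INSTALL or SKIP for one update, matched by UpdateID first, then by any KB number.
function Get-UpdateAction {
    param($Update, $Exclusions)
    if ($Exclusions.ID.ContainsKey($Update.UpdateID.ToLower())) { return 'SKIP' }
    foreach ($k in $Update.KBs) {
        if ($Exclusions.KB.ContainsKey([string]$k)) { return 'SKIP' }
    }
    'INSTALL'
}

# Constructed CustomSettings.ini fragment: the KBs from the post, plus the IE9
# UpdateID quoted in the comments. Hostname is hypothetical.
$ini = @"
[Default]
WSUSServer=http://ScriptimusWSUSServer:8530
WUMU_ExcludeKB001=976002
WUMU_ExcludeKB002=2267621
WUMU_ExcludeKB003=2434419
WUMU_ExcludeID001=1b1d178a-c052-4e9c-a814-700823bd410e
"@

$excl = Get-WumuExclusions -IniText $ini
foreach ($u in Get-PendingUpdates) {
    $kbText = ($u.KBs | ForEach-Object { "KB$_" }) -join ', '
    '{0} - {1} - {2} [ {3} ] - {4} MB' -f (Get-UpdateAction $u $excl), $u.UpdateID, $u.Title, $kbText, $u.SizeMB
}
```

Run it with the machine already pointed at your WSUS server (ServerSelection 0) to see exactly what a Lite-Touch deployment would pull from WSUS, or pass -ServerSelection 2 to Get-PendingUpdates to compare against Microsoft Update. Anything listed as INSTALL that you do not want in the image should go into the exclusion list before you build the reference image.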

About Andrew Barnes

A Scripting and Deployment Specialist.
This entry was posted in Deployment, MDT 2010, MDT 2012.

56 Responses to MDT 2012: Automating updates in Lite-Touch Deployments

  1. Tracey Boynton says:

    Andrew, is it possible to run Windows Update (Post Application Install) on a non-sysprep image? I can’t seem to make that happen.


  2. Alexandr says:

    Excuse me, I have a WSUS server, I use MDT 2012 RC1 to deploy Windows 7, I have a domain, I included a line like this:
    WSUSServer=http://wsus.domain.com:8530

    in my customsettings.ini file in the [Default] section.
    But after deploy, nothing happened, the updates didn’t install?
    Is it important to turn on Windows Update in the Task Sequence for Enterprise?


    • Yes. Enable the task sequence steps or nothing will happen.



      • Alexandr says:

        And one more question, is it important to include the PC in the domain during deploy?
        Lite Touch shows me
        “Configuration manager client installation…”
        after the PC reboots, and this step repeats again and again.
        And after I stopped it, the Deployment summary showed me
        FAILURE (9902): ZTIWindowsUpdate has run and failed too many times. Count = 8


      • Sounds like you’ve deployed the configmgr client to your wsus server.

        Get the id of that update and add it to an exclusion list in the cs.ini



  3. Sirish says:

    Andrew, ours is a small environment where we use only MDT 2010 to deploy Windows 7 using bootable media. We are using Lite Touch installation. We have problems adding updates. We use the Packages node in Deployment Workbench to import the cab files.

    When we run the task sequence, immediately after image extraction the task sequence fails, with a message about DISM updating the unattend.xml. We do not have SCCM, but still we tried using ‘Install updates offline’, after disabling the ‘Apply patches’ step in Preinstall. The task sequence is successful but none of the updates are installed.

    Without adding the software updates the TS runs successfully, but even with just one update the task sequence breaks while reading from the unattend.xml.

    Can you guide me to any way that I can use to install the updates?


  4. Oneil Matlock says:

    This article was helpful to me. My updates are installed. However, my Windows Update settings are grayed out and says that they are being managed by policy. How can I change that?


  5. Josh Padilla says:

    I am interested in any Task Sequence customizations that you perform on a regular basis. We have a MDT 2012 and SCCM 2012 instance that serves around 250 Win 7 SP1 Ent 64 Bit Clients. Most of our customizations take place in the “State Restore” area of the TS. In the coming months I will be adding more consolidated PS scripts instead of several (many) Run Command Line options. What do you think about starting a post or thread which goes through each area of the TS (Initialization, Validation, State Capture, etc.) and detailing customizations, best practices, etc? Most of them aren’t really touched, but a better understanding of what each TS sequence step does would be greatly helpful.


  6. Kevin says:

    Hi Andrew,

    I am having trouble with MDT 2012 excluding IE9 from my task sequence. The exclusion is necessary in my enterprise because many of our in-house apps do not work properly with IE9. I have tried the following in my customsettings.ini file to no avail:

    WUMU_ExcludeKB1=KB982861
    WUMU_ExcludeKB1=982861
    WUMU_ExcludeID1={1b1d178a-c052-4e9c-a814-700823bd410e}


    Here is a sample of the ZTIWindowsUpdate.log:

    INSTALL – 1b1d178a-c052-4e9c-a814-700823bd410e – Windows Internet Explorer 9 for Windows 7 [ KB982861 ] – 19 MB ZTIWindowsUpdate 10/20/2012 3:59:15 AM 0 (0x0000)
    SKIP – 1bddbe8d-16ef-4e1d-a8eb-826691a014f6 – Bing Desktop [ KB2694771 ] – 1 MB ZTIWindowsUpdate 10/20/2012 3:59:15 AM 0 (0x0000)

    As you can see, it is skipping over other updates I don’t want installed so I don’t know what else I am missing for it to skip the IE9 update! I have tried updating the deployment share, and deleting the customsettings.ini file as well.

    Any suggestions would be greatly appreciated.

    Kevin


  7. Kevin says:

    Must have not properly deleted customsettings.ini per previous post. Recreated the file and IE9 now skips just fine. Awesome!


  8. Kim says:

    Hi
    I’m trying to exclude IE9 for Vista deployment in the customsettings.ini, but it still gets installed.
    It works for Win7, but not for Vista.
    The setting in customsettings.ini is: WUMU_ExcludeID002=737c4e80-0731-4bb5-bdaf-a49512e4591c
    I have set the gather local only to point at customsettings.ini.
    But in the ztiwindowsupdate.log it says Install.
    Are Vista and Win7 behaving differently??


    • You can exclude an update via its ID or its KB number. I’d first copy and paste the ID from the log files. If that doesn’t work then try using its KB number –
      WUMU_ExcludeKB002=KB982861


  9. Cary Wells says:

    is there any way to use exclusions without having MDT installed? I have ZTIupdates working but would like to exclude some and installing MDT is not an option at this time.


  10. Frank says:

    Question: If MDT 2012 is not integrated with SCCM 2007, and SCCM handles updates in an enterprise, is there a way to pull updates from the SCCM repositories during the MDT task sequence without “integrating” MDT into SCCM?


    • I’m not sure on that one. However, SCCM uses WSUS so you may be able to target the WSUS server directly for the updates. Never tried this though.

      You could create a WSUS down or upstream server and use this for MDT deployments.


  11. jaminben says:

    Hi Andrew,
    Is it possible to stop all updates? I have an automatic task sequence which builds a reference image, installs applications, then pauses so we can make a manual change to the image, then it captures the image. During the pause Windows automatically updates itself, which we don’t want. I have tried joining the reference image to a domain then using group policy to stop updates, but when it comes to capturing the image it won’t work because we’re joined to a domain. I’m trying to automate as much as possible.


    • Hi, In this scenario I would say simply don’t join the domain during the reference image build. If your machine is finding updates from WSUS then it will not have a policy to find and register with the wsus server. If it’s getting its updates from the Microsoft Update, then without authentication, it shouldn’t be able to access the internet.


      • jaminben says:

        Thanks for the reply.
        I worked out that I can run a command line task using “sc config wuauserv start= disabled” which so far seems to be working.


  12. Derek says:

    I am experimenting with MDT2012 update 1 on Windows 8 running the ADK and I am having issues installing offline updates in the package folder for a Windows 8 install being tested in a vm.

    Is the correct phase to install the offline updates at “Post Install” between “Add Windows Recovery (WinRe)” and “Next Phase”?


    • The standard task sequence already does that so take a look and replicate its method.


    • Bryan says:

      Derek, did you ever find a solution? I’m trying to do the same thing (except I’m using Windows 7). I can’t get it to install offline patches that I imported into the packages folder in MDT2012. If I can just manually download and install my list of Windows updates instead of using WSUS, it would actually be easier in my environment. (Getting things like WSUS approved at my job has too much red tape…)


  13. Mark says:

    Hi Andrew,

    Thank you for the great information here. I do have an issue though. MDT successfully queries our internal WSUS server and pulls updates, but does not automatically install them. I would like to include this step. How do I go about accomplishing this? Thank you.

    -Mark


  14. Mark says:

    I’ve been struggling to get MDT 2012u1 to skip some Windows Updates, and figured out what was wrong with my configuration today – thought I’d share here since this is a great link for the rest of the MDT Windows Update information, and it gets a high rank in search results for this problem.

    I was adding the lines as described above to exclude the KB numbers for IE9 and IE10:
    WUMU_ExcludeKB001=KB982861 ;Internet Explorer 9
    WUMU_ExcludeKB002=KB2718695 ;Internet Explorer 10

    When that didn’t work, I tried with the ID numbers:
    WUMU_ExcludeID001=0ab15e4e-31ae-4aca-9c41-727bfd643fea ;Internet Explorer 9
    WUMU_ExcludeID002=c0b3230a-bb79-4e44-b771-177bc224fcbf ;Internet Explorer 10

    That still didn’t work. Finally, I removed the comments from the lines:
    WUMU_ExcludeID001=0ab15e4e-31ae-4aca-9c41-727bfd643fea
    WUMU_ExcludeID002=c0b3230a-bb79-4e44-b771-177bc224fcbf

    Removing the comments worked using the ID numbers, so I went back and tried with the KBs but it still didn’t work. Then I tried using the KB numbers without the “KB” prefix, and that worked:
    WUMU_ExcludeKB001=982861
    WUMU_ExcludeKB002=2718695

    Thanks for the reference!


    • Thanks for the write-up Mark. Great catch.

      I think the KB actually worked in my XP lab when I did this. I know the semi-colons worked also. I’ll update the post. Here’s the correct info from the library.

      WUMU_ExcludeID. A list of UpdateIDs to exclude; The UpdateID property is in GUID form, such as 67da2176-5c57-4614-a514-33abbdd51f67.

      WUMU_ExcludeKB. A list of QNumbers to exclude; The QNumber property is a numerical value, such as 987654.


  15. Aaron says:

    Hi Andrew, I’m seeing some inconsistent behaviour with WUMU_Exclude properties. WUMU_ExcludeKB1 seems to work, but WUMU_ExcludeKB01 doesn’t. Have you seen this as well?


    • I haven’t, sorry. What kind of issues are you seeing?


      • Aaron says:

        If I use WUMU_ExcludeKB01, WUMU_ExcludeID01, WUMU_ExcludeKB001 etc., the updates are not skipped. If I instead use WUMU_ExcludeKB1, the updates are skipped.

        Plenty of examples around the tubes of WUMU_ExcludeKB01 working and I presume that it works for you as you’re using similar in your own example. I have something that works, but stumped as to why WUMU_ExcludeKB01 would work for other environments and not mine.

        Especially interesting given that other properties like MandatoryApplications001 works. I probably just need to crack open ZTIWindowsUpdate.wsf to understand why.


  16. This post is freaking awesome, would be nice if you could post how to use this in the CM task sequence too! Nice work.


  17. xsnakedoctor says:

    Any chance there’s a print friendly version of this? Andrew, your guides are awesome. Thanks so much for providing this great repository of information. I’ve been referring to your entire site for my entire MDT proof of concept.

    Can’t say enough good about the resource you’re providing. Thanks again.


    • Sorry, unless there’s a wordpress exporter out there. Thanks for visiting, I’m glad my posts are helping in some small part. 🙂


      • xsnakedoctor says:

        No worries, I’m able to get by. I think this particular blog is one I’ve been referring to throughout my entire MDT test setup. I ran into a snag just now trying to finally sysprep and capture my image but I think I’m all set now. Thanks again for taking the time to write all of this. I’m sure between work and all the other things you’ve got going on it’s tough to keep a resource like this updated constantly.

        Hope you can keep the great material coming!


  18. Tony L says:

    Great post, just wish I’d read this one before I manually uninstalled IE10 from my patched reference image.. 😉


  19. David says:

    Hi!
    Great post!
    What if I specified my SCCM 2012 WSUS? Would the MDT TS be able to install updates that I advertised to the Unknown Computers collection? I suspect that it needs the ConfigMgr agent to be able to download them, right?
    Thanks!


  20. Johnny says:

    As I reached completion of the install I realized the WSUS server was actually offline.
    Obviously the script falls back on Microsoft’s servers if WSUS is unavailable.
    …Didn’t know that.


  21. Shakiel says:

    Hi, this is a great post, thanks a lot.


  22. Troy S. says:

    I followed your instructions above and added the WSUS entry for my offline WSUS server in my CustomSettings.ini file. My MDT task sequence is checking my WSUS server but it’s only installing 3 patches on the initial check. After the task sequence completes, I reboot the machine and run Windows Update manually on the machine and it says I have 6 more new patches; reboot, run it again and I have 10 patches, and so forth. I want to capture all the patches (to date) in my image but it seems I can’t do that. Am I doing something wrong? Or is this just how it works?


  23. Joe says:

    Andrew,
    I’m just now playing with MDT and creating a Windows 7 x64 image including Sp1. (All new to me). Anyway, I did the WSUSServer=myserver in the properties of the deployment share.. seems to work well. However, when I boot the pe environment and it gets to the Windows Update (Pre-application installation) step.. I watched it waste a bunch of time applying IE8 updates, then rebooted and installed IE10. How do you .. say.. push out IE10 first so it doesn’t waste time?


  24. Reji Antony says:

    Hi Andrew,

    Laptops reboot while the task sequence is running. This happens because of Windows updates. Can we stop Windows from rebooting while tasks are running?

    regards
    Reji


  25. Phil Croxford says:

    Hi

    thank you for such a great post!
    I’m at the stage where I have MDT on an external hard drive and deploy the OS via the USB hard drive.
    Is there a way I can get the machines to update from my “WSUS Offline” program folder?
    This would speed all my computers up a lot.


  26. Hi Andrew,

    These are the steps that I ran through to complete the WSUS Install on Server 2012:

    1. Installed WSUS role using the Windows Internal DB.

    2. Set the classifications and Product and Synced it up over the internet with Microsoft Updates.

    3. Set the automatic approval rule settings. Also Approved all the wanted updates for all Computers including unassigned computers.

    4. Enabled the WSUSServer property reference in the custom settings file.

    Unfortunately, my Reference Image creation process still doesn’t pick up anything against my WSUS Server.

    Am I missing something? Please help me get this working.
    regards
    Mohammed


  27. Nbn says:

    Hello Andrew,

    I am using a WSUS server and I added WSUS in customsettings.ini. But while imaging, it takes a long time for “Searching for Windows updates”.

    Could you help to figure out.


  28. Mahen says:

    I have created only one rule in WSUS to install the Win7 updates to all computer groups. WSUS stores all the updates locally and downloaded only approved updates; the WsusContent folder size after the updates download is 9GB. After this I edited the task sequence so that the Windows Updates (post deployment) option is enabled. When I run the task sequence the deployment of the OS is good, but when this update step comes it shows searching for updates, restarts a couple of times by itself and keeps searching for updates for many hours. I checked ZTIWindowsUpdate.log and the status there is searching for the updates. When I look at the status of the detected computer in the WSUS All Computers group, the specific computer’s status is not yet reported. I have observed this update sequence for almost 8 hours.

