In this article, we will look at an example of integrating security updates from WSUS Offline Update tool into a Windows 10 installation task over a network using the Microsoft Deployment Toolkit (MDT). Thus, you can configure the automatic deployment of a fully patched Windows 10 image. There are other ways to install Windows updates or integrate it into a system image, for example, directly into a WIM file of a system image or using the built-in MDT tool. In this article, we will consider WSUS Offline Updater, as a fairly convenient and functional tool, and its ability to integrate with MDT.
What Is WSUS Offline Updater and How to Download This Tool
First, we need to download the latest version of WSUS Offline Update tool (https://download.wsusoffline.net/).
WSUS Offline Updater is a free utility designed to automatically retrieve all security updates for a specific Microsoft product from the Microsoft Update website or local WSUS server. Updates are saved in a local folder and the administrator can then install these updates offline on isolated computers, without the need to connect them to the Internet or local network. The utility allows you to download updates for all supported versions of Windows (Vista, 7, 8,10 / Windows Server 2008, 2008 R2, 2012, 2012 R2), Office 2010, 2013 and 2016, .Net Frameworks, C ++ Runtime libraries, databases Windows Defender updates, Microsoft Security Essentials, etc.
Download and unzip the contents of the wsusoffline107.zip archive to any directory. In my case, this is C:\Distr\wsusoffline.
Run the UpdateGenerator.exe executable file (WSUS Offline Update Tool Generator)
Select the version of Windows for which you want to receive a list of required security updates. For example, for Windows 10, you need to select the required bit depth (x64 Global (multilingual updates)) in the Windows 10/Server 2016 (w100 / w100-x64) section and click Start.
The utility will receive a list of available updates and start downloading files that have not yet been received. This means that the program can be run periodically to download only the latest missing updates without having to re-download all the packages again. Depending on the speed of Internet access, downloading all product updates may take quite a while.
- In the program settings, you can specify that updates are downloaded from the Internet (Microsoft Update site), and from the local WSUS server.
- When connecting to the Internet through a proxy, the proxy server settings can be set by clicking the Proxy button.
All downloaded updates are saved in the Client directory.
To install updates on the client, the program with the graphical interface UpdateInstaller.exe is used. In our case, a GUI is not required, because updates should be installed automatically without user interaction. In this case, it is better to use the script file Update.cmd (it, in turn, runs the script \cmd\DoUpdate.cmd). Therefore, MDT should run the update.cmd file when deploying Windows 10 on the client.
- The latest version of the Windows Update Agent is stored in the WSUS directory
- The w100-x64\glb directory contains the update files for Windows 10 themselves in * .cab format
Integration of WSUS Offline Updater with MDT
After all the updates have been downloaded to the local drive, close the WSUS Offline Updater window and copy the contents of the Client folder to your north MDT. I placed it in the C:\DeploymentShare\Scripts folder.
Now you need to add the task of starting the update installation to the Windows 10 installation task.
Open the Deployment Workbench (MDT) console, and in the Task Sequences section, find the desired task to which you want to add the update installation step. In our example, this is Deploy Win 10 x64 Pro. Open its properties and go to the Task Sequence tab.
Create a new MDT task that mounts the network folder with updates (Client) to a separate drive (the update.cmd file does not work with UNC paths) and runs the update.cmd file to start installing updates.
In the task group State Restore ⇨ Custom Task, after we create two new tasks:
- Mounts a network drive with the Client directory on the UNC path
- Runs the update.cmd script.
Create a new task (Add ⇨ General ⇨ Run Command Line) named Mount Network Folder
In the line Command line indicate the following command:
cscript.exe “%SCRIPTROOT%\ZTIConnect.wsf” /uncpath:\\10.10.0.70\DeploymentShare\Scripts\client
Tip. The ZTIConnect script mounts the network directory to a drive with the letter Y:
The second task, named Installation Windows Updates Offline, should contain the following startup line:
Cmd.exe /c “Y:\DeploymentShare\Scripts\client\update.bat”
Update the distribution directory by using right mouse click on the root of the MDT share and selecting “Update Deployment Share”.
Installing Updates When Deploying a Windows 10 PC over a Network
You can test the operation of the Windows 10 deployment task on the client (it can be a virtual or physical machine). Turn on the test machine and start the network boot using PXE.
Select the desired Task Sequence and wait until the installation of Windows 10 is completed. After the installation is complete, a window with the heading “Administrator DoUpdate” should appear, in which the process of installing Windows security updates will be displayed.
Wait for the installation to complete and restart the computer.
So, we have configured the automatic installation of Windows security updates during the deployment of Windows 10 on clients using the Microsoft Deployment Toolkit and WSUS Offline Updater.
Consider Using Action1 to Install Windows Updates if:
- You need to perform an action on multiple computers simultaneously.
- You have remote employees with computers not connected to your corporate network.