Author: Peter Barnett Date: Apr 03, 2020
In this article, we will look at an example of integrating security updates from the WSUS Offline Update tool into a Windows 10 installation task over a network using the Microsoft Deployment Toolkit (MDT). Thus, you can configure the automatic deployment of a fully patched Windows 10 image. There are other ways to install Windows updates or integrate them into a system image, for example, directly into a WIM file of a system image or using the built-in MDT tool.
First of all, we need to download the latest version of WSUS Offline Update tool (http://download.wsusoffline.net/).
WSUS Offline Updater is a free utility designed to automatically retrieve all security updates for a specific Microsoft product from the Microsoft Update website or a local WSUS server. Updates are saved in a local folder, and the administrator can then install these updates offline on isolated computers, without the need to connect them to the Internet or local network. The utility allows you to download updates for all supported versions of Windows (Vista, 7, 8, 10 / Windows Server 2008, 2008 R2, 2012, 2012 R2), Office 2010, 2013 and 2016, .NET Frameworks, C++ Runtime libraries, Windows Defender database updates, Microsoft Security Essentials, etc.
Download and unzip the contents of the wsusoffline107.zip archive to any directory. In my case, this is C:\Distr\wsusoffline.
Run the UpdateGenerator.exe executable file (WSUS Offline Update Tool Generator).
Select the version of Windows for which you want to receive a list of required security updates. For example, for Windows 10, you need to select the required bit depth (x64 Global (multilingual updates)) in the Windows 10/Server 2016 (w100 / w100-x64) section and click Start.
The utility will receive a list of available updates and start downloading files that have not yet been received. This means that the program can be run periodically to download only the latest missing updates without having to re-download all the packages again. Depending on the speed of Internet access, downloading all product updates may take quite a while.
Notes:
All downloaded updates are saved in the Client directory.
To install updates on the client, the program with the graphical interface UpdateInstaller.exe is used. In our case, a GUI is not required, because updates should be installed automatically without user interaction. In this case, it is better to use the script file Update.cmd (it, in turn, runs the script \cmd\DoUpdate.cmd). Therefore, MDT should run the update.cmd file when deploying Windows 10 on the client.
After all the updates have been downloaded to the local drive, close the WSUS Offline Updater window and copy the contents of the Client folder to your MDT server. I placed it in the C:\DeploymentShare\Scripts folder.
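Everything in the Client folder will be executed with administrative rights on every machine you deploy, so it is worth checking the downloaded packages before publishing them to the share. The following PowerShell script is an added example, not part of the original article or of WSUS Offline Update: it verifies the Authenticode signature of each update package and copies the folder only if all of them pass. The paths follow the article (the destination subfolder is inferred from the UNC path used later), and the signer match on "O=Microsoft Corporation" is an assumption you may want to tighten.

```powershell
# Added example: verify downloaded update packages before publishing to MDT.
# Paths follow the article; adjust them to your environment.
$Source      = 'C:\Distr\wsusoffline\client'
$Destination = 'C:\DeploymentShare\Scripts\client'

# Only update payloads are checked here. The tool's own scripts and helper
# binaries in the Client folder are not covered by this check.
$packages = Get-ChildItem -Path $Source -Recurse -File -Include *.msu, *.cab, *.msp
if (-not $packages) {
    throw "No update packages found under $Source - check the path."
}

$results = foreach ($file in $packages) {
    $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    [pscustomobject]@{
        File   = $file.FullName
        Status = $sig.Status
        Signer = $signer
    }
}

# A package fails if the signature is not valid (unsigned, tampered, untrusted
# chain) or if the signer is not Microsoft (assumed subject match).
$bad = @($results | Where-Object {
    $_.Status -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation'
})

if ($bad.Count -gt 0) {
    $bad | Format-Table -AutoSize -Wrap
    throw "$($bad.Count) package(s) failed signature verification; nothing was copied."
}

Write-Host "$(@($results).Count) package(s) verified. Copying to $Destination ..."
New-Item -ItemType Directory -Path $Destination -Force | Out-Null
Copy-Item -Path (Join-Path $Source '*') -Destination $Destination -Recurse -Force
```

Run it from an elevated PowerShell session on the MDT server each time UpdateGenerator.exe has downloaded new updates.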
Now you need to add the task of starting the update installation to the Windows 10 installation task.
Open the Deployment Workbench (MDT) console, and in the Task Sequences section, find the desired task to which you want to add the update installation step. In our example, this is Deploy Win 10 x64 Pro. Open its properties and go to the Task Sequence tab.
Create a new MDT task that mounts the network folder with updates (Client) to a separate drive (the update.cmd file does not work with UNC paths) and runs the update.cmd file to start installing updates.
In the State Restore -> Custom Task task group, create two new tasks:
Create a new task (Add -> General -> Run Command Line) named Mount Network Folder.
In the Command line field, specify the following command:
cscript.exe "%SCRIPTROOT%\ZTIConnect.wsf" /uncpath:\\10.10.0.70\DeploymentShare\Scripts\client
Tip. The ZTIConnect script mounts the network directory to a drive with the letter Y:
The second task, named Install Windows Updates Offline, should contain the following startup line:
Cmd.exe /c "Y:\DeploymentShare\Scripts\client\update.cmd"
Update the deployment share by right-clicking the root of the MDT share and selecting “Update Deployment Share”.
You can test the operation of the Windows 10 deployment task on the client (it can be a virtual or physical machine). Turn on the test machine and start the network boot using PXE.
Select the desired Task Sequence and wait until the installation of Windows 10 is completed. After the installation is complete, a window with the heading “Administrator DoUpdate” should appear, in which the process of installing Windows security updates will be displayed.
Wait for the installation to complete and restart the computer.
So, we have configured the automatic installation of Windows security updates during the deployment of Windows 10 on clients using the Microsoft Deployment Toolkit and WSUS Offline Updater.