In this article we will show you how to install updates offline, using packages downloaded with WSUS Offline Updater, inside MDT 2013 (Microsoft Deployment Toolkit) task sequences, so that you can deploy a fully patched Windows 10 image over the network.
Although most customers use Windows Server Update Services (WSUS) or SCCM SUP (Software Update Point) to install Microsoft updates on desktops and servers, there are a number of issues with installing security updates on newly deployed computers. The main problem is that updates are not installed on a newly deployed operating system immediately, but only after a certain period of time (it takes some time to apply WSUS domain policies, to send and receive reports from the WSUS server and to download update files to a computer). As a result, unpatched computers may sit on the corporate network for a long time, where they may be infected or hacked before the latest security updates are installed. It would be better to install the updates early in the OS deployment process or integrate the updates directly into the Windows image used for the installation.
How to Install Updates Offline on MDT 2013?
First, download the latest version of WSUS Offline Updater from this website. At the time of writing, the latest available version of WSUS Offline Updater is 11.5.
With WSUS Offline, you can safely and quickly update any computer running Microsoft Windows and Office even without an Internet connection.
Note. WSUS Offline Updater is a free utility designed to automatically download all critical and security updates for specified Microsoft products from Microsoft Update or a local WSUS server. Updates are stored in a local folder, so an administrator can install updates offline on any system without an internet connection or an internal WSUS server. The utility allows you to download updates for all supported versions of Windows (Windows Vista, 7, 8, 10 / Windows Server 2008, 2008 R2, 2012, 2012 R2), Office 2010, 2013 and 2016, .NET Frameworks, C++ Runtime libraries, Windows Defender definitions, Microsoft Security Essentials and so on.
Now we need to download and extract wsusoffline107.zip to any folder (C:\Distr\wsusoffline in our case).
Launch the executable file UpdateGenerator.exe (WSUS Offline Update Generator).
Select the Windows version for which you want to download the mandatory security updates. This time, in the section Windows 10/Server 2016 (w100/w100-x64), we choose x64 Global (multilingual updates) and click Start.
The program first gets a list of available patches and then downloads those that have not been downloaded yet. This means that you can run the program periodically to check for new updates without downloading everything again (you must do this at least every month, as new Microsoft security updates are released). Depending on your internet connection and the products selected, the download can take a long time.
- In the program settings you can specify that updates are taken from an internal WSUS server instead of the Microsoft Update site (WSUS button);
- If you connect to the internet through a proxy server, the proxy address and credentials can be set by clicking the Proxy button.
Please note that depending on the selected Windows editions, you may need several additional gigabytes of free space to store the update files on the MDT server disk.
All downloaded updates are stored in the Client folder.
To install updates on client computers you can use the program UpdateInstaller.exe, which has a graphical interface. In our case we will not use it, because a GUI is not needed. Instead, there is a batch script Update.cmd (which runs another script, cmd\DoUpdate.cmd). MDT 2013 will run update.cmd when deploying Windows 10 on clients.
- Folder wsus contains the latest version of the Windows Update Agent;
- Folder w100-x64\glb contains the downloaded update files for Windows 10 in the *.cab format.
After all update files are downloaded to your local disk, close the WSUS Offline Updater application and copy the whole Client folder to your MDT deployment server, into the folder C:\DeploymentShare\Scripts (by default).
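Everything in the Client folder will later run with administrative rights on every newly deployed machine, so it is worth checking the packages before they reach the deployment share. The following PowerShell script is an added example, not part of WSUS Offline Updater or MDT: it verifies the Authenticode signature of each downloaded package, warns when the repository looks stale, and only then copies the folder. The paths are the ones used in this article; the 35-day threshold and the signer match on "O=Microsoft Corporation" are assumptions.

```powershell
# Added example: pre-flight check before publishing the WSUS Offline "client"
# folder to the MDT deployment share. Threshold and signer pattern are assumptions.
param(
    [string]$ClientRoot  = 'C:\Distr\wsusoffline\client',
    [string]$Destination = 'C:\DeploymentShare\Scripts\client',
    [int]$MaxAgeDays     = 35
)

$updateDir = Join-Path $ClientRoot 'w100-x64\glb'
$files = @(Get-ChildItem -Path $updateDir -File -Recurse -Include *.cab, *.msu, *.exe)
if ($files.Count -eq 0) { throw "No update files found under $updateDir" }

# 1. Every package must carry a valid Authenticode signature issued to Microsoft.
$bad = foreach ($f in $files) {
    $sig    = Get-AuthenticodeSignature -FilePath $f.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
        [pscustomobject]@{ File = $f.Name; Status = $sig.Status; Signer = $signer }
    }
}
if ($bad) {
    Write-Warning ($bad | Format-Table -AutoSize | Out-String)
    throw "Refusing to copy: $(@($bad).Count) file(s) failed signature validation."
}

# 2. Warn if the newest package is older than one patch cycle, which suggests
#    UpdateGenerator.exe has not been run since the last monthly release.
$newest = ($files | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
$age    = (New-TimeSpan -Start $newest -End (Get-Date)).Days
if ($age -gt $MaxAgeDays) {
    Write-Warning "Newest update file is $age days old; re-run UpdateGenerator.exe."
}

# 3. Copy the verified folder. robocopy exit codes of 8 and above indicate failure.
robocopy $ClientRoot $Destination /E /R:2 /W:5 /NP | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
Write-Output "Verified and copied $($files.Count) update file(s) to $Destination"
```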
It remains to integrate the installation of downloaded updates into the MDT Task Sequence.
Integrate Installation of Updates Offline into MDT
Open the Deployment Workbench (MDT) console, go to Task Sequences and select the deployment task to which you want to add the update installation step (in our example the task is named Deploy Win 10 x64 Pro). Open its Properties and click on the Task Sequence tab.
In the MDT task sequence we need to mount the Client folder as a network drive (because the batch file update.cmd does not work with a UNC path) and then run update.cmd, which starts the installation of updates.
Select the group named Custom Task, which is located in the State Restore section right after the Windows Update (Post-Application Installation) task.
Within this group, we need to create two tasks:
- Mount UNC share Client as a network drive;
- Run script update.cmd, which performs the installation of updates.
Create a new task (Add > General > Run Command Line) with name Mount Network Folder.
In the Command line field, specify the following command:
cscript.exe "%SCRIPTROOT%\ZTIConnect.wsf" /uncpath:\\10.24.0.70\DeploymentShare$
Tip. The ZTIConnect script mounts the network folder as a drive with the letter Y:.
Create a second task called Install Windows Updates Offline with the following command:
Cmd.exe /c "Y:\DeploymentShare\Scripts\client\update.bat"
Update the deployment share so that MDT regenerates the images and configuration files for OS deployment.
It remains to check the Windows 10 MDT deployment task on a virtual or physical machine. Power on your test system and boot it from the LAN using the PXE loader.
Select your Task Sequence and wait for the Windows 10 installation. After the installation is complete, a window titled Administrator DoUpdate will appear; the string Starting WSUS Offline Update… indicates that the installation of updates has started successfully.
Wait until the updates are installed and restart your computer.
Integrating Updates from WSUS Offline Into a Windows 10 Image on MDT
The above method of installing updates on Windows 10 is inconvenient because with each new OS deployment it is necessary to wait until the installation of dozens of Windows updates is completed. It is much easier to integrate updates directly into a Windows 10 image on an MDT server.
- Open the MDT 2013 console and go to the Packages section;
- Create a new package, right click on it and select “Import OS Package”;
- Specify the path to the directory in which the updates downloaded by the WSUS Offline Updater utility are stored (C:\DeploymentShare\Scripts\client in our case), click Next and wait until the Windows updates are imported to the MDT server;
- Now in the MDT console, go to the Advanced Configuration > Selection Profiles section;
- In the list of images on the MDT server in the right window, select the Windows 10 image into which you want to integrate the security updates;
- Open its Properties. Select the package name with updates you created earlier and click OK;
- Now in the Media section, right click your Windows 10 deploy image and select “Update Media Content”;
- Wait until the process is complete, after which all the necessary security updates will be imported into your Windows 10 image and you’ll be able to deploy this image to your computers over the network.
So, this time we have configured automatic offline installation of updates in the process of deploying Windows 10 using MDT 2013. Hope it was useful for you!