Integrate WSUS Offline Updater with MDT 2013 to Deploy Windows 10

In this article we will show you how to install updates downloaded with WSUS Offline Updater from within MDT 2013 (Microsoft Deployment Toolkit) task sequences, in order to deploy a fully patched Windows 10 image over the network.

Although most customers use Windows Server Update Services (WSUS) or an SCCM SUP (Software Update Point) to install Microsoft updates on desktops and servers, installing security updates on newly deployed computers raises a number of issues. The main problem is that updates are not installed on a newly deployed operating system immediately, but only after a certain period of time (it takes time to apply the WSUS domain policies, to exchange reports with the WSUS server and to download the update files to the computer). As a result, unpatched computers may sit on the corporate network for a long time and may be infected or hacked before the latest security updates are installed. It is better to install the updates early in the OS deployment process or to integrate them directly into the Windows image used for the installation.

How to Install Updates Offline on MDT 2013?

The first thing you need to do is download the latest version of WSUS Offline Updater from this website. At the time of writing, the latest available version of WSUS Offline Updater is 11.5.

With WSUS Offline, you can safely and quickly update any computer running Microsoft Windows and Office even without an Internet connection.

Note. WSUS Offline Updater is a free utility designed to automatically download all critical and security updates for the specified Microsoft products from Microsoft Update or a local WSUS server. Updates are stored in a local folder, so an administrator can install them offline on any system without an Internet connection or an internal WSUS server. The utility can download updates for all supported versions of Windows (Windows Vista, 7, 8, 10 / Windows Server 2008, 2008 R2, 2012, 2012 R2), Office 2010, 2013 and 2016, .NET Frameworks, C++ Runtime libraries, Windows Defender definitions, Microsoft Security Essentials and so on.

Now we need to download and extract wsusoffline107.zip to any folder (C:\Distr\wsusoffline in our case).

Launch the executable file UpdateGenerator.exe (WSUS Offline Update Generator).

Select the Windows version for which you want to download the mandatory security updates. In this example, in the Windows 10/Server 2016 (w100/w100-x64) section we choose x64 Global (multilingual updates) and click Start.

The program first gets the list of available patches and then downloads the ones that have not been downloaded yet. This means that you can run the program periodically to check for new updates without downloading everything again (you must do this at least every month, as new Microsoft security updates are released). Depending on your Internet connection and the products selected, the download can take a long time.

Tips.

  • In the program settings you can specify that updates are taken from an internal WSUS server instead of the Microsoft Update site (WSUS button);
  • If you connect to the Internet through a proxy server, the proxy address and credentials can be set with the Proxy button.

Please note that depending on the selected Windows editions, you may need several additional gigabytes of free space to store the update files on the MDT server disk.

All downloaded updates are stored in the Client folder.

To install updates on client computers you can use the program UpdateInstaller.exe, which has a graphical interface. In our case we will not use it, because a GUI is not needed. Instead, there is a batch script, Update.cmd (which in turn runs another script, cmd\DoUpdate.cmd). MDT 2013 will run Update.cmd when deploying Windows 10 on clients.

  • Folder wsus contains the latest version of the Windows Update Agent;
  • Folder w100-x64\glb contains the downloaded update files for Windows 10 in the *.cab format.

After all update files have been downloaded to your local disk, close the WSUS Offline Updater application and copy the entire Client folder to your MDT deployment server, into the folder C:\DeploymentShare\Scripts (by default).

It remains to integrate the installation of downloaded updates into the MDT Task Sequence.

Integrate Installation of Updates Offline into MDT

Open the Deployment Workbench (MDT) console, go to Task Sequences and select the deployment task sequence to which you want to add the update installation (in our example the task name is Deploy Win 10 x64 Pro). Open its Properties and click on the Task Sequence tab.

In the MDT task sequence we need to mount the Client folder as a network drive (because the batch file update.cmd does not work from a UNC path) and then run update.cmd, which starts the installation of updates.

Select the group named Custom Task, which is located in the State Restore section right after the Windows Update (Post-Application Installation) task.

Within this group, we need to create two tasks:

  1. Mount UNC share Client as a network drive;
  2. Run script update.cmd, which performs the installation of updates.

Create a new task (Add > General > Run Command Line) with name Mount Network Folder.

In the Command line field, specify the following command:

cscript.exe "%SCRIPTROOT%\ZTIConnect.wsf" /uncpath:\\10.24.0.70\DeploymentShare$\Scripts\client

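Tip. The ZTIConnect script mounts the network folder as a drive with the letter Y:.

Create a second task called Install Windows Updates Offline with the following command line (Y: is the root of the mounted Client folder, so the script sits directly under it):

cmd.exe /c "Y:\update.cmd"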

Update the deployment share so that MDT regenerates the images and configuration files for OS deployment.
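
The second task depends on the drive letter assigned by the mount task, and a share that never connected or a missing script otherwise leaves the machine unpatched without any clear error. The PowerShell script below is an added example, not part of MDT or WSUS Offline Updater: it looks up the drive letter actually mapped to the share, checks that the batch file exists and returns its exit code to the task sequence. The script name and parameter names are assumptions; the UNC path and Update.cmd are the ones used above.

```powershell
# Added example; not part of MDT or WSUS Offline Updater.
# Intended as the command of the second task, for example (script name is hypothetical):
#   powershell.exe -ExecutionPolicy Bypass -File "%SCRIPTROOT%\Invoke-OfflineUpdate.ps1"
param(
    # UNC path given to ZTIConnect.wsf in the first task (value from the article)
    [string]$UncPath = '\\10.24.0.70\DeploymentShare$\Scripts\client',
    # Batch script in the Client folder, as named in the article
    [string]$Script  = 'Update.cmd'
)

$target = $UncPath.TrimEnd('\')

# Look up the drive letter that is actually mapped to the share.
$mapping = Get-CimInstance -ClassName Win32_NetworkConnection |
    Where-Object { $_.LocalName -and $_.RemoteName -and
                   $_.RemoteName.TrimEnd('\') -eq $target } |
    Select-Object -First 1

if (-not $mapping) {
    Write-Warning "No drive letter is mapped to $target; the mount task did not connect."
    exit 1
}

# Build e.g. "Y:\Update.cmd" and make sure it exists before starting it.
$path = '{0}\{1}' -f $mapping.LocalName, $Script
if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
    Write-Warning "$path not found; check that the Client folder was copied completely."
    exit 2
}

# Run the batch file from the mapped drive and hand its exit code back to MDT.
& $env:ComSpec /c $path
$code = $LASTEXITCODE
Write-Host "$Script finished with exit code $code"
exit $code
```

The exit codes of Update.cmd are not described here; if it returns a non-zero code for a non-error condition, add that code to the Success codes field on the task's Options tab.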

It remains to test the Windows 10 MDT deployment task sequence on a virtual or physical machine. Power on your test system and boot it from the LAN using PXE.

Select your task sequence and wait for the Windows 10 installation to finish. After the installation is complete, a window titled Administrator DoUpdate will appear; the string Starting WSUS Offline Update… indicates that the installation of updates has started successfully.

Wait until the updates are installed and restart your computer.
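
After the restart, the result can be checked on the test machine. The PowerShell below is an added example, not part of WSUS Offline Updater or MDT: it extracts KB numbers from the downloaded file names and lists those that Get-HotFix does not report as installed. The folder path (the Client folder mapped as Y:) and the file-name pattern are assumptions.

```powershell
# Added example; not part of WSUS Offline Updater or MDT.
param(
    # Folder holding the downloaded Windows 10 x64 updates (path is an assumption)
    [string]$UpdateDir = 'Y:\w100-x64\glb'
)

if (-not (Test-Path -LiteralPath $UpdateDir -PathType Container)) {
    Write-Warning "$UpdateDir not found"
    exit 2
}

# KB numbers found in the downloaded file names.
# Assumption: package names contain "kb" followed by the article number.
$downloaded = @(
    Get-ChildItem -LiteralPath $UpdateDir -File |
        Where-Object { $_.Extension -in '.cab', '.msu' } |
        ForEach-Object { if ($_.Name -match 'kb(\d{6,8})') { 'KB' + $Matches[1] } } |
        Sort-Object -Unique
)

# KB numbers Windows reports as installed.
$installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)

# Downloaded packages that Get-HotFix does not list.
$missing = @($downloaded | Where-Object { $_ -notin $installed })

Write-Host ("Downloaded: {0}, reported installed: {1}, not reported: {2}" -f
    $downloaded.Count, $installed.Count, $missing.Count)
$missing
```

Superseded packages in the folder are never installed and Get-HotFix does not list every update type, so treat the output as a list to review, not as a failure count.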

Integrating Updates from WSUS Offline Into a Windows 10 Image on MDT

The above method of installing updates on Windows 10 is inconvenient because with each new OS deployment it is necessary to wait until the installation of dozens of Windows updates is completed. It is much easier to integrate updates directly into a Windows 10 image on an MDT server.

  1. Open the MDT 2013 console and go to the Packages section;
  2. Create a new package, right click on it and select “Import OS Package”;
  3. Specify the path to the directory in which the updates downloaded by the WSUS Offline Updater utility are stored (C:\DeploymentShare\Scripts\client in our case), click Next and wait until the Windows updates are imported to the MDT server;
  4. Now in the MDT console, go to the Advanced Configuration > Selection Profiles section;
  5. In the list of images on the MDT server in the right pane, select the Windows 10 image into which you want to integrate the security updates;
  6. Open its Properties. Select the package name with updates you created earlier and click OK;
  7. Now in the Media section, right click your Windows 10 deploy image and select “Update Media Content”;
  8. Wait until the process is complete, after which all the necessary security updates will be imported into your Windows 10 image and you’ll be able to deploy this image to your computers over the network.

So, this time we have configured automatic offline installation of updates as part of deploying Windows 10 with MDT 2013. Hope it was useful for you!

8 comments

  1. First, a big thank you for creating this walkthrough. First, are we to run the Wsus Offline Updater on the computer we are updating, or on the computer containing MDT? I ask because is WOU getting all the updates possible, or only the updates the image requires? Second, the uncpath:\\10.24.0.70\DeploymentShare\Scripts\client, is that the same everywhere, for everyone? I would think the IP address would be based on your network infrastructure, but from the directions, everyone is to use the same path. Lastly, what if this is an offline MDT installation, how do you configure your path statements? Thank you.

    1. We are glad that you liked it! Here are the answers:

      1) You can run WSUS Offline Updater on any computer connected to the Internet. All security updates for the selected system will be downloaded;

      2) Change \\10.24.0.70 to the Name/IP of your MDT server;

      3) To install updates in this way, your client must have network access to the MDT server.

  2. Microsoft Deployment Workbench
    Microsoft
    Version: 6.3.8443.1000

    Thanks for the detailed notes. I’ve run into a problem, however. The network share never connects. It appears that there are several mistakes in your documentation:

    DeploymentShare should be DeploymentShare$ (It’s a hidden Windows share, you won’t be able to attach without the dollar sign)

    There is no need to include DeploymentShare\Scripts\client in the path for the second command. (You’re mounting to this point, hence it shouldn’t be in the path.)

    After correcting these mistakes, unfortunately, it still does not work.

    That being said, you’re the second “helpful” guide that has gotten the details completely wrong.

    Has anyone actually gotten this to work?

    1. You’re right, I also fixed his mistake and it still won’t work; the command won’t run the file and there is no update.bat

  3. Worked like a charm. Came across the same issue as Bill, missed the damn $ sign. Now the application install stage starts along with the Windows updates. Is there any way I could delay the application install until the Windows updates finish? Because I’m pushing out Visual Studio and some MS applications which require some Windows updates installed first… :D

  4. Hi,
    I simply run this in the application section for quiet install command: cmd\doupdate.cmd %*

    It’s working for me with Windows 10 1709 and 1803.

    Thanks,

    1. Hi, can you tell me how you resolved it on ver 1709? It keeps aborting on me; I already put in my correct IP address, and it keeps changing letters and not mapping. If I put x for the offline command, it bombs out and maps it to Y when I go into the Windows 10 VM.

  5. Hi
    I have the following problem when integrating “WSUS Offline Updater” in MDT.
    I want to run the updates at the end of the whole Task Sequence.
    MDT now has the drive Z: connected to the DeploymentShare.

    Offline Updater always disconnects my network connection and reconnects it to Y: and then the installation aborts.

    How do I make use of the existing connection on Z:?
    Can anybody help me?
