Although most organizations install Microsoft updates on desktops and servers with Windows Server Update Services (WSUS) or the SCCM Software Update Point (SUP), patching newly deployed systems remains a challenge. The main issue is timing: updates are not installed immediately on a freshly deployed operating system, but only after a delay (it takes time for the WSUS Group Policy settings to apply, for the client to report to the WSUS server and receive its approvals, and for the update files to be downloaded). As a result, unpatched machines can sit on the corporate network for an extended period, during which they may be infected or compromised before the missing security updates are installed. It is better to install the updates early in the OS deployment process, or to integrate them directly into the Windows image used for the installation.
How Do I Install Windows Updates Offline with MDT 2013?
The first step is to download the most recent version of WSUS Offline Updater from its website; at the time of writing this is version 11.5.
WSUS Offline lets you update any computer running Microsoft Windows and Office even when that computer has no Internet connection.
WSUS Offline Updater is a free program that automatically downloads all critical and security updates for the selected Microsoft products from Microsoft Update or from a local WSUS server. Because the updates are saved to a local folder, administrators can install them on any system that has neither Internet access nor an internal WSUS server. The program can download updates for all supported versions of Windows (Windows Vista, 7, 8 and 10; Windows Server 2008, 2008 R2, 2012 and 2012 R2), Office 2010, 2013 and 2016, as well as Microsoft Security Essentials, the .NET Framework, the Visual C++ runtime libraries, Windows Defender definitions, and so on.
Select the Windows version for which you want to download the required security updates. In our case, in the Windows 10/Server 2016 (w100/w100-x64) section we choose x64 Global (multilingual updates) and click Start.
The application first obtains the list of available patches and then downloads only those that have not been downloaded yet. This means you can run it regularly to pick up new updates without re-downloading everything (you should do this at least monthly, as new Microsoft security updates are released). Depending on your Internet bandwidth and the products selected, the download can take a long time.
In the program's settings you can specify that updates are downloaded from an internal WSUS server instead of the Microsoft Update site (WSUS button); if you reach the Internet through a proxy server, the proxy address and credentials can be entered by clicking the Proxy button.
Keep in mind that, depending on the Windows editions you select, you may need several additional gigabytes of free space on the MDT server drive to store the update files.
The Client folder holds all of the downloaded updates.
To install the updates on client computers you can use the program UpdateInstaller.exe, which has a graphical interface. In our case we will not use it, because no GUI is needed: for this purpose there is a batch script, Update.cmd (which in turn runs cmd\DoUpdate.cmd). MDT 2013 will run Update.cmd when deploying Windows 10 to clients.
- Folder wsus contains the latest version of the Windows Update Agent;
- Folder w100-x64glb — contains downloaded update files for Windows 10 in the *.cab format.
After all update files have been downloaded to your local disk, close the WSUS Offline Updater application and copy the entire Client folder to the MDT deployment server, into the C:\DeploymentShare\Scripts folder (the default location of the deployment share).
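Before the Client folder lands in the deployment share it is worth checking that every update file is what it claims to be: the files were fetched by a third-party tool, and anything in this folder will later run with SYSTEM privileges on every machine you deploy. The script below is an added example, not part of the original article or of the WSUS Offline project. It verifies the Authenticode signature of every .cab, .msu, .exe and .msi file in the two product folders named above (w100-x64glb and wsus) and only then mirrors the Client folder into the deployment share. The source path C:\wsusoffline\client is an assumed placeholder; the destination matches the article.

```powershell
# Added example (not from the article or WSUS Offline Update): verify Microsoft
# signatures on downloaded update files, then copy the Client folder into the
# MDT deployment share.
$Source      = 'C:\wsusoffline\client'              # assumed WSUS Offline "client" folder
$Destination = 'C:\DeploymentShare\Scripts\Client'  # deployment share path from the article
$Folders     = 'w100-x64glb', 'wsus'                # product folders named in the article;
                                                    # client\bin holds non-Microsoft tools and is not checked
$Signable    = '*.cab', '*.msu', '*.exe', '*.msi'   # file types that carry Authenticode signatures

$bad = foreach ($folder in $Folders) {
    $path = Join-Path $Source $folder
    if (-not (Test-Path $path)) { continue }
    foreach ($file in Get-ChildItem -Path $path -Recurse -File -Include $Signable) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        # Reject anything unsigned, tampered with, or signed by a non-Microsoft certificate.
        if ($sig.Status -ne 'Valid' -or
            $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            [pscustomobject]@{
                File   = $file.FullName
                Status = $sig.Status
                Signer = $sig.SignerCertificate.Subject
            }
        }
    }
}

if ($bad) {
    $bad | Format-Table -AutoSize
    throw "$(@($bad).Count) file(s) failed signature verification; nothing was copied."
}

# /MIR mirrors the folder so files WSUS Offline has removed as superseded disappear
# from the share too; /R:2 /W:5 keep retries short; /NP /NFL /NDL keep the log readable.
# robocopy exit codes below 8 mean success.
robocopy $Source $Destination /MIR /R:2 /W:5 /NP /NFL /NDL
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
```

Run this from an elevated PowerShell prompt on the MDT server after each WSUS Offline download. A single failed file aborts the copy rather than silently shipping it to every new machine.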
Copying the files is not enough: the installation of the downloaded updates still has to be added to the MDT task sequence.
Integrating Offline Update Installation into the MDT Task Sequence
To add a step that installs the updates, open the Deployment Workbench (MDT) console, go to Task Sequences and open the deployment task sequence (in our example it is named Deploy Win 10 x64 Pro). Switch to the Task Sequence tab in the Properties window.
Because cmd.exe cannot use a UNC path as its working directory, Update.cmd cannot be run directly from the share. The task sequence therefore first maps the share containing the Client folder as a network drive and then runs Update.cmd from that drive.
Select the Custom Tasks group, which sits in the State Restore section immediately after the Windows Update (Post-Application Installation) task.
Two tasks are added to this group: one that mounts the deployment share as a network drive, and one that runs Update.cmd from it.
Create a new task called Mount Network Folder (Add > General > Run Command Line).
In Command line field you need to specify the following command:
cscript.exe "%SCRIPTROOT%\ZTIConnect.wsf" /uncpath:\\10.24.0.70\DeploymentShare$
Tip. The ZTIConnect script mounts the network folder as a drive with the letter Y:.
Create a second task, named Install Windows Updates Offline, with the following command line (Y: is mapped to the root of the DeploymentShare$ share, so the path below is relative to it and points at the Update.cmd script copied earlier):
cmd.exe /c "Y:\Scripts\Client\Update.cmd"
Finally, update the deployment share (right-click it and select Update Deployment Share) so that MDT regenerates the boot images and configuration files used for OS deployment.
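If you prefer a single task-sequence step with logging and explicit error handling, the two Run Command Line steps above can be replaced by a wrapper script. The script below is an added example, not a script from the article or from MDT. It maps the share, runs Update.cmd, records the exit code and passes it back to MDT so a failed update run fails the deployment instead of leaving an unpatched machine on the network. The share \\10.24.0.70\DeploymentShare$ and drive letter Y: come from the article; the script name Invoke-OfflineUpdates.ps1 and the log path are assumed placeholders.

```powershell
# Added example (not from the article or MDT). Save as Invoke-OfflineUpdates.ps1 in the
# deployment share's Scripts folder and call it from one Run Command Line step:
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File "%SCRIPTROOT%\Invoke-OfflineUpdates.ps1"
param(
    [string]$Share = '\\10.24.0.70\DeploymentShare$',   # share from the article
    [string]$Drive = 'Y',                               # drive letter from the article
    [string]$Log   = 'C:\Windows\Temp\OfflineUpdates.log' # assumed log location
)

# cmd.exe refuses a UNC path as its working directory and Update.cmd relies on %~dp0,
# so the share is mapped to a drive letter first. -Persist creates a real mapped drive
# that cmd.exe can see, not just a PowerShell-only drive. MDT has already authenticated
# to the deployment share, so no extra credentials are passed here.
if (-not (Test-Path "$($Drive):\")) {
    New-PSDrive -Name $Drive -PSProvider FileSystem -Root $Share -Persist | Out-Null
}

$script = "$($Drive):\Scripts\Client\Update.cmd"
if (-not (Test-Path $script)) {
    "$(Get-Date -Format s)`tUpdate.cmd not found at $script" | Add-Content -Path $Log
    exit 2
}

$start = Get-Date
& cmd.exe /c $script
$code = $LASTEXITCODE   # whatever Update.cmd returns; WSUS Offline keeps its own detailed log

"$($start.ToString('s'))`tUpdate.cmd exit code $code after $((Get-Date) - $start)" |
    Add-Content -Path $Log

Remove-PSDrive -Name $Drive -Force -ErrorAction SilentlyContinue

# A non-zero exit code makes MDT mark the step, and therefore the deployment, as failed.
exit $code
```

The "Continue on error" box on the step should stay unticked so the exit code actually stops the task sequence.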
The Windows 10 deployment step still has to be tested on a virtual or physical machine. Turn on the test machine and boot it from the LAN with the PXE loader.
Choose the task sequence and wait for Windows 10 to install. When the installation is complete, a window titled Administrator: DoUpdate appears with the line Starting WSUS Offline Update…, indicating that the update installation has started successfully.
Wait until the updates are installed and restart the computer.
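Seeing the DoUpdate window open only proves that the step started, not that every update went in. The script below is an added example, not part of the original article: run it on the freshly deployed machine to compare the KB numbers staged in the w100-x64glb folder with what the OS reports as installed. The share and folder names are taken from the article; the file-name pattern (windows10.0-kb1234567-x64_….cab) is how WSUS Offline names the files it downloads, and the mapping is best-effort because a cumulative update supersedes older KBs, which then never show up as installed.

```powershell
# Added example (not from the article): report staged-but-not-installed KBs after deployment.
param(
    [string]$UpdateFolder = '\\10.24.0.70\DeploymentShare$\Scripts\Client\w100-x64glb'  # from the article
)

# KB numbers staged for installation, parsed from the update file names.
$staged = Get-ChildItem -Path $UpdateFolder -Recurse -File -Include '*.cab', '*.msu' |
    ForEach-Object { if ($_.Name -match 'kb(\d{6,7})') { "KB$($Matches[1])" } } |
    Sort-Object -Unique

# KB numbers the OS reports as installed, from two sources:
#  - Get-HotFix (Win32_QuickFixEngineering), which lists cumulative and security updates;
#  - the component-based servicing package list, which records packages QFE does not.
$installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
$installed += Get-WindowsPackage -Online | ForEach-Object {
    if ($_.PackageState -eq 'Installed' -and $_.PackageName -match 'KB(\d{6,7})') {
        "KB$($Matches[1])"
    }
}
$installed = $installed | Sort-Object -Unique

$missing = @($staged | Where-Object { $_ -notin $installed })

[pscustomobject]@{
    Staged    = @($staged).Count
    Installed = @($staged | Where-Object { $_ -in $installed }).Count
    Missing   = ($missing -join ', ')
}

# A non-empty Missing list is the cue to read the WSUS Offline log on the client
# (wsusofflineupdate.log in the Windows directory) rather than assume the step succeeded;
# expect some entries to be KBs superseded by the cumulative update rather than real failures.
```

Run it from an elevated prompt (Get-WindowsPackage -Online needs administrator rights) before the test machine is handed over or the image is declared good.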
Using MDT to Integrate WSUS Offline Updates into a Windows 10 Image
The method described above is inconvenient because every new OS deployment has to install dozens of Windows updates one by one. It is much easier to integrate the updates directly into the Windows 10 image on the MDT server.
1. Open the MDT 2013 console and go to the Packages section;
2. Create a new package folder, right-click it and select Import OS Packages;
3. Specify the path to the directory holding the updates downloaded by WSUS Offline Updater (C:\DeploymentShare\Scripts\Client in our case), click Next and wait until the Windows updates are imported into the MDT server. Only .cab and .msu packages can be applied offline; the .exe installers WSUS Offline also downloads (.NET Framework, Visual C++ runtimes, Defender definitions) are not imported and still need the Update.cmd step or a regular application install;
4. Now go to the Advanced Configuration > Selection Profiles section of the MDT console;
5. Create or open the selection profile used by the Windows 10 image in which you want to integrate the security updates;
6. On the Properties tab, tick the package folder with the updates you created earlier and click OK;
7. In the Media section, right-click your Windows 10 deployment media and select Update Media Content;
8. Once the procedure finishes, the selected security updates are part of your Windows 10 deployment, and you are ready to deploy it to your PCs over the network. Note that the injection itself is done by the Install Updates Offline step (Preinstall > Apply Patches) of the task sequence, which applies the packages from the selection profile to the deployed OS with DISM before its first boot, so make sure that step references the selection profile you just edited.
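Because WSUS Offline has to be re-run every month, the Deployment Workbench clicks above are worth scripting. The following is an added example, not from the article or from MDT's own scripts, using the cmdlets of the MDT PowerShell module (the same ones the Workbench shows under View Script). It creates the package folder, imports the .cab/.msu files, creates a selection profile limited to that folder and rebuilds the media. The deployment share path C:\DeploymentShare and source folder come from the article; the folder name Win10 Updates, profile name Win10 Updates and media ID MEDIA001 are assumed placeholders, as is the assumption that the media and the Apply Patches step already reference that profile.

```powershell
# Added example (not from the article or MDT): automate package import and media refresh.
Import-Module 'C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1'
New-PSDrive -Name 'DS001' -PSProvider 'MDTProvider' -Root 'C:\DeploymentShare' | Out-Null

$folderName  = 'Win10 Updates'                                   # assumed package folder name
$pkgFolder   = "DS001:\Packages\$folderName"
$source      = 'C:\DeploymentShare\Scripts\Client\w100-x64glb'   # update folder from the article
$profileName = 'Win10 Updates'                                   # assumed selection profile name
$media       = 'DS001:\Media\MEDIA001'                           # assumed media item

# Package folder for the updates (created once; re-runs reuse it).
if (-not (Test-Path $pkgFolder)) {
    New-Item -Path 'DS001:\Packages' -Enable 'True' -Name $folderName `
        -Comments 'WSUS Offline updates' -ItemType 'folder' | Out-Null
}

# Import .cab/.msu packages. Packages already present are skipped, so this is safe to
# repeat monthly; .exe installers in the folder are not packages and are ignored.
Import-MDTPackage -Path $pkgFolder -SourcePath $source -Verbose

# Selection profile that includes only this folder, so unrelated packages
# (language packs, other OS versions) are not injected into this image.
if (-not (Test-Path "DS001:\Selection Profiles\$profileName")) {
    New-Item -Path 'DS001:\Selection Profiles' -Enable 'True' -Name $profileName -Comments '' `
        -Definition "<SelectionProfile><Include path=`"Packages\$folderName`" /></SelectionProfile>" `
        -ReadOnly 'False' | Out-Null
}

# Equivalent of "Update Media Content" in the Workbench.
Update-MDTMedia -Path $media -Verbose
```

Run it on the MDT server after the signed files have been copied into the deployment share; the Apply Patches step of the task sequence then picks up the new packages on the next deployment.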