Hello World,
It has been some time since our last post about the MDT technology. We have been discussed quite a lot about how to use it effectively and how to set it up in a custom (and standard) configuration. You can have a look to our section called Deployment technics where you can find back information about MDT technology and some tips and tricks we have provided.
Today, we will briefly explain how to integrate Windows updates during the deployment Process. You will see this is quite easy and fast to implement and quite useful. Note that they are multiple ways to deploy Windows Updates on a system ranging from manual installation, adding updates into your MDT infrastructure or using WSUS Server infrastructure.
In this post, We want to demonstrate that you can deploy or create up to date images with a minimum of effort.So, Let’s go !
Updates and MDT
The problem we are trying to solve
You have setup your MDT server and create the perfect task sequence that does everything for you. However, you have received complains from the user community. When they start there newly delivered workstations, they still have to wait between 30 to 60 minutes before they can effectively work. Why ? Because when the system is joined to the domain, it connects to the patch management infrastructure which enforce the deployment of windows patches.
This is annoying but MDT Team has thought about that. Yes, you read it correctly, there is a way to obtain and install updates on the fly while performing the MDT Deployment activities.
Depending on your situation/infrastructure and the way you are performing the deployment activities, you might need to adapt your infrastructure accordingly. You can have two situations :
- situation 1 : your MDT/WDS infrastructure is part of the domain and you have access to the patch management infrastructure from where you can get the patches.
- situation 2 : you are working in a staging area where you do not have access to the patch management infrastructure. You are in a standalone configuration.
Whatever the situation you are, the principle and concept remains the same. In my scenario; let’s assume that I have access to the Patch management infrastructure (i.e. WSUS). To integrate windows updates into my MDT infrastructure, I would need to perform two easy actions
- Step 1 – Configure the MDT Rules to have the MDT server knowing where to get the patches
- Step 2 – Modify one of the Task sequence steps to allow Post-Updates actions on the system
That’s it ! You do not need more than this. Let’s see how to do this in the next section
Configure MDT To deploy updates
Step 1 – Adding WSUS Server in the MDT Rules
As mentioned earlier, you have to tell the MDT server where to find the WSUS server where the patches will be available. To do that, you will simply need to modify the MDT Rules you have configured. The MDT rules are basically stored in the CustomSettings.ini file. In this file, you will need to append the following line
WSUSServer=http://YourWSUS_Server_Name:8530
Note :
In the WSUS server, you should put the FQDN url used by your wsus server. Because we are using a WSUS 2012 R2 server, the port used is set to 8530. You might have changed this port or you are still using an wsus server hosted on a windows 2003 or 2008 server which use the port 80 by default.
So, to modify the customsettings.ini file, perform the following actions
- In the deployment workbench, right-click your MDT Share and select properties
Click on Picture for Better Resolution
- In the MDT Deployment Share Properties, go to the tab Rules. On this screenshot, you can see that no Wsus Servers have been inserted.
Click on Picture for Better Resolution
- In the Default section ([Default]), Append the line WSUSServer=http://url_path:port. Again, on the screenshot, you can see that we now have added the WSUSServer option in our CustomSettings.ini file.
Click on Picture for Better Resolution
- Press Apply and OK to close the dialog box and you have completed the first part of the process
Step 2 – Modify the Task sequence to perform Windows Updates
You do not need to create any scripts or command line for that. In fact, MDT 2013 offers out of the box the possibility to perform windows updates via the standard Client Deployment Task.
If you open your task sequence, expande the State Restore Node, you will see that there are steps related to Windows Updates
Click on Picture for Better Resolution
You have two steps available to you. You have
- Windows Updates (Pre-Applications Installation)
- Windows Updates (Post-Applications Installation)
These two tasks are disabled by default. The question you might have is which one to choose. This would depend on your requirements but most of the time I would recommend using the Post-Applications installation. Why ? Simply because I’m assuming that you are deploying office 2013 (or 2010) on the system so you might need patches and updates for this software as well. So, it probably better to install all the applications you need (which certainly contains Microsoft ones) and patch your system afterwards. This way you can ensure that all the patches have been deployed and users will not have much to complain about.
As I said these two tasks are disabled by default. In my scenario; I want to enable the Windows Updates (Post-Applications Installation). So, if you click on the step, and in the right pane, you click on the Options tab, you should see something like this
Click on Picture for Better Resolution
Uncheck the box, Disable this step, to have MDT perform Windows updates deployment actions.
Click on Picture for Better Resolution
How do you know this is working ?
If everything has been configured correctly, while MDT finalize implementing settings on the operating system, in the installation progress bar, you should see information about the Windows Update process. If you look at the screenshot below, you can see that in the Installation progress bar, you see information about the Windows Update step which is running and you can see that some patches are getting installed
Click on Picture for Better Resolution
If you are wondering how MDT is performing the updates, simply have a look at the vbs script used to perform this steps. In a few words, the script will configure the registry key needed to have the Windows Update service configured accordingly based on the information provided in the CustomSettings.ini file. That’s it. Once the install is completed, these registry keys will be deleted.
This is important to know. If you have your machine joined to the domain during the MDT Deploy and that the machine is receiving GPO, the MDT updates process might fail. The Domain GPO will override the settings configured by the MDT Server. A simple solution for that would be to have the machines joining the domain located under an OU where no gpos are applied. At the end of the deployment, you could then move the computer accounts into the final OU
Final Notes
In this post, we have quickly explained how to configure the MDT to deploy windows Updates on the target machines. This is a great feature because it allows you to deliver up to dates systems to your customer. On the other hand, the deployment process take more time as you have to install additional patches.
For the records, If you look at your MDT task sequence, you will see that there is also another option called Apply Patches. This option as you have guessed can be used to update your windows image as well. The downside of this approach is that you need to manually download and import the Windows Updates into your MDT Share (OS Packages node). This would requires you much more time (to prepare,configure and maintain) that the solution presented above. Obviously, you would need to ensure that your WSUS is up to date, and patches have been approved and downloaded which also represent some work to be done (but far less than the manual process)
I hope this tip would be useful to you
Till next time
See ya
Hi,
Thank you for the tips !
But can you correct this line WSUSServer=:8530 into this
WSUSServer=http://YourWSUS_Server_Name:8530 ?
Don’t know why i paste those with the whole code into customsettings.ini file, but with it i got an error like, it didn’t reach the specified server…
I just realized my mistake when i was making some internet search about wsus and mdt.
Good bye !
Hello there,
no problem for the tip
and we do not have anything to change as the post shows
WSUSServer=<%http://YourWSUS_Server_Name%>:8530
where anything between the <% %> needs to be replaced by your computer name
Till next time
See ya
I agree that this syntax is strange and confusing to readers:
Hello Cole,
Thank you for the feedback… We will update the syntax to avoid any confusions
Till ntext time
See ya
Hi Griffon,
I have a MDT 2013 setup, installing an Fully windows updated Windows 7 x64 Enterprise Image, and several applications in the deployment process.
When installing Office 2013, and afterwards entering the Windows Update (Post-Application Installation) the update hangs (i know it is not our WSUS, as it confirms all the windows updates are installed), however if i start up the Office pack, lets say, i start Word for example: the system updates the office pack with the registry for the windows updates and the installation goes on. but if i don’t run Word, excel etc.. just one of them, it hangs!
Is there some way around this problem?
@Anders,
never encountered this kind of issues, so I do not have really an answer for you…..
have you go a look at these posts (http://c-nergy.be/blog/?p=4721 and http://c-nergy.be/blog/?p=4760 )
How do you deploy your office application ? do you perform a customization install ?
Again, no really a clue as we never saw this kind of issue so far…
Hope this help
Till next time
See ya
Thanks
Hi Griffon,
I have configured mdt 2013 rules to look for my wsus server for updates, and enabled TS for Windows update- Post application installation. However, it seems to stuck on Running Action: Windows Update (Post- Application Installation) Search for updates – it already more than 2 hours. Any suggestions?
Regards
AMK
@AMK,
Not really, I do not know what the problem can be, check the log files this might provide your some hints and move forward
Till next time
See ya
AMK there are a couple of KB you need to install manually to get the windows update agent up to date most likely.
Hey,
SOLVED, I just sorted All Updates and declined all superseded updates, I also removed the Drivers and Updates (option updates) from the classification.
Oooh you’re such a tease. What about “situation 2”???
@Mike,
If you do not have a WSUS Server (by the way, you could have a stand alone WSUS server in your staging area), you will need to download all the updates packages you need, import them in MDT under the packages node, create a profile (would be cleaner) and configure your task sequence to apply patches
another option would be then to have a fully patched image, capture it and use this as Base OS image for your MDT deployment
Hope this answer your question
Till next time
See ya
Hi Griffon,
I have configured everything mdt ad and wsus,all settings are good but dont reason when os deployment finish client should install updates from wsus…but it is searching lot of hours for updates
I checked all the settings but unable to fix it…can anyone suggest me on this?
http://wsusservername:8530——-in mdt rules
In wsus server I found that computer not yet reported…what will be the step to avoid this?
@Mahender,
You are not the first one complaining about not getting updates…I would check the WindowsUpdate.log file to see what’s happening.
You would need to ensure that the WSUS has downloaded the updates as well on the WSUS server. (it’s not because you can see a list of all updates that they are indeed available on the server immediatetly
Check if this update could help. if yes ,you would need to create an additional step in you task sequence to add this updates
hope this help
till next time
@Griffon…really thanks for the reply
before running task sequence i have verified wsus completely…Let me share the details
.I have created only one rule in wsus to install the win7 updates to all computer groups…wsus stored all the updates locally and downloaded only approved updates.. now the wsuscontent folder size is after updates download 9GB and after this I have edited task sequence that the option is widows updates(post deployment)…when i run the task sequence deployment of os is good when this update step comes its showing searching for updates,restarted couple of times it self and searching for updates many hours and on this i have checked ZTIwindowsupdate.log there the status is searching for the updates.When I see the status of detected computer in wsus all computers group the specific computer status is not yet reported almost i have observer this update sequence 8 hours..I am unable to clear the issue and please correct me if I did any wrong step or if forgot to create the step
Any reply from anybody can be help full to me
Didn’t work for me, the deployment runs the post application and the updates apparently say they’re installing but all fail
@Brett;
Thank you for the feedback…currently no time to check out this issue but will try to look into it
Till next time
see ya
OK. So it seems something is broken in either WSUS or the Windows Update. I have created a new Windows 10 ver 1607 deployment and when it gets to installing the updates from the WSUS server, it sees the updates and then nothing happens further. I have left it on that screen for more than 8 hours without any progress. So I had a look in the Event Viewer of the PC. Here I found an Svchost_Wuauserv error. Doing some Googling, it seems that there is something wrong with Windows update after the anniversary update. It seems it has to do with one of the Cumulative updates that broke something. During the Googling I came onto a fix in the form of KB3193494. I downloaded this and ran it on the PC with the MDT screen still sitting there. Nothing. Restarted the PC and the MDT screen came up again, BUT!!! Now the updates were being installed. And the error was not reported in Event Viewer. Just to make sure it was this that fixed it, I went through the whole process of deploying the image again, without installing KB3193494, same problem stuck on the updates, same error in Event Viewer. I then put KB3193494 in the Task Sequence as an Install Updates Offline step with a added Restart Computer step also. Now my deploy runs perfect, updates are installed with not hang ups. 🙂
@Alexander,
Thank you very much for providing feedback and solution on this topic… We have been notified indeed that problems with Updates and MDT were present but never got time to have a look on it… You have performed a good job in finding out the root cause and fixing it
Thank for your efforts and your visit…. and sharing your findings with us 🙂
Till next time
See yq
Hi!
In customsettings.ini
If I remove the WSUS line.
Will it go to Microsoft Update online?
Would prefer to do so, please.
@Mans,
yes, normally if you do not specify WSUS Server, you should be using the Windows Update from internet
hope this help
Till next time
See ya