For numerous reasons, not every organization has a fully deployed SCCM environment. Some might use Operating System Deployment (OSD) but not a Software Update Point (SUP). In this common scenario, systems are often patched through the WSUS infrastructure, but only once the operating system is deployed. This can be an irritant for end users if they have to wait half an hour for their newly delivered machine to update.

This WSUS patching process can be configured in a task sequence so it executes automatically during the OS deployment. To achieve this, you need to set the task sequence variable WSUSServer to point to your existing WSUS server and then run the ZTIWindowsUpdate.wsf script from the Microsoft Deployment Toolkit (MDT). This post will show each step to accomplish this … and of course make your users happy.

Prerequisites

  • Microsoft Deployment Toolkit (for this post we will use MDT 2013 Update 2, which can be downloaded from here)

Preparing ZTIWindowsUpdate package

  • Install the Microsoft Deployment Toolkit on any machine, which can be your own workstation or test machine
  • Once installed, navigate to Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Scripts
  • Create a folder called ZTIWindowsUpdate somewhere in your SCCM source folders
  • Then copy ZTIUtility.vbs and ZTIWindowsUpdate.wsf into the ZTIWindowsUpdate folder you created

You are now ready to create the package that will be used in a task sequence to patch systems with your existing WSUS server.

Creating ZTIWindowsUpdates Package

  • In your Configuration Manager console, navigate to Software Library \ Application Management \ Packages
  • In the ribbon, click on Create and then on Create Package

  • In the Create Package and Program Wizard, fill out all the information on the package
  • Check the box This package contains source files
  • Click on Browse and navigate to the ZTIWindowsUpdate folder where you previously copied the two MDT scripts
  • Then click Next

  • For the Program Type, select Do not create a program (command line will be specified later in the task sequence)
  • Then click on Next

  • Review the details and click Next to create the package

  • Right click on your package and click on Distribute Content
  • Then distribute it to your Distribution Point

Configuring Task Sequence

For this post I’m using the default OS deployment task sequence:

  • In your Configuration Manager console, navigate to Software Library \ Operating Systems \ Task Sequences
  • Right click your task sequence and click on Edit
  • From the Add menu, click on New Group
  • Then move it somewhere toward the end of your task sequence with the Move Down button

*** It’s recommended to place it after any software installation task so those applications can also be patched during the deployment

  • Give a name to the new group (description is optional)

  • From the Add menu, go in General and click on Set Task Sequence Variable

  • Give a name to the Set Task Sequence Variable action
  • In the Task Sequence Variable field, type WSUSServer
  • In the Value, type your WSUS server name and its port

TIP: if you are not sure about your WSUS server name or port number, you can check this registry key on any machine that receives updates from your WSUS server:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate

  • Go in the Add menu and under General click on Run Command Line
  • Give a name to the Run Command Line action
  • In the Command line field, type: cscript.exe ZTIWindowsUpdate.wsf
  • Then click on the Package checkbox
  • Click on Browse and navigate to the ZTIWindowsUpdate package you previously created

  • In the Options tab, make sure to check Continue on error

  • Finally, you can save and close your task sequence
  • Your task sequence is now ready to be deployed and to patch new machines

Missing Updates after Deployment

Once the deployment is done, there might be some updates that were not installed. Make sure you placed the Install WSUS Updates group after any software installation.

Depending on your environment, another possible cause is that you have so many updates to apply that you exceed the number of trips allowed to a WSUS server, which is hardcoded to 200. The simple workaround is to add another Install WSUS Updates task right after the initial one so your machine can do a second scan cycle.

  • Right click on Install WSUS Updates and select Copy
  • Right click again on Install WSUS Updates but this time choose Paste
  • You should now see the same task twice
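The console steps above (package creation, the WSUSServer variable, the Run Command Line step with Continue on error, and the second pass) can also be scripted. This is an added example, not code from the original post or from MDT; it assumes the ConfigMgr PowerShell cmdlets are available, that the admin workstation is itself a WSUS client (so the registry key from the TIP can be read), and uses placeholder values for the site code, source path, distribution point and task sequence name.

```powershell
# Added example: automate the manual console steps with the ConfigMgr cmdlets.
# Placeholder values (assumptions): adjust to your environment.
$SiteCode   = 'PS1'
$SourcePath = '\\sccm01\Sources\ZTIWindowsUpdate'   # folder holding ZTIUtility.vbs + ZTIWindowsUpdate.wsf
$DPName     = 'sccm01.contoso.local'
$TSName     = 'Windows 10 x64 Deployment'

# 1. Resolve the WSUS server from the policy key mentioned in the TIP above.
#    WUServer already carries scheme, host and port (e.g. http://wsus01.contoso.local:8530),
#    which is the format the WSUSServer task sequence variable expects.
$wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction Stop
$WsusServer = $wu.WUServer
if (-not $WsusServer) { throw 'WUServer is not set by policy on this machine; set $WsusServer manually.' }
$WsusUri = [uri]$WsusServer                      # throws if the value is not a well-formed URL
if ($WsusUri.Scheme -ne 'https') {
    Write-Warning "Update traffic to $WsusServer is not TLS-protected; consider enabling SSL on WSUS."
}

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$SiteCode`:"

# 2. Package with source files and no program (the command line lives in the task sequence step).
$pkg = New-CMPackage -Name 'ZTIWindowsUpdate' -Path $SourcePath `
           -Description 'MDT ZTIWindowsUpdate.wsf and ZTIUtility.vbs for patching during OSD'
Start-CMContentDistribution -PackageId $pkg.PackageID -DistributionPointName $DPName

# 3. Steps: set WSUSServer, run the script with Continue on error, then a second pass
#    to work around the 200-trip limit described above.
$setVar = New-CMTSStepSetVariable -Name 'Set WSUSServer' `
              -TaskSequenceVariable 'WSUSServer' -TaskSequenceVariableValue $WsusServer
$pass1  = New-CMTSStepRunCommandLine -Name 'Install WSUS Updates' `
              -CommandLine 'cscript.exe ZTIWindowsUpdate.wsf' -PackageId $pkg.PackageID -ContinueOnError
$pass2  = New-CMTSStepRunCommandLine -Name 'Install WSUS Updates (second pass)' `
              -CommandLine 'cscript.exe ZTIWindowsUpdate.wsf' -PackageId $pkg.PackageID -ContinueOnError

# 4. Group appended at the end of the task sequence, i.e. after every software installation step.
#    If steps such as Enable BitLocker must stay last, move the group up in the editor afterwards.
$group = New-CMTaskSequenceGroup -Name 'Install WSUS Updates' -Step @($setVar, $pass1, $pass2)
$ts    = Get-CMTaskSequence -Name $TSName
Add-CMTaskSequenceStep -InputObject $ts -Step $group
```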

Conclusion

First, we had to download and install MDT. Then we took two scripts from the toolkit and created a package with them. After that, within a task sequence, we configured the WSUSServer variable to point to our existing WSUS server and instructed our package to execute the patching. All that was implemented in probably less than 30 minutes. It’s not how it’s done that counts but the result … happy users!

Whatever the reason you are still using WSUS, when you are ready we can help you implement SCCM Software Update Management. We also have you covered with this Software Update Point Installation step-by-step guide. You will quickly discover all the cool features, such as Offline Servicing or reports that give you better visibility on vulnerable systems. You can also leverage all these new features in your organization to minimize operational tasks … happy bosses!

Also, credit goes to Chris Nacker who shared the solution many years ago. I just wanted to add a little more detailed step-by-step.

Patching with WSUS Server during OSD
Comments
  • Olli Rajala
    Posted at 6:30 AM February 16, 2017

    Hi,
    And thanks for this good tip. It seems to work almost fine for us, but unfortunately almost is not good enough in this case. I really would like to get this solved, because with this WSUS task included things would be really good for us.

    The last step in our task sequence is Enable BitLocker. This ‘Install updates from Wsus’ task is put just before the Enable BitLocker task, but BitLocker is not enabled anymore.

    Is it possible to run tasks after the WSUS task? Or do we have some other issue ongoing? Any thoughts?

    • Jonathan Lieng
      Posted at 10:44 PM February 16, 2017

      Hi Olli,

      Did you check the smsts.log? What does it say?

      If you have the “Enable command support” activated in your boot image, then you could add a pause before and after the “Enable BitLocker” task, this way you would be able to run the Manage-bde command to troubleshoot or monitor the smsts.log live.

      Let us know.
      Jonathan
