For numerous reasons, not every organization has a fully deployed SCCM environment. Some might use Operating System Deployment (OSD) but not a Software Update Point (SUP). In this common scenario, systems are often patched through the WSUS infrastructure, but only once the operating system is deployed. This can be an irritant for end users if they have to wait half an hour to update their newly delivered machine.
This WSUS patching process can be configured in a task sequence so that it is executed automatically during the OS deployment. To achieve this, you need to set the task sequence variable WSUSServer to point to your existing WSUS server and then run the ZTIWindowsUpdate.wsf script from the Microsoft Deployment Toolkit (MDT). This post will show each step to accomplish this … and of course make your users happy.
- Microsoft Deployment Toolkit (for this post we will use MDT 2013 Update 2, which can be downloaded from here)
Preparing ZTIWindowsUpdate package
- Install the Microsoft Deployment Toolkit on any machine, which can be your own workstation or a test machine
- Once installed, navigate to Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Scripts
- Create a folder called ZTIWindowsUpdate somewhere in your SCCM source folders
- Then copy ZTIUtility.vbs and ZTIWindowsUpdate.wsf into the ZTIWindowsUpdate folder you created
You are now ready to create the package that will be used in a task sequence to patch systems with your existing WSUS server.
Creating ZTIWindowsUpdate Package
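The staging of the two MDT scripts can be scripted, which also gives you a chance to record what exactly went into the package source before it is distributed to every client. The following PowerShell is an added example, not code from the original post or from MDT: it copies the two files from the default MDT install location into the package source folder, records their SHA-256 hashes and Authenticode signature status in a manifest, and stops if either file is missing. The source share path is an assumption; replace it with your own.

```powershell
# Added example (not from the original post): stage the two MDT scripts into the
# SCCM package source folder and record their hashes so the package source can be
# checked for tampering before (and after) it is distributed.
$mdtScripts = Join-Path $env:ProgramFiles 'Microsoft Deployment Toolkit\Templates\Distribution\Scripts'
$packageSrc = '\\sccm01\Sources$\ZTIWindowsUpdate'   # assumed SCCM source share; adjust to yours
$required   = @('ZTIUtility.vbs', 'ZTIWindowsUpdate.wsf')

if (-not (Test-Path $packageSrc)) {
    New-Item -ItemType Directory -Path $packageSrc | Out-Null
}

$manifest = foreach ($name in $required) {
    $src = Join-Path $mdtScripts $name
    if (-not (Test-Path $src)) {
        throw "Missing $src - is the Microsoft Deployment Toolkit installed on this machine?"
    }
    Copy-Item -Path $src -Destination $packageSrc -Force
    $dst = Join-Path $packageSrc $name
    [pscustomobject]@{
        File      = $name
        Sha256    = (Get-FileHash -Path $dst -Algorithm SHA256).Hash
        Signature = (Get-AuthenticodeSignature -FilePath $dst).Status   # Valid / NotSigned / HashMismatch
    }
}

# Keep the manifest beside the scripts; re-run Get-FileHash later and compare
# against it if you ever suspect the package source was modified.
$manifest | Export-Csv -Path (Join-Path $packageSrc 'manifest.csv') -NoTypeInformation
$manifest | Format-Table -AutoSize
```

Because the package is executed with cscript.exe on every machine you deploy, the package source is effectively code that runs on all new systems; keeping a hash manifest lets you confirm that the files on the distribution point are still the ones you copied from MDT.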
- In your Configuration Manager console, navigate to Software Library \ Application Management \ Packages
- In the ribbon, click on Create and then on Create Package
- In the Create Package and Program Wizard, fill out all the information on the package
- Check the box This package contains source files
- Click on Browse and navigate to the ZTIWindowsUpdate folder where you previously copied the two MDT scripts
- Then click Next
- For the Program Type, select Do not create a program (command line will be specified later in the task sequence)
- Then click on Next
- Review the details and click Next to create the package
- Right click on your package and click on Distribute Content
- Then distribute it to your Distribution Point
Configuring Task Sequence
For this post I’m using the default OS deployment task sequence:
- In your Configuration Manager console, navigate to Software Library \ Operating Systems \ Task Sequences
- Right click your task sequence and click on Edit
- From the Add menu, click on New Group
- Then move it somewhere toward the end of your task sequence with the Move Down button
*** It’s recommended to place it after any software installation task so the installed applications can also be patched during the deployment
- Give a name to the new group (description is optional)
- From the Add menu, go in General and click on Set Task Sequence Variable
- Give a name to the Set Task Sequence Variable action
- In the Task Sequence Variable field, type WSUSServer
- In the Value, type your WSUS server name and its port
TIP: if you are not sure about your WSUS server name or port number, you can check this registry key on any machine that receives updates from your WSUS server:
- Go in the Add menu and under General click on Run Command Line
- Give a name to the Run Command Line action
- In the Command line field, type: cscript.exe ZTIWindowsUpdate.wsf
- Then click on the Package checkbox
- Click on Browse and navigate to the ZTIWindowsUpdate package you previously created
- In the Options tab, make sure to check Continue on error
- Finally, you can save and close your task sequence
- Your task sequence is now ready to be deployed and to patch new machines
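Before the task sequence is deployed, it is worth confirming that the value you typed into the WSUSServer variable is the one your existing clients actually use and that it is reachable from the network where machines get imaged. The PowerShell below is an added example, not part of the original post: run on a machine that is already WSUS-managed, it reads the WSUS URL from the Windows Update policy key (WUServer under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate), parses out the host, port and scheme, warns if the channel is plain HTTP, and probes the port. It assumes the WSUSServer variable takes the same URL form as the WUServer policy value; if your environment uses a different form, keep the host and port it prints and adjust the last line.

```powershell
# Added example (not from the original post): read the WSUS URL that this machine
# is already configured with, validate it, and print the value to reuse in the
# WSUSServer task sequence variable.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wuServer  = (Get-ItemProperty -Path $policyKey -ErrorAction Stop).WUServer
if (-not $wuServer) {
    throw "WUServer is not set under $policyKey; this machine does not receive updates from a WSUS server."
}

$uri = [uri]$wuServer
if (-not $uri.IsAbsoluteUri) {
    throw "WUServer '$wuServer' is not an absolute URL (expected http(s)://host:port)."
}

# Report the parts explicitly; 8530 (HTTP) and 8531 (HTTPS) are the WSUS defaults,
# but a value without an explicit port resolves to 80/443 via [uri].Port.
Write-Host "WSUS server: $($uri.Host)  Port: $($uri.Port)  Scheme: $($uri.Scheme)"
if ($uri.Scheme -ne 'https') {
    Write-Warning 'WSUS is reached over plain HTTP: the client-server channel is neither authenticated nor encrypted.'
}

# Confirm the server answers on that port from this network segment before the
# value is baked into a task sequence that runs on every new machine.
$probe = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "No TCP answer from $($uri.Host):$($uri.Port); check firewall rules between the imaging VLAN and WSUS."
}

# The string to enter in the Value field of the Set Task Sequence Variable step
"$($uri.Scheme)://$($uri.Host):$($uri.Port)"
```

Running this from the same VLAN your bare-metal deployments use catches the most common failure mode for this setup: a WSUSServer value that is correct but simply not reachable during OSD, which the Continue on error option would otherwise hide.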
Missing Updates after Deployment
Once the deployment is done, there might be some updates that were not installed. Make sure you placed the Install WSUS Updates group after any software installation.
Depending on your environment, the other possible cause could be that you have so many updates to apply that you exceed the number of trips allowed to a WSUS server, which is hardcoded to 200. The simple workaround is to add another Install WSUS Updates task right after the initial one so your machine can do a second scan cycle.
- Right click on Install WSUS Updates and select Copy
- Right click again on Install WSUS Updates but this time choose Paste
- You should now see the same task twice
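Adding a second pass handles the 200-trip limit, but you still want a way to verify that a freshly deployed machine actually left OSD fully patched. The script below is an added example, not code from the original post or from MDT: it asks the Windows Update Agent, scanning against the managed (WSUS) server only, which applicable updates are still not installed, lists them with their KB numbers and MSRC severity, and exits non-zero when anything is missing so it can be used as a final Run Command Line step or from a monitoring job. It assumes the machine already has its WSUS policy in place, which is the case once ZTIWindowsUpdate.wsf has run.

```powershell
# Added example (not from the original post): after OSD completes, report updates
# that are still missing according to the configured WSUS server.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = 1   # ssManagedServer: scan against WSUS, not Microsoft Update
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$missing = @($result.Updates | ForEach-Object {
    [pscustomobject]@{
        Title      = $_.Title
        KB         = ($_.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity   = $_.MsrcSeverity        # Critical / Important / Moderate / Low, or empty
        Downloaded = $_.IsDownloaded
    }
})

"$($missing.Count) update(s) still missing after deployment on $env:COMPUTERNAME"
$missing | Sort-Object Severity | Format-Table -AutoSize

# Non-zero exit so the task sequence log or a collection query can flag the machine
if ($missing.Count -gt 0) { exit 1 } else { exit 0 }
```

If this step reports a long list right after the second Install WSUS Updates task, the machine either hit the 200-trip limit twice (a third copy of the task would help) or the software installed later in the task sequence brought new applicable updates with it, which is exactly why the group belongs after the application installs.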
First, we had to download and install MDT. Then we took two scripts from the toolkit and created a package with them. After that, within a task sequence, we configured the WSUSServer variable to point to our existing WSUS server and instructed our package to execute the patching. All that was implemented in probably less than 30 minutes. It’s not how it’s done that counts but the result … happy users!
Now, if for whatever reason you are still using WSUS, when you are ready we can help you implement SCCM Software Update Management. We’ve also got you covered with this Software Update Point Installation step-by-step guide. You will quickly find out about all the cool features such as Offline Servicing or reports that give you better visibility on vulnerable systems. You can also leverage all these new features in your organization to minimize operational tasks … happy bosses!
Also, credit goes to Chris Nacker, who shared the solution many years ago. I just wanted to add a little more detailed step-by-step guide.