MDT: Install updates with WSUS

In this tutorial, I’ll explain how to enable Windows updates to a WSUS server when deploying an image with MDT.

Enable updates

Open the properties of an installation sequence, go to the Task Sequence 1 tab and activate one of the two update patches 2 by unchecking the Disable this step 3> box. > and click on the Apply 4 and OK 5 buttons.

Enable update task

Open the properties of the Deployment Share, go to the Rules 1 tab, in the Default section add the parameter WSUSServer 2 and click on Apply 3 and OK 4 .

WSUSServer parameter

At the next deployment the updates will be installed.

Installing updates during deployment

Set up client-side targeting

If client-side targeting is enabled on your WSUS server, there are small additional changes that must be made to perform updates when deploying with MDT.

Go into the properties of the task sequence and add a new task. Click on Add 1 / General 2 / Set Task Variable Sequence 3 .

Add task

Edit the new task, enter a name 1 , in the field Task Sequence Variable put WSUSGroup 2 , in the field Value indicate the name of the group WSUS 3 and click Apply 4 then OK 5 .

Edit task

It is now necessary to modify the ZTIWindowsUpdate.wsf file located in the Scripts folder of the Deployment Share folder.


oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer", oEnvironment.Item("WsusServer"), "REG_SZ"
oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer", oEnvironment.Item("WsusServer"), "REG_SZ"

Add  :

If oEnvironment.Item("WSUSGroup") <> "" then
	oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetGroup", oEnvironment.Item("WSUSGroup"), "REG_SZ"
	oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetGroupEnabled", 00000001, "REG_DWORD"
End if