Brief question about MS Updates in MDT.

  • Question

  • If I enable MS Updates in my TS, without using WSUS, do I get the same GPO policies as I would if I ran the Updates manually from the desktop, once MDT finished?
    I am testing out getting Updates in MDT, without WSUS, but it seems that when I try, I am getting the full slew of them. Running them manually from the desktop after MDT completes, I get only GPO approved ones. Is this expected? I was hoping to only get the same Updates with MDT running from the desktop as I would manually.
    Monday, November 13, 2017 2:42 PM

Answers

  • Unlike ConfigMgr OSD, during MDT installations GPOs are being applied. Check which policies are linked to your staging OU. Running rsop might be beneficial for troubleshooting as well.

    Cheers,
    Anton

    Vacuum Breather Blog | Wing Commander Saga | Twitter

    Note: Posts are provided "AS IS" without warranty of any kind. If posts are helpful please don't forget to rate them as "Helpful" or as "Answer".

    • Marked as answer by the1rickster Monday, November 13, 2017 5:13 PM
    Monday, November 13, 2017 4:59 PM
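
One way to carry out the check suggested in the answer above, as an added example that was not posted by anyone in this thread: it lists the computer GPOs applied to the machine and reads the Windows Update policy values from the registry. Run it elevated once from a task sequence step placed before the update step and once from the finished desktop, then compare the two outputs. The list of value names is an assumption based on the settings described in the thread (driver exclusion, feature-update deferral, WSUS); the GPOs in the poster's domain may set others.

```powershell
# Added example, not from the thread. Run elevated.
# Policy-delivered Windows Update settings live under this key.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

# Assumed set of values of interest: WSUS targeting, driver exclusion,
# and feature-update deferral. Adjust to match your own GPOs.
$wanted = [ordered]@{
    $wuKey = 'WUServer', 'WUStatusServer',
             'ExcludeWUDriversInQualityUpdate',
             'DeferFeatureUpdates', 'DeferFeatureUpdatesPeriodInDays'
    $auKey = 'UseWUServer', 'NoAutoUpdate', 'AUOptions'
}

$report = foreach ($key in $wanted.Keys) {
    # The key is absent entirely when no GPO has written any of these settings.
    $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
    foreach ($name in $wanted[$key]) {
        $isSet = $props -and ($props.PSObject.Properties.Name -contains $name)
        [pscustomobject]@{
            Key   = $key
            Value = $name
            Data  = if ($isSet) { $props.$name } else { '<not set>' }
        }
    }
}

# Effective update policy as seen by this machine right now.
$report | Format-Table -AutoSize

# Save a copy so the task sequence run and the desktop run can be compared.
$outFile = Join-Path $env:TEMP ("wu-policy-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date))
$report | Export-Csv -Path $outFile -NoTypeInformation
Write-Host "Saved to $outFile"

# Computer-scope GPOs that were applied (or filtered out) for this machine.
gpresult.exe /scope computer /r
```

A value that shows `<not set>` during the task sequence but is populated on the finished desktop means the GPO carrying it had not been applied at that point in the deployment.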

All replies

  • Hi

    What do you mean by "GPO approved ones"? As far as I'm aware there is no method via GPO to approve updates?


    Regards Mark

    Always learning.
    If replies help, please either vote up or mark as answers.

    Monday, November 13, 2017 3:09 PM
  • Our AD group applies GPO policies to prevent certain updates. They prevent OS updates (features) and turn off driver updates from MS. They use GPO to dictate which updates are blocked...when you kick off MS Updates from the desktop.

    When I start Updates from my TS, I get driver updates, and even Office 2013 updates which I don't even have installed on my image. I was wondering why GPO policies don't apply during MDT as they would outside of the TS, in the same OU.

    Monday, November 13, 2017 3:13 PM
  • Thanks. I was just testing MDT/WSUS and without WSUS to ensure MDT will communicate with WSUS. Since it's not fully configured, I thought I'd just get MS Updates directly from MS via my TS. I still got lots of unwanted updates.

    Good news I guess is that our server group is making a WSUS for their servers and will create a GPO for our computers as well, so I can just piggyback off of their WSUS to get local updates. (In 1703 we can no longer get updates as admin as we did in 1607. It'll be nice to rest this on their shoulders).

    Per your comment, we only have one OU which will allow us to get updates. GPO is all set up to control those updates. So, I remain unsure as to why I get all those extras in the same OU. I have Office 365 on my image (and only 2013 Access), yet I pulled down a few dozen Office 2013 updates. I know so little about controlling this so I'm relieved that our server group will control the update traffic.


    Monday, November 13, 2017 5:10 PM