Including Windows Updates in Task Sequence

  • Question

  • Is there a way, without a WSUS service running, to include Windows updates in a task sequence? Right now the only way I can see of doing it is adding an Install Offline Updates step in the post-install section of the TS. That is fine, but this is what I want my end result to be: not having to run Windows Update after deployment. I want a completely patched image so we do not have to run Windows Update after deploying. Right now I only have two updates in packages that install, because they are required for other software installs we do. My question is: what updates do I need for Windows 7 Professional?
    Saturday, April 14, 2018 3:33 AM

All replies

  • Just enable the Windows update task, such as the post-application one. If you don't have WSUS it'll just get the updates directly from Microsoft.

    Daniel Vega

    Tuesday, April 17, 2018 7:50 PM
  • Tried that; it didn't seem to pull anything down. I am assuming it does this after it installs the OS. Right now I am trying Offline WSUS.
    • Edited by Darknms Wednesday, April 18, 2018 1:16 AM
    Wednesday, April 18, 2018 1:15 AM
  • Well you do have to be connected to the internet to reach Microsoft's server. Check the log files and look for ZTIWindowsUpdate.log to see what's going on.

    Daniel Vega

    Wednesday, April 18, 2018 1:38 PM
  • Dan, I'd like to throw a question out here, while our AD is STILL making a WSUS for us...

    By enabling Updates in my TS, I'm guessing there is no way GPO applies, controlling which updates we get?
    I'd guess no, which is why most use a WSUS and edit the approvals on them that way.

    IF GPO does control which updates a PC gets during MDT (the same as for an active domain PC), please let me know. The reason I doubt it would is because of the OU we must join our PCs into. It is a policy-free OU which allows the admin to sign on (it fails in every other OU), but I don't think Updates is allowed in that OU. It's a rat-race to say the least.

    Thanks!

    Wednesday, April 18, 2018 8:04 PM
  • When you enable updates in the task sequence, if you do not have a WSUS server specified it will pull down published updates directly from Microsoft. If you want to control which updates are applied, either run WSUS or specifically block updates using the KB number in CustomSettings.ini.

    It would look like this:

    WUMU_ExcludeKB001=2267602
    WUMU_ExcludeKB002=4088785


    Daniel Vega

    Wednesday, April 18, 2018 8:24 PM
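The exclusion list above is only useful if the entries are well formed and the deployed machine actually honours them. The following script is an added example, not code from the thread or from MDT: it parses the WUMU_ExcludeKB* entries out of a CustomSettings.ini, flags numbering gaps and non-numeric values, and then cross-checks the list against the hotfixes present on a finished build (the kind of list you would get from Get-HotFix or wmic qfe). The .ini text and the installed-KB list are constructed sample data, and the requirement that the numbered suffixes be contiguous (001, 002, ...) is an assumption about how MDT reads list properties, not something the thread states.

```python
"""Validate MDT WUMU_ExcludeKB exclusions and check them against a deployed PC.

Added example, not part of the original thread. The ini text and the installed
hotfix list are constructed; the contiguous-numbering rule is an assumption.
"""
import configparser
import re
from typing import Dict, List

# Constructed sample CustomSettings.ini (not a real site's file). Note the
# deliberate gap: 003 is missing and 004 carries a placeholder KB number.
SAMPLE_INI = """\
[Settings]
Priority=Default
Properties=MyCustomProperty

[Default]
OSInstall=Y
SkipBDDWelcome=YES
WUMU_ExcludeKB001=2267602
WUMU_ExcludeKB002=4088785
WUMU_ExcludeKB004=9999999
"""

# Matches WUMU_ExcludeKB001, WUMU_ExcludeKB002, ... (case-insensitive).
KB_KEY = re.compile(r"^wumu_excludekb(\d{3})$", re.IGNORECASE)


def parse_exclusions(ini_text: str, section: str = "Default") -> Dict[int, str]:
    """Return {suffix_number: kb_number} for every WUMU_ExcludeKBnnn key."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so the original names survive
    cp.read_string(ini_text)
    found: Dict[int, str] = {}
    for key, value in cp.items(section):
        m = KB_KEY.match(key)
        if m:
            found[int(m.group(1))] = value.strip()
    return found


def validate_exclusions(found: Dict[int, str]) -> List[str]:
    """Report numbering gaps and values that are not bare KB numbers.

    Assumption: MDT walks list properties 001, 002, ... and stops at the first
    missing index, so a gap silently drops everything after it.
    """
    problems: List[str] = []
    expected = 1
    for idx in sorted(found):
        if idx != expected:
            problems.append(
                f"WUMU_ExcludeKB{idx:03d}: numbering gap, expected {expected:03d}"
            )
        expected = idx + 1
        if not found[idx].isdigit():
            problems.append(
                f"WUMU_ExcludeKB{idx:03d}: value {found[idx]!r} is not a bare KB number"
            )
    return problems


def _strip_kb_prefix(name: str) -> str:
    """'KB2267602' -> '2267602'; a bare number is returned unchanged."""
    name = name.strip().upper()
    return name[2:] if name.startswith("KB") else name


def excluded_but_installed(found: Dict[int, str], installed: List[str]) -> List[str]:
    """KB numbers that were excluded in the ini yet appear on the deployed PC."""
    excluded = set(found.values())
    present = {_strip_kb_prefix(kb) for kb in installed}
    return sorted(excluded & present)


if __name__ == "__main__":
    exclusions = parse_exclusions(SAMPLE_INI)
    print("Exclusions:", exclusions)
    for problem in validate_exclusions(exclusions):
        print("PROBLEM:", problem)
    # Constructed hotfix list, as Get-HotFix would report HotFixID values.
    installed_sample = ["KB4093118", "KB2267602", "KB4074837"]
    print("Excluded but installed:", excluded_but_installed(exclusions, installed_sample))
```

Run it against your real CustomSettings.ini by reading the file into parse_exclusions, and feed excluded_but_installed the HotFixID column from Get-HotFix on a freshly deployed machine; a non-empty result means the exclusion did not take effect and ZTIWindowsUpdate.log is the place to look next.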
  • I just attempted to test Updates from MS. It finished with an error:

    2145123273 0x80240437, search for updates. ZTIWindowsUpdate, rc=1


    AD says they cannot control whether the admin account can or cannot access the MS site. Up until 1703 the admin always could. We would clone into that open OU and manually run updates as admin. I've argued back that if they can't control the admin access, then anything 'within' that OU (AD PC names) should be allowed. So I will wait for my WSUS to get going...
    Wednesday, April 18, 2018 8:25 PM
  • Are you aware of a GPO setting that allows domain computers in an OU to get updates, vs the user?
    If this can be edited we won't really need that WSUS. I would imagine that since it is a domain PC, the GPO controls over which updates you get would still apply, but let me know if I am wrong.

    Ideally, if AD can allow "all" computers in one specific OU to get updates, regardless of user, that would solve our immediate issue.

    Thanks

    Wednesday, April 18, 2018 8:51 PM