Approving Windows Updates in an MDT 2010 Standalone Environment from a ConfigMgr Software Update Point

You’ve no doubt read about some of the benefits of using the Software Update Point features of ConfigMgr. However, if you are already using MDT standalone as an Image Engineering environment, you can end up duplicating effort by managing software updates in both environments. The most common solution is to set up an external standalone WSUS server for your reference machine to pull down updates. However, it would be ideal to have a single place to manage the approval and download of updates for both the deployed machines in the ConfigMgr environment and the reference machine during an image capture in the MDT standalone environment.

To create a right-click action to approve Update Lists in a standalone WSUS server:

1. Create your Software Update Lists in ConfigMgr and assign them to a Deployment Package. Download and approve the updates as you would normally in ConfigMgr by creating a Deployment Template.

2. Synchronize your external standalone WSUS server with Microsoft to pull down updates. Note that this server should not be a Software Update Point.

3. Download the attached scripts to create a right-click action:

a) Copy the a7252c9e-3137-49a4-a8f2-13d17bb8abd0 folder to your ConfigMgr site server, e.g. %ProgramFiles%\Microsoft Configuration Manager\AdminUI\XMLStorage\Extensions\Actions. Substitute the first part of the path with your ConfigMgr path.

b) Copy the ApproveUpdatesToWSUS.ps1 script to a new folder at %ProgramFiles%\OSDLifeCycle\Scripts. Ensure that PowerShell is installed on your server and that the execution policy is set appropriately.

c) Edit the ApproveUpdatesToWSUS.ps1 file and replace MYUPDATESERVER with the name of your standalone WSUS server.


4. Reload your ConfigMgr Console using an account that is in the WSUS Administrators local group on the WSUS server.

5. Right-click on your update list and you should see “Publish these updates in a WSUS Server”. NOTE: This will accept the EULA of any of the updates in the Update List. Ensure you review any EULAs in ConfigMgr before choosing this option.

Publish Right Click action

6. Ensure the updates were approved successfully and close the PowerShell window.

7. In the customsettings.ini file of your MDT Image Engineering environment, set the WSUSServer variable to the location of your server (e.g. WSUSServer=https://MyUpdateServer).

8. Update your Deployment Share.
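
The PowerShell below is an added example, not the attached ApproveUpdatesToWSUS.ps1 script: it approves a list of updates on the standalone WSUS server through the WSUS administration API, and accepts EULAs only when explicitly asked to, so that updates needing a license review are reported instead of silently accepted. The function name, the -AcceptEula switch, the CSV column name UpdateID and the default port are assumptions; MYUPDATESERVER is the placeholder server name from step 3c.

```powershell
# Added example (not the script attached to this post).
# Assumptions: the CSV has an "UpdateID" column of update GUIDs, and the WSUS
# administration console (Microsoft.UpdateServices.Administration) is installed locally.
function Approve-WsusUpdateList {
    param(
        [Parameter(Mandatory = $true)][string]$CsvPath,
        [string]$Server = 'MYUPDATESERVER',  # placeholder name from the post
        [int]$Port = 80,                     # assumed; use the port your WSUS site listens on
        [switch]$UseSsl,
        [switch]$AcceptEula                  # without this, EULA updates are reported, not approved
    )

    [void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer(
        $Server, $UseSsl.IsPresent, $Port)
    $group = $wsus.GetComputerTargetGroup(
        [Microsoft.UpdateServices.Administration.ComputerTargetGroupId]::AllComputers)
    $install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install

    foreach ($row in Import-Csv -Path $CsvPath) {
        $result = New-Object PSObject -Property @{
            UpdateID = $row.UpdateID; Title = $null; Status = $null }
        try {
            $id = New-Object Microsoft.UpdateServices.Administration.UpdateRevisionId `
                -ArgumentList ([Guid]$row.UpdateID)
            $update = $wsus.GetUpdate($id)
            $result.Title = $update.Title
            $needsEula = $update.RequiresLicenseAgreementAcceptance
            if ($needsEula -and -not $AcceptEula) {
                $result.Status = 'Skipped: EULA needs review'
            }
            else {
                if ($needsEula) { $update.AcceptLicenseAgreement() }
                [void]$update.Approve($install, $group)
                $result.Status = 'Approved'
            }
        }
        catch {
            # Typically the update has not been synchronized to this WSUS server yet
            $result.Status = "Failed: $($_.Exception.Message)"
        }
        $result   # one result object per update, for review or export
    }
}

# First pass lists what needs a EULA review; rerun with -AcceptEula once reviewed.
# Approve-WsusUpdateList -CsvPath .\updatelist.csv | Format-Table Status, Title -AutoSize
```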

This post was contributed by Aly Shivji a consultant with Microsoft Services - U.S. East Region.

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples is subject to the terms specified in the Terms of Use.


    I’ve been meaning to blog about this for awhile now, but just haven’t had the time. I got a kick in the

    Here is a great post over The Deployment Guys Blog.  A client actually sent this to me today and

    Excellent - thank you!

    None that I know of. We use this scenario all the time.

  • Aly
    Excellent post.  It just saved my customer an amazing amount of time and hassle standing up multiple new standalone WSUS servers.  There was a lot of political tension about how to approve the updates.  This gave them low admin overhead management of the update approvals using SCCM as their authoritative source. There is one small issue right now though.  Any update that requires the EULA acceptance is not functioning as intended.  Easy fix though! The AcceptLicenseAgreement() method has the word License misspelled, you can see it in the comment above as well. Great post as always guys!

    I made a quick edit to the PS script to take a list of updates as a CSV.  This is for folks who can't install right click tools (or powershell) directly on a site server, but would still like the functionality.  Simply export the Update List to CSV and put the path to CSV on the powershell commandline: powershell ApproveUpdatesCSV.ps1 updatelist.csv param($csvlist)

    Any issues with installing WSUS on the same server as MDT 2010?

    We are using MDT 2010 to deploy Windows 7 Ent x64.  When trying to use the 'Windows Update' step with the parameter configured in our customsettings.ini of WSUSServer=http://SERVER01:8530, the ZTIWindowsUpdate.log reports "[Scan complete, ready to install updates. Count = 0]."  The WSUS server that we are using is an SCCM 2007 SP2 R2 Software Updates point.  Are there configuration changes that we can make to the WSUS to allow SCCM to still utilize it as an update point AND allow MDT to detect and install relevant patches or do we need a separate WSUS server for use with our MDT process?

    Is there an update of this for SCCM 2012?