Managing Windows Updates

When creating a new operating system WIM image with MDT, one of the things that you should always examine is the set of new Windows updates that you will include; my recommendation has always been to make sure that the image is as up-to-date as possible with all the released Windows updates for the operating system you are going to deploy.  During the testing phase of the image you create, you will be able to identify and catch any possible problems that an update may cause.  I believe that this is a better approach to patching than testing and then deploying each individual update as it is released, because it requires less time and work from you but still ensures that an update will not give problems.

With MDT you add the updates to the workbench (as you can see in the screenshot below) and MDT will install them at the correct point in the installation process; it couldn't be simpler!

Note: MDT expects the updates in the MSU format, whereas BDD wants the MSI format.

 

However, what is not a simple task is the actual job of identifying and downloading all the updates in the first place so that they can be included in MDT.  There are several ways to attack this job:

  • Install a base Windows XP machine and run Windows Update on it, then note down by hand all of the KB numbers that appear in the list.  You need to be aware that some updates have dependencies on others, so they will not appear in the list until you have installed the updates they require.  This means that you will need to run Windows Update several times on the computer until no new updates are detected.
    Then, go to www.microsoft.com and search for each KB article, follow the link to the page and download the file(s).  This is a very slow and laborious task, especially if you have a lot of them to download.
  • Only install the service packs when they are released because they contain all previous updates.  This will leave your computer image missing many critical updates for long periods of time because the intervals between service packs are so great; I would not recommend this approach.  Also, what happens after the final service pack for Windows XP is released?  Will you not patch any further...?
  • Use the Windows Update task from the MDT task sequence.  This task will automatically run Windows Update during the execution of the task sequence to ensure that your build is up-to-date.  Unfortunately, it does not yet support proxy servers, so it is sometimes not a viable choice.
  • Update the operating system post-deployment via SMS or the Automatic Updates service.  This is the simplest option, although it exposes your systems to unnecessary risk until they are fully patched.

All of the methods above will allow you to complete an operating system deployment containing all the latest updates; however, as I mentioned above, they all have their drawbacks.  The method I have always used is the first one, as it was the only sure way to have all the required updates, but the job is a slow and tedious one.  A slightly faster way is to use the site https://catalog.update.microsoft.com to download the updates, as this lets you create a 'shopping basket' and then download them all at once, which is marginally quicker but still slow.

 

I recently completed a project to create a set of Windows XP images, and the client wanted the images to contain Service Pack 2 plus all current critical updates (Service Pack 3 was still in beta at the time).  One of the first steps I took was to create the list of KB articles for the updates I would have to download (via the Windows Update method in the list above), and it came out at almost 200 KB articles!  At the thought of a day's work ahead of me clicking around the Microsoft website, I decided to find out if there was an easier way to do this as I did not relish the thought of sitting at my computer to download each and every file manually.

After searching around, both internally at Microsoft and externally via live.com, it became clear that there is not a Microsoft solution to this problem.  However, all was not lost because it seems that someone else had come across the same problem and created a solution for it.  Windows Updates Downloader will allow you to download all updates since the last service pack for the system that you choose.  As you can see from the image below, it currently lists Service Pack 3 and all the post-SP3 updates that have been released, which are not that many at the time of writing this post although the list is bound to grow somewhat in the future.


 

This tool has saved me hours of work and is now a permanent fixture in my array of deployment tools!  Go find out more information about it here: https://wud.jcarle.com/.  By the way, I must mention that this is not a Microsoft product and that I am not endorsing it in any way.  All and any problems or issues related to it should be directed to the author, not Microsoft.

 

This post was contributed by Daniel Oxley, a consultant with Microsoft Services Spain.
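
Because the KB list is noted by hand and the packages are fetched in bulk by a third-party tool, a check before importing them into MDT is worthwhile: that every expected KB is present and that every package carries a valid Microsoft signature. The script below is an added example, not part of the original post or of any tool it mentions; the folder path, the list file and its one-KB-per-line format are assumptions.

```powershell
# Added example: checks a folder of downloaded update packages before MDT import.
param(
    [string]$UpdateDir  = 'C:\Updates\XP',           # hypothetical folder
    [string]$KbListFile = 'C:\Updates\kb-list.txt'   # hypothetical list, one KB per line
)

$kbPattern = '(?i)KB\d{6,7}'

# KB numbers noted by hand from Windows Update, normalised and de-duplicated.
$expected = @(Get-Content -Path $KbListFile |
    ForEach-Object { if ($_ -match $kbPattern) { $Matches[0].ToUpper() } } |
    Sort-Object -Unique)

$files = @(Get-ChildItem -Path $UpdateDir -Recurse -Include *.exe, *.msi, *.msu |
    Where-Object { -not $_.PSIsContainer })

$report = @(foreach ($f in $files) {
    $sig     = Get-AuthenticodeSignature -FilePath $f.FullName
    $kb      = if ($f.Name -match $kbPattern) { $Matches[0].ToUpper() } else { $null }
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        File    = $f.Name
        KB      = $kb
        Status  = $sig.Status
        Signer  = $subject
        # Valid = file hash matches and the chain builds to a trusted root here;
        # the subject match is a coarse publisher filter on top of that.
        Trusted = ($sig.Status -eq 'Valid') -and ($subject -match 'O=Microsoft Corporation')
    }
})

$untrusted  = @($report | Where-Object { -not $_.Trusted })
$trustedKbs = @($report | Where-Object { $_.Trusted } | ForEach-Object { $_.KB })
$missing    = @($expected | Where-Object { $trustedKbs -notcontains $_ })

'Expected KBs: {0}   Packages scanned: {1}' -f $expected.Count, $files.Count
if ($untrusted.Count) {
    'Packages without a valid Microsoft signature (do not import):'
    $untrusted | Format-Table File, Status, Signer -AutoSize
}
if ($missing.Count) { 'KBs with no trusted package:'; $missing }
if ($untrusted.Count -or $missing.Count) { exit 1 }
```

The non-zero exit code lets a build script stop before the packages reach the deployment share.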

Comments

  • Anonymous
    January 01, 2003
    A friend of mine sent me a link to an old post on the Deployment Guys, this post talked about a Windows

  • Anonymous
    January 01, 2003
    Integrating SP3 with XP (for Sparky) The only issue I have come across is when I have integrated SP3 using my Vista workstation - when it comes to build time I'm prompted for my product key which is a VLK but this key is not accepted: http://support.microsoft.com/default.aspx?scid=kb;EN-US;950722 Integrating SP3 on an XP workstation works fine though. HTH

  • Anonymous
    January 01, 2003
    @MWEST Hi, All the program does is download the file(s) that appear on the KB support page.  So, if Microsoft have packaged them in format .exe then that is how they will download.  The vast majority will be in either MSI or MSU. Daniel

  • Anonymous
    January 01, 2003
    Would you recommend this over WSUS?

  • Anonymous
    January 01, 2003
    Nice find Daniel!  It only seems to bring down the EXE files.  Is there a way to get the MSU files or somehow I can package the EXE files as MSU files?  Would be nice to add them as OS Packages but if need be I can run them as Applications.

  • Anonymous
    January 01, 2003
    @Steve Collins, Scollins01 & Nathan You can't convert MSIs to MSUs, nor vice versa, so I am afraid that a converter does not exist. You'll need to either break open the MSI to get the internal files (if possible) with the /a option, or install the package(s) via a script using MSIEXEC.EXE /I. Because MDT requires the updates in MSU format, you'll need to either install them using a script or use BDD2007 to install the MSI files. It is a useful tool for XP as well, it just depends on how you deploy the updates.  Although you might not be able to install them via OS Packages, you could still install them with a script. Finally, don't forget that you can extract the contents of an MSU in order to add the CAB files to BDD using the command: expand -F:* MSU_File.msu c:\ExtractFolder HTH, Daniel

  • Anonymous
    January 01, 2003
    Thanks for this info Daniel, I would have continued with the same old manual process had it not been for this post!

  • Anonymous
    January 01, 2003
    @GreatBarrier86 WSUS is a tool for downloading and distributing patches.  The tool I refer to in my blog post simply allows you to automate the download of many patches, it will not do the distribution. HTH, Daniel

  • Anonymous
    January 01, 2003
    Hello, I want to add additional Windows XP updates to the OS Packages section of MDT but I can't seem to find a tool or a guide to convert the standard downloaded updates to the required format? I have tried extracting them and then pointing MDT to the extracted location with no success.

  • Anonymous
    January 01, 2003
    Thanks for the advice Daniel. I will have a look at trying to script this. Thanks again Steve

  • Anonymous
    May 20, 2008
    I can't find the download link at that site. What am I doing wrong?

  • Anonymous
    May 20, 2008
    You mentioned Windows SP3 in your posting above.  Any guidance you can offer on a recommended installation procedure for the ~344mb executable?  Should this be applied in MDT via Applications, OS Packages, or elsewhere? Others feel free to chime in...

  • Anonymous
    May 20, 2008
    2 Razor: go to Program Files link at the left

  • Anonymous
    May 20, 2008
    Until the release I was doing it as an update. Friday I slipstreamed the update into my volume license media and created the task sequence with the slipstreamed media. Just don't try to slipstream it on a Vista PC - XP only. Working fine as far as I can tell. :)

  • Anonymous
    May 20, 2008
    Is it company policy not to endorse great tools not written in house? ;)

  • Anonymous
    May 22, 2008
    Hi, I'm trying to add Windows XP updates to the OS packages section in MDT08. I noticed in your post that you have said you need to apply the updates in a .msu for MDT to properly detect them. My question is how do you convert the downloaded updates from Microsoft to .msu format? Thanks Steve

  • Anonymous
    May 22, 2008
    Given that MDT requires files in MSU format for OS  packages, I guess that means it's only useful for vista/2008 no? and that Andrea's method is still probably best for XP/2003

  • Anonymous
    May 23, 2008
    The comment has been removed

  • Anonymous
    June 06, 2008
    Hi Dan, your article states that WUD will download all post-SP3 patches. I am still deploying XP SP2 to my corporate machines, and we're not yet ready for SP3. Does an update list exist that will download all post-SP2 patches?

  • Anonymous
    March 11, 2009
    I put all the exe's in a directory and create a batch file with the following 3 lines:
      dir *.exe /b >temp.txt
      FOR /F %%a IN (temp.txt) DO %%a /norestart /quiet
      del temp.txt
    I then add an app to MDT running this batch file.  The files will install by order of the KB number. As far as future updates go.. just add the exe to the app dir on the MDT server and update the deployment point. Cheers-

  • Anonymous
    March 14, 2011
    Guys, My requirement is to deploy patches to Windows 7. Currently I am using 2003 server (WSUS 3.0 - Service pack 2). Is there any step by step document you can provide? My remote team set up 10 no's Windows 7 computers, and I am going to push the patches using my WSUS 3.0 console. Could you please explain what the steps are to deploy patches on Win 7 using the WSUS console? Please help me on this! Regards, Meykani