Altering an MDT Task Sequence to Update from Windows Update

I’ve been revisiting my MDT process as I wanted to try using Windows Update to get drivers during deployment. By itself this is not a problem: I can just remove the WSUSServer=http://wsus:8530 setting from CustomSettings.ini. However, as soon as the device is joined to the domain, Group Policy configures it to use the local WSUS server for updates. That is desired, as I still want to use WSUS for future updates, but I want to use Windows Update during deployment.

I’ve a few options here:

Move Domain Join to later in the Task Sequence, after Windows Update

I could have done this, however some of the custom scripts might need the domain, and it seems like a large change to the process that could cause more problems.

Always ensure that the computer account is created in an OU where the WSUS GPO is not applied, or, for existing accounts, ensure the account is moved or deleted first.

This is a small task, but it has time-consuming repercussions if it is not done or is forgotten about. The move could be scripted, but again it’s a lot of effort for a quick configuration change.

This is what I settled on, at least for now:

In the Task Sequence, just before the Windows Update items, delete the registry values that configure the device to use the local WSUS server. Without them the client checks Windows Update for updates and drivers instead. I wrote a short .bat script to delete the registry values.

REM Remove MDT WSUS Reg Entries
REM Deletes the WSUS policy values (set from CustomSettings.ini or Group Policy) so the
REM Windows Update client falls back to Microsoft's Windows Update servers.
REM Note: REG DELETE /f sets errorlevel 1 when the value no longer exists, which is why
REM the Task Sequence step needs "Continue on error".
REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v "WUServer" /f
REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v "WUStatusServer" /f

In the Task Sequence I created two items:

You should set “Continue on error” on the items, at least on the second one; otherwise the Task Sequence will fail when the script tries to remove registry entries that no longer exist.
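The same step written in PowerShell, as an added example rather than the post’s own .bat script. It assumes it is run from a “Run PowerShell Script” task sequence step placed immediately before the Windows Update items. It treats a missing value as already removed, so it can always exit 0 and the step no longer needs “Continue on error”. Removing UseWUServer under the AU subkey goes beyond the two values the post names; it is the value that tells the client to use an intranet server at all.

```powershell
# Added example (not the post's .bat script): clear the WSUS policy values so the
# Windows Update client contacts Microsoft's Windows Update during deployment.
# Intended for a "Run PowerShell Script" step placed just before the Windows Update steps.
# Unlike REG DELETE /f, a value that is already absent is treated as "done", so the
# step exits 0 and does not need "Continue on error".

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'

# WUServer and WUStatusServer are the values named in the post.
# UseWUServer (under ...\WindowsUpdate\AU) is an addition beyond the post: it is the
# switch that makes the client use the intranet server in the first place.
$Targets = @(
    @{ Path = $PolicyKey; Name = 'WUServer' },
    @{ Path = $PolicyKey; Name = 'WUStatusServer' },
    @{ Path = $AuKey;     Name = 'UseWUServer' }
)

function Remove-WsusPolicyValue {
    param([string]$Path, [string]$Name)

    if (-not (Test-Path -Path $Path)) {
        Write-Output "SKIP    $Path (key not present)"
        return
    }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output "SKIP    $Path\$Name (value not present)"
        return
    }
    Remove-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
    Write-Output "REMOVED $Path\$Name (was: $($item.$Name))"
}

$failed = $false
foreach ($t in $Targets) {
    try {
        Remove-WsusPolicyValue -Path $t.Path -Name $t.Name
    } catch {
        Write-Output "ERROR   removing $($t.Path)\$($t.Name): $_"
        $failed = $true
    }
}

# Verification: none of the target values should remain before the Windows Update step runs.
$remaining = $Targets | Where-Object {
    (Test-Path -Path $_.Path) -and
    ($null -ne (Get-ItemProperty -Path $_.Path -Name $_.Name -ErrorAction SilentlyContinue))
}

if ($failed -or $remaining) {
    Write-Output "WSUS policy values still present; the Windows Update step would use WSUS."
    exit 1
}
Write-Output "WSUS policy values cleared; the Windows Update step will use Microsoft's servers."
exit 0
```

Two points worth keeping in mind when using this: the values are only cleared on the client, so the next Group Policy refresh (a background refresh, or a gpupdate) writes them back and the device returns to WSUS, which is the behaviour the post wants after deployment; and because of that, the step must sit directly before the Windows Update items, not earlier in the sequence. After deployment, reading the same WindowsUpdate policy key on the finished device is a quick way to confirm it has gone back to the local WSUS server.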

I’ve only tested this on a couple of newer devices. They both had a lot of drivers missing and required a few reboots during the update/driver installation process, but it appeared to work.

I apologise for the hastily thrown together post, but hopefully this might help someone else.

-Mike

Twitter – @Digressive

One Comment

  1. jesper says:

    I’m in the same boat, but not really. I want to use a local WSUS server for deployment instead of using Windows Update like you. I have the same difficulties with GPOs pushing WSUS on my PC. Will this work for me also, or is there another way to better force a local WSUS server during deployment?

