Managing Windows Updates

  • Article

When creating a new operating system WIM image with MDT, one of the things that you should always examine is the new updates for Windows that you will include; my recommendation has always been to make sure that the image is as up-to-date as possible with all the released Windows updates for the operating system you are going to deploy.  During the testing phase of the image you create, you will be able to identify and catch any possible problems that an update may cause.  I believe that this is a better approach to patching rather than testing and then deploying each individual update as they are released because it requires less time and work from you, but still ensures that an update will not give problems.

With MDT you add the updates to the workbench (as you can see in the screenshot below) and MDT will install them at the correct point in the installation process, couldn't be simpler!

image Note: MDT expects the updates in the MSU format, whereas BDD wants the MSI format.

 

However, what is not a simple task is the actual job of identifying and downloading all the updates in the first place so that they can be included in MDT.  There are several ways to attack this job:

  • Install a base Windows XP machine and run Windows Update on it, then note down by hand all of the KB numbers that appear in the list.  You need to be aware that some updates have dependencies on others, so they will not appear in the list until you have installed it's required update beforehand.  This means that you will need to run Windows Update several times on the computer until no new updates are detected.
    Then, go to www.microsoft.com and search for each KB article, follow the link to the page and download the file(s).  This is a very slow and laborious task, especially if you have a lot of them to download.
  • Only install the service packs when they are released because they contain all previous updates.  This will leave your computer image missing many critical updates for long periods of time because the intervals between service packs is so great, I would not recommend this approach.  Also, what happens after the final service pack for Windows XP is released, will you not patch any further...?
  • Use the Windows Update task from the MDT task sequence.  This task will automatically run Windows Update during the execution of the task sequence to ensure that your build is up-to-date.  Unfortunately, it does not yet support proxy servers so sometimes is not a viable choice.
  • Update the operating system post-deployment via SMS or the Automatic Updates service.  This is the simplest option, although it exposes your systems to unnecessary risk until they are fully patched.

All of the methods above will allow you to complete an operating system deployment containing all the latest updates; however as I mentioned above, they all have their drawbacks.  The method I have always used is the first one, as it was the only sure way to have all the required updates, but the job is a slow and tedious one.  A slightly faster way is to use the site https://catalog.update.microsoft.com to download the updates as this lets you create a 'shopping basket' and then download them all at once; which is a marginally quicker way to do it but it is still slow.

 

I recently completed a project to create a set of Windows XP images, and the client wanted the images to contain Service Pack 2 plus all current critical updates (Service Pack 3 was still in beta at the time).  One of the first steps I took was to create the list of KB articles for the updates I would have to download (via the Windows Update method in the list above), and it came out at almost 200 KB articles!  At the thought of a day's work ahead of me clicking around the Microsoft website, I decided to find out if there was an easier way to do this as I did not relish the thought of sitting at my computer to download each and every file manually.

After searching around, both internally at Microsoft and externally via live.com, it became clear that there is not a Microsoft solution to this problem.  However, all was not lost because it seems that someone else had come across the same problem and created a solution for it.  Windows Updates Downloader will allow you to download all updates since the last service pack for the system that you choose.  As you can see from the image below, it currently lists Service Pack 3 and all the post-SP3 updates that have been released, which are not that many at the time of writing this post although the list is bound to grow somewhat in the future.

 image    image

 

This tool has saved me hours of work and is now a permanent fixture in my array of deployment tools!  Go find out more information about it here: https://wud.jcarle.com/.  By the way, I must mention that this is not a Microsoft product and that I am not endorsing it in any way.  All and any problems or issues related to it should be directed to the author, not Microsoft.

 

This post was contributed by Daniel Oxley a consultant with Microsoft Services Spain