Getting Microsoft Deployment Toolkit 2008 to install updates from WSUS

Microsoft Deployment Toolkit contains a script named ZTIWindowsUpdate.wsf that can be enabled to run during Lite Touch OS deployments.  By default, it will talk to the Microsoft Update site on the internet to get the latest updates needed for your Windows OS and Microsoft applications like Office.  But you might not want all of the machines you deploy doing that.  So with MDT 2008, we added the ability to install updates from a WSUS server.  The "Toolkit Reference" document describes the basic process:

MDT 2008 can also configure WUA to collect updates from computers on the corporate network that are running WSUS instead of connecting to Microsoft Updates over the Internet. MDT 2008 can optionally configure WUA to use a specific computer running WSUS using the WSUSServer property.

But the actual description of the WSUSServer property, and a sample of how to set it, was accidentally left out of the documentation.  This needs to be configured via CustomSettings.ini by adding an entry that looks like this:


With that set, the ZTIWindowsUpdate.wsf script will automatically configure the Windows Update Agent to talk to this WSUS server instead of using Microsoft Update.
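
One way to confirm the result on a deployed machine, as an added example that is not part of the original post or of MDT: it reads WSUSServer from CustomSettings.ini text and compares it with the Windows Update Agent policy values in the registry. The INI content and the server name wsus.example.local are constructed placeholders, and the check assumes the script populates the standard WUServer, WUStatusServer and AU\UseWUServer policy values.

```powershell
# Added example: placeholder values, not taken from the original post.
# Constructed CustomSettings.ini content; wsus.example.local is a placeholder.
$customSettings = @'
[Settings]
Priority=Default

[Default]
WSUSServer=http://wsus.example.local
'@

function Get-WsusServerFromIni {
    param([string]$IniText)
    foreach ($line in ($IniText -split "`r?`n")) {
        # Lines commented out with ';' do not match; -match is case-insensitive.
        if ($line -match '^\s*WSUSServer\s*=\s*(\S+)\s*$') { return $Matches[1] }
    }
    return $null
}

function Test-WuaWsusPolicy {
    param([string]$Expected)
    # Standard Windows Update Agent policy location (assumed to be what the script populates).
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $au   = Get-ItemProperty -Path "$key\AU" -ErrorAction SilentlyContinue
    $want = $Expected.TrimEnd('/')
    $problems = @()
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $actual = if ($wu) { [string]$wu.$name } else { '' }
        if ($actual.TrimEnd('/') -ne $want) {
            $problems += "$name is '$actual', expected '$Expected'"
        }
    }
    if (-not $au -or $au.UseWUServer -ne 1) {
        $problems += 'AU\UseWUServer is not 1, so WUA ignores WUServer'
    }
    if ($Expected -notmatch '^https://') {
        $problems += 'WSUS URL is plain HTTP; client-to-WSUS traffic is not encrypted'
    }
    return ,$problems
}

$server = Get-WsusServerFromIni -IniText $customSettings
if (-not $server) { throw 'WSUSServer is not set in CustomSettings.ini' }
$result = Test-WuaWsusPolicy -Expected $server
if ($result.Count -eq 0) { "WUA is pointed at $server" } else { $result }
```

If the registry values are missing after deployment, the BDD.LOG from that deployment is the place to see what ZTIWindowsUpdate.wsf did with the property.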

One other note: the new OS being deployed to the machine must be running a supported version of the Windows Update Agent (WUA).  Windows XP and Windows Server 2003 don't contain that needed version, so they need to be upgraded.  This will be done automatically by the script, downloading the files from the internet if necessary.  But it would be more efficient for you to download them in advance and place them where the script can find them.  Again from the documentation:

For additional information and for WUA deployment instructions, go to

You can obtain the latest version of the WUA stand-alone installer for:

Windows Vista and Windows Server 2008 include the most recent version of WUA, so no upgrade is necessary for these operating systems. In Windows XP and Windows Server 2003, one of the following will occur:

  • If the WUA 3.0 stand-alone installer files are in the TOOLS\architecture folder (where architecture is either x86 or x64) on the deployment point, MDT 2008 will automatically install WUA on the target computer.

    When downloading the WUA 3.0 stand-alone installer files, save them in the distribution\TOOLS\architecture folder (where distribution is the folder where the distribution point is created).
  • If the WUA 3.0 stand-alone installer files are not in the TOOLS\architecture folder on the deployment point and if the existing version of WUA is configured for a WSUS server, then WUA will attempt to update itself from a WSUS server. If the existing version of WUA is not configured for a WSUS server, then MDT 2008 will attempt to download and install WUA 3.0 from the Microsoft Update site. In this case, Internet access is required for the target computer.

So if you set WSUSServer and download the updated stand-alone installers, then the ZTIWindowsUpdate.wsf script will be able to update your computer without accessing the internet to do so.

Comments (10)
  1. I suppose it could, but the built-in ConfigMgr install updates pretty much does the same thing already (with ConfigMgr managing and controlling the WSUS server).


  2. That should do it.  Can you e-mail me the BDD.LOG from a deployment to see what it did?  (Make sure you really are running MDT 2008 Update 1 or later.)


  3. Anonymous says:


    When it connects to WSUS, does it only install the required updates, or does it try to install everything, including updates already installed?

  4. Anonymous says:

    But in case of the configmgr install updates, you need to enable and configure Software Updates in SCCM and create software update packages etc?

  5. Anonymous says:

    I am having a heck of a time figuring out why the WUA will not automatically install from my deployment point. The BDD log states the agent is about to install, gives the correct share name and platform exe. Then just sits tight there, not actually installing. As a test, I connected to the share name and manually installed the agent, restarted and it picked right up. Any ideas?

  6. Anonymous says:

    Ok…question, I’m trying to enable WSUS updates to be installed via MDT deployment.  I enable it in the task sequence, and make sure I’ve updated my customsettings.ini file with the following




    but when it runs, it pulls from the internet.  Upon investigating, I notice it's because it's not adding the registry entries to make it pull from my WSUS Server

    so, is there anything else I have to do, after I edit my customsettings.ini file and then update the WinPE boot image?  Anything else I need to do?  Any help would be great!  Thanks

  7. Anonymous says:


    As we discussed yesterday, you mentioned there were some bugs with the WindowsUpdate script. I thought I might bring up something I found, and the solution I found as well.

    After running WSUS, I tried going to but it failed when trying to install the Genuine validation stuff, I looked at the error log and came up with 0x80240fff. So I searched on the internet and came up with the following solution.

    regsvr32 %windir%\system32\wups2.dll

    That worked for me. Perhaps this is a bug?

  8. Yes, that would be needed.

  9. Anonymous says:

    Could this MDT feature to install all approved updates directly via WSUS (which is a very nice feature!!) also be used in SCCM OSD task sequences (so without Software Updates configured on the SCCM server)?
