Microsoft Deployment New Feature: Windows Update

One of the new tasks and scripts in the Microsoft Deployment Lite Touch Task sequence is called Windows Update. This task is disabled in the default task sequence for the Client Template. The task runs a script called ztiwindowsupdate.wsf. One item to note is that the current version of this script requires client access to the Internet and also does not support proxy authentication. However, if you meet those requirements, there are some really nice advantages to using this action. Here is a brief description of what actions this script performs.

This script will install and download updates from Windows Update and Microsoft Update over the Internet using the Windows Update Agent API. By default this feature is disabled in each Task Sequence; it must be manually enabled to run, and each computer must have a connection via proxy to the Internet. This script was designed to run on Windows XP, 2003, Vista, and should be compatible with Windows Server 2008 when released.


Most companies will already have established teams and infrastructures in place to patch newly deployed machines on the corporate network. This involves tracking the latest set of patches, drivers and updates available for each desktop configuration and determining which updates should be downloaded and installed for each configuration. If your company already has an established process, this script should not be necessary. For those teams who do not have established processes, yet wish to ensure that their images are updated when deployed, this script was designed to fill that need.


Microsoft Windows Update will automatically scan your machine and download a wide range of updates:

·         Windows Service Packs (for Windows XP, Windows 2003)

·         Many 3rd party Drivers have been placed on Windows Update, and will be automatically installed

·         Enhanced features for Windows Vista Ultimate

·         And the latest QFE (Quick Fix Engineering) patches for your System.

·         And more!


Tip: Many hardware manufacturers have placed their drivers on Windows Update. This means that you will no longer need to maintain those drivers in your “Out of Box Drivers” directory. You can experiment by removing drivers from your distribution share to see which ones are available on Windows Update. Note that if the drivers are not included with Windows by default, you should not remove “Networking” or “Storage” drivers, as the OS will require these drivers to boot and connect to Windows Update over the Internet.


Microsoft Update will automatically scan your machine and download a wide range of updates:

·         Updates for Microsoft Office

·         Updates for Exchange Server and SQL Server

·         Updates for Visual Studio

·         Some 3rd party (non-Microsoft) applications

·         And more!


ZTIWindowsUpdate.wsf is run multiple times during the deployment of an OS, during the state restore phase. First it is run after the OS has started for the first time. This ensures that the latest updates and service packs are installed prior to installation of any applications that might require dependencies. This can include the latest version of the .NET Framework, for example. ZTIWindowsUpdate.wsf is also run after the installation of applications, allowing Microsoft Update to ensure that the latest application service packs and updates have been applied. For example, Microsoft Update can ensure that the latest updates are applied to Microsoft Office 2003 or 2007.


It is possible that during installation of one or more components, Windows Update might need to reboot. This script is designed to automatically reboot and resume again if the Windows Update API requires it. If this script is run and determines that the machine is fully up to date, it will exit and continue. However, if the script still requires a reboot after 7 unsuccessful attempts to update the machine, ZTIWindowsUpdate.wsf will log an error.


Installation Processing

During runtime, ZTIWindowsUpdate.wsf will perform the following:

·         Will ensure that the latest version of the Windows Update API is installed on the machine.

·         Will ensure that the latest version of the Microsoft Update binaries are installed on the machine.

·         Will search the local machine using the default query: "IsInstalled = 0 and IsHidden = 0". This means that it will search for all updates that apply to the local machine that are not already installed, and may or may not be normally hidden.

·         For each update found, there will be an associated ID and a KBArticle

o   The ID will be in the GUID format, example: “67da2176-5c57-4614-a514-33abbdd51f67”

o   The KBArticle will be a numerical value: “987654”

·         The script will compare the ID and the associated KBArticle against a list of known exclusions:

o   WUMU_ExcludeKB – A list of KBArticles to exclude. Any Update with a KBArticle found in this list will not be installed.

o   WUMU_ExcludeID – A list of IDs to exclude. Any Update with an ID found in this list will not be installed.

o   In addition, any update that requires user input will be excluded, and not installed.

·         All updates that require a EULA to be approved are approved. Be sure to manually read and check each EULA before running this script in a production environment.

·         Each update is written to the log with the string “INSTALL” (if the update has been approved for installation) or “SKIP”, along with the Update ID, a short description of the update, and the KB article.

·         Then each update is downloaded and installed in batches.

·         A number of reboots may be required to continue installation.


Note: Internet Explorer 7.0 requires user interaction, so it is not installed by ZTIWindowsUpdate.wsf.

Note: By default you should include 925471 in your KB exclude list to prevent Windows Vista Ultimate from installing extra language packs.
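
The selection logic described in the list above, as an added PowerShell dry run that is not part of ZTIWindowsUpdate.wsf or Microsoft Deployment: it searches with the same default query, applies the exclusion checks, and reports INSTALL or SKIP without downloading or installing anything. The variables $ExcludeKB and $ExcludeID are hypothetical stand-ins for the WUMU_ExcludeKB and WUMU_ExcludeID lists; PowerShell 3.0 or later and a reachable update service are assumed.

```powershell
# Added example, not MDT code: dry run of the selection logic only.
# Nothing is downloaded or installed; the output is a review report.

# Hypothetical stand-ins for the WUMU_ExcludeKB / WUMU_ExcludeID lists.
$ExcludeKB = @('925471')   # KB number taken from the note above
$ExcludeID = @()           # update IDs (GUID strings) to skip; none here

# Windows Update Agent API, reached through its COM automation objects.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled = 0 and IsHidden = 0')  # default query from the post

$report = foreach ($update in $result.Updates) {
    $id  = $update.Identity.UpdateID
    $kbs = @($update.KBArticleIDs)   # an update can carry zero or more KB numbers

    # Same order of checks as the list above: ID, then KB, then user input.
    $reason = $null
    if ($ExcludeID -contains $id) {
        $reason = 'ID excluded'
    } elseif (@($kbs | Where-Object { $ExcludeKB -contains $_ }).Count -gt 0) {
        $reason = 'KB excluded'
    } elseif ($update.InstallationBehavior.CanRequestUserInput) {
        $reason = 'requires user input'
    }

    [pscustomobject]@{
        Action      = if ($reason) { 'SKIP' } else { 'INSTALL' }
        UpdateID    = $id
        KB          = $kbs -join ','
        Title       = $update.Title
        Reason      = $reason
        EulaPending = -not $update.EulaAccepted   # EULA an unattended run would accept
    }
}

# Full classification, then the updates whose EULA should be read beforehand.
$report | Sort-Object Action, Title | Format-Table -AutoSize -Wrap
$report | Where-Object { $_.Action -eq 'INSTALL' -and $_.EulaPending } |
    Select-Object Title, KB, UpdateID
```

Running this on a reference machine before enabling the task gives the list of updates and pending EULAs to review, and the IDs or KB numbers to add to the exclusion lists.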




During the typical lifecycle of the ZTIWindowsUpdate.wsf tool, you will want to periodically review the list of updates being installed by the tool to verify that each update meets your team's needs and expectations. All updates are logged and recorded in the ZTIWindowsUpdate.log file generated during deployment. Each update should indicate whether it was “INSTALLED” or whether the script “SKIP”ped installation of the update, along with the Update ID, the name, and the KB article associated with each update. If you come across an update that you wish to exclude, you can add that entry to your CustomSettings.ini file (for Lite Touch Installations).


For example, if you wish to exclude the installation of Windows Vista Language Packs, you would look up the line in the ZTIWindowsUpdate.log showing where the update was identified and installed, and select either the ID, or if present, the KB article number. In this case the KBArticle number for the Language Pack is 925471. Your Custom Settings would then contain the lines:




Comments (5)
  2. Anonymous says:

    WSUS support would have been nice.

  3. Anonymous says:

    We are looking into WSUS support now and will be including that support in the next release of Microsoft Deployment if not sooner.

  4. Anonymous says:

    Where can I find this script? I tried to find it, but it was impossible. I have a VBScript which is using the Windows Update Agent API, but it can only check the "Windows Update" web site and could not check "Microsoft Update". I was using the "Microsoft.Update.Session" COM. By default the system checks updates in "Microsoft Update", but the script doesn’t.
