For a while now we’ve been deploying Windows 7 on the network using the Microsoft Deployment Toolbox, and it generally works well. However, some of the images we deploy are now about a year old, and a year is a long time in the wonderful world of Microsoft Critical And Security Updates, and so having deployed a new PC there’s still a good hour’s worth of install-reboot-install-reboot-install “fun” with the updates. I decided it was time to start rolling the updates into the images.
One way is via the command line, as documented here, which is good for “live” WIMs and if you’ve only a few to do. However, this way uses the MDT and WSUS to inject the updates as Windows 7 is installed.
Firstly, you’re going to need to get the updates into MDT. Unfortunately, Microsoft doesn’t provide a big “download ALL the cab files” button, so you have to import them all manually. Thankfully, if you have WSUS on your network, you’ve already got them all (assuming you’ve approved them and synced WSUS, anyway).
In the packages folder in your deployment share, create a new folder to house them all. You don’t have to, but I wanted to be neat and show where they all came from. Now, right-click the folder and choose “Import OS Packages”.
Browse to (or type in) the path of your WSUSContent folder. This is probably \\wsusserver\wsuscontent, if you chose the defaults when you installed WSUS. Click Next, and it’ll import all the cab files. This may take a long time – especially if you’ve multiple architectures and OSes to deal with! You may also get a few errors about some of the cab files not appearing to be updates or patches – that’s fine.
All being well, your created packages folder will now be bursting at the seams with updates.
(Note: if you don’t have WSUS, you can also point this importer at the C:\Windows\SoftwareDistribution\Download folder of a fully updated PC – it won’t get all the updates available, especially if you have other architecture PCs and/or MS software elsewhere, but it’s a start. And you could point it at the same folder on multiple different PCs too.)
Now you need to ensure that these updates get squeezed into the PC at install time. Go into the Task Sequence for each of your OS deployments, and check the Preinstall > Apply Patches setting.
Make sure this option is enabled, and that Selection Profile is set to All Packages. You can create different profiles if necessary in the Advanced Configuration > Selection Profiles part of your Deployment Share in MDT, but I didn’t.
That’s it! Next time you deploy an OS, it’ll take a bit longer as the updates are installed prior to the first reboot, but it’s much quicker (and automatic!) this way. Just remember to periodically re-import the WSUS updates as new updates are released, approved, and downloaded. You’ll probably find there are still a handful of updates that didn’t get installed this way, but it should be far, far fewer than normal.
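The periodic re-import can be scripted with MDT's PowerShell module instead of the right-click import. The following is an added example, not part of the original post. The module path, the share root D:\DeploymentShare, the drive name DS001 and the folder name "WSUS Updates" are assumptions to adjust for your environment.

```powershell
# Added example: re-import WSUS content into an MDT deployment share.
# Assumed values (not from the original post): module path, share root,
# PSDrive name and package folder name. The WSUS path is the post's default.
$MdtModule   = 'C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1'
$ShareRoot   = 'D:\DeploymentShare'
$DriveName   = 'DS001'
$Folder      = 'WSUS Updates'
$WsusContent = '\\wsusserver\wsuscontent'

$ErrorActionPreference = 'Stop'
Import-Module $MdtModule

# Fail early if the WSUS content share is unreachable, rather than
# reporting a "successful" run that imported nothing.
if (-not (Test-Path -Path $WsusContent)) {
    throw "Cannot reach WSUS content folder: $WsusContent"
}

# Mount the deployment share through the MDT provider if not already mounted.
if (-not (Get-PSDrive -Name $DriveName -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $DriveName -PSProvider MDTProvider -Root $ShareRoot | Out-Null
}

# Create the dedicated packages folder on first run.
$target = "${DriveName}:\Packages\$Folder"
if (-not (Test-Path -Path $target)) {
    New-Item -Path "${DriveName}:\Packages" -Name $Folder -ItemType 'folder' `
        -Enable 'True' -Comments 'Imported from WSUSContent' | Out-Null
}

$before = @(Get-ChildItem -Path $target).Count

# Cab files that are not OS updates raise errors during import (expected,
# as the post notes). Collect them instead of stopping the run.
Import-MDTPackage -Path $target -SourcePath $WsusContent `
    -ErrorAction Continue -ErrorVariable importErrors -Verbose

$after = @(Get-ChildItem -Path $target).Count

# One summary line per run, suitable for a scheduled-task log.
'{0} packages before={1} after={2} new={3} import_errors={4}' -f `
    (Get-Date -Format s), $before, $after, ($after - $before), $importErrors.Count
```

Run it as a scheduled task after your WSUS approval cycle; a run that reports `new=0` for several weeks in a row suggests that approvals or synchronisation have stalled and that newly deployed machines are falling behind on patches.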