Injecting Windows Updates into install WIM files via MDT

For a while now we’ve been deploying Windows 7 on the network using the Microsoft Deployment Toolbox, and it generally works well. However, some of the images we deploy are now about a year old, and a year is a long time in the wonderful world of Microsoft Critical And Security Updates, and so having deployed a new PC there’s still a good hour’s worth of install-reboot-install-reboot-install “fun” with the updates. I decided it was time to start rolling the updates into the images.

One way is via the command line, as documented here, which is good for “live” WIMs and if you’ve only a few to do. However, this way uses the MDT and WSUS to inject the updates as Windows 7 is installed.

Firstly, you’re going to need to get the updates into MDT. Unfortunately, Microsoft doesn’t provide a big “download ALL the cab files” button, so you have to import them all manually. Thankfully, if you have WSUS on your network, you’ve already got them all (assuming you’ve approved them and synced WSUS, anyway).

In the packages folder in your deployment share, create a new folder to house them all. You don’t have to, but I wanted to be neat and show where they all came from. Now, right-click the folder and choose “Import OS Packages”.

Browse (or type in) the address of where your WSUSContent folder is. Probably \\wsusserver\wsuscontent, if you chose the defaults when you installed WSUS. Click next, and it’ll import all the cab files. This may take a long time – especially if you’ve multiple architectures and OSes to deal with! You may also get a few errors about some of the cab files not appearing to be updates or patches – that’s fine.

All being well, your created packages folder will now be bursting at the seams with updates.

(Note: if you don’t have WSUS, you can also point this importer at the C:\Windows\SoftwareDistribution\Download folder of a fully updated PC – it won’t get all the updates available, especially if you have other architecture PCs and/or MS software elsewhere, but it’s a start. And you could point it at the same folder on multiple different PCs too.).

Now you need to ensure that these updates get squeezed into the PC at install time. Go into the Task Sequence for each of your OS deployments, and check the Preinstall > Apply Patches setting.

Make sure this option is enabled, and that Selection Profile is set to All Packages. You can create different profiles if necessary in the Advanced Configuration > Selection Profiles part of your Deployment Share in MDT, but I didn’t.

That’s it! Next time you deploy an OS, it’ll take a bit longer as the updates are installed prior to the first reboot, but it’s much quicker (and automatic!) this way. Just remember to periodically re-import the WSUS updates as new updates are released, approved, and downloaded. You’ll probably find there are still a handful of updates that didn’t get installed this way, but it should be far, far fewer than normal.

27 thoughts on “Injecting Windows Updates into install WIM files via MDT”

  1. We in the techno scene have a saying: “Last night a DJ saved my life”.

    Well here in the IT scene, you are my DJ and you have just saved my life!

    1. It will import all the updates available on WSUS into the deployment share, but it will only install those suitable for the image when you actually deploy.

      That is, no – you won’t end up with W2K8 updates installed on your Win 7 machine.

  2. You cannot install updates in cab format (imported from WSUS) in Apply Patches phase during deployment. There is an error during performing task sequence. You can only apply patches in msu format

  3. I’m not sure that’s true, since it works. However, you could add the “Install Updates Offline” task directly after the Apply Patches” task if it isn’t working for you.

  4. After Placing the windows updates into the Packages container from my WSUS server/Content folder & following the steps above. I’m still unable to squeeze the Windows updates into my WIM files. The System only perform windows updates after the PC has finished imaging. Can you please Help?

  5. As I said in a previous post – try this too: “add the “Install Updates Offline” task directly after the Apply Patches” task if it isn’t working for you.”

  6. Thanks for your replied, but I already tried; no joy.

    But I get the error when loading MDT: Failure (5627): -2146498514 0x800F082E: Run MISM.exe
    Litetoch deployment failed return Code = -2147467259 0x8004005

    Can you please help?

  7. Hello, I tried to use your method of including updates to my MDT share but when I use my \\Wsus\WsusContent folder, I I am seeing 71 errors about skiping invalid, what is the problem?

    1. It could be a number of things – the update isn’t compatible, or can’t be installed from a CAB file. Unless every single update gives you that error, I shouldn’t be too concerned.

  8. @Alexandr

    To make sure, check every single update marked as “Skipping invalid CAB file …path” it tells you where to look at.

    You check inside your cab opening it if it’s for example a language that you don’t take in account. Verify a dozen like that and if nothing is wrong, assume everything is fine

    1. I don’t think so. WDS arranges them differently so can’t just use the same store. You can script it so that after Windows is deployed it pulls the updates from WSUS though, assuming you’ve got an Active Directory domain that the deployed machine joins and you can create a group policy for Windows Updates for it.

  9. From what I see on Microsoft’s site, when you manually download specific updates you want, for Windows 7, they are in the .msu format. Do I just download those and import those files into my Packages folder? My company does not want free-range updates, we have to pick and choose which will work for us and weed out the rest. So, how do you get CAB files vs msu files?

  10. Is there a way to limit the contents from the wsuscontents folder? I tried to create the package of updates, but ended up with thousands of items. I want to restrict to Win7 x64 security patches. I asked my Wsus contact and they weren’t sure. Oddly, if one adds the wsus in the task sequence process, MDT can figure out what is needed. Just the packaging import process wants to pull everything in.

    1. Unless you know what each update is for, I don’t think so, sadly. You could set up a separate WSUS server that ONLY downloads Win7 x64 patches, and import from there, perhaps?

  11. Here is what I do, and in the long run it saves more time. Create a VM deploy Windows 7×64 to that VM. In the deployment have it run windows updates before and after app install. This will run WU twice. You could of course copy and paste the Update Task and have it run as many times as you want, because some updates only show up after some others are installed. Then I have MDT capture that image. I now use that image as my base image, and I update it every month or two. From now on every computer you image will already be fully updated, it is quicker than updating the images as you push them out. You will also no longer need to add updates to MDT every month.

    If you still want to include the updates in MDT, then I suggest that you use the tools I listed above to download the updates because you can limit which updates are downloading.

    http://www.windowsupdatesdownloader.com/ http://download.wsusoffline.net/

    1. Jeff,

      You cannot capture an image with MDT without syspreping the computer(to the best of my knowledge) When I create one of these base images to will all my windows updates I never install any software.

      Steve

Leave a Reply