Add WSUS Target Group option to MDT deployments
Note: This blog post is also posted on my personal blog – https://itmicah.wordpress.com
One of the great features you get when deploying a Windows operating system using my favorite deployment tool, the Microsoft Deployment Toolkit (MDT), is the ability to update the OS using either Windows Update or a local WSUS server. The latter is obviously preferred because it’s a lot quicker and you have better control over what updates you want to install. WSUS has a feature called target groups, which you can use to manage update approvals for a group of computers. This way you’ll be able to approve or decline specific updates for Remote Desktop Session Hosts, Exchange servers and so on. While MDT lets you specify a WSUS server to get updates from, there’s no way to specify the target group you want to receive updates from. Let’s fix that, shall we?
How to create a variable
First you’ll have to create a new task sequence variable called TargetGroup. This can be done by altering CustomSettings.ini. You can either open the file directly from the Control folder of your deployment share, or right-click the deployment share in the Deployment Workbench console, choose Properties and go to the Rules tab. All the way at the top you’ll find the Settings section. There you’ll find a property called Properties. By adding TargetGroup as a value the variable will be created. You can create more variables by separating them with a comma. The result should look like this:

    [Settings]
    Priority=Default
    Properties=TargetGroup

Now that you have made the variable available you can give it the appropriate value. We’ll cover two methods of accomplishing this:
- Using CustomSettings.ini. Use this technique if your deployment share only requires one target group or if you have multiple sections defined for machine deployments.
- Editing the Task Sequence. Use this technique if you need to have a different target group per task sequence.
1. Using CustomSettings.ini
You can set the value of the variable in the section of your choice. In this example we only have the Default section available so we’ll put it in there.

    [Settings]
    Priority=Default
    Properties=TargetGroup

    [Default]
    TargetGroup=Terminal Servers

If you have multiple sections set up in your ini file, for instance MAC address sections, you can set different values per section.
2. Editing Task Sequence
Open the properties of the task sequence and go to the Task Sequence tab. Click on Add – General – Set Task Sequence Variable.
Enter TargetGroup in the Task Sequence Variable textbox and the name of your target group in the Value textbox. You can also edit the name if you like. Click Apply when you’re done and voilà, you’re done.
Editing the MDT update script
Now that we have our brand new variable set up it’s time to let MDT know what to do with it. Open Windows Explorer and go to your deployment share’s Scripts folder. Open the ZTIWindowsUpdate.wsf file in your favorite editor (I like Notepad++) and look for the Configure Windows Update settings section. It’s usually around line 555. Add the following lines in the first IF statement:

    If oEnvironment.Item("TargetGroup") <> "" then
        oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetGroup", oEnvironment.Item("TargetGroup"), "REG_SZ"
        oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetGroupEnabled", 00000001, "REG_DWORD"
    End if

The end result should look like this:

    '//----------------------------------------------------------------------------
    '// Configure Windows Update settings
    '//----------------------------------------------------------------------------

    If oEnvironment.Item("WsusServer") <> "" then

        ' Configure the WSUS server in the registry. This needs to be a URL (e.g. http://myserver).

        oLogging.CreateEntry "Configuring client to use WSUS server " & oEnvironment.Item("WsusServer"), LogTypeInfo

        oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer", oEnvironment.Item("WsusServer"), "REG_SZ"
        oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer", oEnvironment.Item("WsusServer"), "REG_SZ"

        If oEnvironment.Item("TargetGroup") <> "" then
            oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetGroup", oEnvironment.Item("TargetGroup"), "REG_SZ"
            oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetGroupEnabled", 00000001, "REG_DWORD"
        End if

    End if

Save the file and you’re done! In my next post I’ll get into creating a Windows Update custom wizard page so you can be more flexible with updates during deployments.
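
To confirm on a freshly deployed machine that the modified script wrote the expected policy values, you can run a check like the one below. This is an added example, not part of the original post or of MDT itself; the function name Test-WsusTargetGroup and the sample server URL and group name are assumptions used for illustration.

```powershell
# Added example: verify the Windows Update policy values written by the
# modified ZTIWindowsUpdate.wsf. Test-WsusTargetGroup is a hypothetical helper.
function Test-WsusTargetGroup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ExpectedGroup,
        [Parameter(Mandatory)][string]$ExpectedServer,
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # No policy key at all means the WsusServer branch of the script never ran.
    if (-not (Test-Path -LiteralPath $PolicyPath)) {
        $findings.Add("Policy key $PolicyPath does not exist")
        return [pscustomobject]@{ Compliant = $false; Findings = $findings }
    }

    $policy = Get-ItemProperty -LiteralPath $PolicyPath

    # WUServer and WUStatusServer are both written from the WsusServer variable.
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = $policy.$name
        if ($value -ne $ExpectedServer) {
            $findings.Add("$name is '$value', expected '$ExpectedServer'")
        }
    }

    # The client only reports TargetGroup when TargetGroupEnabled is 1.
    if ($policy.TargetGroupEnabled -ne 1) {
        $findings.Add("TargetGroupEnabled is '$($policy.TargetGroupEnabled)', expected 1")
    }
    if ($policy.TargetGroup -ne $ExpectedGroup) {
        $findings.Add("TargetGroup is '$($policy.TargetGroup)', expected '$ExpectedGroup'")
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Constructed sample values; replace with your own WSUS URL and target group.
$result = Test-WsusTargetGroup -ExpectedGroup 'Terminal Servers' -ExpectedServer 'http://myserver'
$result.Findings | ForEach-Object { Write-Warning $_ }
$result.Compliant
```

The registry values only take effect when the WSUS server is configured for client-side targeting (Options, Computers, "Use Group Policy or registry settings on computers"), and the group named in TargetGroup has to exist on the server already.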