Add WSUS Target Group option to MDT deployments

Note: This blog post is also posted on my personal blog – https://itmicah.wordpress.com

One of the great features you get when deploying a Windows operating system using my favorite deployment tool, the Microsoft Deployment Toolkit (MDT), is the ability to update the OS using either Windows Update or a local WSUS server. The latter is obviously preferred because it’s a lot quicker and you have better control over which updates get installed. WSUS has a feature called target groups, which you can use to manage update approvals for a group of computers. This way you’ll be able to approve or decline specific updates for Remote Desktop Session Hosts, Exchange servers and so on. While MDT lets you specify a WSUS server to get updates from, there’s no way to specify the target group whose updates you want to receive. Let’s fix that, shall we?

How to create a variable

First you’ll have to create a new task sequence variable called TargetGroup. This is done by editing CustomSettings.ini. You can either open the file directly from the Control folder of your deployment share, or right-click the deployment share in the Deployment Workbench console, choose Properties and go to the Rules tab. All the way at the top you’ll find the Settings section, which contains a property called Properties. Adding TargetGroup as a value creates the variable. You can create more variables by separating them with a comma. The result should look like this:

[Settings]
Priority=Default
Properties=TargetGroup

Now that you have made the variable available you can give it the appropriate value. We’ll cover two methods of accomplishing this:

  1. Using CustomSettings.ini. Use this technique if your deployment share only requires one target group or if you have multiple sections defined for machine deployments.
  2. Editing the Task Sequence. Use this technique if you need to have a different target group per task sequence.

1. Using CustomSettings.ini

You can set the value of the variable in the section of your choice. In this example we only have the Default section available, so we’ll put it in there.

[Settings]
Priority=Default
Properties=TargetGroup

[Default]
TargetGroup=Terminal Servers

If you have multiple sections set up in your ini file, for instance MAC address sections, you can set different values per section.

2. Editing Task Sequence

Open the properties of the task sequence and go to the Task Sequence tab. Click on Add – General – Set Task Sequence Variable.

[Screenshot: TaskSequenceVariable]

Enter TargetGroup in the Task Sequence Variable textbox and the name of your target group in the Value textbox. You can also edit the name if you like. Click Apply when you’re finished and voilà, you’re done:

[Screenshot: TS-TargetGroup]

Editing the MDT update script

Now that we have our brand new variable set up, it’s time to let MDT know what to do with it. Open Windows Explorer and go to your deployment share’s Scripts folder. Open the ZTIWindowsUpdate.wsf file in your favorite editor (I like Notepad++) and look for the Configure Windows Update settings section. It’s usually around line 555. Add the following lines in the first IF statement:

If oEnvironment.Item("TargetGroup") <> "" then
 oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetGroup", oEnvironment.Item("TargetGroup"), "REG_SZ"
 oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetGroupEnabled", 00000001, "REG_DWORD"
End if

The end result should look like this:

'//----------------------------------------------------------------------------
'// Configure Windows Update settings
'//----------------------------------------------------------------------------

If oEnvironment.Item("WsusServer") <> "" then

   ' Configure the WSUS server in the registry. This needs to be a URL (e.g. http://myserver).

   oLogging.CreateEntry "Configuring client to use WSUS server " & oEnvironment.Item("WsusServer"), LogTypeInfo

   oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer", oEnvironment.Item("WsusServer"), "REG_SZ"
   oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer", oEnvironment.Item("WsusServer"), "REG_SZ"

   If oEnvironment.Item("TargetGroup") <> "" then
      oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetGroup", oEnvironment.Item("TargetGroup"), "REG_SZ"
      oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetGroupEnabled", 00000001, "REG_DWORD"
   End if

End if

Save the file and you’re done! In my next post I’ll get into creating a Windows Update custom wizard page so you can be more flexible with updates during deployments.
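
To confirm on a deployed machine that the modified script wrote what you intended, here is a PowerShell check of the four policy values involved (an added example, not part of the original post or of MDT). The function name Test-WsusTargeting and the default group name 'Terminal Servers' are assumptions taken from the CustomSettings.ini sample above.

```powershell
# Added example: verify the WSUS policy values written by ZTIWindowsUpdate.wsf.
param(
    # Assumption: the group name set as TargetGroup in CustomSettings.ini
    [string]$ExpectedGroup = 'Terminal Servers'
)

function Test-WsusTargeting {
    param(
        [string]$ExpectedGroup,
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    )
    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if (-not $p) { return @("Policy key not found: $Path") }

    $issues = @()
    if (-not $p.WUServer) {
        $issues += 'WUServer is not set (WsusServer was empty during deployment)'
    } else {
        # The MDT script writes the same URL to both values
        if ($p.WUStatusServer -ne $p.WUServer) {
            $issues += "WUStatusServer '$($p.WUStatusServer)' differs from WUServer '$($p.WUServer)'"
        }
        if ($p.WUServer -match '^http://') {
            $issues += "WUServer '$($p.WUServer)' uses plain HTTP, so update traffic is not protected by TLS"
        }
    }
    if ($p.TargetGroupEnabled -ne 1) {
        $issues += 'TargetGroupEnabled is not 1: client-side targeting is off'
    }
    # The policy value may hold several group names separated by semicolons
    $groups = @("$($p.TargetGroup)" -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($groups -notcontains $ExpectedGroup) {
        $issues += "TargetGroup is '$($p.TargetGroup)', expected '$ExpectedGroup'"
    }
    return $issues
}

$result = @(Test-WsusTargeting -ExpectedGroup $ExpectedGroup)
if ($result.Count -eq 0) {
    Write-Output "OK: WSUS target group '$ExpectedGroup' is configured"
} else {
    $result | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

The registry values only take effect when the WSUS server is set to take computer group assignment from Group Policy or registry settings, and the named group already exists on the server.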