Publishing A ConfigMgr Update List to WSUS for use with Microsoft Deployment Toolkit (MDT) Lite-Touch Builds
I’ve been meaning to blog about this for awhile now, but just haven’t had the time. I got a kick in the pants at MMS 2011 this year when Keith Garner mentioned this during one of his sessions (BE32), thanks Keith. I had a client send me the following link from an older post on The Deployment Guys blog.
Original blog post by Aly Shivji
It basically amounted to, hey this is pretty cool, can you figure out how it works and then blog about it so I can implement it in my environment.
Sure I can…..
First the end result of having this script added to your environment. A new right-click option!
Once it’s all configured and ready to go, you up with a nifty right-click in the ConfigMgr console that lets you take an Update List and publish those specific updates to your stand-alone WSUS server. This allows you then use that WSUS server for your Lite-Touch builds.
By default MDT LTI lets you either pull updates from Microsoft Update or from a local WSUS server. You can do exclusions (WUMU_ExcludeID and WUMU_ExcludeKB), but it’s never been super easy. A major gripe from clients has always been that I’m using ConfigMgr to deploy my images, so why can’t I use the updates I’ve already approved/arranged in ConfigMgr? Well, using this you pretty much can.
I implemented it as described in the original post, but had a few issues. It wasn’t publishing my updates as expected and I kept getting errors. Well it turns out the script was expecting WSUS to be on the standard port (80), however being a ConfigMgr guy, I just have a habit of always setting up WSUS on port 8530, which the script didn’t like since it was looking for it on port 80. I also might have targeted the wrong server a few times, not that I would ever do such a thing. It happens.
I’m not the GodFather, so my PowerShell force is not very strong. So I decided to phone a friend, Keith Garner. His PowerShell force is quite strong, he’s also one of the main developers on MDT. I figured he could help me
What we, err, I mean Keith added was the ability to specify the configured port, then we cleaned up the script a bit so it was easier to modify the values you needed. So there is a section in the script you just need to modify the following section in the script and then you should be good to go. So Keith worked his scripting magic and then I worked my testing magic.
#configure these values
$updateServer = "2008-CONFIGMGR2"
$updatePort = "8530"
#end value configuration
Can I use my ConfigMgr Software Update Point?
The original post says not to use a SUP WSUS server. I’m not sure on the reasoning behind it and I haven’t tested using one. I had another server I could easily configure for the stand-alone WSUS Server. So you are welcome to try it, but it’s recommend that you use a separate server for hosting the WSUS updates.
How do I install the necessary files?
Just download the attached updated script file. I’ve included the paths in the archive (for a 64-bit server) so you just need to extract them out and then reopen your ConfigMgr console and you should see the right-click available to you. If you have a 32-bit server, you will need to move the xml to the appropriate path.
OSD.LifeCycle.PublishToWSUS.xml goes in:
C:\Program Files (x86)\Microsoft Configuration Manager\AdminUI\XmlStorage\Extensions\Actions\a7252c9e-3137-49a4-a8f2-13d17bb8abd0
ApproveUpdatesToWSUS.ps1 goes in:
What do I need to configure in MDT Lite-Touch?
First you need to add the variable WSUSServer=http://servername to your customsettings.ini You will also need to specify the port if not configured on port 80.
In your Task Sequence, you need to enable the Windows Update steps. You can just use one step or both, depending on your preference and what you are all doing in your reference build process.