MDT Packages: Adding Security Updates

So instead of using Microsoft Catalog, or anything else, there is an easy way to add packages.

For starters you will need to grab a copy of WUA_SecurityOffline.vbs that I have customized using the information from Using the Windows Update Agent API.

Second you will need an updated copy of  You can get this from Microsoft at  Keep in mind that this file changes frequently and it is recommended that you always grab a new copy.

Make sure you have both of these files in the same directory and copy them down to one of your Images.  In my screenshot, I have a step in my Task Sequence to open Notepad as soon as the system has left WinPE and before anything else in the Task Sequence is run.  I placed both files in the root of the C Drive.  From there I will open an Admin Command Prompt and run cscript WUA_SecurityOffline.vbs

6-22-2015 11-13-01 AM

The next step is to let it run its course.  It should find some updates and ask if you want to download them.  Just press Y and Enter.

6-22-2015 11-13-42 AM

You will be prompted again after the Downloads have finished, asking if you want to install the updates.  No need if we are going to just add them to MDT Packages.

6-22-2015 11-14-50 AM

Additionally in C:\Windows\SoftwareDistribution\Download you will have several new directories and files.  If you do a search for *.cab it will locate the updates that were downloaded.

6-22-2015 11-15-17 AM

Now copy all of these files off your image . . . and import these CAB files in MDT Packages.  Be aware that CAB files that have the word Express should NOT be added to MDT.  While they will import properly, DISM in WinPE will fail when trying to apply the Express Updates.

6-22-2015 11-16-07 AM

Don’t forget to update your Selection Profile to include these packages.

6-22-2015 11-16-59 AM

Now your deployments should have the proper Security Updates installed automatically at OS Deployment.  Using this method is much easier than using the Microsoft Catalog, with less possibility for making mistakes.

Be aware that some updates will not work as these are not CAB based updates, but EXE based.  This is notable with Silverlight and Windows Malicious Software Removal Tool.  Not to worry, you can just add these as Applications.

6-22-2015 12-05-02 PM