The Deployment Guys

Helping to deploy your world automagically...

Managing Windows Updates


When creating a new operating system WIM image with MDT, one of the things that you should always examine is which new Windows updates you will include; my recommendation has always been to make sure that the image is as up-to-date as possible with all the released Windows updates for the operating system you are going to deploy.  During the testing phase of the image you create, you will be able to identify and catch any possible problems that an update may cause.  I believe that this is a better approach to patching than testing and then deploying each individual update as it is released, because it requires less time and work from you but still ensures that an update will not cause problems.

With MDT you add the updates to the workbench (as you can see in the screenshot below) and MDT will install them at the correct point in the installation process, couldn't be simpler!

Note: MDT expects the updates in the MSU format, whereas BDD wants the MSI format.


However, what is not a simple task is the actual job of identifying and downloading all the updates in the first place so that they can be included in MDT.  There are several ways to attack this job:

  • Install a base Windows XP machine and run Windows Update on it, then note down by hand all of the KB numbers that appear in the list.  You need to be aware that some updates have dependencies on others, so they will not appear in the list until you have installed the update they require.  This means that you will need to run Windows Update several times on the computer until no new updates are detected.
    Then, go to and search for each KB article, follow the link to the page and download the file(s).  This is a very slow and laborious task, especially if you have a lot of them to download.
  • Only install the service packs when they are released because they contain all previous updates.  This will leave your computer image missing many critical updates for long periods of time because the intervals between service packs are so great, so I would not recommend this approach.  Also, what happens after the final service pack for Windows XP is released, will you not patch any further...?
  • Use the Windows Update task from the MDT task sequence.  This task will automatically run Windows Update during the execution of the task sequence to ensure that your build is up-to-date.  Unfortunately, it does not yet support proxy servers, so it is sometimes not a viable choice.
  • Update the operating system post-deployment via SMS or the Automatic Updates service.  This is the simplest option, although it exposes your systems to unnecessary risk until they are fully patched.

All of the methods above will allow you to complete an operating system deployment containing all the latest updates; however as I mentioned above, they all have their drawbacks.  The method I have always used is the first one, as it was the only sure way to have all the required updates, but the job is a slow and tedious one.  A slightly faster way is to use the site to download the updates as this lets you create a 'shopping basket' and then download them all at once; which is a marginally quicker way to do it but it is still slow.


I recently completed a project to create a set of Windows XP images, and the client wanted the images to contain Service Pack 2 plus all current critical updates (Service Pack 3 was still in beta at the time).  One of the first steps I took was to create the list of KB articles for the updates I would have to download (via the Windows Update method in the list above), and it came out at almost 200 KB articles!  At the thought of a day's work ahead of me clicking around the Microsoft website, I decided to find out if there was an easier way to do this as I did not relish the thought of sitting at my computer to download each and every file manually.

After searching around, both internally at Microsoft and externally via, it became clear that there is not a Microsoft solution to this problem.  However, all was not lost because it seems that someone else had come across the same problem and created a solution for it.  Windows Updates Downloader will allow you to download all updates since the last service pack for the system that you choose.  As you can see from the image below, it currently lists Service Pack 3 and all the post-SP3 updates that have been released, which are not that many at the time of writing this post although the list is bound to grow somewhat in the future.



This tool has saved me hours of work and is now a permanent fixture in my array of deployment tools!  Go find out more information about it here:  By the way, I must mention that this is not a Microsoft product and that I am not endorsing it in any way.  All and any problems or issues related to it should be directed to the author, not Microsoft.


This post was contributed by Daniel Oxley, a consultant with Microsoft Services Spain.

  • Thanks for this info Daniel, I would have continued with the same old manual process had it not been for this post!

  • I can't find the download link at that site. What am I doing wrong?

  • You mentioned Windows SP3 in your posting above.  Any guidance you can offer on a recommended installation procedure for the ~344mb executable?  Should this be applied in MDT via Applications, OS Packages, or elsewhere?

    Others feel free to chime in...

  • 2 Razor: go to Program Files link at the left

  • Until the release I was doing it as an update. Friday I slipstreamed the update into my volume license media and created the task sequence with the slipstreamed media. Just don't try to slipstream it on a Vista PC - XP only.

    Working fine as far as I can tell. :)

  • Is it company policy not to endorse great tools not written in house? ;)

  • Would you recommend this over WSUS?

  • Nice find Daniel!  It only seems to bring down the EXE files.  Is there a way to get the MSU files or somehow I can package the EXE files as MSU files?  Would be nice to add them as OS Packages but if need be I can run them as Applications.

  • Hi,

    I'm trying to add Windows XP updates to the OS Packages section in MDT08. I noticed in your post that you have said you need to apply the updates in .msu format for MDT to properly detect them. My question is how do you convert the downloaded updates from Microsoft to .msu format?



  • Hello,

    I want to add additional Windows XP updates to the OS Packages section of MDT but I can't seem to find a tool or a guide to convert the standard downloaded updates to the required format?

    I have tried extracting them and then pointing MDT to the extracted location with no success

  • Given that MDT requires files in MSU format for OS  packages, I guess that means it's only useful for vista/2008 no? and that Andrea's method is still probably best for XP/2003

  • @GreatBarrier86

    WSUS is a tool for downloading and distributing patches.  The tool I refer to in my blog post simply allows you to automate the download of many patches; it will not do the distribution.



  • @MWEST


    All the program does is download the file(s) that appear on the KB support page.  So, if Microsoft have packaged them in format .exe then that is how they will download.  The vast majority will be in either MSI or MSU.


  • @Steve Collins, Scollins01 & Nathan

    You can't convert MSIs to MSUs, nor vice versa, so I am afraid that a converter does not exist.

    You'll need to either break open the MSI to get the internal files (if possible) with the /a option, or install the package(s) via a script using MSIEXEC.EXE /I

    Because MDT requires the updates in MSU format, you'll need to either install them using a script or use BDD2007 to install the MSI files.

    It is a useful tool for XP as well, it just depends on how you deploy the updates.  Although you might not be able to install them via OS Packages, you could still install them with a script.

    Finally, don't forget that you can extract the contents of an MSU in order to add the CAB files to BDD using the command: expand -F:* MSU_File.msu c:\ExtractFolder
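
An added example, not part of the original post or its comments and not code from Microsoft or the downloader's author: because the update files discussed here are fetched in bulk by a third-party tool, this PowerShell script checks each file's Authenticode signature before staging it, then extracts MSU files with the expand command quoted in the comment above. The folder paths and the function name Test-MicrosoftSignature are assumptions made for illustration.

```powershell
# Added example. $Source and $Staging are assumed paths; adjust to your environment.
param(
    [string]$Source  = 'C:\UpdateDownloads',   # hypothetical folder the downloader wrote to
    [string]$Staging = 'C:\ExtractFolder'      # extraction root, as in the comment above
)

function Test-MicrosoftSignature {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the file hash matches and the chain builds to a trusted root.
    # The subject check is only meaningful together with a Valid status.
    $sig.Status -eq 'Valid' -and
        $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation'
}

$files = Get-ChildItem -Path $Source -File |
    Where-Object { $_.Extension -in '.msu', '.msi', '.exe' }

$plan = foreach ($file in $files) {
    if (-not (Test-MicrosoftSignature $file.FullName)) {
        # Unsigned, tampered or non-Microsoft files never reach the image.
        [pscustomobject]@{ File = $file.Name; Action = 'REJECTED: signature check failed' }
        continue
    }
    switch ($file.Extension.ToLower()) {
        '.msu' {
            $dest = Join-Path $Staging $file.BaseName
            New-Item -ItemType Directory -Path $dest -Force | Out-Null
            & expand.exe '-F:*' $file.FullName $dest | Out-Null
            $result = if ($LASTEXITCODE -eq 0) { "Extracted to $dest" } else { 'expand.exe failed' }
            [pscustomobject]@{ File = $file.Name; Action = $result }
        }
        '.msi' { [pscustomobject]@{ File = $file.Name; Action = 'Install by script: MSIEXEC.EXE /I' } }
        '.exe' { [pscustomobject]@{ File = $file.Name; Action = 'Install by script (executable package)' } }
    }
}

$plan | Format-Table -AutoSize
```

Any file listed as REJECTED should be downloaded again from its KB page and rechecked before it goes into the build.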



  • When I was downloading updates from Windows Update Catalog (Vista), I just pointed to the download folder from the MDT workbench and it brought in the packages and extracted what it needed in the right format in OS Packages components. It was a while ago. I'm now working with XP SP3 and there are too many updates I need to worry about, and I have WSUS to handle anything I don't get.

