Microsoft Deployment Toolkit contains a script named ZTIWindowsUpdate.wsf that can be enabled to run during Lite Touch OS deployments.  By default, it will talk to the Microsoft Update site on the internet to get the latest updates needed for your Windows OS and Microsoft applications like Office.  But you might not want all of the machines you deploy doing that.  So with MDT 2008, we added the ability to install updates from a WSUS server.  The "Toolkit Reference" document describes the basic process:

MDT 2008 can also configure WUA to collect updates from computers on the corporate network that are running WSUS instead of connecting to Microsoft Updates over the Internet. MDT 2008 can optionally configure WUA to use a specific computer running WSUS using the WSUSServer property.

But the actual description of the WSUSServer property, and a sample of how to set it, was accidentally left out of the documentation.  This needs to be configured via CustomSettings.ini by adding an entry that looks like this:

WSUSServer=http://mywsusservername

With that set, the ZTIWindowsUpdate.wsf script will automatically configure the Windows Update Agent to talk to this WSUS server instead of using Microsoft Update.

One other note: the new OS being deployed to the machine must be running a supported version of the Windows Update Agent (WUA).  Windows XP and Windows Server 2003 don't contain that needed version, so they need to be upgraded.  This will be done automatically by the script, downloading the files from the internet if necessary.  But it would be more efficient for you to download them in advance and place them where the script can find them.  Again from the documentation:

For additional information and for WUA deployment instructions, go to http://technet.microsoft.com/en-us/library/bb932139.aspx.

You can obtain the latest version of the WUA stand-alone installer for:

Windows Vista and Windows Server 2008 include the most recent version of WUA, so no upgrade is necessary for these operating systems. In Windows XP and Windows Server 2003, one of the following will occur:

  • If the WUA 3.0 stand-alone installer files are in the TOOLS\architecture folder (where architecture is either x86 or x64) on the deployment point, MDT 2008 will automatically install WUA on the target computer.

    When downloading the WUA 3.0 stand-alone installer files, save them in the distribution\TOOLS\architecture folder (where distribution is the folder where the distribution point is created).
  • If the WUA 3.0 stand-alone installer files are not in the TOOLS\architecture folder on the deployment point and if the existing version of WUA is configured for a WSUS server, then WUA will attempt to update itself from a WSUS server. If the existing version of WUA is not configured for a WSUS server, then MDT 2008 will attempt to download and install WUA 3.0 from the Microsoft Update site. In this case, Internet access is required for the target computer.

So if you set WSUSServer and download the updated stand-alone installers, then the ZTIWindowsUpdate.wsf script will be able to update your computer without access the internet to do so.