Welcome back to the “Upgrade your Windows 10 deployment practices” series. If you had fun getting rid of your enterprise ISO, I have even bigger news for you today: you can also get rid of your WSUS server!
Now, before you shut everything down, let’s draw a clear line: I’m strictly speaking of WSUS in the context of building your reference image. WSUS is still required for your daily production patching! That being said, let’s see how we can create reference images without any infrastructure.
Why?
First, a few words to explain why WSUS is no longer a requirement for patching Windows 10: patches on Windows 10 are cumulative, and this means a couple of things:
- There are only four patches to download every month;
- No need to download patches from previous months;
- No more ability to pick this one but not that one;
- If you download the latest patch, you are sure to be up to date.
Knowing that, why would you want to maintain an ever-growing server simply to download four patches every time you generate a new reference image?
Replacement
Removing WSUS does not mean delivering a non-updated Windows. It just means that updates should be downloaded from a different place.
For Windows patches, you will need to go to the Windows Update Catalog. Finding updates for Windows 10 is easy: just search for the branch you want to update. For the Anniversary build, type 1607 in the search box and sort the results by date.
As you can see, for every month there is one security cumulative update and one cumulative update for Flash Player and IE. If you stop here, you are already good to go!
But if you want to go further, you will also find from time to time some non-security cumulative updates that you can integrate if you wish. One that you should install is the servicing stack update (latest version).
Finally, there are dynamic updates. They are used to ease the upgrade, but there is no place or process to integrate them into your reference image: Setup.exe is the only application able to download them, during the upgrade process. So leaving them out is just fine.
Download those 2 or 3 patches for the current month (that is, twice as many if you support both the x86 and x64 architectures) and inject them into MDT by right-clicking the Packages node of the Deployment Workbench and choosing Import OS Packages:
To make things easy to maintain, create a folder for the current month and put them all in it. Next month, you will only have to delete the folder and start over with fresh packages. To use those packages in your task sequence, you need to group them into a selection profile. Browse the Deployment Workbench tree to Advanced Configuration > Selection Profiles, right-click and pick New Selection Profile.
Choose a name for your profile and add your monthly update package:
Finally, in your task sequence, configure the Apply Patches step located in the Preinstall section and select the profile you’ve just created.
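The same monthly refresh (delete last month’s folder, import this month’s packages, rebuild the selection profile) can be scripted with the MDT PowerShell module instead of clicking through the Deployment Workbench. This is an added example, not code from the original post; the deployment share path, the download folder, the month labels and the profile name are assumptions to adapt to your environment.

```powershell
# Monthly refresh of cumulative updates in an MDT deployment share.
# Added example, not part of the original post. Every path and label below is an assumption.
$MdtModule     = 'C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1'
$ShareRoot     = 'D:\DeploymentShare'   # assumed deployment share root
$Downloads     = 'D:\Updates\2017-01'   # assumed folder holding the .msu/.cab files saved from the Catalog
$Month         = '2017-01'              # folder name under Packages for the current month
$PreviousMonth = '2016-12'              # last month's folder, deleted as the post suggests
$ProfileName   = 'Monthly Updates'      # selection profile referenced by the Apply Patches step

# Load the MDT provider and map the deployment share as a PSDrive (same as the Workbench does)
Import-Module $MdtModule
New-PSDrive -Name 'DS001' -PSProvider MDTProvider -Root $ShareRoot | Out-Null

# Drop last month's folder so the share never carries stale cumulative updates
if (Test-Path "DS001:\Packages\$PreviousMonth") {
    Remove-Item "DS001:\Packages\$PreviousMonth" -Recurse -Force
}

# Create this month's folder and import every update file found in the download folder
if (-not (Test-Path "DS001:\Packages\$Month")) {
    New-Item -Path 'DS001:\Packages' -Name $Month -ItemType 'folder' -Enable 'True' -Comments "Cumulative updates $Month" | Out-Null
}
Import-MDTPackage -Path "DS001:\Packages\$Month" -SourcePath $Downloads

# Recreate the selection profile so it includes only the current month's folder
$definition = "<SelectionProfile><Include path=`"Packages\$Month`" /></SelectionProfile>"
if (Test-Path "DS001:\Selection Profiles\$ProfileName") {
    Remove-Item "DS001:\Selection Profiles\$ProfileName" -Force
}
New-Item -Path 'DS001:\Selection Profiles' -Name $ProfileName -Enable 'True' `
    -Comments "Cumulative updates for $Month" -Definition $definition -ReadOnly 'False' | Out-Null

# Check: list what the Apply Patches step will now inject into the reference image
Get-ChildItem "DS001:\Packages\$Month" | Select-Object Name, Version, Language
```

Run the script on the Technician PC after saving the month’s downloads to the assumed folder; the final listing is the quick sanity check that the expected two or three packages (per architecture) are the only ones in the profile.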
Alternatively, you can use Microsoft Update directly within your task sequence. This option has been there for ages and only requires enabling the steps called Windows Update in the State Restore section, and of course having an active Internet connection on the machine used to generate the reference image.
While it works, this method looks scary at first but should be safe to use, as Windows ships with an antivirus. Also, don’t forget that Windows has a tendency to surf the web on its own more than one would expect… and, thinking forward, next-generation deployment (aka Zero Master, WICD, Intune, Azure AD…) will be done entirely over an Internet connection, so you’d better change your mind about that!
Going further…
With the removal of the WSUS server come a fair number of benefits:
- No server needed, which also means no more server license!
- No more boring WSUS maintenance routine;
- No more disk space consumption.
But that’s only one half. Now that no server is required to build a reference image, doesn’t it sound counterproductive to still host MDT on a dedicated machine? So, to reach the zero-infrastructure goal, why not host MDT’s deployment share on a simple file share, install the console on a “Technician PC” to maintain that share, and use Hyper-V on the same PC to generate the reference image! Sounds cool? Believe me, it’s even better than that!
And yet again, old stuff is the new black. See you in the next episode.
Source : N. Lacour, www.osd-couture.com