Welcome back to the “Upgrade your Windows 10 deployment practices” series, if you had much fun getting ride of your enterprise ISO, I have an even bigger news for you today: you can also get ride of your WSUS server !!! yeah…!?!!..
Now, before you shut everything down, let’s draw some clear line: I’m strictly speaking of WSUS in the context of building your reference image. WSUS is still required for your daily production patching! That’s being said, let’s see how we can create some reference images without any infrastructure.
Why
First, a few words to explain why WSUS is no more a requirement for patching Windows 10: Patches on Windows 10 are cumulative and this means a couple of things;
- there is only four patches to download every month.
- no need to download patches from previous month
- no more ability to pick this but not that.
- if you download the latest patch you are sure to be up to date.
Knowing that, why would you want to maintain a even growing server simply to download four patches every time you generate a new reference image ?!…
Replacement
Removing WSUS does not means delivering a non updated Windows. It just means that updates should be downloaded from a different place.
For Windows patches, you’ll need to go to Windows Catalog Update. Great news, the site now works with other browser than IE ! (God, that was fast…)
Finding updates for Windows 10 is easy: just search for the branch you want to update. For Anniversary Build, type 1607 in the search engine, and sort results by date.
As you can see, for every month, there are one security cumulative updates, one non security cumulative update, one cumulative update for flash player and one cumulative update for ease of upgrade. If you are interested to know what those packages fixes, some info are published here.
Download those four patches for the current month (That’s eight if you support x86 and x64 architecture), inject them in MDT using right click, Import OS Packages in the package section of the deployment workbench:
To make thing easy to maintain, create a folder for the current month and put them all in. Next coming month, you will only have to delete the folder and restart with fresh new packages.
To use those packages in you Task Sequence you need to pack them into a selection profile. Browse deployment workbench tree to Advanced Configuration>Selection Profiles and right click to pick New selection Profile
Choose a name for you profile and add your monthly update package:
As you can see in the picture, I also included .Net 3.5. in my profile.If you wish to do so (and because we are talking reference image, you should !), you can read this post for further details.
Finally, in your task sequence, Configure the Apply patches step located in the Preinstall section and select the profile you’ve just created
Alternately, you can use Microsoft update (yes that one form the interweb !) directly within you task sequence. This option was here for age and only require to activate steps called Windows Updates in the State Restore section, and of course to have an active internet connection on the machine used to generate the reference image.
While working, this method looks scary in the first place but should be used safely as Windows ship with an antivirus. Also not forgetting that Windows has a tendency to surf the web on is own more than one could expect… and thinking forward, next generation deployment (aka Zero Master, WICD,Intune, Azure AD…) will entirely be done with an internet connection so you’d better change your mind about that!
Going further
With the suppression of WSUS server, come a fair amount of benefits:
- No Server Needed which also means no more server’s license !
- No more boring WSUS maintenance routine.
- No more disk space consumption
But that’s only one half, Now that no more server is required to build a reference image, it sound counterproductive to still host MDT on dedicated machine ?! So to reach the Zero infrastructure goal, why not hosting MDT’s Deployment share on simple file share. Installing the console on a “Technician PC” to maintain that share and using Hyper-V on the same PC to generate the reference image !! Sound cool ? believe me, it even more than that !!!….
And yet again old stuff is the new black, see you in next episode