This script downloads and installs updates from computers on a corporate network that are running WSUS, Windows Update, or Microsoft Update using the Windows Update Agent (WUA) application programming interface (API). By default, this feature is disabled in each task sequence and must be manually activated to run.

Most enterprises will already have teams and infrastructures in place to update newly deployed computers over the corporate network. This process involves tracking the latest set of patches, drivers, and updates available for each desktop configuration and determining which updates should be downloaded and installed for each configuration. If the organization already has an established process, this script might not be necessary. This script was designed to fill a need for deployment teams that might not have established processes, yet want to ensure that target computers are updated when deployed.

This script automatically scans the target computer and downloads a wide range of updates that are found to be applicable. Among these are:

·     Windows service packs

·     Non-Microsoft drivers that were placed on Windows Update

·     Enhanced features for Windows Vista Ultimate

·     The latest Quick Fix Engineering updates

·     Microsoft Office updates

·     Microsoft Exchange Server and SQL Server updates

·     Microsoft Visual Studio® updates

·     Some non-Microsoft application updates

Tip   Many hardware manufacturers have placed their drivers on Windows Update. These drivers no longer need to be maintained in the Out-of-Box Drivers directory. Experiment by removing drivers from the distribution share to see which ones are available on Windows Update. However, do not remove networking or storage drivers that are not included with Windows by default, because the operating system will require user input.

MDT supports the ability to deploy an updated version of WUA as part of the operating system deployment. This helps ensure that target computers are running the correct version of WUA when they are deployed. It also helps eliminate the need to connect to the Internet and download the latest version of WUA after deployment.

MDT can also configure WUA to collect updates from computers on the corporate network that are running WSUS instead of connecting to Microsoft Update over the Internet. To point WUA at a specific computer running WSUS, set the WSUSServer property.

For additional information and for WUA deployment instructions, see How to Install the Windows Update Agent on Client Computers.

Obtain the latest version of the WUA stand-alone installer for:

·     x86 versions (WindowsUpdateAgent30-x86.exe) at

·     x64 version (WindowsUpdateAgent30-x64.exe) at

Windows Vista and Windows Server 2008 include the most recent version of WUA, so no upgrade is necessary for these operating systems. In Windows XP and Windows Server 2003, one of the following will occur:

·     If the WUA 3.0 stand-alone installer files are in the TOOLS\architecture folder (where architecture is either x86 or x64) on the deployment share, MDT automatically installs WUA on the target computer.

·     When downloading the WUA 3.0 stand-alone installer files, save them in the distribution\TOOLS\architecture folder (where distribution is the folder in which the distribution point is created and architecture is either x86 or x64).

·     If the WUA 3.0 stand-alone installer files are not in the TOOLS\architecture folder in the deployment share and if the existing version of WUA is configured for a WSUS server, then WUA attempts to update itself from a WSUS server. If the existing version of WUA is not configured for a WSUS server, MDT attempts to download and install WUA 3.0 from the Microsoft Update site. In this case, Internet access is required for the target computer.

Note   MDT does not support authentication with proxy servers.

For more information, see Updating Windows Update Agent.

When enabled in the Task Sequencer, this script runs multiple times while in the State Restore Phase of operating system deployment. It is first run after the operating system has started for the first time. Ensure that the latest updates and service packs are installed before the installation of any applications that might depend on specific updates or service packs being installed on the target computer. For example, an application might be dependent on the latest version of the Microsoft .NET Framework being installed.

This script also runs after the installation of applications, which ensures that the latest application service packs and updates have been applied. For example, use this script to ensure that the latest updates are applied to Microsoft Office 2010 or the 2007 Office system.

During the installation of one or more updates, the target computer might need to be restarted to allow an update installation to finish. If the script detects that the installation of an update requires a restart, it automatically restarts the target computer and resumes if additional updates have been detected and are pending installation. The script exits if it determines that the target computer is fully up to date. An error is logged if, while updating the target computer, the script has seven unsuccessful attempts to install the updates and the target computer still requires a restart.

During run time, the script performs the following tasks:

·     Configure the target computer to use a WSUS server, if the WSUSServer property was specified.

·     Verify that the latest version of the WUA is installed on the target computer.

·     Search the target computer for applicable updates that are not already installed and that might be typically hidden.

·     Each update has an associated UpdateID and QNumber property:

      ·     The UpdateID property is in GUID form, such as 67da2176-5c57-4614-a514-33abbdd51f67.

      ·     The QNumber property is a numerical value, such as 987654.

·     The script compares the UpdateID and KBArticle property values against the list of exclusions specified in the following MDT properties:

      ·     WUMU_ExcludeID. A list of UpdateIDs to exclude; any update with an UpdateID found in this list will not be installed.

      ·     WUMU_ExcludeKB. A list of QNumbers to exclude; any update with a QNumber found in this list will not be installed.

·     In addition, any update that requires user input will be excluded and not installed.

·     All updates that require approval of an End User License Agreement (EULA) will automatically be approved by the script. Be sure to manually read and check each EULA before running this script in a production environment.

·     The activity for each update is written to the ZTIWindowsUpdate.log file, with the string INSTALL or SKIP if the update has been approved for installation, along with the UpdateID, a short description of the update, and the QNumber.

·     Each update to be installed is downloaded and installed in batches.

·     The target computer might require more than one restart during the update installation.

Note   Windows Internet Explorer 7 requires user interaction, so it is not installed using this script.

Note   By default, include QNumber 925471 in the WUMU_ExcludeKB list to prevent Windows Vista Ultimate from installing extra language packs.

Note   If intranet sources are not available, this script downloads files from two Microsoft sites: and





Environment variables. Contains the property values, custom property values, database connections, deployment rules, and other information that the scripts require to complete the deployment process


·     ZTIWindowsUpdate.log. Log file that contains events that this script generates

·     BDD.log. Log file that contains events that all MDT scripts generate


·     Expand.exe. Expands compressed files

·     Net.exe. Performs network management tasks

·     WindowsUpdateAgent30-x86.exe. Installs WUA

·     WindowsUpdateAgent30-x64.exe. Installs WUA

·     ZTIUtility.vbs. Includes support functions and subroutines that the script uses




cscript ZTIWindowsUpdate.wsf </debug:value> </UpdateCommand:"<IsInstalled=0|1> <IsHidden=0|1>"> </Query:true|false>






/debug:value. Outputs the event messages to the console and to the .log files. If the value specified in value is:

·     TRUE, event messages are sent to the console and the .log files

·     FALSE, event messages are sent only to the .log files (This is the behavior when the argument is not provided.)

/UpdateCommand

·     IsInstalled. Set to 0 to query for updates that are not installed.

·     IsHidden. Set to 0 to query for updates that are hidden.

/Query

·     True. Query only for required updates. Do not download and install any binaries.

·     False. Query for and install required updates. Download and install binaries.


Note   When specified, UpdateCommand requires at least one option.

Note   If specifying both options for UpdateCommand, they must be separated by the word "and".

Note   The default value for UpdateCommand is IsInstalled=0 and IsHidden=0.

Note   For more information about UpdateCommand, see IUpdateSearcher::Search Method.
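
A read-only way to preview the selection rules and the query-only mode described above, as an added example that is not part of MDT or ZTIWindowsUpdate.wsf: it runs the page's default UpdateCommand criteria through the WUA COM API, applies exclusion lists shaped like WUMU_ExcludeID and WUMU_ExcludeKB, and flags the updates whose EULA an unattended run would accept. The parameter names are hypothetical, and PowerShell 3.0 or later on the target computer is assumed.

```powershell
# Added example (not MDT code): preview what an update pass would select.
# Nothing is downloaded or installed, and no EULA is accepted.
param(
    [string]   $Criteria  = 'IsInstalled=0 and IsHidden=0',  # default UpdateCommand per the page
    [string[]] $ExcludeKB = @('925471'),                      # hypothetical name; QNumber from the page's note
    [string[]] $ExcludeID = @()                               # hypothetical name; UpdateID GUIDs to skip
)

# WUA COM API: the same search interface the page references (IUpdateSearcher::Search)
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search($Criteria)

$report = foreach ($update in $result.Updates) {
    $id  = $update.Identity.UpdateID
    $kbs = @($update.KBArticleIDs | ForEach-Object { $_ })    # numeric strings, no "KB" prefix

    # Approximation of the exclusion order the page describes
    $reason = $null
    if ($ExcludeID -contains $id) {
        $reason = 'UpdateID excluded'
    } elseif ($kbs | Where-Object { $ExcludeKB -contains $_ }) {
        $reason = 'KB excluded'
    } elseif ($update.InstallationBehavior.CanRequestUserInput) {
        $reason = 'requires user input'
    }

    [pscustomobject]@{
        Action      = if ($reason) { 'SKIP' } else { 'INSTALL' }
        Reason      = $reason
        UpdateID    = $id
        KB          = $kbs -join ','
        EulaPending = -not $update.EulaAccepted
        Title       = $update.Title
    }
}

# Full decision list, comparable to the INSTALL/SKIP entries in ZTIWindowsUpdate.log
$report | Sort-Object Action, Title | Format-Table -AutoSize -Wrap

# Updates whose EULA an unattended run would accept automatically; read these first
$report | Where-Object { $_.Action -eq 'INSTALL' -and $_.EulaPending } |
    Select-Object KB, Title
```

Run it on a reference build that already points at the intended WSUS server, so the preview reflects the approvals the deployment will actually see.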



































