Download Windows Security Updates for MDT (packages) offline deployment

  • Deploy your MDT image
  • Install Microsoft Baseline Security Analyzer (MBSA)
  • Scan
  • MBSA saves the result under the current user profile directory – %USERPROFILE%\SecurityScans
  • Run this PowerShell script to download the missing updates:

    # Run from %USERPROFILE%; C:\MDTPackages must already exist
    [xml] $MBSAResult = Get-Content '.\SecurityScans\WORKGROUP - I3-PC (10-11-2015 8-03 PM).mbsa'
    # Download every update the report marks as not installed
    $MBSAResult.SelectNodes("//UpdateData") | ? { $_.IsInstalled -eq "false" } | % {
        $URL = $_.References.DownloadURL
        Start-BitsTransfer -Source $URL -Destination C:\MDTPackages
    }

  • Import these packages into MDT; they get installed automatically by DISM during the deployment

Note: At the time of writing this post, Microsoft Baseline Security Analyzer version 2.3 contains the DownloadURL in the XML blob, which is why the script was able to pull the update cab files; not sure if this will be the case in future releases of MBSA.
Some update cab files might get rejected by MDT (e.g. Office/.NET/Silverlight).
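Because DISM installs whatever is imported, it is worth checking both where each DownloadURL points and what was actually downloaded. The following is an added example, not part of the original post: it filters the report's URLs against a host allowlist and keeps a downloaded package only if its Authenticode signature is valid and issued to Microsoft. The function names, the allowlist, the signer match and the sample report are assumptions made for illustration.

```powershell
# Added example: names, allowlist and sample report are assumptions, not MBSA's schema.
$AllowedHosts = @('download.windowsupdate.com', 'download.microsoft.com')

function Get-MissingUpdateUrl {
    param([xml] $Report, [string[]] $AllowedHosts)
    foreach ($u in $Report.SelectNodes('//UpdateData')) {
        if ($u.IsInstalled -ne 'false') { continue }
        $raw = [string] $u.References.DownloadURL
        $uri = $null
        # Drop entries with no URL, a non-HTTP(S) scheme, or a host outside the allowlist
        if (-not [Uri]::TryCreate($raw, [UriKind]::Absolute, [ref] $uri)) { continue }
        if ($uri.Scheme -notin 'http', 'https' -or $uri.Host -notin $AllowedHosts) {
            Write-Warning "Skipping $raw (scheme or host not allowed)"
            continue
        }
        $uri.AbsoluteUri
    }
}

function Save-VerifiedUpdate {
    param([string] $Url, [string] $Destination)
    Start-BitsTransfer -Source $Url -Destination $Destination
    $file = Join-Path $Destination ([IO.Path]::GetFileName(([Uri] $Url).LocalPath))
    # Keep the package only if the signature chain is valid and the signer is Microsoft
    $sig = Get-AuthenticodeSignature -FilePath $file
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        Remove-Item $file
        Write-Warning "Removed $file (signature status: $($sig.Status))"
    }
}

# Constructed sample using the node names the script above reads (not a real MBSA report)
[xml] $Sample = @'
<SecScan>
  <UpdateData IsInstalled="false"><References><DownloadURL>http://download.windowsupdate.com/constructed/a.cab</DownloadURL></References></UpdateData>
  <UpdateData IsInstalled="true"><References><DownloadURL>http://download.windowsupdate.com/constructed/b.cab</DownloadURL></References></UpdateData>
  <UpdateData IsInstalled="false"><References><DownloadURL>http://updates.example.net/constructed/c.cab</DownloadURL></References></UpdateData>
  <UpdateData IsInstalled="false"><References /></UpdateData>
</SecScan>
'@

# List the URLs that would be downloaded from the constructed report
Get-MissingUpdateUrl -Report $Sample -AllowedHosts $AllowedHosts
```

For a real run, pass `$MBSAResult` as `-Report` and pipe each returned URL to `Save-VerifiedUpdate -Destination C:\MDTPackages` before importing the folder into MDT.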
