Add WSUS Target Group option to MDT deployments

Note: This blogpost is also posted on the peppercrew website.

The Story

One of the great features you get when deploying a Windows operating system using my favorite deployment tool, the Microsoft Deployment Toolkit (MDT), is the ability to update the OS using either Windows Update or a local WSUS server. The latter is obviously preferred because it’s a lot quicker and you have better control over what updates you want to install. WSUS has a feature called Target groups, which you can utilize for managing update approvals for a group of computers. This way you’ll be able to approve or decline specific updates for  Remote Desktop Session hosts or Exchange servers etc. While MDT let’s you specify a WSUS server to get updates from there’s no way to specify the target group you want to receive updates from. Let’s fix that, shall we?

How to create a variable

First you’ll have to create a new task sequence variable called TargetGroup. This can be done by altering the customsettings.ini. You can either open the file directly from your deployment share in the Control folder or right-click the deployment share in the DeploymentWorkbench console, choose properties and go to the Rules tab. All the way at the top you’ll find the Settings section. There you’ll find a property called properties. By adding TargetGroup as a value the variable will be created. You can create more by seperating them with a comma. The result should look like this:


Now that you have made the variable available you can give it the appropriate value. We’ll cover two methods of accomplishing this:

  • Using CustomSettings.ini. Use this technique if you’re deployment share only requires one target group or if you have multiple section defined for machine deployments.
  • Editing the Task Sequence. Use this technique if you need to have a different target group per task sequence.

Using customsetting.ini

You can set the value of the in the section of your choice. In this example we only have the Default section available so we’ll put it in there.


TargetGroup=Terminal Servers

If you have multiple sections set up in your ini file, for instance Mac Address sections, you can set different values per section.

Editing Task Sequence

Open the properties of the task sequence and go to the Task Sequence tab. Click on Add – General – Set Task Sequence Variable.


Enter TargetGroup in the Task Sequence Variable textbox and the name of your Target group in the Value textbox. You can also edit the name if you like. Click Apply when your done and voilá, you’re done:


Editing the MDT update script

Now that we have our brand new variable set up it’s time to let MDT know what to do with it. Open Windows Explorer and go to your deployment share’s Script folder. Open the ZTIWindowsUpdate.wsf file in your favorite editor (I like Notepad++) and look for the Configure Windows Update settings section. It’s usually around line 555. Add the following lines in the first IF statement:

If oEnvironment.Item("TargetGroup") <> "" then
	oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetGroup", oEnvironment.Item("TargetGroup"), "REG_SZ"
	oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetGroupEnabled", 00000001, "REG_DWORD"
End if

The end result should look like this:

'// Configure Windows Update settings

If oEnvironment.Item("WsusServer") <> "" then

	' Configure the WSUS server in the registry.  This needs to be a URL (e.g. http://myserver).

	oLogging.CreateEntry "Configuring client to use WSUS server " & oEnvironment.Item("WsusServer"), LogTypeInfo

	oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer", oEnvironment.Item("WsusServer"), "REG_SZ"
	oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer", oEnvironment.Item("WsusServer"), "REG_SZ"

	If oEnvironment.Item("TargetGroup") <> "" then
		oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetGroup", oEnvironment.Item("TargetGroup"), "REG_SZ"
		oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetGroupEnabled", 00000001, "REG_DWORD"
	End if
End if

Save the file and you’re done! In my next post I’ll get into creating a Windows Update custom wizard page so you can be more flexible with updates during deployments.


About MicaH

I'm a Senior Technical Specialist at PepperByte BV (the Netherlands).
This entry was posted in Microsoft Deployment Toolkit (MDT) and tagged , , , , , , , . Bookmark the permalink.

53 Responses to Add WSUS Target Group option to MDT deployments

  1. Stephan says:

    Hi Micah!

    Thanks for this great post!
    I worked for me.
    But after reinstalling the WSUS server (remove roles en reinstall) The Target group is not working.
    Do you have any suggestions?

    Thanks! Regards

  2. Stephan says:

    Have found the solution (facepalm).

    Options –> Computers –> and select “use group policy or registry settings on computers”


  3. PaulR says:

    Is there a way of seeing what patches have been applied and approved to a Target group.

    • MicaH says:

      It’s possible to script this but isn’t that what the WSUS console is for? I’m not sure what the added value is for having this information in your Deployment Wizard. I guess you could create a View Updates button and query the updates using vbscript or powershell (if you have powershell in your PE).

  4. cuber351 says:

    Thanks for the post. I had to tweak the additions to the script a bit to get it working. This is what I ended up with:

    If oEnvironment.Item("WsusServer") <> "" then
    	' Configure the WSUS server in the registry.  This needs to be a URL (e.g. http://myserver).
    	oLogging.CreateEntry "Configuring client to use WSUS server " & oEnvironment.Item("WsusServer"), LogTypeInfo
    	oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer", oEnvironment.Item("WsusServer"), "REG_SZ"
    	oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer", oEnvironment.Item("WsusServer"), "REG_SZ"
    End if
    If oEnvironment.Item("TargetGroup") <> "" then
    	oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetGroup", oEnvironment.Item("TargetGroup"), "REG_SZ"
    		oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetGroupEnabled", 1, "REG_DWORD"
    End if
    • MicaH says:

      Changing the DWORD to just 1 instead of 00000001 makes sense. I’ve had no issues with my original value but if it works for you then thank you for sharing your solution.

      PS. I edited your comment to improve readability and because the <> symbols were being left out by the html code.

  5. mos6502 says:

    Great information, thank you from a newcomer to the MDT world.

  6. Marc says:

    Thanks for telling us how to get the TargetGroup to the deployment. But I have the problem, the my WSUS server uses SSL port 8531. So I tried to import my own RootCA to the local computer store by a task sequence: cmd /c certutil -addstore ROOT “\\server\ShareName\Certfile.cer”

    But this ends allways with an error:
    Litetouch deployment failed, Return Code = -2147467259 0x80004005

    I did not find the certificate in the local store.

    When I remove the task from task seqeuence, it works well; without certificate…. 😦

    Can you help?

    • MicaH says:

      There’s not much to go on with only that error code. Is there anything specific in the deployment log files? Here’s what I think happens:

      MDT installs everything using the local administrator account so if you use a UNC path to a certificate file that is probably going to fail (local administrator account has no rights on remote shares). You can solve that by doing either of two things:

      * Importing the certificate as a MDT application with source files and use “cmd /c certutil -addstore ROOT CertFile.cer” as install command.
      * Edit your current task in the TS by specifying an account the command line should run under. Make sure the account has rights on the share where the certificate is located.

      Good luck!

  7. Gary Leung says:

    I’m a newbie in terms of scripting and using notepad++, but once you open the script with it do you simply paste the lines you referenced in your post?

  8. Brian Klish says:

    “MDT installs everything using the system account”

    I don’t think it does. SCCM does, but MDT always uses the local admin account. Also, your code seems to be missing quotes and parenthesis probably due to the conversion to HTML on WordPress. Not sure if it’s something you can address.

    • MicaH says:

      You’re right. I meant local administrator. I’ve corrected the comment. As for the missing quotes and parenthesis: I’ve gone through great lengths to make sure the html doesn’t mess up the code and everything looks normal on my end. Maybe it’s a question of locale settings?! Is there a way you can show me a screenshot? Here’s what it looks like over here:

      • Brian Klish says:

        The part that is missing quotes and parenthesis is getting chopped off (possibly by WordPress?) in the screenshot you provided. I don’t see a way to post a screenshot of my own without logging in so I guess I’ll try to paste the raw text, but who knows how that will show up considering the issue. Here are the line endings that appear to be wrong:

        URL (e.g. http://myserver).


        Windows\WindowsUpdate\WUServer”, oEnvironment.Item(“WsusServerREG_SZ”
        Windows\WindowsUpdate\WUStatusServer”, oEnvironment.Item(“WsusServerREG_SZ”

        ft\Windows\WindowsUpdate\TargetGroup”, oEnvironment.Item(“TargetGroupREG_SZ”
        ft\Windows\WindowsUpdate\TargetGroupEnabled”, 1, “REG_DWORD”

  9. Brian Klish says:

    Word wrap is not my friend =/

  10. Lars says:

    I have done like above and the task is working, it install patches and reboot nd so on.
    But he problem is that it install EVERYTHING. I just want to get security patches but i just dont understand how and where i shall config this.

    Shall i create som Group on the wsus server? Where on the wsus server can i say that my server that i want to patch will only get security patches?

    I still want to be able to patch for example clients with both updates and security so i dont want to change anything on the wsus server so it will be broken.

    • MicaH says:

      What you need to do is create a new Target group in WSUS and approve only security updates for that group. Then, when you deploy the server using the Targetgroup variable, only the security patches will be installed.

  11. Lars says:

    maybe i do it under the computer node, under this node i have today for example unassigned computer. My test server is inside this folder unassigned computer.

    Is it just to right click and create Group and then i will be asked for what patches i want to be applied?

    And this Group MUST have the TargetGroup, or?

  12. Lars says:

    and i dont want to add my computers manually into this Group, i want them to pop in to this Group automatically

  13. Brian Klish says:

    “and i dont want to add my computers manually into this Group, i want them to pop in to this Group automatically”…

    That’s exactly right. You can’t manually move the computers to the group. In WSUS there are two ways to assign computers to groups. Either via the console or via the client. This method is via the client. You need to create the group in the console and approve the updates for that specific WSUS group. Unassigned is where computers go if they have not been assigned a group. If you are using groups like explained above I would recommend you do NOT approve updates for unassigned computers. It will only cause you grief.

  14. Brian Klish says:

    Also, in order for this to work you must change the setting on your WSUS server so it allows clients to assign their own group. Not sure which version of WSUS you use, but that hasn’t changed:

  15. Lars says:

    we use this version: 6.3.9600.18228

    Somehow my server has now been added into the Group in WSUS console, so that means that all things in MDT seems to work fine now. It create the correct variable and so on.

    The last thing now i dont understand, how do i only add security patches to my newly Group inside wsus console? I can to anything with it. Just add more computers, search and refresh, sort of.

    Please give me a guide how i now can say that servers in this Group will only have security patches installed.

  16. Lars says:

    I might find something now.

    1. Rightclick security updates under Updates node
    2. New update view
    3. Click updates are approved for a specific Group…….
    and then in the lower windows, precis specific Group and Point to your Group
    4. Specify a new name.

    Is that all? 🙂

  17. Brian Klish says:

    A view can filter and display updates any way you want. What you are explaining would only show you updates that are already approved for a specific group. You wouldn’t want to filter by group if you haven’t yet approved them. Obviously they wouldn’t show up until you approve them. If you want to approve them you have two options. One option is create an update view that shows you whatever updates you want to see. For example, I could create a view that only shows me Windows Server 2012 R2 Security updates. Once you create the view then click the filter at the top of the window that says “Approval:” and pick the Unapproved option. That would show you all updates that have not been approved. You could then individually or multi-select updates and right-click–>Approve. That will open a window so you can pick which WSUS group you want to approve them for.

    Personally I don’t manually approve most updates. I setup automatic approval rules for Critical, Definition, Security Updates, and Updates. I don’t auto approve things like update rollups, feature packs, and service packs. So for security updates you could go to Options–>”Automatic Approvals” and setup a New Automatic Approval Rule that approves all security updates specifically for a specified WSUS target group called Servers for example. As updates are released by Microsoft WSUS will automatically approve the ones you setup a rule for. That will cause the WSUS server to download them and release them to the clients. In your case it will make them available to MDT when the specified target group looks for updates for the “Servers” group.

    • kotten33 says:

      Thanks. I will keep on trying this tomorrow at work.

      I think we alrady have a approval rule that approve all security updates. If i have this automatic rule and i have right click on the node security update and point that to my newly created group, will that group then always have all security updates that i have approved in the security folder?

      It is hard to explain in words what i am want this to do. Hope you understand what i am trying to achieve.

  18. Lars says:

    I created a new filter today and ticked my target Group and also only security updates and then start the scrip again. Unfortanly it still install everyting and not only security patches. The server is visable in the target Group i have been created, so this part seems to work fine.

    • MicaH says:

      When you say: “I started the script again” do you mean you’re using this script as a standalone solution? This script was made for use in MDT to install WSUS updates during deployment. If you’re using it as a standalone script you don’t have Task Sequence variables to work with and that will give you unexpected results. Please check in the registry if the correct Target group is set on the client, otherwise you’ll never have control over the update installation.

      • kotten33 says:

        what i meant was that i started the script manually on my server i want to patch. This script is on the MDT server so i start it from a network share on the MDT server. Everything is working correct,my server will be patched but i get all patches and not only security patches that i have config in new update view, so i dont use it standalone. I have checked in registry and corerct values is set during script and my server is also being added inside my target Group. I have a task that is setting this variable up like the above instruction. So i Think i have come a lot further, but now i really dont understand why i still got all patches.

  19. Brian Klish says:

    Lars, you have either implemented MichaH’s solution incorrectly or you have more updates approved for that target group than what you think you have. When you say “I created a new filter today” what do you mean by that? Is that a new update view?

  20. Lars says:

    yes, i meant a new update view. When you do that there is some options to make, for example target Group, what patches and so on

  21. Brian Klish says:

    We to to identify where your problem is. Open up the Windows Update log under c:\Windows\WindowsUpdate.log. Search the log for “target group” (without the quotes). That will tell us what the Windows Update agent is actually doing. Does the agent show that it’s in the target group or is it null?

  22. Peter S says:

    Great idea and it’s obvious that this works for most people, however I only seem to get “Dirty Environment Found” messages. I do not require the use of different TargetGroups per Task Sequence so the simple addition to Custom.ini and the WindowsUpdate script should suffice.
    However I get the above error during the application installation task sequence and the report at the end reveals that the WindowsUpdate task has failed. Any idea what could be the cause?

    Thank you

    My Custom .ini contains:

    TargetGroup=Win 7

    My script appears as follows:

    ‘// Configure Windows Update settings

    If oEnvironment.Item(“WsusServer”) “” then

    ‘ Configure the WSUS server in the registry. This needs to be a URL (e.g. http://myserver).

    oLogging.CreateEntry “Configuring client to use WSUS server ” & oEnvironment.Item(“WsusServer”), LogTypeInfo

    oShell.RegWrite “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer”, oEnvironment.Item(“WsusServer”), “REG_SZ”
    oShell.RegWrite “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer”, oEnvironment.Item(“WsusServer”), “REG_SZ”

    If oEnvironment.Item(“TargetGroup “” then
    oShell.RegWrite “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetGroup”, oEnvironment.Item(“TargetGroupREG_SZ”
    oShell.RegWrite “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetGroupEnabled”, 1, “REG_DWORD”
    End if

    End if

    oLogging.CreateEntry “Configuring Windows Update settings (manual update, use server)”, LogTypeInfo

    If oEnvironment.Item(“NoAutoUpdate_Previous”) = “” then
    On Error Resume Next
    iNoAutoUpdate = oShell.RegRead(“HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate”)
    If iNoAutoUpdate = “” then
    iNoAutoUpdate = “”
    End if
    oLogging.CreateEntry “Archive NoAUtoUpdate State: Was [” & iNoAutoUpdate & “].”, LogTypeInfo
    oEnvironment.Item(“NoAutoUpdate_Previous”) = iNoAutoUpdate
    On Error Goto 0
    End if

    oShell.RegWrite “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer”, 1, “REG_DWORD”
    oShell.RegWrite “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate”, 1, “REG_DWORD”

    ‘ Restart the service to get the latest settings

    oShell.Run “net stop wuauserv”, 0, true
    oShell.Run “net start wuauserv”, 0, true

    • MicaH says:

      There’s a lot of characters missing in your code, but that’s probably because of html. Can you repost the script in a code block? That should take care of the missing chars. Are there any errors in the ZTIWindowsUpdate.log?

  23. Brian Klish says:

    That sounds like the result of an unexpected reboot. I don’t see how it could be related off the top of my head. Seems like you may have a problem with something else. What is the last step that completes when you get the unexpected reboot? Is it actually working on Windows updates when it happens?

  24. Hello! Thanks for your post.

    I want to create two custom sections in MDT and pass the values to custom settings.ini

    The lines that i’ve been created are:

    Priority=Country, CProfile, ByLaptopType, ByDesktopType, ByVMType, Default
    Properties=MyCustomProperty, NameByType, NameByLocation


    ‘ // Países y su respectiva configuración

    TimeZoneName=Pacific Standard Time

    TimeZoneName=Pacific Standard Time

    TimeZoneName=Pacific Standard Time

    TimeZoneName=Pacific Standard Time

    ‘ // Establece la configuración se aplicará por perfil




    Doing something similar will work with my MDT or the process with custom sections and subsections are different?

    Thanks in advance.

    Jason Corchuelo.

    • MicaH says:

      Hi Jason. The process seems fine. You have a lot of properties in your Priority setting that are not native to MDT. How are these being created and set? Are you using custom panes for that?

  25. Adrian Wong says:

    Please check this article. It works but only after you pay attention to the errors in the script formatting. I’m assuming the website is removing things.

  26. Brian Klish says:

    I was just about to re-implement these changes after updating MDT and when I went to copy the code it doesn’t look right to me. The comparison operators are missing in the “If” statements. I tried Chrome, Firefox, and IE. They’re missing in every browser. Are you using a WordPress plugin for code snippets? You might want to try this one Haven’t used it myself, but it seems to be a pretty popular one. Guessing it would help with some of the inconsistencies we’re seeing.

  27. Brian Klish says:

    Also, MicaH it appears that MDT does not clean up these registry settings and I don’t think sysprep is cleaning it either. Probably not a huge deal in most cases, but I just discovered this and thought I’d pass it along. You may already be aware.

    • MicaH says:

      I’m aware of it. If you want you could add it to the ZTICleanup script. In most cases the WSUS client will be set by GPO so the registry keys will be overwritten.

      • Brian Klish says:

        Actually it would have to be LTICleanup.wsf. There is no ZTICleanup script. Thoughts on my other comment regarding code snippets?

      • MicaH says:

        You’re right. Sorry, I’m at home watching TV so I couldn’t check the actual name of the script. Regarding the code snippets: I thought I had fixed that about a week ago. I’ll check again tomorrow at work.

      • MicaH says:

        It’s fixed now. Thanks for pointing it out to me.

  28. S. Hausmann says:

    I’ve added SSL support for WSUS.
    You will need another deployment variable names “WsusSecure” which stores the URL to you secured WSUS like “https://yourWSUS:8531”

    ZTIWindowsUpdate.wsf need to contain:
    ‘// Configure Windows Update settings

    If oEnvironment.Item(“WsusServer”) “” then
    ‘ Configure the WSUS server in the registry. This needs to be an URL (e.g. http://myserver).

    If oEnvironment.Item(“WsusSecure”) = “” then
    oLogging.CreateEntry “Configuring client to use non-secure WSUS server ” & oEnvironment.Item(“WsusServer”), LogTypeInfo
    oShell.RegWrite “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer”, oEnvironment.Item(“WsusServer”), “REG_SZ”
    oShell.RegWrite “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer”, oEnvironment.Item(“WsusServer”), “REG_SZ”


    oLogging.CreateEntry “Configuring client to use secure WSUS server ” & oEnvironment.Item(“WsusSecure”), LogTypeInfo
    oShell.RegWrite “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer”, oEnvironment.Item(“WsusSecure”), “REG_SZ”
    oShell.RegWrite “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer”, oEnvironment.Item(“WsusSecure”), “REG_SZ”

    oLogging.CreateEntry “Configuring client to use WSUS alternate download server ” & oEnvironment.Item(“WsusServer”), LogTypeInfo
    oShell.RegWrite “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\UpdateServiceUrlAlternate”, oEnvironment.Item(“WsusServer”), “REG_SZ”

    End if

    If oEnvironment.Item(“TargetGroup”) “” then
    oLogging.CreateEntry “Configuring client to use WSUS target group ” & oEnvironment.Item(“TargetGroup”), LogTypeInfo
    oShell.RegWrite “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetGroup”, oEnvironment.Item(“TargetGroup”), “REG_SZ”
    oShell.RegWrite “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetGroupEnabled”, 1, “REG_DWORD”
    End if

    End if

    @MicaH If you like you can use this to update your article.

  29. Adrian Wong says:

    Still works for MDT 8456

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s