Windows Updates as part of Build and Capture
I am trying to update our image with all the Windows Updates during a build and capture. However, every time I capture and deploy, the image informs me there are updates right away. I am new to SCCM so not 100% sure how the process works. I have looked at the server as it has WSUS and SCCM configured as a downstream server. I found KB2509007 on MS and applied the patch yesterday but still cannot see the patches installed. Can someone please tell me what I have to check to get this working? Thanks in advance. g.
September 10th, 2012 7:18pm

I may have found my own answer.. I found this site and it looks like it does what I want, I am just trying to see if I can configure it now. I'm not sure what WSUS server to point it to though..
September 10th, 2012 7:58pm

Although using ZTIWindowsUpdate can work, it's not the out-of-the-box solution. First, it is not supported to configure a ConfigMgr integrated WSUS system (aka a SUP) as a downstream server of another WSUS system (even though the interface allows you to do this). The top-level SUP in a hierarchy must synchronize with Microsoft. Next, have you properly configured your SUP? Finally, have you configured your update deployments and update packages? This is not automatic and is not comparable to managing updates with WSUS.
Jason | http://blog.configmgrftw.com
September 10th, 2012 10:06pm

We have WSUS managed by a security team and this is why it is not part of our SCCM deployment (used for helpdesk). I have just started at this company and been thrown in the deep end with SCCM. I have not configured the SUP (SCCM Update service?) assuming that it would have been done before I started. I also have not configured update deployments and update packages assuming that SCCM just looked at what was approved on the server and applied them.. So from this I think I still have to use ZTIWindowsUpdate due to my config, and I will look at update deployments and update packages to see what they do. Did I miss anything? Let me know if you need more info, I am just floundering in the dark here.
September 10th, 2012 10:12pm

My site had not had the SUP role installed, so I am looking at that now, but I must make sure that it is only downloading updates that have been approved by the Sec team on another WSUS server. I am looking at the Active Settings during install of the SUP, and wondering if I am meant to set "use this server as the active software update point".
September 10th, 2012 10:21pm

You really should go through this in a lab environment. Doing it in production will get you into trouble. SUPs not marked as Active are only useful if you are going to use an NLB of SUPs. The TechNet documentation is fairly comprehensive: http://technet.microsoft.com/en-us/library/bb633264 There are also a couple of good books available (you can get them instantly via Amazon, like this one: http://www.amazon.com/System-Center-Configuration-Manager-Unleashed/dp/0672330237 [yes, shameless plug]).
Jason | http://blog.configmgrftw.com
September 10th, 2012 10:35pm

I agree, but this place does not give me access to a lab environment.. That's why I have to keep coming to here\web to check before I change too much.. Ideally I just need to get the updates part working (I can ignore all other issues if I must).. but understand that it could hit the fan even with just this.. In the end it is their problem for not providing labs\training\equipment etc..
September 10th, 2012 11:09pm

Back to using ZTIWindowsUpdate, is there a log file somewhere that tells me if it ran or why it didn't run? I have found the execmgr.log and everything looks OK in there, but it is only showing the software that I have installed as part of the process. I did find one that was causing issues that I have disabled for now. I am really interested in finding a log for ZTIWindowsUpdate.. I found the developer's website and he says the following, but I cannot locate any of the logs. "First step is to find the bdd.log or ZTIWindowsUpdate.log file generated by your test machine. We need the log files to know which Update ID numbers to exclude. While Microsoft Deployment is running, the log will be located at c:\minint\smsosd\osdlogs, however after the installation has finished, the logs could be uploaded to your SLShare Log Share, or to c:\windows\temp\deploymentlogs."
September 11th, 2012 12:24am

This topic is archived. No further replies will be accepted.
