Install Third Party Software Updates during TS Install Software Updates step
Currently (v1806 or later) Third Party Software Updates are not being installed during the Install Software Updates step in a Task Sequence.
Ideally third party software updates should be installed just like regular updates during the Task Sequence. A machine should be fully patched (secure and end-user ready) when it leaves the deployment bench.
You can deploy third party updates to the collection to which you deployed a task sequence. What they don't tell you is you need to export the WSUS certificate that you see in the console and import it during the task sequence. Also, add another step to add the registry value that controls "Allow signed updates from an intranet Microsoft update service location". Do those steps before the install updates step and see the magic happen.
Jay Gingras commented
Yes! Please add :)
Jeremiah Abbott commented
I would like to see a version of this as well. I imagine having additional options added onto the Install Software Updates Task Sequence Step's settings pane:
- A Check-Box to enable/disable 3rd Party Updates on the step; (sets the Local Publisher local policy/registry values)
- A box to browse to, and select your code signing certificate, or an option to use/generate a Self-Signed certificate as ConfigMgr is currently doing in version 1806+ on fully-provisioned systems.
Markus B commented
We don't need those updates during OSD, but I've seen certificate trust errors within the "Install Updates" step lately.
It might be required to deploy the WSUS signing certificate during OSD before installing updates, as the PKI GPO will not be applied.
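The two client-side steps that the earlier reply describes (trust the WSUS signing certificate, then set the "Allow signed updates from an intranet Microsoft update service location" policy), and that Markus B's comment suggests running before "Install Updates", as an added example. This script is not from the thread or from ConfigMgr; it is written to run as a "Run PowerShell Script" task sequence step in the full OS (after "Setup Windows and ConfigMgr", not in WinPE). The file name WsusSigning.cer and the assumption that the exported public certificate sits in the same package as the script are hypothetical; the registry path and the AcceptTrustedPublisherCerts value are the documented policy setting behind that Group Policy option.

```powershell
<#
  Added example, not ConfigMgr's own code. Makes the OSD client trust the WSUS
  third-party publishing certificate and enables acceptance of signed updates
  from an intranet WSUS, so the later "Install Software Updates" step can
  install third party updates.
  Assumption (hypothetical): WsusSigning.cer, the public certificate exported
  from the ConfigMgr console (no private key), is in the same TS package.
#>
param(
    [string]$CertPath = (Join-Path $PSScriptRoot 'WsusSigning.cer')
)

$ErrorActionPreference = 'Stop'

function Import-WsusSigningCert {
    param([Parameter(Mandatory)][string]$Path)

    # Load the file first so it can be inspected before anything is trusted.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import($Path)

    # Clients only need the public certificate; a file carrying the private key
    # should never be in a distributed package. Refuse it rather than trust it.
    if ($cert.HasPrivateKey) {
        throw "Refusing to import $Path because it contains a private key."
    }

    # Require the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3) so that an unrelated
    # certificate dropped into the package is not made a trusted publisher.
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $isCodeSigning = $ekuExt -and
        ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })
    if (-not $isCodeSigning) {
        throw "Certificate $($cert.Thumbprint) lacks the Code Signing EKU."
    }

    # Windows Update accepts a WSUS-signed package only when the signer is in
    # Trusted Publishers; a self-signed WSUS certificate must also be in
    # Trusted Root Certification Authorities so the chain validates.
    foreach ($store in 'TrustedPublisher', 'Root') {
        $storePath = "Cert:\LocalMachine\$store"
        $present = Get-ChildItem $storePath | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        if (-not $present) {
            Import-Certificate -FilePath $Path -CertStoreLocation $storePath | Out-Null
        }
    }
    return $cert.Thumbprint
}

function Set-AcceptTrustedPublisherCerts {
    # Policy value behind "Allow signed updates from an intranet Microsoft
    # update service location". Written under Policies so it is the same
    # value the PKI/WSUS GPO would set once the machine is domain-joined.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    New-ItemProperty -Path $key -Name 'AcceptTrustedPublisherCerts' `
        -Value 1 -PropertyType DWord -Force | Out-Null
    return (Get-ItemProperty -Path $key).AcceptTrustedPublisherCerts
}

$thumbprint = Import-WsusSigningCert -Path $CertPath
$flag = Set-AcceptTrustedPublisherCerts
Write-Output "Trusted WSUS signing certificate $thumbprint; AcceptTrustedPublisherCerts=$flag"
```

Run it as a "Run PowerShell Script" step (execution policy Bypass, package containing the script and the .cer) placed before "Install Software Updates". The checks for a private key and for the Code Signing EKU are there because whatever lands in Trusted Publishers can sign updates the client will install: keep the signing key on the WSUS/site server only, and distribute nothing but the exported public certificate.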