Windows Updates during SCCM OSD from Replica WSUS Servers


I have been asked to provide a solution to a situation where during SCCM OSD, they want to run Windows Updates across multiple sites worldwide using the local WSUS replica servers.

So as an example, the main Headquarters office is in New York with the main WSUS server and then in Rome there is another site with a replica WSUS server syncronising from the New York server. A new PC is shipped to Rome and takes the SCCM OSD deployment and they want Windows Updates to run from the Rome WSUS server to fully patch the machine to corporate WSUS standards.

Note that SCCM SUP is not used in this environment.


Please note that this guide assumes that you have an advanced knowledge of SCCM, WSUS and MDT.

You must also have MDT integrated in your environment for this to work.


So, where do we start? Firstly, you need to identify all the WSUS servers available for each site. For demo purposes, we are going to be using the following sites and WSUS server URL’s:

  • New York City – – this will be our main HQ WSUS server
  • Rome – – local replica server
  • Tokyo – – local replica server

Once you have all the information you require you then need to export the certificate for WSUS from the primary HQ server and put it into a source share as we will be creating a package using this later. Lets create a share called:


Once you have your WSUS certificate in this share, you also need to add a registry file, this will be used to allow local updates to be published to the client machine. I have already prepared this registry file for you and this can be downloaded from the link below:

Download WSUS Registry Edit

So you should now have a registry file and a WSUS certificate in your source share. You now need to create a package within SCCM using this source share as your source location for the package. We’ll call the package WSUS Certificate Import:

You then need to create three different programs using this package. One to import the certificate into the Trusted Publisher, one to import the certificate intot he Trusted Root and one to run the registry edit file to enable local updates to run.

You should use the following commands for each program:

  • Import AcceptTrustedPublishedCerts – Regedit.exe -s wsuspolicy.reg
  • Install Trusted Publisher – certutil.exe -addstore -f TrustedPublisher WSUS.cer
  • Install Trusted Root – certutil.exe -addstore Root WSUS.cer

So you should end up with a package with these three programs available from it:

Please note that you must ensure that you have selected “Allow this program to be installed from the Install Package task sequence without being deployed” on the Advanced tab of the program for this to work:

You should then distribute this package to your required distribution points so it is ready to use.

When you have completed the package and programs part, you can then move onto the task sequence steps. In this demo I’ll just be showing you the steps for the updating part, however, in a live environment, I strongly suggest that you make these steps the very last part of your task sequence.


In your task sequence there are five stages to getting the updates to install from the local WSUS:

  • MDT Toolkit Package
  • Import of certificates
  • Registry edit to enable local updates
  • Pointing to correct local WSUS server
  • Running of updates

So, the first part of your task sequence steps needs to be to load the MDT Toolkit:

You should then add the Trusted Root Certificate from the package and program we created earlier:

Then add the Trusted Publisher Certificate:

Then add the registry edit file:

The next set of steps are to add the variables for which local WSUS server to use. So, add a Set Task Sequence Variable step, give it a name for your local WSUS server (in our case it’ll be NYC, Rome & Tokyo), then for each step the Task Sequence Variable should be:


Then each steps value should be the local WSUS servers URL (as stated at the beginning of this guide):

Now, this is the critical part, before we move away from these steps, you need to add an option condition to each of the Task Sequence Variable steps to identify when the variable is to be used. Although there are other ways, I am going to use the AD Site Name to identify where the client machine is at. So, click on the step for Rome, then click Options:

Click the Add Condition button and select query WMI. You should then type in the following query to identify that if the client machine matches this query, this step will be activated:

SELECT ClientSiteName FROM Win32_NTDomain WHERE ClientSiteName = “Rome”

You should do this for each Task Sequence Variable step.

Then, the final part is to actually run the Windows Updates, this is the final step that should be run as a command line.

The command line that should be run is the following:

cscript.exe “%SCRIPTROOT%\ZTIWindowsUpdate.wsf”

Now when you run these steps in your OSD task sequence, the client machine will identify which site it is on and then install any required updates from the local WSUS server.

You might also like...

Leave us a message...

This site uses Akismet to reduce spam. Learn how your comment data is processed.