- Deploy your MDT image
- Install Microsoft Baseline Security Analyzer (MBSA)
- Scan
- MBSA saves the result under the current user profile directory – %USERPROFILE%\SecurityScans
PowerShell script to download the missing updates
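[code language="powershell"]
# Start-BitsTransfer lives in the BitsTransfer module (not auto-loaded on PowerShell 2.0)
Import-Module BitsTransfer
# Load the MBSA scan report (XML); the relative path assumes the current directory is %USERPROFILE%
[xml] $MBSAResult = Get-Content '.\SecurityScans\WORKGROUP - I3-PC (10-11-2015 8-03 PM).mbsa'
# Download the package for every update that MBSA reports as not installed
$MBSAResult.SelectNodes("//UpdateData") | ? { $_.IsInstalled -eq "false" } | % {
    $URL = $_.References.DownloadURL
    Start-BitsTransfer -Source $URL -Destination C:\MDTPackages
}
[/code]
- Import these packages into MDT; they are installed automatically by DISM during the deployment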
Note: At the time of writing this post, Microsoft Baseline Security Analyzer version 2.3 contains the DownloadURL in the XML report, which is why the script was able to pull the update cab files. I am not sure whether this will still be the case in future releases of MBSA.
Some update cab files might get rejected by MDT (e.g. Office, .NET, Silverlight).
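
Because the script downloads whatever URL the report lists, it is worth checking each file's Authenticode signature before importing it into MDT. The following is an added example, not part of the original post; the `Quarantine` subfolder name and the rule of accepting only Microsoft-signed files are assumptions.

```powershell
# Added example: verify downloaded update packages before importing them into MDT.
# C:\MDTPackages is the download folder used in the script above;
# the Quarantine subfolder is a hypothetical name chosen for this example.
$PackageDir    = 'C:\MDTPackages'
$QuarantineDir = Join-Path $PackageDir 'Quarantine'

if (-not (Test-Path $QuarantineDir)) {
    New-Item -ItemType Directory -Path $QuarantineDir | Out-Null
}

$Results = Get-ChildItem -Path $PackageDir -Filter *.cab | ForEach-Object {
    $File = $_
    $Sig  = Get-AuthenticodeSignature -FilePath $File.FullName
    $Hash = (Get-FileHash -Path $File.FullName -Algorithm SHA256).Hash

    # An unsigned file has no signer certificate, so guard against $null.
    $Subject = if ($Sig.SignerCertificate) { $Sig.SignerCertificate.Subject } else { '' }

    # Trust a file only if the signature validates against the local trust store
    # AND the signer is Microsoft. Status alone would accept any trusted publisher.
    $Trusted = ($Sig.Status -eq 'Valid') -and ($Subject -match 'O=Microsoft Corporation')

    if (-not $Trusted) {
        # Keep rejected files out of the folder that gets imported into MDT.
        Move-Item -Path $File.FullName -Destination $QuarantineDir -Force
    }

    # One record per file, so the result can be reviewed or archived with the image build.
    New-Object PSObject -Property @{
        File    = $File.Name
        Status  = $Sig.Status
        Signer  = $Subject
        SHA256  = $Hash
        Trusted = $Trusted
    }
}

$Results | Sort-Object Trusted | Format-Table File, Status, Trusted, SHA256 -AutoSize

$Rejected = @($Results | Where-Object { -not $_.Trusted })
if ($Rejected.Count -gt 0) {
    Write-Warning "$($Rejected.Count) package(s) failed signature validation and were moved to $QuarantineDir"
}
```

`Get-FileHash` requires PowerShell 4.0 or later; the recorded SHA256 values give a baseline for confirming that the packages imported into MDT are the ones that were validated.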