You should absolutely have patches installed in your reference image, no question about that. The default setting in Microsoft Deployment Toolkit is to run Windows Update “when needed”, and the default behavior is the same, so basically Windows will run Windows Update when it “feels” like it. When the machine is managed, this is controlled, but a reference image is created while the operating system is unmanaged. This can result in all kinds of issues: a pending reboot “sometimes”, or a failure to install software “sometimes”. I don’t like “sometimes” or random…
Turn off random Windows Updates during reference image creation
It is actually very easy: you need to change “Protect Your PC” from 1 to 3.
If you open the unattend.xml file in Windows System Image Manager it looks like this:
This way, Windows Update will be performed manually or, since you are using MDT and LiteTouch as your tool to create the reference image, the two Windows Update steps will do the updates, with no more “random” updates.
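
To check the setting without opening Windows System Image Manager, the following PowerShell script is an added example (not part of the original post or of MDT itself). It reads a task sequence's Unattend.xml, reports the `ProtectYourPC` value in the oobeSystem pass, and sets it to 3 when run with `-Fix`. The script parameters are this example's own, and the file location mentioned in the comments is the usual MDT layout, so adjust it to your deployment share.

```powershell
# Added example: audit (and optionally fix) ProtectYourPC in an MDT Unattend.xml.
# Assumption: the file is the one for your reference-image task sequence, normally
# found under <DeploymentShare>\Control\<TaskSequenceID>\Unattend.xml.
param(
    [Parameter(Mandatory)][string]$UnattendPath,
    [switch]$Fix   # without -Fix the script only reports
)

$path = (Resolve-Path -LiteralPath $UnattendPath).Path
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true          # keep the file's layout on save
$xml.Load($path)

# unattend.xml elements live in this namespace, so XPath needs a prefix for it.
$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')

# ProtectYourPC sits in oobeSystem > Microsoft-Windows-Shell-Setup > OOBE.
$xpath = "//u:settings[@pass='oobeSystem']" +
         "/u:component[@name='Microsoft-Windows-Shell-Setup']" +
         "/u:OOBE/u:ProtectYourPC"
$nodes = $xml.SelectNodes($xpath, $ns)

if ($nodes.Count -eq 0) {
    Write-Warning "No ProtectYourPC element found in $path"
    return
}

$changed = $false
foreach ($node in $nodes) {
    # The component element (two levels up) carries the architecture attribute.
    $arch  = $node.ParentNode.ParentNode.GetAttribute('processorArchitecture')
    $value = $node.InnerText.Trim()
    if ($value -eq '3') {
        Write-Output "[$arch] ProtectYourPC = 3 (automatic updates disabled during the build)"
    }
    else {
        Write-Output "[$arch] ProtectYourPC = $value (Windows Update can run on its own schedule)"
        if ($Fix) { $node.InnerText = '3'; $changed = $true }
    }
}

if ($changed) {
    # Keep a copy of the original before writing the modified file.
    Copy-Item -LiteralPath $path -Destination "$path.bak" -Force
    $xml.Save($path)
    Write-Output "Set ProtectYourPC to 3 in $path (backup: $path.bak)"
}
```

Patching is then left to the Windows Update steps in the task sequence, so keep those steps enabled when building the image.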