Deploying Custom .MSU Updates with SCCM (and SCUP)

  • Article

 

The Problem:

Local Publishing of .MSU files by using System Center Updates Publisher (SCUP Version 4.5 or 2011) is not possible. It is not supported by the WSUS product team. Is is not an SCCM issue. The WSUS services is designed to only import and trust .MSU files which are coming from the Microsoft Update Cloud service. And within there are only so-called GDR (General Distribution Release) updates which undergo a more expensive and thorough testing and certification process compared to LDR (Limited Distribution Release) and QFE (Quick Fix Engineering) updates.

However, there are Windows 6.x (Vista, 7, Server 2008, Server 2008 R2) Updates which are shipped in the .MSU format and customers would like to deploy them by using SCCM Software Update Management instead of SCCM Software Distribution.

image

The Solution:

I managed to setup a functioning workaround as follows:

Step 1: Download the Update you want from Microsoft.com

image

 

Step 2: Extract the Updates Contents and locate the .CAB File

To extract the update, use the “expand –F:*” command.

image

Locate the .cab file of the update:

image

This cabinet file is actually the update. All other stuff just serves the WUSA.exe and the WSUS detection logic. As we’re rebuilding that stuff in SCUP, we don’t need it anymore. The .CAB file contains the update and is digitally signed – enough for SCUP.

 

Step 3: Create an .EXE file containing the .CAB file and the DISM installation command:

Yes, we can use the DISM.exe tool to deploy the update by using “online servicing”. The update is in this case not “installed” to the operating system. It is rather “serviced” to the “servicing stack” (CBS, CSI, trusted installer) of the operating system which has been introduced with Windows 6.x. Normally DISM.exe is used to integrate updates into offline .WIM files. But with the /online parameter, it can also be used on a running OS:

dism.exe /online /add-package:<path>Windows6.1-KB917607-x64.cab /quiet /norestart /logpath:c:\917607msu.log /loglevel:2

You might want to test the installation prior to packaging the .EXE

image

Now bundle both, the .CAB file and the DISM install command into an executable file. Make sure that the file is digitally signed (code signing) and that this signature is trusted (trusted publisher) at the clients:

image

 

Step 4: Create a custom update within SCUP

Create a custom update within SCUP and use some simple rules to trigger the update. For Windows 7 update, from my experience, the WIN32_QuickFixEngineering query works fine for all OS updates, even GDR updates:

image

 

Step 5: Publish, Synchronize, Deploy, Enjoy

 

Please Note: Things posted on Blogs are never official Microsoft support statements.

Comments

  • Anonymous
    January 01, 2003
    Make sure that you populate the namespace field (above the wmi query) with rootcimv2.

  • Anonymous
    January 01, 2003
    Is there a file size limit on the Cab file? Trying to do this with a 715KB Cab file, having put the DISM install command into a BAT file and bundling that and the CAB into an EXE (using iExpress) and getting a "Program is too big for memory" error from Command.com.

  • Anonymous
    January 01, 2003
    I was interested that you used the WIN32_Quickfix_Engineering WMI info in your Installable Rule. I thought that clients no longer reported this information back to SCCM as it there is too much overhead in doing so?

  • Anonymous
    January 01, 2003
    Have noticed that when installing Updates using this method, no entry is place under "Installed Updates" under Control Panel> Programs and Features. I guess that's something to do with the work-around method of installing using DISM? Can make it a little tricky to prove that the install is completed once the EXE is run and not ideal for support people who use that GUI to confirm if updates are installed.

  • Anonymous
    January 01, 2003
    I would like to know the answer to my question, as well as that from SMAndy.

  • Anonymous
    January 01, 2003
    Further to the above, it seems that if you use iExpress to install your newly created EXE, it will remove the CAB file once run. The problem with this is that if you then need to uninstall the update, you need to run DISM remove-package against the Cab file, which no longer exists. Any workaround?

  • Anonymous
    January 01, 2003
    My Bad. Cab file, when run properly using DISM, will populate the Installed Updates Control Panel details.

  • Anonymous
    January 01, 2003
    also work with sccm, these tips will help me a lot

  • Anonymous
    January 01, 2003
    Thanks Dominik, I have create a Little script to automate the conversation of msu files to exe files. It's documented in my blog http://netecm.netree.ch/blog/Lists/Posts/Post.aspx?ID=18

  • Anonymous
    December 30, 2011
    Hi Dominik, I had been meaning to do something similar with SCUP.  Thank you for the guidance. Did you have a particular reason to avoid using WUSA.EXE to install the .MSU directly ? (as per support.microsoft.com/.../934307) Thanks, Toby

  • Anonymous
    April 26, 2012
    What's the best way to create an exe file for this?  I've tried creating one using iexpress.exe, but i can never get it to install - does the run command need to have the full path to where the file is extracted to?  If so, how do I find out where that's going to be on each computer? Thanks.

  • Anonymous
    August 13, 2012
    The comment has been removed

  • Anonymous
    February 18, 2013
    Was there ever an answer as to why DISM is used instead of WUSA?  

  • Anonymous
    April 13, 2014
    thanks for the post.This is a really a good post.http://tipsyards.blogspot.com/2014/04/how-to-create-installer-of-software.html">http://tipsyards.blogspot.com/2014/04/how-to-create-installer-of-software.html

  • Anonymous
    October 06, 2014
    Thats so nice tk - thanks a lot!