SCCM 2012 – How to deploy a msu update package

** Update – use PowerShell as a detection clause. **

Today I had to deploy a Microsoft hotfix that would fix an issue we were experiencing.  The hotfix was an msu file and, although I had deployed many msu files in the past, I realised that I hadn’t blogged the process.  So here we are!

To deploy the msu I will be using wusa.exe (the Windows Update Standalone Installer), which is built into most versions of Windows.  You can find out more about wusa here:

The first thing I did was download the hotfix and store the resulting .msu file on my SCCM server where I normally keep all of my application source files.

Next up, I chose to create a new Application:

  1. Select to ‘Manually specify the application information’
    1 - Manually specify app info
  2. Complete the ‘General Information’ screen to your tastes…
    2 - General Info
  3. I chose to leave the ‘Application Catalog’ screen at the defaults as I will not be making this available to the catalog; rather it will be a required device deployment.
    3 - App Catalog
  4. Click the ‘Add’ button so that we can add a new deployment type.
    4 - Deployment Type - Add
  5. Select ‘Script Installer’ and ‘Manually specify the deployment type information’
    5 - Script Installer
  6. For the General Information screen, complete any fields with the appropriate information.  I chose to add ‘x64’ in the name as I downloaded the x64 msu so this deployment type will be for x64 computers only.  Later, you could add a x86 deployment type if you needed to.
    6 - General Info
  7. Browse to where you have stored your msu file and then add the following for the:
    Installation Program:

    wusa.exe "nameOfTheMsu.msu" /quiet /norestart

    Uninstall Program:

    wusa.exe /uninstall "nameOfTheMsu.msu" /quiet /norestart

    * Note that I chose to suppress reboots.
    * Note that the screenshot below will look slightly different to yours as you go through the new application wizard as I made a typo in my original screenshot and fixed it after the application was complete – this gives you a slightly different view but essentially it’s the same.

  8. Click the ‘Add Clause’ button
    8 - Add Clause
  9. This is where we will add our detection rule.  In this instance, I looked at the KB article from Microsoft for this particular msu and it showed me the name of the file that would be changed along with the new version number of the changed file.  You will find this information on most hotfix KB’s:
    9 - Detection Rule - Finding out version numbers
  10. Here’s the current version on one of our affected computers…as you can see, the version number is older than the one listed in the hotfix (Step 9 above):
    10 - Current Location and version
  11. Now we know what to look for, the detection rule is easy.  Here’s what my resulting rule looked like which is based on the Microsoft KB:
    11 - Detection Rule
  12. Click next!
    12 - Detection Method Complete
  13. Change the user experience to ‘Install for system’ and ‘Whether or not a user is logged on’ (As I will be making this a required device deployment.)
    13 - User Experience
  14. Click the Add button for our system requirement
    14 - Add Requirements
  15. I simply chose all Windows 7 x64 computers as that is what this particular msu applies to:
    15 - Create Req
  16. The completed requirement:
    16 - Completed req
  17. I did not have any dependencies to add so I clicked next.
    17 - Dependencies
  18. Take a look at the Summary screen:
    18 - Deployment Summary
  19. We have success!
    19 - Deployment Type Success
  20. At this point, we could add a secondary deployment type if we were going to deploy the x86 version of this MSU by clicking the add button.  I am not so I clicked next.
    20 - Next
  21. Another Summary:
    21 - Summary
  22. And we’re done.
    22 - Completion

All that’s left is to upload this to your distribution point and deploy it to your computer collection.

That’s it!
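The file-version rule from steps 9 to 11 can also be written as a script-based detection clause, as the update note at the top suggests. The script below is an added example, not the author's own; the KB id, file name and version are placeholders to be replaced with the values from the hotfix KB article, and `Test-HotfixInstalled` is a hypothetical helper name.

```powershell
# Script-based detection clause for a ConfigMgr application deployment type.
# ConfigMgr interprets the result as follows:
#   exit code 0 and output on STDOUT -> installed
#   exit code 0 and no output        -> not installed
#   non-zero exit code               -> detection failed

# Placeholders (assumptions): take the real values from the hotfix KB article.
$KbId          = 'KBXXXXXXX'
$TargetFile    = Join-Path $env:windir 'System32\example.dll'  # hypothetical file
$TargetVersion = [version]'6.1.0.0'                             # constructed value

function Test-HotfixInstalled {
    param([string]$Id, [string]$Path, [version]$MinimumVersion)

    # Check 1: the KB is listed by Get-HotFix (Win32_QuickFixEngineering).
    # Not every update appears there, so this is not the only check.
    if (Get-HotFix -Id $Id -ErrorAction SilentlyContinue) { return $true }

    # Check 2: the patched file is at or above the hotfix version, so a later
    # update that replaces the file again still counts as installed.
    if (Test-Path -LiteralPath $Path) {
        $info = (Get-Item -LiteralPath $Path).VersionInfo
        # Build the version from the numeric parts; the FileVersion string
        # can carry extra text that does not parse as a version.
        $actual = New-Object System.Version -ArgumentList `
            $info.FileMajorPart, $info.FileMinorPart,
            $info.FileBuildPart, $info.FilePrivatePart
        return ($actual -ge $MinimumVersion)
    }
    return $false
}

if (Test-HotfixInstalled -Id $KbId -Path $TargetFile -MinimumVersion $TargetVersion) {
    Write-Output 'Installed'
}
exit 0
```

The script writes nothing when the hotfix is absent, which is what ConfigMgr reads as "not installed".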


  1. The detection method on the file version is a good idea in theory, however when Microsoft releases an update to this file in a future update ConfigMgr will try and remediate the machine by re-running the installation command which will fail as the update is already installed.

    Using PowerShell to detect the hotfix code like this as a script may be better:
    Get-WmiObject -Class Win32_QuickFixEngineering -Property HotFixId -Filter "HotFixID = 'KBXXXXXXX'"

    • That is one method, although Win32_QuickFixEngineering only detects certain updates. I personally have never been caught out by this in the last 5 years – you could simply use supersedence on the updated hotfix, which would also have an incremented version number to detect, or use greater than or equal to in your detection method if you think it might be updated via Windows Updates. However, if you want to be specific using PowerShell, you could further simplify the WMI call you suggested to this: Get-HotFix -Id "KBXXXXXXX" (Get-HotFix is a wrapper for Win32_QuickFixEngineering), although as mentioned above you would need to test, as not all updates are detected with this method.

  2. I followed this as best I could. The package showed up on my 2 test servers but DID NOT install. It stated that it was. Auditing the files that should have been updated verified that the Hotfix did not run. Where is the problem? I used wusa.exe to exploit the Hotfix as described.

  3. What does your AppDiscovery log show? What does AppEnforce show? Do you have any maintenance windows that could have interfered? Both of those logs should give you some direction as to what happened, either an error or maybe it thinks it's installed already?

  4. I just wanted to let you know that this worked flawlessly for me! Thank you so much for all the work you put in to this and sharing it! 🙂

  5. Can you create this same package with multiple hotfixes, or do you have to create a package for each of the hotfixes? How do you create a package (or is it possible) to include several hotfixes at one time?

    • In step 20 – you could choose to create another deployment type at this stage. You don’t have to do it at this point though, you could choose to do it after you have finished the application. As for multiple msu’s you could use a powershell script or batch file I guess. Personally, I would separate them into their own apps.

      • I did end up creating separate apps for each of them. Time consuming, but I guess it makes more sense, if something “breaks” to narrow down the cause…

        Thanks for the input!

  6. Having some problems with this method. I can see the windows update stand alone installer running in the process details, but it doesn’t seem to actually be doing anything. This is ver 1607.
    Also, I could not find the name of the file that would be changed, or any identifying information on kb3189866. I did try using a powershell script that looked for that kb, it looked like this:
    get-hotfix -id KB974332

    However, I don’t think there is enough there. Any help would be appreciated.

    • Hi, I will use your example as a new post on deploying and detecting via Powershell in order to keep the whingers happy. I’ll try to post it this week depending on work commitments. As a side note, is your powershell detection looking for the correct KB as your post details two different ones: kb3189866 and KB974332

  7. The installation syntax is good but I would definitely use the “get-hotfix” command in a Powershell script for the presence of the KB. Then make that a “script-based” detection clause. Like This:

    get-hotfix | Where-Object {$_.HotFixID -match "KBNUMBER"}

    • Hi, You don’t need the where-object part of your powershell statement as detailed in a previous comment of mine. You can simply write: get-hotfix kbxxxxxxx Yes, you can use powershell as well. There are many ways to skin a cat as they say. If I have time I will update the post to include the alternative method as I get many posts banging on about it.

  8. Hi, Install works like a dream but removal fails almost immediately. It uninstalls if I run the uninstall command via CMD.

    error in SC – The software change returned error code 0x8000FFFF(-2147418113).

    Error in Appenforce.log Unmatched exit code (2147549183) is considered an execution failure.
