Edit

Deploy Windows update packages in Intune

  • Article

If you want to deploy a specific Windows update package (.msu file) to Windows 10/11 devices managed by Intune, you can use the Intune Win32 app management capabilities to deploy an .msu file as a Win32 app.

The following steps help you deploy a Windows update package to Intune.

Step 1: Prepare the update package as Win32 app content

  1. Download the Windows update package by searching on Microsoft Update Catalog.
  2. Use the Microsoft Win32 Content Prep Tool to convert the .msu file into the .intunewin format. This tool will guide you to input the required parameters in a step-by-step process if you don't specify the parameters in the command-line. For more information about the Microsoft Win32 Content Prep Tool, see Convert the Win32 app content.

Step 2: Create the Win32 app

  1. Sign in to the Microsoft Intune admin center.

  2. Select Apps > All apps > Add.

  3. In the Select app type pane, under Other app types, select Windows app (Win32).

  4. Click Select, locate the Add app pane, and then select Select app package file.

  5. In the App package file pane, select the .intunewin file, and then select OK.

  6. On the App information page, add the details for your app.

  7. On the Program page, specify the following installation and removal commands for the app:

    Install command:

    wusa.exe <full path of the .msu file> /quiet /norestart -Wait

    For example, if the windows10.0-kb5031356-x64_65d5bbc39ccb461472d9854f1a370fe018b79fcc.msu file is in the current folder, type the following command in Install command:

    wusa.exe .\windows10.0-kb5031356-x64_65d5bbc39ccb461472d9854f1a370fe018b79fcc.msu /quiet /norestart -Wait

    Uninstall command:

    dism /online /remove-package /PackageName:<package name> /Quiet /NoRestart

    For example, if the Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.3570.1.0 is the package name for the Windows update package, type the following command in Uninstall command. About how to check the package name to be used in Uninstall command, see Uninstalling Windows updates on managed devices using Intune.

    dism /online /remove-package /PackageName:Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.3570.1.0 /Quiet /NoRestart

    The following image provides an example of the Program page:

    Example of editing commands.

    Use the /quiet switch to run Wusa.exe in quiet mode without user interaction. Use the /norestart switch to prevent Wusa.exe from restarting the computer. For more information about Wusa.exe, see Description of the Windows Update Standalone Installer in Windows.

    The -Wait option is used to make sure that the app installation returns after Wusa.exe exits.

  8. On the Requirements page, specify the requirements that devices must meet before the app is installed.

    Minimum operating system: Select the minimum operating system that is required to apply the update.

    To specify additional requirements, such as build number and Update Build Revision (UBR), select Add to display the Add a Requirement rule pane.

    For example, to install the app on only devices that are running Windows 10, version 1903, build 18362, UBR less than 329, select Registry as the Requirement type, and then specify the following rules:

    • Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    • Value name: CurrentBuildNumber
    • Registry key requirement: String comparison
    • Operator: Equals
    • Value: 18362
    • Associated with a 32-bit app on 64-bit clients: No

    Screenshot of build 18362 example.

    • Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    • Value name: UBR
    • Registry key requirement: Integer comparison
    • Operator: Less than
    • Value: 329
    • Associated with a 32-bit app on 64-bit clients: No

    Screenshot of UBR less than 329 example.

  9. On the Detection rules page, select Use a custom detection script as the Rules format.

    Example:

    Screenshot of Detection rules example.

    Sample script file (DetectKB.ps1):

    $sysinfo = systeminfo.exe
$result = $sysinfo -match KB<KB number>

if ($result)
 {
    Write-Output "Found KB<KB number>"
    exit 0
 }
 else
 {
    exit 1
 }

  10. Specify assignments for the app.

  11. Review your settings, and then select Create to add the app to Intune.

Step 3: Deploy the app

Assign the app to groups.

Next steps