
Windows Hotfix .msu

I know .msu files are not directly supported by Patch Manager but they can be used with a little modification.  I've referenced this article - http://thwack.solarwinds.com/thread/49904 but I can't seem to have any success.  I have a particular Windows hotfix I need to deploy and it comes as a .msu file.

Supposedly, the new way to install a hotfix via a command is to take advantage of the wusa.exe program - http://support.microsoft.com/kb/934307/en-US

I need to create a new package to install this hotfix.  I followed the article but I'm getting the error -

Download failed. The signature of the certificate cannot be verified Error Code: 0x80096004

My WSUS certificates are installed on all my clients so it's not related to that.  I can push other updates just fine to all of my clients but I cannot install this hotfix to any of my clients.  I also tried choosing the wusa.exe program and adding the .msu file as an option but I still get the same error.  Has anyone successfully set up a hotfix?  If so, would you please describe how you did it.  Thanks!

  • When did you create the WSUS signing certificate?

    Have you installed KB2720211, and if so, before or after creating the WSUS signing certificate?

    Have you deployed KB2661254 to your client systems?

  • Thank you for replying, Lawrence.

    I figured out the certificate problem.  Apparently the WSUS signing certificate became corrupt somehow and the clients, including my patch manager server, couldn't verify it.  I created a new WSUS signing certificate, deployed it to all my clients, and I'm not getting that error again.

    Do you have any notes on how to install a hotfix?  This is probably the only time I'll ever have to push a hotfix.  Thanks!

  • The hotfix question has come up on several occasions, and there are actually several methodologies that can be used. The thread you cited is probably the most comprehensive overview of the options available.

    PackageBoot is really your friend in this endeavor, and one way to approach this problem is by packaging the MSU in a self-extracting EXE and making that the core component of your package. When the self-extracting EXE completes and returns a success code, you can then use a post-installation Run Program event to execute WUSA and install the MSU. The default PackageBoot template has an example of how to invoke WUSA in a post-execution event.

  • Thank you, Lawrence.

    I used WinRAR to create an SFX archive of the .msu file.  I configured the SFX archive to run wusa.exe to apply the .msu after extraction.  If anyone is looking to do this, I have verified creating an SFX archive DOES work for hotfixes.  Thanks!

  • Thanks for the information.  I've downloaded WinRAR, created the SFX archive and configured my SFX archive for silent extraction.  I've set up my Package Boot with the built-in template for WUSA; however, when I deploy in my test environment what happens is the SFX file (actually the .exe inside of it) keeps spawning itself and I end up with hundreds of .exe files in Task Manager which eventually crashes my computer or causes me to reboot.  Can you tell me if you do anything special in WinRAR when creating the archive (silent install; extract location options, etc.)?  How about in Package Boot?  Are you making any changes to their default template for WUSA (other than the .msu name?)?  I'm confused about the %MODULEPATH% variable also.  I've never seen that before and I don't know what it means.  Thanks!

  • I think I misread your post.  I believe you are bypassing Package Boot by initiating the WUSA.exe right from the SFX archive?  That makes it a lot cleaner.  I haven't found a hotfix that is actually applicable to my system to test, but it looks promising.

  • This seems to work for deploying Microsoft Hotfixes:

    1. Download the hotfix from Microsoft (they will email you a link).
    2. Extract the download to a folder.  It will create a .msu file.
    3. If you don't have WinRAR, download and install it.  Right-click the .msu file and select the option to open it in WinRAR ("Add to archive...").
    4. On the General tab, select the checkbox "Create SFX archive".
    5. On the Advanced tab, select the SFX options... button:

       • General tab: Path to extract: %SYSTEMROOT% (or directory of your choice)
       • Setup tab: Run after extraction: %SYSTEMROOT%\System32\WUSA.exe %SYSTEMROOT%\<msuname.msu> /quiet
       • Modes tab: Hide all
       • Update tab: Extract and replace files; Overwrite all files

    You now have an EXE that can be deployed with Eminentware/PackageManager as a single EXE without any parameters and without Package Boot.

  • Since this thread still thrives.... on Tuesday Microsoft published KB2773898 which discusses how to extract the CAB file from an MSU package and install it using DISM. The purpose of the KB article was to talk about how to handle remote installation of MSUs using WUSA, which cannot be executed directly through WinRS because of authorization issues.

    From the KB article:

    Extract the .msu file through Windows Remote Shell with WUSA using the following command:

    winrs.exe -r:<computername> wusa.exe <update> /extract:<destination>

    When complete, install the .cab package with dism.exe or Package Manager. To use dism.exe, use the command below:

    winrs.exe -r:<computername> dism.exe /online /add-package /PackagePath:<Path_To_Package>\KBnnnnnnn.cab


    What's key here is the local portion of the second command:


    dism.exe /online /add-package /PackagePath:<Path_To_Package>\KBnnnnnnn.cab


    So, in addition to self-extracting archives, and auto-executing WUSA, another option may be to run DISM.EXE against the CAB file directly.
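
The extract-then-DISM route described in the post above, run locally on the target, as an added example that is not part of the original thread or of KB2773898. It assumes wusa.exe on the target accepts the /extract switch as quoted from the KB, and it adds an Authenticode check on the extracted CAB before installing; the parameter names and scratch folder are placeholders.

```powershell
# Added example (not from the thread or KB2773898). Paths are placeholders;
# run from an elevated prompt on the machine being patched.
param(
    [Parameter(Mandatory)] [string] $MsuPath,                 # e.g. C:\Staging\<msuname.msu>
    [string] $WorkDir = (Join-Path $env:TEMP 'msu-extract')   # assumed scratch folder
)
$ErrorActionPreference = 'Stop'

# 1. Extract the MSU with the /extract switch quoted from the KB article.
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$wusa = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
    -ArgumentList "`"$MsuPath`"", "/extract:`"$WorkDir`"" -Wait -PassThru
if ($wusa.ExitCode -ne 0) { throw "wusa /extract failed with exit code $($wusa.ExitCode)" }

# 2. The MSU also carries WSUSSCAN.cab (scan metadata); only the payload CAB is installed.
#    If more than one payload CAB is present, stop rather than guess which to apply.
$cabs = @(Get-ChildItem -Path $WorkDir -Filter '*.cab' |
    Where-Object { $_.Name -ne 'WSUSSCAN.cab' })
if ($cabs.Count -ne 1) { throw "Expected one payload CAB, found $($cabs.Count)" }
$cab = $cabs[0]

# 3. Refuse to install a payload whose Authenticode signature does not validate.
$sig = Get-AuthenticodeSignature -FilePath $cab.FullName
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for $($cab.Name): $($sig.Status) $($sig.StatusMessage)"
}
Write-Output "Signed by: $($sig.SignerCertificate.Subject)"

# 4. Install with the local DISM command from the post, silently and without auto-restart.
$dism = Start-Process -FilePath "$env:SystemRoot\System32\dism.exe" `
    -ArgumentList '/Online', '/Add-Package', "/PackagePath:`"$($cab.FullName)`"", '/Quiet', '/NoRestart' `
    -Wait -PassThru

switch ($dism.ExitCode) {
    0       { Write-Output 'Installed; no restart needed.' }
    3010    { Write-Output 'Installed; restart required to finish.' }
    default { throw "dism failed with exit code $($dism.ExitCode)" }
}
```

Checking the signer subject in the output against the expected publisher gives a second confirmation that the staged file is the hotfix that was downloaded.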



  • Thanks for the information about Microsoft's article.  There's more than one way to skin a cat, and it's nice to have options!  Thanks again!!