9 Replies Latest reply on Nov 5, 2012 7:38 AM by mjmitchell

    Windows Hotfix .msu

    farmer

      I know .msu files are not directly supported by Patch Manager but they can be used with a little modification.  I've referenced this article - http://thwack.solarwinds.com/thread/49904 but I can't seem to have any success.  I have a particular Windows hotfix I need to deploy and it comes as a .msu file.

       

      Supposedly, the new way to install a hotfix via a command is to take advanced of the wusa.exe program - http://support.microsoft.com/kb/934307/en-US

       

      I need to create a new package to install this hotfix.  I followed the article but I'm getting the error -

       

      Download failed. The signature of the certificate cannot be verified Error Code: 0x80096004

       

      My WSUS certificates are installed on all my clients so it's not related to that.  I can push other updates just fine to all of my clients but I cannot install this hotfix to any of my clients.  I also tried choosing the wusa.exe program and adding the .msu file as an option but I still get the same error.  Has anyone successfully set up a hotfix?  If so, would you please describe how you did it.  Thanks!

        • Re: Windows Hotfix .msu
          Lawrence Garvin

          When did you create the WSUS signing certificate?

          Have you installed KB2720211, and if so, before or after creating the WSUS signing certificate?

          Have you deployed KB2661254 to your client systems?

            • Re: Windows Hotfix .msu
              farmer

              Thank you for replying, Lawrence.

               

              I figured out the certificate problem.  Apparently the WSUS signing certificate became corrupt somehow and the clients, including my patch manager server, couldn't verify it.  I created a new WSUS signing certificate, deployed it to all my clients, and I'm not getting that error again.

               

              Do you have any notes on how to install a hotfix?  This is probably the only time I'll ever have to push a hotfix.  Thanks!

                • Re: Windows Hotfix .msu
                  Lawrence Garvin

                  The hotfix question has come up on several occasions, and there are actually several methodologies that can be used. The thread you cited is probably the most comprehensive overview of the options available.

                   

                  PackageBoot is really your friend in this endeavor, and one way to approach this problem is by packaging the MSU in a self-extracting EXE and making that the core component of your package. When the self-extracting EXE completes and returns a success code, you can then use a post-installation Run Program event to execute WUSA and install the MSU. The default PackageBoot template has an example of how to invoke WUSA in a post-execution event.

                    • Re: Windows Hotfix .msu
                      farmer

                      Thank you, Lawrence.

                       

                      I used WinRAR to create an SFX archive of the .msu file.  I configured the SFX archive to run wusa.exe to apply the .msu after extraction.  If anyone is looking to do this, I have verified creating an SFX archive DOES work for hotfixes.  Thanks!

                        • Re: Windows Hotfix .msu
                          mjmitchell

                          Thanks for the information.  I've downloaded WinRAR, created the SFX archive and configured my SFX archive for silent extraction.  I've setup my Package Boot with the built-in template for WUSA; however when I deploy in my test environment what happens is the SFX file (actually the .exe inside of it) keeps spawning itself and I end up with hundreds of .exe files in Task Manager which eventually crashes my computer or causes me to reboot.  Can you tell me if you do anything special in WinRAR when creating the archive (silent install; extract location options, etc.)?  How about in Package Boot.  Are you making any changes to their default template for WUSA (other than the .msu name?)?  I'm confused about the %MODULEPATH% variable also.  I've never seen that before and I don't know what it means.  Thanks!

                            • Re: Windows Hotfix .msu
                              mjmitchell

                              I think I misread your post.  I believe you are bypassing Package Boot by iniating the WUSA.exe right from the SFX archive?  That makes it a lot cleaner.  I haven't found a hotfix that is actually applicable to my system to test, but it looks promising.

                                • Re: Windows Hotfix .msu
                                  mjmitchell

                                  This seems to work for deploying Microsoft Hotfixes:

                                   

                                  1. Download the hotfix from Microsoft (they will email you link).
                                  2. Extract the download to a folder.  It will create a .msu file.
                                  3. If you don't have WinRAR, download and install it.  Rght click the .msu file and select the option to open it in WinRAR ("Add to archive..").
                                  4. On the General tab, select the checkbox "Create SFX archive".
                                  5. On the Advanced tab, select the SFX options... button:

                                   

                                                  General tab: Path to extract: %SYSTEMROOT% (or directory of your choice)

                                                  Setup tab: Run after extraction: %SYSTEMROOT%\System32\WUSA.exe %SYSTEMROOT%\<msuname.msu> /quiet

                                                  Modes tab: Hide all

                                                  Update tab: Extract and replace files; Overwrite all files

                                   

                                  You now have an EXE that can be deployed with Eminentware/PackageManager as a single EXE without any parameters and without Package Boot.

                            • Re: Windows Hotfix .msu
                              Lawrence Garvin

                              Since this thread still thrives.... on Tuesday Microsoft published KB2773898 which discusses how to extract the CAB file from an MSU package and install it using DISM. The purpose of the KB article was to talk about how to handle remote installation of MSUs using WUSA, which cannot be executed directly through WinRS because of authorization issues.

                               

                              From the KB article:

                               

                              Extract the .msu file through Windows Remote Shell with WUSA using the following command:

                               

                              winrs.exe -r:<computername> wusa.exe <update> /extract:<destination>

                               

                              When complete, install the .cab package with dism.exe or Package Manager. To use dism.exe, use the command below:

                               

                              winrs.exe -r:<computername> dism.exe /online /add-package /PackagePath:<Path_To_Package>\KBnnnnnnn.cab


                              What's key here is the local portion of the second command:


                              dism.exe /online /add-package /PackagePath:<Path_To_Package>\KBnnnnnnn.cab


                              So, in addition to self-extracting archives, and auto-executing WUSA, another option may be to run DISM.EXE against the CAB file directly.