Ora

How Do I Deploy an MSU File Through Intune?

Published in Intune Win32 App Deployment 7 mins read

Deploying an MSU (Microsoft Update Standalone Package) file through Intune involves converting it into a Win32 application and then configuring its deployment in the Microsoft Intune admin center. This method allows for silent, managed installation of critical updates, hotfixes, or feature packs across your organization's Windows devices.

What is an MSU File?

An MSU file is a self-contained package that installs Windows updates. These files are commonly downloaded from the Microsoft Update Catalog and contain updates that might not be available through standard Windows Update channels or are needed for offline installation.

Key Steps to Deploy an MSU File via Intune

To successfully deploy an MSU file using Intune, you'll follow a four-stage process:

  1. Obtain the MSU File: Download the necessary update package from a reliable source.
  2. Prepare for Intune: Convert the MSU file into the .intunewin format using the Microsoft Win32 Content Prep Tool.
  3. Upload and Configure in Intune: Add the .intunewin application to the Intune admin center and define its installation parameters, requirements, and detection rules.
  4. Assign the Application: Distribute the application to your target user or device groups.

Step 1: Obtain the MSU File

The first step is to download the specific Windows update package you intend to deploy.

  • Microsoft Update Catalog: Navigate to the Microsoft Update Catalog.
  • Search: Use the search bar to find the specific update you need by its KB number (e.g., "KB5005033") or a description (e.g., "Windows 10 21H2 cumulative update").
  • Download: Once you locate the correct update for your target architecture (x64, x86, ARM64) and Windows version, click the Download button. This will provide you with the .msu file.

Step 2: Prepare the MSU for Intune (Win32 App Packaging)

Intune requires applications to be packaged in the .intunewin format for Win32 app deployment. You'll use the Microsoft Win32 Content Prep Tool for this conversion.

Download the Win32 Content Prep Tool

Convert the .msu File to .intunewin

  1. Create a Source Folder: Place your downloaded .msu file into a dedicated source folder (e.g., C:\IntuneApp\Source). This folder should contain only the MSU file and any other necessary support files.

  2. Create an Output Folder: Create an empty folder where the .intunewin file will be generated (e.g., C:\IntuneApp\Output).

  3. Run the Tool: Open an elevated PowerShell or Command Prompt window, navigate to the directory where you saved the IntuneWinAppUtil.exe tool, and run it.

    .\IntuneWinAppUtil.exe

  4. Follow the Prompts: The tool will guide you through the process:

    • Source Folder: Enter the path to your source folder (e.g., C:\IntuneApp\Source).
    • Setup File: Enter the name of your MSU file (e.g., windows10.0-kb1234567-x64.msu).
    • Output Folder: Enter the path to your output folder (e.g., C:\IntuneApp\Output).
    • Catalog File: When prompted "Do you want to specify a catalog folder?", type N (for No) unless you have a specific reason to include one.

    The tool will then convert the .msu file into an .intunewin package in your specified output folder.

Step 3: Upload and Configure the Win32 App in Intune

Now that you have your .intunewin package, you can upload it to Intune and configure its deployment settings.

  1. Access Intune Admin Center: Go to the Microsoft Intune admin center.

  2. Navigate to Apps: Select Apps > All apps > + Add.

  3. Select App Type: Under "Other app types," choose Windows app (Win32) and click Select.

  4. App Package File:

    • Click Select app package file.
    • Click the folder icon and browse to your generated .intunewin file.
    • Click OK.

  5. App Information:

    • Name: Provide a descriptive name (e.g., "Windows 10 22H2 KB1234567 Cumulative Update").
    • Description: Briefly explain the update's purpose.
    • Publisher: Microsoft
    • Category: (Optional) Select an appropriate category.
    • Show this as a featured app in the Company Portal: (Optional) Set to No for updates.
    • Logo: (Optional) Upload a logo.
    • Click Next.

  6. Program: This is where you define how the MSU file will be installed.

    Setting Value Example Explanation
    Install command wusa.exe "windows10.0-kb1234567-x64.msu" /quiet /norestart wusa.exe is the Windows Update Standalone Installer. /quiet ensures silent installation. /norestart prevents an immediate reboot.
    Uninstall command wusa.exe /uninstall /kb:1234567 /quiet /norestart To uninstall, specify the KB number. Note that not all MSU files can be easily uninstalled, and some might require a restart.
    Install behavior System Most updates should install in the system context.
    Device restart behavior No specific action Recommended with /norestart. You can configure a separate Intune restart policy if a reboot is desired later.
    Specify post-installation restart behavior Determine behavior based on return codes This is generally the best option, allowing the update to dictate if a restart is needed.
    Return codes (Default values are usually sufficient) 0 (Success), 1707 (Success), 3010 (Success on restart), 1641 (Hard reboot needed)

    Click Next.

  7. Requirements: Define the operating system and architecture for the update.

    • Operating system architecture: Select 64-bit or 32-bit as appropriate for your MSU.
    • Minimum operating system: Select the minimum Windows version required (e.g., Windows 10 21H2).
    • Click Next.

  8. Detection Rules: This is critical for Intune to determine if the application has been successfully installed on the device.

    • Rules format: Select Manually configure detection rules.
    • + Add: Click to add a rule.
    • Rule type: Select MSI if the MSU update registers as an MSI package (less common), or File or Registry which are more robust for MSU files.

    Example Detection Rule (Registry Key)

    Most MSU updates will create or modify a registry key. A common place to check is the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages hive.

    • Rule type: Registry
    • Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages
    • Value name: Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.1234.1.5 (This is an example; the exact value will vary by KB. You can find this by installing the MSU on a test machine and then checking the registry.)
    • Detection method: Key exists or String comparison if you know a specific value it sets.
    • Click OK and then Next.

  9. Dependencies: (Optional) If your MSU has prerequisites, define them here. Click Next.

  10. Supersedence: (Optional) If this update supersedes an older one, configure it here. Click Next.

  11. Assignments: Assign the application to the appropriate user or device groups.

    • Required: The app will automatically install on devices in the selected groups.
    • Available for enrolled devices: Users can install the app from the Company Portal.
    • Uninstall: The app will be uninstalled from devices in the selected groups.

    For updates, Required is typically used.
    Click Next.

  12. Review + create: Review all your settings and click Create to add the application to Intune.

Step 4: Assign the Application

After creating the application, ensure it's assigned to the correct groups for deployment. If you already did this in Step 11, you're all set. Otherwise:

  1. From the Apps > All apps list, select your newly created MSU application.
  2. Go to Properties > Assignments > Edit.
  3. Add the desired groups under Required, Available for enrolled devices, or Uninstall, then Review + save.

Practical Insights and Troubleshooting

  • Test Locally: Before packaging, test your wusa.exe install command on a local test machine to ensure it runs silently and successfully.
  • Detection Rule Accuracy: The accuracy of your detection rule is paramount. If Intune cannot detect the app, it will continuously try to reinstall it. Spend time verifying the registry key or file path on a test machine after a successful manual installation.
  • Log Files: For troubleshooting Win32 app deployments, check the IntuneManagementExtension.log file located at C:\ProgramData\Microsoft\IntuneManagementExtension\Logs on the client device. This log provides detailed information on the download, execution, and detection of your Win32 app.
  • Restart Behavior: Decide carefully how you want to handle reboots. While /norestart prevents immediate reboots, many updates require a reboot to fully apply. Consider using Intune's built-in device restart experience or a separate script to prompt users for a restart after a successful update installation.
  • Deployment Monitoring: Monitor the deployment status in the Intune admin center under Apps > All apps > [Your App Name] > Device install status or User install status to track progress and identify any failures.

By following these steps, you can effectively deploy MSU files to your Windows devices using Microsoft Intune, ensuring your systems are kept up-to-date and secure.

← Previous Article
What is Fishbowl Slang?
Next Article →
How to Install a Pen Tablet?