How to Deploy Windows Update Packages With Intune

Let's deploy Windows Update Packages with Intune

In this article, I'll cover the deployment of Microsoft Update Packages via Intune Win32 Apps. I'll use the 2023-08 Cumulative Update for Windows Version 22H2 for x64-based Systems (KB5029244) in this article. You can download these update packages from the Microsoft Update Catalog. Anything done in this article should be applicable to any update package.

The filename of the update package I'll be using in this article is windows10.0-kb5029244-x64_fb8cdde229cf17755c2c890a12e0e8f252dd38c0.msu. If you use a different update, just replace the filename I use with your own.

Step 1 - Download your update package

Head over to the Microsoft Update Catalog and download the update you are looking to deploy.

Step 2 - Package the file to a *.intunewin format

Using the Microsoft Content Prep Tool (MCPT), we can package the file into a format Intune can use. I'm going to use the GUI for this, but the commands are self-explanatory.

Put your update package into a source folder somewhere. I stored mine in the C:\w\updates\kb5029244 directory.
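
Because the package will be installed as System on every assigned device, it is worth checking the download before packaging it. The PowerShell below is an added example, not part of the original article; it assumes the 40-hex-character suffix in the catalog file name is the file's SHA-1 digest and that Get-AuthenticodeSignature can validate .msu files on your workstation, and Test-UpdatePackage is a hypothetical helper name.

```powershell
# Added example: verify a Microsoft Update Catalog download before packaging it.
# Path and file name are the ones used in this article; change them for your update.
$Path = 'C:\w\updates\kb5029244\windows10.0-kb5029244-x64_fb8cdde229cf17755c2c890a12e0e8f252dd38c0.msu'

function Test-UpdatePackage {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $problems = @()

    # Assumption: the 40 hex characters after the last "_" are the file's SHA-1.
    if ($file.BaseName -match '_([0-9a-fA-F]{40})$') {
        $expected = $Matches[1]
        $actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA1).Hash
        if ($actual -ne $expected) {   # -ne ignores case for strings
            $problems += "SHA-1 mismatch: name says $expected, file is $actual"
        }
    } else {
        $problems += 'No 40-character hash suffix in the file name'
    }

    # The Authenticode signature is the stronger check: it must validate and
    # the signer must be Microsoft.
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
    if ($sig.Status -ne 'Valid') {
        $problems += "Signature status is $($sig.Status): $($sig.StatusMessage)"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $problems += "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    [pscustomobject]@{
        File     = $file.Name
        Sha256   = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        Trusted  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

$result = Test-UpdatePackage -Path $Path
$result | Format-List
if (-not $result.Trusted) { throw 'Do not package or deploy this file.' }
```

The SHA-256 value in the output is there so you can record exactly which file went into the .intunewin package.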

Use the MCPT to package the contents of the folder (C:\w\updates\kb5029244). Here are the commands I used:

Source folder = C:\w\updates\kb5029244
Setup file = C:\w\updates\kb5029244\windows10.0-kb5029244-x64_fb8cdde229cf17755c2c890a12e0e8f252dd38c0.msu
Output folder = C:\w\updates\kb5029244
Catalog folder = n


Running the commands above stores the windows10.0-kb5029244-x64_fb8cdde229cf17755c2c890a12e0e8f252dd38c0.intunewin file in the C:\w\updates\kb5029244 directory.

Step 3 - Writing a detection script

This is required to detect whether or not the update is already installed. Open up a notepad.exe instance or PowerShell ISE and copy and paste the following code:

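$Result = systeminfo.exe | findstr KB5029244
if ($Result) {  # update already installed
  # Intune reports "detected" only when the exit code is 0 AND STDOUT has data
  Write-Output "Update detected"
  exit 0
} else {  # update not installed, install update
  exit 1
}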

Change the findstr KB5029244 to whatever the KB number of your update package is.

Now let's head over to the Intune portal (endpoint.microsoft.com, or intune.microsoft.com).

Step 4 - Configuring the Win32 App

  • Navigate to Apps -> All apps -> click Add -> select Windows app (Win32)
  1. Under App information
    • Set Name to something according to your environment. For this example, I set it to 2023-08 Cumulative Update for Windows Version 22H2 for x64-based Systems
    • Set Description to something according to your environment.
    • Set Publisher to Microsoft when deploying update packages.
    • Other settings are optional. Set them according to your environment.
  2. Under Program
    • Set Install command to: wusa.exe .\<package_name>.msu /quiet /norestart -Wait
      • In my case, the install command was:
      wusa.exe .\windows10.0-kb5029244-x64_fb8cdde229cf17755c2c890a12e0e8f252dd38c0.msu /quiet /norestart -Wait
      
    • Set Uninstall command to: wusa.exe /uninstall /kb:<kb_number> /quiet
      • In my case, the uninstall command was:
      wusa.exe /uninstall /kb:5029244 /quiet
      
    • Set Install behavior to System
    • Set the rest of the settings according to your environment.
  3. Under Requirements
    • Set the Operating system architecture, Minimum operating system, and any other settings here according to your environment.
  4. Under Detection rules
    • Set Rules format to Use a custom detection script
    • Under Script file upload the detection script we made earlier.
    • Set the other options as needed by your environment.
  5. Under Dependencies
    • Set dependencies as needed by your environment.
  6. Under Supersedence
    • Same as dependencies, set as needed.
  7. Under Assignments
    • Assign the groups you want to install the update to, and configure the various settings associated with them, like the Delivery optimization priority, Availability, etc.
  8. Review + Create
    • Self-explanatory, make sure everything is right and then hit the Create button.

Now your update should deploy to the groups you assigned. It will be installed silently in the background.