Windows OS Hub

February 20, 2024

Deploying Third Party Software Updates with WSUS

The on-premises WSUS (Windows Server Update Services) server can be used not only to deploy updates for Microsoft products (Windows, Office) but also to centrally install and update any third-party software.

Third-party software on Windows networks is typically installed in one of the following ways: MSI-packaged apps are deployed using GPO, logon scripts, or separate products such as ConfigMgr (SCCM). However, you can also use your WSUS update server to install, update, or uninstall any third-party software on users’ computers (for example, 7-Zip, Adobe Reader, Java, browsers, drivers, or BIOS/UEFI firmware).

WSUS doesn’t support third-party software by default, but any update package/script can be published and distributed through WSUS using the open WSUS API. In this article, we’ll look at how to use the open-source WSUS Package Publisher to create an installation (update) package for any application, publish it to WSUS, approve it for installation on domain computers, and track its deployment status.

Contents:
  • How to Install and Configure WSUS Package Publisher
  • Create a Custom Third-Party Update Package to Deploy via WSUS

How to Install and Configure WSUS Package Publisher

Advantages of WSUS Package Publisher:

  • WSUS integration: allows you to use the WSUS infrastructure and existing update distribution groups;
  • You can create WSUS update packages from MSI/MSP files, EXE files, or your custom scripts;
  • Allows you to track the results of the software update installation on computers.

We assume that you have already installed and configured the WSUS Update Server role on Windows Server, installed the .NET Framework 3.5 (or newer), and created a GPO to point Windows clients to the WSUS server.

  1. Download the WSUS Package Publisher binary archive from GitHub (https://github.com/DCourtel/Wsus_Package_Publisher/releases) and extract it to a local directory on the WSUS server;
  2. Run Wsus Package Publisher.exe;
  3. Connect to the local WSUS server;
  4. The first time you run the tool, you will be prompted to create a certificate that will be used to sign updates. Select Tools -> Certificates;
  5. If you don’t have your own PKI infrastructure, the utility will generate a self-signed Code Signing certificate (PowerShell can be used to create a self-signed certificate);
  6. Export the certificate to a .CER file and install it on computers that will receive software updates from WSUS;
  7. The easiest way is to deploy a certificate to client computers using GPO. Open the Domain Group Policy management console (gpmc.msc) and select your GPO containing the WSUS client settings. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities and import the certificate into the Trusted Root Certification Authorities and Trusted Publishers stores;
  8. Then go to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update -> Manage updates offered from Windows Server Update Service and enable the option Allow signed content from intranet Microsoft update service location. If you want to install updates and programs on non-domain computers (in a workgroup), enable the following registry option on clients:

    reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /f /v AcceptTrustedPublisherCerts /t REG_DWORD /d 1
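
A client-side check for steps 6 to 8, as an added example that is not part of the original article or of WSUS Package Publisher: it confirms that the exported signing certificate is a valid code-signing certificate, is present in both machine stores, and that the policy value is set. The `$CerPath` location is an assumption; point it at your own exported .CER file.

```powershell
# Added example: verify that a WSUS client will trust locally published updates.
# Assumption: the .CER exported in step 6 was copied to this hypothetical path.
$CerPath = 'C:\Temp\wsus-publisher.cer'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

# The signing certificate must carry the Code Signing EKU (1.3.6.1.5.5.7.3.3).
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
$hasCodeSigning = $ekuOids -contains '1.3.6.1.5.5.7.3.3'

# Step 7: the certificate has to be in both machine stores.
$inRoot      = Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
$inPublisher = Test-Path "Cert:\LocalMachine\TrustedPublisher\$($cert.Thumbprint)"

# Step 8: the GPO (or the reg add command) sets this value to 1.
$wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$accept = (Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts

$expired = $cert.NotAfter -lt (Get-Date)
$ready   = $hasCodeSigning -and -not $expired -and $inRoot -and $inPublisher -and ($accept -eq 1)

[pscustomobject]@{
    Thumbprint                  = $cert.Thumbprint
    NotAfter                    = $cert.NotAfter
    Expired                     = $expired
    HasCodeSigningEku           = $hasCodeSigning
    InTrustedRoot               = $inRoot
    InTrustedPublishers         = $inPublisher
    AcceptTrustedPublisherCerts = ($accept -eq 1)
    Ready                       = $ready
}
```

Because every client trusts this certificate both as a root and as a publisher, the private key held on the WSUS server should be protected like any other code-signing key.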

Create a Custom Third-Party Update Package to Deploy via WSUS

Now you can create a program update (installation) package that WSUS will distribute. In this example, we are going to update old versions of the 7-Zip archiver on domain-joined computers.

  1. Select Updates -> Create new update;
  2. Download the latest version of the 7-Zip MSI installer from the official website and specify the path to it;
    WSUS Package Publisher can also be used to deploy EXE files. MSI Wrapper can be used to convert some EXE installers into MSI packages.
  3. Specify the package name and description that will be displayed in the Windows Update dialog on client computers;
  4. The next step is to specify the criteria by which WSUS will determine that this update (program) is already installed on the computer. In the 7-Zip example, we will check that the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip registry key has a DisplayVersion parameter with a value of 23.01 (this is the latest version of 7-Zip). This WSUS package rule will look like this (Add Rule -> Registry Version in SZ):

    <bar:RegSz Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip" Value="DisplayVersion" Comparison="EqualTo" Data="23.01"/>

    Then create a rule to ensure you have the x64 Windows version installed:

    <bar:Processor Architecture="9"/>

  5. Click Next and create another rule to decide whether to install the update on this computer. In this example, it will be the opposite rule (when there is no registry value with the specified value). You can simply enable the Reverse Rule option in the settings;
    In this post, we have made the WSUS rule a little simpler than in real life. Our rule will install 7-Zip on any computer, even if it is not already installed. In a real-world environment, the first thing you should do is check whether another version of 7-Zip is installed on the computer.
  6. Click Next. WSUS Package Publisher will create and publish the package to the WSUS server.
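
The rule logic from steps 4 and 5, evaluated locally in PowerShell as an added example (not code from the article or from WSUS Package Publisher). The function `Get-SevenZipRuleResult` is hypothetical, and combining the architecture check with the registry check is an assumption about how the two rules are joined. It compares the article's simplified reverse rule with a stricter rule that only targets computers where an older 7-Zip is already present.

```powershell
# Added example: model the "installed" and "installable" rules for the 7-Zip package.
$TargetVersion = [version]'23.01'
$UninstallKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip'

function Get-SevenZipRuleResult {
    param(
        [string]$DisplayVersion,   # value read from the Uninstall key, empty if absent
        [int]$CpuArchitecture      # Win32_Processor.Architecture, 9 = x64
    )
    $isX64       = $CpuArchitecture -eq 9                    # <bar:Processor Architecture="9"/>
    $isInstalled = $isX64 -and ($DisplayVersion -eq '23.01') # RegSz EqualTo 23.01

    # Article's rule: the reverse of the registry check, so it also matches
    # computers where 7-Zip was never installed.
    $simpleInstallable = $isX64 -and ($DisplayVersion -ne '23.01')

    # Stricter rule: an older, parseable version must already be present.
    $parsed = $null
    $hasOlder = [version]::TryParse($DisplayVersion, [ref]$parsed) -and
                ($parsed -lt $TargetVersion)
    $strictInstallable = $isX64 -and $hasOlder

    [pscustomobject]@{
        DisplayVersion    = $DisplayVersion
        IsInstalled       = $isInstalled
        SimpleInstallable = $simpleInstallable
        StrictInstallable = $strictInstallable
    }
}

# Constructed sample inputs: older version, current version, not installed, x86 CPU.
Get-SevenZipRuleResult -DisplayVersion '22.01' -CpuArchitecture 9
Get-SevenZipRuleResult -DisplayVersion '23.01' -CpuArchitecture 9
Get-SevenZipRuleResult -DisplayVersion ''      -CpuArchitecture 9
Get-SevenZipRuleResult -DisplayVersion '22.01' -CpuArchitecture 0

# Values from the local computer.
$dv   = (Get-ItemProperty -Path $UninstallKey -ErrorAction SilentlyContinue).DisplayVersion
$arch = (Get-CimInstance Win32_Processor | Select-Object -First 1).Architecture
Get-SevenZipRuleResult -DisplayVersion $dv -CpuArchitecture $arch
```

For the third sample (7-Zip not installed), SimpleInstallable is True while StrictInstallable is False, which is the difference the note in step 5 describes.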

You can now deploy the software update package to WSUS clients. Note that you must use the WSUS Package Publisher console to manage third-party updates, as these packages do not appear in the standard WSUS Administration console.

  1. Select your update package under Updates and click Approve;
  2. Select the group of WSUS clients you want to approve the program installation (Approve For Installation);
    Learn more about how to approve updates on WSUS.
  3. After some time, scan for updates on client computers. Client computers download and install the update according to the WSUS policy settings;
  4. On the client, check that the 7-Zip update package has been successfully downloaded and installed. Run the Get-WindowsUpdate command from the PSWindowsUpdate PowerShell module.

In the console, you can monitor the update deployment process on client computers. Select your package and go to the Report tab. Here you can see the number of computers on which the program has been installed or updated.

So, you can use WSUS to easily update any third-party software on computers on your network.
