Deploy Windows Update Offline Using Intune

Let’s learn how to deploy Windows Update Offline Using Intune. If you want to deploy a specific Windows update package to Windows 10/11 devices managed by Intune, you can use the Intune Win32 app management capabilities to deploy Windows update (.msu file).

The feature update deployment policy is the option to upgrade Windows 10 PCs to Windows 11 using WUfB and Intune.

This post helps you deploy a Windows update package with Intune. To prepare the update package as Win32 app content, download the Windows update package and use the Microsoft Win32 Content Prep Tool to convert the .msu file into the .intunewin format.

The best way to service a Windows image is offline with DISM. Offline servicing with DISM is the process of keeping your Windows Image (WIM) file updated by injecting the latest SSU/LCU and other security updates. Learn the steps to add Windows Update to Offline Image Using DISM.

Identify the Windows Update

The first important phase is identifying the update you will add to Windows Image.

Check the Windows 10 or Windows 11 release history on the official Microsoft site to see which updates are available for devices running Windows 10 or Windows 11.

Download Windows Update

To get the standalone package for the update, browse to the Microsoft Update Catalog https://www.catalog.update.microsoft.com/Home.aspx.

Search the catalog for the latest cumulative update (LCU) for your operating system that you want to apply manually. Enter the KB article number and click the Search icon.

Note – When searching, make sure there is no space in KB<Article Number>. For example, KB5012643.

Download Windows Update - Microsoft Update Catalog | Deploy Windows Update Offline Using Intune 1

Identify the required patch as per the environment. For example, you can download the latest cumulative update (LCU) KB5012643. To search for additional updates to download, repeat the steps.

Here you can see the search results for “KB5012643”. Browse the displayed list and select the entry that matches your product (Windows version) and architecture.

Click on Download to download the updates. If the update has any prerequisite updates, get those too.

Select KBs - Download Windows Updates | Deploy Windows Update Offline Using Intune 2
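
Before packaging, it is worth confirming that the downloaded .msu is the file Microsoft published. The PowerShell below is an added example, not part of the original article; the function name Test-CatalogPackage is hypothetical, and it assumes the 40 hex characters at the end of the catalog file name are the file's SHA-1 digest.

```powershell
# Added example: verify a Microsoft Update Catalog download before packaging it.
# Assumption: the file name ends in "_<40 hex chars>", the SHA-1 digest of the file.
function Test-CatalogPackage {
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    $file = Get-Item -LiteralPath $Path
    $result = [ordered]@{
        File        = $file.Name
        HashInName  = $null
        HashMatches = $false
        Signature   = $null
        Signer      = $null
        Trusted     = $false
    }

    # 1. Integrity: compare the digest in the file name with the bytes on disk.
    #    This catches a corrupted or swapped download, not a renamed forgery.
    if ($file.BaseName -match '_([0-9a-fA-F]{40})$') {
        $result.HashInName = $Matches[1].ToLower()
        $actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA1).Hash.ToLower()
        $result.HashMatches = ($actual -eq $result.HashInName)
    }

    # 2. Authenticity: the Authenticode signature is the real trust anchor.
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $result.Signature = $sig.Status
    if ($sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject
    }
    $signedByMicrosoft = $result.Signer -match 'O=Microsoft Corporation'

    $result.Trusted = $result.HashMatches -and ($sig.Status -eq 'Valid') -and $signedByMicrosoft
    [pscustomobject]$result
}

# File name taken from the article's example.
$check = Test-CatalogPackage -Path '.\windows10.0-kb5012643-x64_a29610770b67091e324340e3e9eb236b1974cbee.msu'
$check | Format-List
if (-not $check.Trusted) { throw 'Package failed verification; do not package it.' }
```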

Prepare Win32 App Content

Before adding a Win32 app to Microsoft Intune, you must prepare the app using the Microsoft Win32 Content Prep Tool. You use the Microsoft Win32 Content Prep Tool to pre-process Windows classic (Win32) apps.

Let’s first identify the command lines that install and uninstall the Windows Update package (.msu file). I created small scripts to run them; for example, here I’m going to create two separate batch files (.cmd):

  1. Installation Command (Install.cmd)
  2. Uninstallation Command (Uninstall.cmd)

Note – I would recommend performing manual testing to ensure scripts are properly executed before converting and uploading files in Intune.

Install command:

wusa.exe <full path of the .msu file> /quiet /norestart

For example, if the windows10.0-kb5012643-x64_a29610770b67091e324340e3e9eb236b1974cbee.msu file is in the current folder, use the following command in Install.cmd:

wusa.exe .\windows10.0-kb5012643-x64_a29610770b67091e324340e3e9eb236b1974cbee.msu /quiet /norestart

Uninstall command:

wusa.exe /uninstall /kb:<KB number> /quiet

wusa.exe /uninstall /kb:5012643 /quiet
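
As an alternative to Install.cmd, the following PowerShell wrapper is an added example (not the article's script) that waits for wusa.exe and passes its exit code back to Intune; wusa.exe has no -Wait switch of its own, so Start-Process -Wait does the waiting. The file name Install.ps1 and the install command shown in the comment are assumptions.

```powershell
# Install.ps1 (hypothetical name). Assumed Intune install command:
#   powershell.exe -ExecutionPolicy Bypass -File .\Install.ps1
# Installs the .msu that sits next to this script and returns wusa.exe's exit code.

$WU_S_ALREADY_INSTALLED = 0x00240006   # 2359302: update is already present
$WU_E_NOT_APPLICABLE    = 0x80240017   # -2145124329: update does not apply to this device

$msu = Get-ChildItem -LiteralPath $PSScriptRoot -Filter '*.msu' | Select-Object -First 1
if (-not $msu) {
    Write-Output "No .msu file found in $PSScriptRoot"
    exit 1
}

# Start-Process -Wait blocks until wusa.exe exits; -PassThru exposes its exit code.
$wusaArgs = @("`"$($msu.FullName)`"", '/quiet', '/norestart')
$proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
                      -ArgumentList $wusaArgs -Wait -PassThru

$code = $proc.ExitCode
if ($code -eq 0) {
    Write-Output "$($msu.Name) installed"
}
elseif ($code -eq 3010) {
    # Intune's default return codes treat 3010 as "Soft reboot".
    Write-Output "$($msu.Name) installed, restart required"
}
elseif ($code -eq $WU_S_ALREADY_INSTALLED) {
    # Report success so Intune does not keep retrying an update that is present.
    Write-Output "$($msu.Name) was already installed"
    $code = 0
}
elseif ($code -eq $WU_E_NOT_APPLICABLE) {
    # Left as a failure: fix the requirement rules or the assignment instead.
    Write-Output "$($msu.Name) is not applicable to this device"
}
else {
    Write-Output "wusa.exe failed with exit code $code"
}
exit $code
```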

Prepare Folder Structure – Once you are done, your folder structure should appear like this –

Prepare Win32 App Content - Deploy Windows Update Offline Using Intune 3

Download the updated IntuneWinAppUtil.exe from GitHub. Run the IntuneWinAppUtil.exe file as administrator.

  • Please specify the source folder – Enter the folder that contains your application setup files. (For Example, C:\Users\JiteshKumar\Downloads\Windows Update)
  • Please specify the setup file – Enter the setup file name (such as setup.exe or setup.msi), For Example – windows10.0-kb5012643-x64_a29610770b67091e324340e3e9eb236b1974cbee.msu
  • Specify the output folder – Add the output folder for the generated .intunewin file.
  • Do you want to specify catalog folder – Type N.

Note – Please wait for a few minutes while running the Win32 Content Prep Tool. Once it successfully generates the .intunewin file, the status indicates 100% at the bottom of the command prompt.

Once the process completes, Browse to the output folder (For Example, C:\Users\JiteshKumar\Downloads\Output) to collect the file for Intune Win32 app deployment.

Microsoft Win32 Content Prep Tool - Converting files to .intunewin format 4

Deploy Windows Update Offline Using Intune

Let’s follow the steps below to upload the .intunewin file for deploying the windows update to managed devices.

Sign in to the Microsoft Endpoint Manager admin center https://endpoint.microsoft.com/ with appropriate access rights.

Select Apps > All apps > Add, or you can navigate to Apps > Windows > Windows Apps.

On the Select app type pane, under the Other app types, select Windows app (Win32) and click Select.

Select Windows app (Win32) - Deploy Windows Update Offline Using Intune 5

On the Add app pane, click Select app package file. Select the browse button. Then, select the prepared file with the extension .intunewin. The app details appear.

When you’re finished, select OK on the App package file pane.

Select App Package File - Deploy Windows Update Offline Using Intune 6

Enter the Name of the Windows App Win32 (for example, Windows 11 – KB5012643) and the Description of the Windows App.

Enter the Publisher name – Microsoft. You may specify additional app information here, then click Next.

Add App Information - Deploy Windows Update Offline Using Intune 7

On the Program page, configure the app installation and removal commands for the app:

  • Install command: Add the complete installation command line to install the windows update. For Example, Install.cmd (Contains the installation command for .msu file)
  • Uninstall command: Add the complete command line to uninstall the windows update KBs. For Example, Uninstall.cmd (Contains the uninstallation command for .msu file)
  • Install behavior: Set the install behavior to System.

You can also specify the Device restart behavior and Post-installation behavior. Click Next to continue.

Add Command-line - Deploy Windows Update Offline Using Intune 8

On the Requirements page, specify the mandatory requirements that devices must meet before installing the update and click Next.

  • Operating system architecture: Choose the architectures needed to install the windows update.
  • Minimum operating system: Select the minimum operating system needed to install the windows update.

There are some built-in and custom requirements rules you can choose from when creating your Win32 application. Explore Intune Win32 App Requirement Rules.

Specify the requirements - Deploy Windows Update Offline Using Intune 9

On the Detection rules pane, configure the rules to detect the presence of the app. You can choose to add multiple rules. Here I select the Rule format Use a custom detection script and specify the PowerShell script that will be used to detect the Windows update (KB).

Copy the script below into Notepad, replace the placeholder with your KB number (for example, KB5012643), and save it with a .ps1 extension.

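# Replace KB<KB number> with the update you deployed, for example KB5012643.
$result = systeminfo.exe | findstr KB<KB number>

if ($result)
{
    # Intune treats exit code 0 plus output on STDOUT as "app detected".
    Write-Output "Found KB<KB number>"
    exit 0
}
else
{
    # No match: a non-zero exit code tells Intune the update is not installed.
    exit 1
}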

Once you have successfully configured the detection rules, click Next.
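
A KB-only check can stop matching once a later cumulative update supersedes the one you deployed, which leaves the app reported as not installed. The detection script below is an added example, not the article's script: it checks the KB first and then falls back to the OS build and revision. The target build and revision values are placeholders you must fill in from the KB's release notes.

```powershell
# Added example: detection script that tolerates later cumulative updates.
# Assumes "Run script as 32-bit process on 64-bit clients" is No (RunAs32Bit: 0 in
# the IME log), so the 64-bit registry view is read.
$KbId           = 'KB5012643'   # the article's example KB
$TargetBuild    = 0             # PLACEHOLDER: OS build this KB applies to
$TargetRevision = 0             # PLACEHOLDER: revision (UBR) this KB installs

$detected = $false

# 1. Direct check: is the KB listed as an installed hotfix?
if (Get-HotFix -Id $KbId -ErrorAction SilentlyContinue) {
    $detected = $true
}

# 2. Fallback: the KB may no longer be listed after a later cumulative update,
#    so also accept the same OS build at an equal or higher revision.
if (-not $detected) {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build    = [int]$cv.CurrentBuildNumber
    $revision = [int]$cv.UBR
    if ($build -eq $TargetBuild -and $revision -ge $TargetRevision) {
        $detected = $true
    }
}

if ($detected) {
    # Exit code 0 plus STDOUT output is what Intune reads as "detected".
    Write-Output "Found $KbId (or a later cumulative update)"
    exit 0
}

# Non-zero exit code and no output: not detected.
exit 1
```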

Add Detection Rules - Deploy Windows Update Offline Using Intune 10

You can also specify app dependencies where the applications must be installed before your Win32 app can be installed.

On the next page, Supersedence, I will not configure anything. Simply click Next and jump to assignments.

In the Scope tags section, you get an option to configure scope tags for this Windows App Win32 application.

Under Assignments, in Included groups, click Add groups and then choose Select groups to include one or more groups to which you want to deploy the Windows Update. Click Next to continue.

Review your settings and select Create to add the app to Intune.

Review Summary - Deploy Windows Update Offline Using Intune 11

Here you can see the status “Uploading is in progress”. How long the upload takes depends on the size of the application and the speed of internet connectivity.

Please wait for some time to complete the upload process, and you can check the progress by clicking on the Notification icon.

Uploading IntunePackage.intunewin - Deploy Windows Update Offline Using Intune 12

Once the Intune package upload has finished, you will get the status “Upload finished.”

Windows KB upload finished - Deploy Windows Update Offline Using Intune 13

You can check Windows 10 or Windows 11 update history with Settings –

Open Settings, Click on Windows Update. Under the “More options” section, click the Update history setting. Check the recent history of installed updates, and here you will find the updates are installed successfully.

For more detail on Windows major, minor, build, and rev numbers, see Windows 10 or Windows 11 Version Numbers Build Numbers Major Minor Build Rev.

Validate Windows Update - Deploy Windows Update Offline Using Intune 14

You can track the details logged in IntuneManagementExtension.log, located in C:\ProgramData\Microsoft\IntuneManagementExtension\Log.

Here are the highlighted parts of the logs that help you track the application activity on client devices. For more details, you can go through an excellent article on Intune Win32 App Issues Troubleshooting.

[Win32App] ===Step=== Detection rules

[Win32App] Checked Powershell script result: Found KB5012643


[Win32App] Checked Powershell script exitCode: 0 EnforceSignatureCheck: 0 RunAs32Bit: 0 InstallExRunAs: 1, result of applicationDetected: True	IntuneManagementExtension	5/5/2022 9:50:57 PM	22 (0x0016)
[Win32App] Detection script file C:\Program Files (x86)\Microsoft Intune Management Extension\Content\DetectionScripts\b63166b0-146b-4a6a-a692-63b70d38bcb9_1.ps1 is deleted.	
[Win32App] detectionManager SideCarScriptDetectionManager got applicationDetectedByCurrentRule: True as system	
[Win32App] Completed detectionManager SideCarScriptDetectionManager, applicationDetectedByCurrentRule: True

[Win32App] ===Step=== Check applicability

[Win32App] Content cache miss for app (id = b63166b0-146b-4a6a-a692-63b70d38bcb9, name = Windows 11 - KB5012643), start downloading...	

[Win32App] ===Step=== InstallBehavior RegularWin32App, Intent 3, UninstallCommandLine Uninstall.cmd	
Install.cmd	
[Win32App] SetCurrentDirectory: C:\Windows\IMECache\b63166b0-146b-4a6a-a692-63b70d38bcb9_1	
[Win32App] Launch Win32AppInstaller in machine session	IntuneManagementExtension	5/5/2022 6:52:41 PM	33 (0x0021)
[Win32App] lastWin32Error 0 after CreateProcess	
[Win32App] lastHResult -2147024896 after CreateProcess	
[Win32App] Create installer process successfully.

[Win32App] Toast message with: "C:\Program Files (x86)\Microsoft Intune Management Extension\agentexecutor.exe"  -toast "ToastSoftRebootMessage" 	

Troubleshooting Win32 App References – Deploy Windows Update

For troubleshooting Intune client-side events, you can refer to three logs –

  • IntuneManagementExtension.log : Tracks the Intune Management extension component events.
  • AgentExecutor.log : Tracks any PowerShell execution events.
  • ClientHealth.log : Tracks client-health related events.

Learn more in Intune Win32 App Troubleshooting Client-Side Process Flow. For a Level 3 deep dive, see the Intune Management Extension (IME) Level 3 Troubleshooting Guide.

Author

About Author – Jitesh, Microsoft MVP, has over five years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus area is Windows 10 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.
