Deploying Custom .MSU Updates with SCCM (and SCUP)

The Problem:

Local publishing of .MSU files with System Center Updates Publisher (SCUP version 4.5 or 2011) is not possible, and it is not supported by the WSUS product team. It is not an SCCM issue. The WSUS service is designed to import and trust only .MSU files that come from the Microsoft Update cloud service. That service carries only so-called GDR (General Distribution Release) updates, which undergo a more expensive and thorough testing and certification process than LDR (Limited Distribution Release) and QFE (Quick Fix Engineering) updates.

However, there are Windows 6.x (Vista, 7, Server 2008, Server 2008 R2) updates that ship in the .MSU format, and customers would like to deploy them by using SCCM Software Update Management instead of SCCM Software Distribution.

The Solution:

I managed to set up a functioning workaround as follows:

Step 1: Download the Update you want from Microsoft.com

Step 2: Extract the Update's Contents and locate the .CAB File

To extract the update, use the “expand -F:* <update>.msu <destination folder>” command.

Locate the .cab file of the update:

This cabinet file is actually the update. Everything else just serves WUSA.exe and the WSUS detection logic. As we’re rebuilding that logic in SCUP, we don’t need it anymore. The .CAB file contains the update and is digitally signed, which is enough for SCUP.

Step 3: Create an .EXE file containing the .CAB file and the DISM installation command:

Yes, we can use the DISM.exe tool to deploy the update by using “online servicing”. In this case the update is not “installed” to the operating system. Rather, it is “serviced” into the “servicing stack” (CBS, CSI, trusted installer) of the operating system, which was introduced with Windows 6.x. Normally DISM.exe is used to integrate updates into offline .WIM files, but with the /online parameter it can also be used on a running OS:

dism.exe /online /add-package /packagepath:<path>Windows6.1-KB917607-x64.cab /quiet /norestart /logpath:c:\917607msu.log /loglevel:2

You might want to test the installation prior to packaging the .EXE.

Now bundle both the .CAB file and the DISM install command into an executable file. Make sure that the file is digitally signed (code signing) and that this signature is trusted (trusted publisher) on the clients.

Step 4: Create a custom update within SCUP

Create a custom update within SCUP and use some simple rules to trigger the update. For Windows 7 updates, from my experience, the WIN32_QuickFixEngineering query works fine for all OS updates, even GDR updates.

Step 5: Publish, Synchronize, Deploy, Enjoy
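
Steps 2 to 4 can be rehearsed on a test client before anything is wrapped and published. The PowerShell below is an added example, not the author's script: it extracts the .MSU, refuses to continue unless the payload .CAB carries a valid Authenticode signature, services it with DISM, and uses the same Win32_QuickFixEngineering lookup as the detection rule. The paths, the parameter names and the Microsoft signer check are assumptions of this example.

```powershell
# Added example: Steps 2-4 as one script. Paths and parameter names are sample values.
param(
    [string]$Msu     = 'C:\Temp\Windows6.1-KB917607-x64.msu',  # assumed download location
    [string]$WorkDir = 'C:\Temp\KB917607',                      # assumed scratch folder
    [string]$KbId    = 'KB917607'
)
$ErrorActionPreference = 'Stop'

# Step 4 detection: WQL against Win32_QuickFixEngineering in namespace root\cimv2.
function Test-HotFixPresent([string]$Id) {
    $q = "SELECT HotFixID FROM Win32_QuickFixEngineering WHERE HotFixID = '$Id'"
    return [bool](Get-WmiObject -Namespace 'root\cimv2' -Query $q)
}
if (Test-HotFixPresent $KbId) { Write-Output "$KbId already present"; exit 0 }

# Step 2: extract the .MSU and pick the payload cabinet (WSUSSCAN.cab is scan metadata only).
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
& expand.exe '-F:*' $Msu $WorkDir | Out-Null
if ($LASTEXITCODE -ne 0) { throw "expand.exe failed with exit code $LASTEXITCODE" }
$cabs = @(Get-ChildItem -Path $WorkDir -Filter '*.cab' |
          Where-Object { $_.Name -ne 'WSUSSCAN.cab' })
if ($cabs.Count -ne 1) { throw "Expected exactly one payload .cab, found $($cabs.Count)" }
$cab = $cabs[0].FullName

# Refuse to service a cabinet whose Authenticode signature is not intact and trusted.
$sig = Get-AuthenticodeSignature -FilePath $cab
if ($sig.Status -ne 'Valid') { throw "Signature check failed for ${cab}: $($sig.Status)" }
# Assumption of this example: the payload must be signed by Microsoft.
if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# Step 3: online servicing with DISM; exit code 3010 means success with a pending reboot.
$log = Join-Path $WorkDir 'dism.log'
& dism.exe /online /add-package "/packagepath:$cab" /quiet /norestart "/logpath:$log" /loglevel:2
switch ($LASTEXITCODE) {
    0       { Write-Output "$KbId installed" }
    3010    { Write-Output "$KbId installed, reboot required" }
    default { throw "DISM failed with exit code $LASTEXITCODE, see $log" }
}
```

The same Get-AuthenticodeSignature check can be run against the finished .EXE wrapper on a client to confirm that its signature status is Valid there before the update is deployed.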

Please Note: Things posted on Blogs are never official Microsoft support statements.


Comments (15)

  1. OdgeUK says:

    Make sure that you populate the namespace field (above the wmi query) with root\cimv2.

  2. OdgeUK says:

    Is there a file size limit on the Cab file? Trying to do this with a 715KB Cab file, having put the DISM install command into a BAT file and bundling that and the CAB into an EXE (using iExpress) and getting a "Program is too big for memory" error from Command.com.

  3. OdgeUK says:

    I was interested that you used the WIN32_Quickfix_Engineering WMI info in your Installable Rule. I thought that clients no longer reported this information back to SCCM as there is too much overhead in doing so?

  4. OdgeUK says:

    Have noticed that when installing Updates using this method, no entry is placed under "Installed Updates" under Control Panel > Programs and Features. I guess that's something to do with the work-around method of installing using DISM? Can make it a little tricky to prove that the install is completed once the EXE is run and not ideal for support people who use that GUI to confirm if updates are installed.

  5. OdgeUK says:

    I would like to know the answer to my question, as well as that from SMAndy.

  6. OdgeUK says:

    Further to the above, it seems that if you use iExpress to install your newly created EXE, it will remove the CAB file once run. The problem with this is that if you then need to uninstall the update, you need to run DISM remove-package against the Cab file, which no longer exists. Any workaround?

  7. OdgeUK says:

    My Bad. Cab file, when run properly using DISM, will populate the Installed Updates Control Panel details.

  8. also work with sccm, these tips will help me a lot

  9. Anonymous says:

    Thanks Dominik, I have created a little script to automate the conversion of msu files to exe files. It’s documented in my blog http://netecm.netree.ch/blog/Lists/Posts/Post.aspx?ID=18

  10. Toby S says:

    Hi Dominik,

    I had been meaning to do something similar with SCUP.  Thank you for the guidance.

    Did you have a particular reason to avoid using WUSA.EXE to install the .MSU directly?

    (as per support.microsoft.com/…/934307)

    Thanks, Toby

  11. SMAndy says:

    What's the best way to create an exe file for this?  I've tried creating one using iexpress.exe, but I can never get it to install – does the run command need to have the full path to where the file is extracted to?  If so, how do I find out where that's going to be on each computer?

    Thanks.

  12. OdgeUK says:

    I don't understand the installable rules in this example? Why the stacked 'AND's and then all the rules under an OR statement?

  13. CoreyC says:

    Was there ever an answer as to why DISM is used instead of WUSA?  

  14. Dominik says:

    That's so nice tk – thanks a lot!
