In this tutorial, we will see how to deploy applications (Firefox, Chrome, Fusion Agent, Java …) using the WSUS role and WPP.
As a reminder, WSUS is a Windows role that allows you to administer updates to Microsoft products within a computer pool.
WPP (Wsus Package Publisher) will allow us to add custom packages to deploy through WSUS.
- Configuring WPP
- Deploy an application with WPP
- The update in WSUS and Windows Update
- Have a functioning WSUS server.
- Know how the WSUS server works.
- Know the software deployment (silent installation).
WPP does not install itself, download the latest release at this address : https://github.com/DCourtel/Wsus_Package_Publisher/releases then uncompress the archive on the WSUS server.
In this part, we will see how to configure WPP during its first launch. Run the Wsus Package Publisher.exe file.
Certificate for WPP
WPP needs a certificate to sign the packages that will be deployed by WSUS. This certificate will then need to be deployed on computers that use WSUS. If the certificate is not installed, the software installations deployed by WPP will fail.
Restart the WSUS server to take the certificate into account.
Configuration des clients
Now that we have the certificate, we need to deploy it using a GPO. The tutorial: GPO: Deploy a certificate tells you how to do it, except that it puts the certificate in the Approved Publisher Store 1 .
It is also necessary to modify a Group Policy setting that distributes the configuration to allow the installation of updates from WSUS and not from Microsoft. Change the policy by going to Computer Configuration / Policies / Administrative Template / Windows Component / Windows Update. Double-click Allow signed updates from an intranet location of the Microsoft Update service. Activate 1 the parameter.
Once customers have group policies updated, they will be able to install deploy applications using WPP.
Make WPP applications visible in the WSUS console
This part is optional and allows you to configure WPP to make programs visible in the WSUS Administration Console.
Deploy an application with WPP
Now that WPP is configured, we will see how to deploy an application. To illustrate the tutorial, we will see how to deploy the Fusion Inventory agent if it is already present on the computer.
Add an update
Enter the update information, Publisher 1 , Product Name 2 , Title 3 (this will be visible in the WSUS console and on the clients, enter the parameters of the installation if necessary 4 and click Next 5 .
Now you have to configure two rules:
- Find out if the update is already present
- Whether the update needs to be installed
For that we will do two tests:
- Is the Uninstall.exe file for the agent present?
- We will compare the version of this file to know which version is installed.
Rule to find out if the update is already installed
In order to know if the update is already installed, one chooses the operator Superior or equal to, in this way if a newer version of the agent is installed in another way, the version deployed by WSUS will be considered as already installed on the post.
Rule to know if the update is installable
This part works in the same way as for creating rules to check if the update is installed. We will add the same controls as the rule previously seen by changing the comparison operator for the version of the file, we must use the operator less than. Once conditions are added, click on Next 1 .
Manage an update
Since the details of an update, it is possible to:
- Approve: This allows the computer in WSUS to install it.
- Decline: stop installing it.
- Expire: the update is no longer relevant
- Revise: allows to modify the conditions of application of the update.
Approve the update
Click the Approve button on the update details to open a new window.
The update in WSUS and Windows Update
Client Windows Update
In an environment where all computers and servers are connected to a WSUS server, WPP allows a software deployment and software update solution for free without the need to install additional agents on computers.
Depending on the WSUS server configuration, it is even possible to deploy WPP updates to computers outside the corporate network.
In this tutorial, only a part of WPP was discussed, the rules of application of the updates are complete and should be able to answer all the situations.