In this tutorial, we will see how to deploy applications (Firefox, Chrome, Fusion Agent, Java …) using the WSUS role and WPP.
As a reminder, WSUS is a Windows role that allows you to administer updates to Microsoft products within a computer pool.
WPP (Wsus Package Publisher) will allow us to add custom packages to deploy through WSUS.
Prerequisites
- Have a functioning WSUS server.
- Know how the WSUS server works.
- Know how software deployment works (silent installation).
Installation
WPP has no installer: download the latest release from https://github.com/DCourtel/Wsus_Package_Publisher/releases, then extract the archive on the WSUS server.
Once the archive is extracted, open the folder and run the Wsus Package Publisher.exe file to start the program.
Configuring WPP
In this part, we will see how to configure WPP during its first launch. Run the Wsus Package Publisher.exe file.
On first launch, it detects that it is running on a WSUS server and adds the connection directly to your favorites. Click OK to close the message.
In the connection area, we can see that the server has been added; click on the connection button.
Certificate for WPP
At the first connection, a message is displayed indicating that a certificate is required. Click OK to close it.
WPP needs a certificate to sign the packages that will be deployed by WSUS. This certificate will then need to be deployed on computers that use WSUS. If the certificate is not installed, the software installations deployed by WPP will fail.
On the WPP console, go to Tools then click on Certificate.
Click on the button Generate the certificate.
A window appears; confirm the creation of the certificate by clicking OK.
A second window appears to confirm that the certificate has been generated. Click OK to close the message.
Restart the WSUS server to take the certificate into account.
Client configuration
Now that we have the certificate, we need to deploy it using a GPO. The tutorial GPO: Deploy a certificate explains how to do it, except that the certificate must be placed in the Trusted Publishers store.
It is also necessary to modify the Group Policy that distributes the Windows Update configuration, so that clients accept updates signed by the WSUS server and not only by Microsoft. Edit the policy by going to Computer Configuration / Policies / Administrative Templates / Windows Components / Windows Update. Double-click Allow signed updates from an intranet Microsoft update service location. Enable the setting.
Once the clients have refreshed their group policies, they will be able to install the applications deployed with WPP.
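A check to run on a client once the GPOs have applied, as an added example that is not part of the original tutorial: it confirms that the WPP signing certificate is trusted and that the policy enabled above is in effect. The thumbprint is a placeholder; the Trusted Root check and the AcceptTrustedPublisherCerts registry value that backs this policy are details not stated on this page.

```powershell
# Added example (not from the original tutorial). Run in PowerShell on a
# client that points at the WSUS server.
function Test-WppClientTrust {
    param(
        # Placeholder: thumbprint of the certificate generated in WPP
        [Parameter(Mandatory)][string]$Thumbprint
    )
    # Drop spaces and hidden characters picked up when copying the thumbprint
    $tp = $Thumbprint -replace '[^0-9A-Fa-f]', ''
    $report = [ordered]@{ Computer = $env:COMPUTERNAME }

    # Trusted Publishers is the store named in this tutorial; a self-signed
    # certificate must also be in Trusted Root so that it chains to a trusted root.
    foreach ($store in 'TrustedPublisher', 'Root') {
        $cert = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
            Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
        $report["In$store"] = [bool]$cert
        if ($cert) { $report['CertExpired'] = $cert.NotAfter -lt (Get-Date) }
    }

    # Registry value written by the "Allow signed updates from an intranet
    # Microsoft update service location" policy, plus the configured WSUS URL.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $pol = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $report['SignedIntranetUpdatesAllowed'] =
        ($null -ne $pol) -and ($pol.AcceptTrustedPublisherCerts -eq 1)
    $report['WUServer'] = if ($pol) { $pol.WUServer } else { $null }

    # Ready only if the certificate is in both stores, unexpired, and the policy is on
    $report['Ready'] = $report.InTrustedPublisher -and $report.InRoot -and
        $report.SignedIntranetUpdatesAllowed -and -not $report.CertExpired
    [pscustomobject]$report
}

Test-WppClientTrust -Thumbprint '<THUMBPRINT-OF-WPP-CERTIFICATE>'
```

A client where Ready is False will refuse the packages published by WPP, which is the installation failure described in the certificate section.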
Make WPP applications visible in the WSUS console
This part is optional and allows you to configure WPP to make programs visible in the WSUS Administration Console.
From the WPP console, go to Tools and click Settings.
On the Server tab, select the option "Always make update visible in the Wsus console. (The database will be modified)", then confirm by clicking OK.
Then go to the Updates tab, tick both checkboxes and click OK. For the settings to take effect, close and reopen WPP.
Deploy an application with WPP
Now that WPP is configured, we will see how to deploy an application. To illustrate the tutorial, we will see how to deploy the Fusion Inventory agent if it is already present on the computer.
Add an update
From the WPP console, go to Update and click Create Update.
In the first window of the wizard, you must specify the necessary files: enter the location of the file and click Next.
Enter the update information: Publisher, Product Name and Title (the title will be visible in the WSUS console and on the clients). Enter the installation parameters if necessary and click Next.
Now you have to configure two rules:
- Find out if the update is already present
- Whether the update needs to be installed
For that we will do two tests:
- Is the Uninstall.exe file for the agent present?
- We will compare the version of this file to know which version is installed.
To retrieve the version of the Uninstall.exe file, go to a computer where the agent is already installed and look in the file's properties to get the version.
Rule to find out if the update is already installed
Choose the rule type File exists, then click the Add button.
Enter the location of the Uninstall.exe file and click OK to add the condition.
The condition is added. We will now add a second condition that checks the version of the Uninstall.exe file. In rule type, choose File Version and click the Add button.
Enter the location of the file to be tested, choose the comparison operator, enter the version and confirm by clicking OK.
To determine whether the update is already installed, we choose the operator greater than or equal to; this way, if a newer version of the agent has been installed by another means, the version deployed by WSUS will be considered as already installed on the computer.
The two conditions for determining whether the update is installed are configured; click Next to move on to the rule that determines whether the update should be installed.
Rule to know if the update is installable
This part works in the same way as creating the rules that check whether the update is installed. We add the same conditions as in the previous rule, changing the comparison operator for the file version: here we must use the operator less than. Once the conditions are added, click Next.
Wait while generating the file and publishing …
The update is published; click OK to close the wizard.
The update is available in the console.
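The two rules configured above can be tried against a real file before publishing. The following is an added example, not part of the original tutorial or of WPP: it approximates the "installed" rule (file exists and version greater than or equal to the package) and the "installable" rule (file exists and version less than the package). The function name and the sample inputs are constructed for illustration.

```powershell
# Added example (not from the original tutorial): approximates the two WPP
# rule groups locally; it is not the Windows Update Agent's own evaluation.
function Test-WppFileRules {
    param(
        [Parameter(Mandatory)][string]$Path,             # file tested by both rules
        [Parameter(Mandatory)][version]$PackageVersion   # version entered in the rules
    )
    # Pad to four parts: [version]'2.4' sorts below [version]'2.4.0.0'
    $pkg = [version]::new($PackageVersion.Major, $PackageVersion.Minor,
        [Math]::Max($PackageVersion.Build, 0), [Math]::Max($PackageVersion.Revision, 0))

    $exists = Test-Path -LiteralPath $Path -PathType Leaf
    $fileVersion = $null
    if ($exists) {
        # Use the numeric fields; the FileVersion string may contain free text
        $vi = (Get-Item -LiteralPath $Path).VersionInfo
        $fileVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
            $vi.FileBuildPart, $vi.FilePrivatePart)
    }
    $installed   = $exists -and ($fileVersion -ge $pkg)   # rule "is installed"
    $installable = $exists -and ($fileVersion -lt $pkg)   # rule "is installable"

    if ($installed) { $outcome = 'Already installed' }
    elseif ($installable) { $outcome = 'Offered to this computer' }
    else { $outcome = 'Not applicable: file missing, so the agent is never installed from scratch' }

    [pscustomobject]@{
        Path        = $Path
        FileVersion = $fileVersion
        Installed   = $installed
        Installable = $installable
        Outcome     = $outcome
    }
}

# Constructed inputs: cmd.exe stands in for the agent's Uninstall.exe, and
# 999.0 / 1.0 stand in for a package newer / older than the file on disk.
Test-WppFileRules -Path $env:ComSpec -PackageVersion '999.0'
Test-WppFileRules -Path $env:ComSpec -PackageVersion '1.0'
Test-WppFileRules -Path 'C:\DoesNotExist\Uninstall.exe' -PackageVersion '999.0'
```

The third call shows the consequence of putting File exists in both rules: a computer without the agent is neither "installed" nor "installable", so this package only updates existing installations.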
Manage an update
From the details of an update, it is possible to:
- Approve: allows the computers in WSUS to install it.
- Decline: stops it from being installed.
- Expire: the update is no longer relevant.
- Revise: allows you to modify the conditions under which the update applies.
Approve the update
Click the Approve button on the update details to open a new window.
The approval window is similar to the one in WSUS; use the lists to set the approval and click OK to confirm.
In the update view, we see that it is now Approved.
Report
On the details of the update, by going to the Report tab, it is possible to have an overview of the status of the update.
The update in WSUS and Windows Update
WSUS console
In the WSUS console, we can see the update.
Client Windows Update
In the list of installed updates, we find the agent FusionInventory published in WPP.
Conclusion
In an environment where all computers and servers are connected to a WSUS server, WPP provides a free software deployment and software update solution without the need to install additional agents on the computers.
Depending on the WSUS server configuration, it is even possible to deploy WPP updates to computers outside the corporate network.
Only a part of WPP was covered in this tutorial; the rules that govern when updates apply are comprehensive and should be able to handle all situations.