WPP: Deploying Applications with WSUS


Windows Server 2019

In this tutorial, we will see how to deploy applications (Firefox, Chrome, Fusion Agent, Java …) using the WSUS role and WPP.

As a reminder, WSUS is a Windows role that allows you to administer updates to Microsoft products within a computer pool.

WPP (Wsus Package Publisher) will allow us to add custom packages to deploy through WSUS.

Prerequisites

  • Have a functioning WSUS server.
  • Know how the WSUS server works.
  • Know the software deployment (silent installation).

Installation

WPP does not install itself, download the latest release at this address : https://github.com/DCourtel/Wsus_Package_Publisher/releases then uncompress the archive on the WSUS server.

WPP archive

Once the archive is uncompressed, go to the folder and run the Wsus Package Publisher.exe 1 file to start the program.
Wsus Package Publisher.exe

Configuring WPP

In this part, we will see how to configure WPP during its first launch. Run the Wsus Package Publisher.exe file.

At the first opening, it will detect that we are on a WSUS server and put the connection directly to your favorites. Click OK 1 to close the message.
First lauch WPP

In the connection area, we can see that the server has been added 1 , click on the connection button 2 .
WPP first lauche

Certificate for WPP

At the first connection, a message is displayed indicating that a certificate is required. Click OK 1 to close it.
Message WPP certificate

WPP needs a certificate to sign the packages that will be deployed by WSUS. This certificate will then need to be deployed on computers that use WSUS. If the certificate is not installed, the software installations deployed by WPP will fail.

On the WPP console, go to Tools 1 then click on Certificate 2 .
Generate certificate

Click on the button Generate the certificate 1 .
WPP generate certificate

A window appears, confirm the creation of the certificate by clicking OK 1 .
confirm generate certificate

A new one appears to confirm that the certificate has been generated. Click OK 1 to close the message.
generated certificate

Restart the WSUS server to take the certificate into account.

Configuration des clients

Now that we have the certificate, we need to deploy it using a GPO. The tutorial: GPO: Deploy a certificate tells you how to do it, except that it puts the certificate in the Approved Publisher Store 1 .
wpp gpo certificate

It is also necessary to modify a Group Policy setting that distributes the configuration to allow the installation of updates from WSUS and not from Microsoft. Change the policy by going to Computer Configuration / Policies / Administrative Template / Windows Component / Windows Update. Double-click Allow signed updates from an intranet location of the Microsoft Update service. Activate 1 the parameter.
Enable parameter

Once customers have group policies updated, they will be able to install deploy applications using WPP.

Make WPP applications visible in the WSUS console

This part is optional and allows you to configure WPP to make programs visible in the WSUS Administration Console.

From the WPP console, go to Tools 1 and click Settings.
WPP Parameter

On the Server 1 tab, choose the Always make update visible option in the Wsus console. (The database will be modified) 2 then validate by clicking on OK 3 .
WPP parameters

Then go to the tab Updates 1 and tick both caches 2 and click OK 3 . To take into account the parameters, it is necessary to close and open WPP.
WPP parameters

Deploy an application with WPP

Now that WPP is configured, we will see how to deploy an application. To illustrate the tutorial, we will see how to deploy the Fusion Inventory agent if it is already present on the computer.

Add an update

From the WPP console, go to Update 1 and click Create Update 2 .
WPP add update

In the first window of the wizard, you must indicate the necessary files, indicate the location of the file 1 and click on Next 2 .
Select file

Enter the update information, Publisher 1 , Product Name 2 , Title 3 (this will be visible in the WSUS console and on the clients, enter the parameters of the installation if necessary 4 and click Next 5 .
Configure update - WPP

Now you have to configure two rules:

  1. Find out if the update is already present
  2. Whether the update needs to be installed

For that we will do two tests:

  1. Is the Uninstall.exe file for the agent present?
  2. We will compare the version of this file to know which version is installed.

To recover the version of the Uninstall.exe file, on a computer where it is already installed, look in the properties of the file to get version 1 .
File version

Rule to find out if the update is already installed

Choose the type of rule File exists 1 then click on the button Add 2 .
File exist

Indicate the location of the file Uninstall.exe 1 and click OK 2 to add the condition.
Configure rule

The condition is added 1 . We will now add a second condition that will check the version of the Uninstall.exe file. In rule type, choose File Version 2 and click the Add 3 button.
Add rule

Indicate the location of the file to be tested 1 , the comparison operator 2 , enter the version 3 and validate by clicking on Ok 4 .
check version

In order to know if the update is already installed, one chooses the operator Superior or equal to, in this way if a newer version of the agent is installed in another way, the version deployed by WSUS will be considered as already installed on the post.

The two conditions for determining if the update is installed are configured 1 , click Next 2 to move to the rule to see if the update should be installed.
rules added

Rule to know if the update is installable

This part works in the same way as for creating rules to check if the update is installed. We will add the same controls as the rule previously seen by changing the comparison operator for the version of the file, we must use the operator less than. Once conditions are added, click on Next 1 .
Rule wpp

Click on Publish 1 .
WPP Publish

Wait while generating the file and publishing …
wait...

The update is published, click Ok 1 to close the wizard.
update published on wpp

Update 1 available in the console.
Update added

Manage an update

Since the details of an update, it is possible to:

  • Approve: This allows the computer in WSUS to install it.
  • Decline: stop installing it.
  • Expire: the update is no longer relevant
  • Revise: allows to modify the conditions of application of the update.

Approve the update

Click the Approve button on the update details to open a new window.

The approval window is similar to WSUS, use the lists to set approval 1 and click Ok 2 to validate.
Enable update WPP

On the view of the update, we see that this one is now is now Approved 1 .
Update approved

Report

On the details of the update, by going to the Report tab, it is possible to have an overview of the status of the update.
Report

The update in WSUS and Windows Update

WSUS console

In the WSUS console, we can see the update.
WSUS and WPP

Client Windows Update

In the list of installed updates, we find the agent FusionInventory published in WPP.
Client Windows Update

Conclusion

In an environment where all computers and servers are connected to a WSUS server, WPP allows a software deployment and software update solution for free without the need to install additional agents on computers.

Depending on the WSUS server configuration, it is even possible to deploy WPP updates to computers outside the corporate network.

In this tutorial, only a part of WPP was discussed, the rules of application of the updates are complete and should be able to answer all the situations.




Leave a Comment