Local Publishing of Updates and Applications

The WSUS 3.0 API supports the publishing of local updates and applications.

Note

The WSUS user interface will not display locally published packages. The WSUS solution is limited to distributing packages from Microsoft Update and Windows Update.

Set up the WSUS server and clients for locally-published updates

You must set up WSUS clients to trust content published by the WSUS server before performing any local publishing calls. By default, the Windows Update agent trusts only Microsoft-signed content. The following steps must be performed to initialize that trust.

To set up the WSUS server for locally-published content

  1. Call SetSigningCertificate to install a code signing certificate.

  2. Call Save to add this information to the configuration.

  3. Export the public key for the certificate into a .cer file:

    • Click Start, then Run, and type mmc.

    • In the MMC console, click File, then click Add/Remove Snap-in, select Add.

    • Add the Certificates snap-in, and set it to manage certificates for the local computer account.

    • Navigate to the WSUS node in the snap-in, then find the certificate you added in step 1.

    • Right-click the certificate and select All Tasks, then Export. For security reasons, you should export only the public key, not the private key.

  4. Configure your WSUS server to trust this certificate by installing its public key in the Trusted Root Certification Authorities and Trusted Publishers stores.

    • In the Certificates snap-in, select Trusted Root Certification Authorities, then right-click Certificates, select All Tasks, then Import, and import the certificate you just exported.

    • Select Trusted Publishers, then right-click Certificates, select All Tasks, then Import, and import the certificate.

You must configure each client machine to accept packages signed with this certificate.

Note

Make sure that the WSUS certificate is located in a directory visible to the clients before importing it.

To set up WSUS clients to trust locally-published content

  1. You can configure clients to accept signed content either by using the Group Policy Object Editor or by editing the registry.

  2. To configure the use of signed content with the Group Policy Object Editor, complete the following steps.

    • Click Start, then Run, then type gpedit.msc.

    • Select Computer Configuration, then Administrative Templates, then Windows Update.

    • Enable Allow signed content from intranet Microsoft Update service location.

  3. To configure it in the registry, go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and set AcceptTrustedPublisherCerts to 1.

  4. Install the WSUS certificate on each client with the Certificates snap-in.

    • Click Start, then Run, and type mmc.

    • In the MMC console, click File, then click Add/Remove Snap-in, select Add.

    • Add the Certificates snap-in, and set it to manage certificates for the local computer account.

    • In the Certificates snap-in, select Trusted Root Certification Authorities, then right-click Certificates, select All Tasks, then Import, and import the certificate.

    • Select Trusted Publishers, then right-click Certificates, select All Tasks, then Import, and import the certificate.

Important   Enabling local publishing has security implications; your WSUS clients and servers will now trust code signed with the certificate above. For security reasons, if you choose to enable local publishing, we strongly recommend that you restrict access to the private key of the code signing certificate and that you configure your WSUS server to use SSL for all communication.
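The client-side steps above (registry value in step 3, certificate imports in step 4) can be scripted for a fleet of clients. The following PowerShell is an added example, not part of the original documentation; it assumes the exported public key is reachable at the placeholder path in $CerPath and that the PKI module (Import-Certificate) is available.

```powershell
# Added example: configure one WSUS client to trust locally-published content.
# Run in an elevated PowerShell session on the client.
param(
    # Placeholder: share that the clients can read, as the Note above requires.
    [string]$CerPath = '\\wsus-server\share\WsusPublishing.cer'
)

# Only the public key belongs on clients. Refuse anything that carries a
# private key (for example a .pfx export made by mistake).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
if ($cert.HasPrivateKey) {
    throw "Refusing to import $CerPath : it contains a private key; export only the public key."
}

# Step 3 equivalent: AcceptTrustedPublisherCerts = 1 under the Windows Update policy key.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
if (-not (Test-Path $wuPolicy)) { New-Item -Path $wuPolicy -Force | Out-Null }
Set-ItemProperty -Path $wuPolicy -Name AcceptTrustedPublisherCerts -Value 1 -Type DWord

# Step 4 equivalent: import into the local computer's Trusted Root
# Certification Authorities and Trusted Publishers stores.
foreach ($store in 'Root', 'TrustedPublisher') {
    Import-Certificate -FilePath $CerPath -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
}

# Verify by thumbprint that the certificate is now present in both stores.
foreach ($store in 'Root', 'TrustedPublisher') {
    $found = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object Thumbprint -eq $cert.Thumbprint
    if (-not $found) { throw "Certificate $($cert.Thumbprint) is missing from the $store store." }
}
Write-Output "Client trusts locally-published content signed by $($cert.Subject) ($($cert.Thumbprint))."
```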

Local publishing of updates and applications

This procedure explains how to use the WSUS API for local publishing of updates and applications.

To use the WSUS API for local publishing

  1. Use the SoftwareDistributionPackage class to author a package. The PopulatePackageFrom*() methods let you quickly set correct defaults for various package types, such as MSI, MSP, and EXE.

  2. Use the IPublisher interface to publish the package to the WSUS server.

  3. When the package is published, it can be approved and reports can be generated using the same APIs used for updates on Microsoft Update (for example, Approve).

Important    You should not create locally-published packages without first carefully reviewing the meaning and correct way to populate all the attributes available in a SoftwareDistributionPackage. The definition and meaning of the attributes are available in the API reference documentation and in the XML schema comments at %Program Files%\Update Services\schema\.

Note

The size of a .cab file must not exceed 2 GB, because files larger than this limit will not be signed. The maximum size of an individual file in a .cab file is 65 KB. WSUS creates multiple .cab files, each under 384 MB, and it is recommended that this limit not be exceeded. In addition, WSUS cannot support more than 65,535 files in a .cab file; an exception will be raised if this number is exceeded.

Example

The following example shows how to publish a Windows Installer Patch (.msp) package.

The steps for publishing a Windows Installer (.msi) package or an executable (.exe) are similar to the steps below, with the following differences:

MSI:

    • Call PopulatePackageFromWindowsInstaller, rather than PopulatePackageFromWindowsInstallerPatch, for initial package population.

    • Make sure to create a proper IsInstallable rule to check whether the MSI is installable on a given platform (e.g., on Windows Vista only). The schema files in %Program Files%\Update Services\schema\ describe how such rules can be constructed.

Exe:

    • Call PopulatePackageFromExe, rather than PopulatePackageFromWindowsInstallerPatch, for initial package population.

    • Make sure to create a proper IsInstallable rule to check whether the executable is installable on a given machine (e.g., if the exe can only be installed on Vista machines). The schema files in %Program Files%\Update Services\schema\ describe how such rules can be constructed.

    • Make sure to create a proper InstallableItems[0].IsInstalledApplicabilityRule rule to check whether the exe is already installed on a given machine. We recommend file-based checks.

    • Make sure to set InstallableItems[0].InstallCommandLine to the right set of flags to support a silent install (if you need the install automated). If this can't be done, make sure to set InstallableItems[0].InstallBehavior.CanRequestUserInput to true.

    • Make sure to set InstallableItems[0].ReturnCodes (and DefaultResult and RebootByDefault) with values sufficient to allow the Windows Update agent to interpret the exit code of the exe.

' Namespaces required by this sample
Imports System.IO
Imports Microsoft.UpdateServices.Administration

Dim packagepath As String = "C:\PackageDir\setup.msp"
Dim title As String = "MyPackage"
Dim description As String = "I'm publishing my own package"

' Connect to the local WSUS server and author the package from the .msp
Dim wsus As IUpdateServer = AdminProxy.GetUpdateServer()
Dim sdp As New SoftwareDistributionPackage()
sdp.PopulatePackageFromWindowsInstallerPatch(packagepath)
sdp.Title = title
sdp.Description = description

' Save the package definition (SDP XML) to a temporary file
Dim sdpFilePath As String = Environment.GetEnvironmentVariable("TEMP") & "\" & title & sdp.PackageId.ToString()
sdp.Save(sdpFilePath)

' Publish the package, taking the payload from the directory that holds the .msp
Dim publisher As IPublisher = wsus.GetPublisher(sdpFilePath)
Dim dir As New FileInfo(packagepath)
publisher.PublishPackage(dir.DirectoryName, Nothing)
