Tuesday, March 20, 2012

Local Update Publisher (Software deployment via WSUS)

This is a quickstart tutorial/demonstration of Local Update Publisher.

"Local Update Publisher allows system administrators to publish their own updates to Windows Server Update Services using local publishing."


Pros:
Consolidates management and storage (one console, minimal Group Policy fiddling, no separate fileshare.)
Users can install updates on their schedule and/or admins can force schedule.

Cons:
Relies on a (small?) 3rd party project. (Though open-source, and using an official Microsoft API.)
Can't assign or offer to users, only per machine.


This tutorial assumes you have a working install of WSUS, and a basic knowledge of .MSI packages.

Remember that everything is stored on your WSUS server; LUP is "just" a GUI that talks to it, similar to the WSUS admin console. So download and install the EXE, run it (you will need to "Run as Administrator"), point it at the WSUS server ("Localhost" if you're on the server; in our case "guard.ourdomain.com", port 80, no SSL for now), and go!

To publish:

First, acquire your MSI. In this example, we'll use the FrontMotion-supplied package of Firefox.

Select Tools -> Create Update. Point it at your .MSI. Confusingly, you *DON'T* provide the "MSI Path". (That field is only needed if the MSI is contained in an .EXE.)

LUP (WSUS?) requires a Vendor and Product to be defined. Fill in any other details you think are relevant. (I like to include the version number in the name.)



You can then click through the next few screens, accepting the defaults for now. (These let you write more complex rules, to only target x64, for instance.) Click "Finish". You'll get a progress window as it re-packages the MSI for WSUS and uploads it to the server.

Notice in this example there are now two versions of the package. Be sure to retire/remove the old version, or else clients will do weird things (i.e. continually install one then the other, in the case of Firefox updates).

Now we just approve this update (in this case, only for the METRO-TEST group):




Now, to see the results of our labor, we first have to assign our testing machine to the METRO-TEST WSUS group. Open up the WSUS admin console, find your target machine(s), right-click, and give them membership in the appropriate group.


From the LUP wiki:
"The WSUS clients have a locally stored cookie that stores the groups that the client is associated to. Until that cookie expires the client will not create a new one. This means that if you add clients to a group and then immediately try to force a client in that group to detect updates it will likely not find updates you have approved for your new group. You can either wait an hour or force the cookie to expire by running wuauclt with the /resetauthorization flag."

Once I did this, I re-ran "Check for updates" (CLI version: "wuauclt /detectnow"). Looks promising...







Now, go forth and publish!


Friday, March 9, 2012

Older XP system, most any (un)install failed:
"this installation is forbidden by system policy"



Event Type: Information
Event Source: MsiInstaller
Event Category: None
Event ID: 11729
Date: 3/9/2012
Time: 12:25:26 PM
User: NT AUTHORITY\SYSTEM
Computer: VH229A
Description:
Product: Sophos Anti-Virus -- Configuration failed.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 7b 30 33 34 37 35 39 44   {034759D
0008: 41 2d 45 32 31 41 2d 34   A-E21A-4
0010: 37 39 35 2d 42 46 42 33   795-BFB3
0018: 2d 43 36 36 44 31 37 46   -C66D17F
0020: 41 44 31 38 33 7d         AD183}  






Event Type: Information

Event Source: MsiInstaller
Event Category: None
Event ID: 1035
Date: 3/9/2012
Time: 12:25:18 PM
User: NT AUTHORITY\SYSTEM
Computer: VH229A
Description:
Windows Installer reconfigured the product. Product Name: Sophos Remote Management System. Product Version: 3.0.14. Product Language: 1033. Reconfiguration success or error status: 1625.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 7b 46 46 31 31 30 30 35   {FF11005
0008: 44 2d 43 42 43 38 2d 34   D-CBC8-4
0010: 35 44 35 2d 41 32 38 38   5D5-A288
0018: 2d 32 35 43 37 42 42 33   -25C7BB3
0020: 30 34 31 32 31 7d         04121}  


Event Type: Information
Event Source: MsiInstaller
Event Category: None
Event ID: 11729
Date: 3/9/2012
Time: 12:07:50 PM
User: DEPT-LAWR\0mparsons
Computer: VH229A
Description:
Product: Spelling Dictionaries Support For Adobe Reader 8 -- Configuration failed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 7b 41 43 37 36 42 41 38   {AC76BA8
0008: 36 2d 37 41 44 37 2d 35   6-7AD7-5
0010: 34 36 34 2d 33 34 32 38   464-3428
0018: 2d 38 30 30 30 30 30 30   -8000000
0020: 30 30 30 30 33 7d         00003}  


Event Type: Information
Event Source: MsiInstaller
Event Category: None
Event ID: 1035
Date: 3/9/2012
Time: 12:07:50 PM
User: DEPT-LAWR\0mparsons
Computer: VH229A
Description:
Windows Installer reconfigured the product. Product Name: Spelling Dictionaries Support For Adobe Reader 8. Product Version: 8.0.0. Product Language: 1033. Reconfiguration success or error status: 1625.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 7b 41 43 37 36 42 41 38   {AC76BA8
0008: 36 2d 37 41 44 37 2d 35   6-7AD7-5
0010: 34 36 34 2d 33 34 32 38   464-3428
0018: 2d 38 30 30 30 30 30 30   -8000000
0020: 30 30 30 30 33 7d         00003}  





Most troubleshooting posts I found reference "Prohibit non-administrators from applying vendor signed updates" or Software Restriction Policy "All users except local administrators." Sorta close, same area in local policy editor: Local Computer -> Computer Config -> Admin Templates -> Windows Components -> Windows Installer. However "Disable Windows Installer" was enabled! Unconfigured, instant success.
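Added example, not part of the original post: a Python parser for Event Viewer text exports in the format shown above. It picks out MsiInstaller 1035 records, decodes the Data hex dump back into the ProductCode GUID, and flags status 1625, the Windows Installer code for "forbidden by system policy". The first sample record is trimmed from the records above, the second is constructed, and the function names are this example's own.

```python
import re

# Windows Installer status codes relevant to this post (values from winerror.h).
MSI_STATUS = {0: "ERROR_SUCCESS",
              1625: "ERROR_INSTALL_PACKAGE_REJECTED (forbidden by system policy)"}

# Sample export: first record trimmed from this page, second record is constructed.
SAMPLE = """\
Event Source: MsiInstaller
Event ID: 1035
Description:
Windows Installer reconfigured the product. Product Name: Sophos Remote Management System. Product Version: 3.0.14. Product Language: 1033. Reconfiguration success or error status: 1625.
Data:
0000: 7b 46 46 31 31 30 30 35   {FF11005
0008: 44 2d 43 42 43 38 2d 34   D-CBC8-4
0010: 35 44 35 2d 41 32 38 38   5D5-A288
0018: 2d 32 35 43 37 42 42 33   -25C7BB3
0020: 30 34 31 32 31 7d         04121}

Event Source: MsiInstaller
Event ID: 1035
Description:
Windows Installer reconfigured the product. Product Name: Example App. Product Version: 1.0.0. Product Language: 1033. Reconfiguration success or error status: 0.
Data:
0000: 7b 30 30 7d               {00}
"""

STATUS_RE = re.compile(r"Product Name: (.+?)\. Product Version: .*?error status: (\d+)\.")
HEX_RE = re.compile(r"^[0-9a-fA-F]{4}: ((?:[0-9a-fA-F]{2} )+)", re.M)

def parse_events(text):
    """Yield one dict per 'Event ID: 1035' record in an Event Viewer text export."""
    for record in re.split(r"(?m)^(?=Event Source:)", text):
        status = STATUS_RE.search(record)
        if "Event ID: 1035" not in record or not status:
            continue
        # The Data dump is the ASCII ProductCode GUID; rebuild it from the hex column.
        raw = bytes.fromhex("".join(HEX_RE.findall(record)))
        code = int(status.group(2))
        yield {"product": status.group(1), "status": code,
               "meaning": MSI_STATUS.get(code, "unknown"),
               "product_code": raw.decode("ascii"),
               "policy_blocked": code == 1625}

def policy_blocked(text):
    """Return only the records that Windows Installer rejected with status 1625."""
    return [e for e in parse_events(text) if e["policy_blocked"]]
```

When unrelated products on the same machine all report 1625, as they do in the records above, the cause is machine-wide policy rather than any one package, which matches the "Disable Windows Installer" finding in the post.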
