IBM Support

Deploy Microsoft Out of Band (OOB) Updates with Intune (Win32 App), due to MS Autopatch restrictions.

How To


Summary

• Windows Autopatch does not deliver OOB updates. OOB updates are only released via the Microsoft Update Catalog.
• Administrators must download the OOB update manually and deploy it as a Win32 app in Microsoft Intune.
• General guidance:
o Deploy the OOB update using the Intune Win32 app method.
o Resume Autopatch updates once OOB deployment is complete.

Note: This process is outside the scope of the Windows Autopatch service. The instructions below provide a practical overview; for the most current details, refer to Microsoft documentation.

Objective

Provide a concise, end‑to‑end procedure to deploy a Microsoft OOB update via Intune Win32 App packaging and assignment, including install/uninstall commands and detection methods. For advanced automation (e.g., PowerShell orchestration, phased rings, or dynamic assignments), open a support request with Microsoft Intune.

Environment

  • Windows 11
  • Windows Server (supported versions)
  • Microsoft Intune
  • Microsoft Autopatch

Steps

Prerequisites

  • Intune admin permissions to create and assign a Windows app (Win32).
  • Local .msu file for the target OOB update.
  • (Optional) A PowerShell install script for cleaner control and logging.
  • Maintenance window/restart plan appropriate for your organization.

Steps

1) Download the OOB Update (.msu)

  1. Go to the Microsoft Update Catalog.
  2. Locate and download the required OOB update .msu for your OS (Windows 10/11, Server variants).
    • Save to a working folder (e.g., C:\OOB\Package).

2) Prepare the .msu File as a Win32 App (.intunewin)

You must package the .msu using the Microsoft Win32 Content Prep Tool (IntuneWinAppUtil.exe).

Steps:

  1. Download the Microsoft Win32 Content Prep Tool (IntuneWinAppUtil.exe) from Microsoft.
  2. Place the .msu (and optionally a PowerShell install script) in a source folder (e.g., C:\OOB\Source).
  3. Run the tool with explicit paths, for example:

IntuneWinAppUtil.exe -c "C:\OOB\Source" -s "OOBInstall.ps1" -o "C:\OOB\Output"

Where:

  • -c = source folder containing your files (the .msu and/or script)
  • -s = setup file (the entry point the app will run; use your script or the .msu)
  • -o = output folder where the .intunewin package will be created

If you omit parameters, the tool will interactively prompt for them.

3) (Recommended) Create a PowerShell Install Script

Using a script gives you better control (waiting, logging, return codes).

Script example (OOBInstall.ps1):

# OOBInstall.ps1
param(
    [string]$MsuName = "Windows10.0-KBXXXXXXX-x64.msu" # Replace with the real KB file
)

# Ensure the script runs from its directory
$scriptDir = Split-Path -Path $PSCommandPath -Parent
Set-Location -Path $scriptDir

# Pass wusa.exe the full path to the .msu, quoted in case the path contains spaces
$msuPath = Join-Path -Path $scriptDir -ChildPath $MsuName

# Install the MSU silently and wait for completion
$arguments = "`"$msuPath`" /quiet /norestart"
$process = Start-Process -FilePath "wusa.exe" -ArgumentList $arguments -Wait -PassThru

# WUSA commonly returns 0 (success), 3010 (success with restart required)
if ($process.ExitCode -in 0, 3010) {
    exit 0
} else {
    Write-Error "WUSA failed with exit code $($process.ExitCode)"
    exit $process.ExitCode
}

Why Start-Process -Wait? It ensures Intune properly tracks completion before evaluating detection rules.

Package this script alongside the .msu, and make it your setup file in IntuneWinAppUtil.exe.

4) Create the Win32 App in Intune

  1. Sign in to Intune admin center.
  2. Go to Apps → All apps → Add → App type: Windows app (Win32).
  3. Select app package file and upload the .intunewin created earlier.
  4. App information: Fill Name, Description, Publisher, Category, etc.

Program → Install command (choose one):

  • If using the script (recommended):
    powershell.exe -ExecutionPolicy Bypass -File .\OOBInstall.ps1
  • Direct MSU (no script):
    wusa.exe .\Windows10.0-KBXXXXXXX-x64.msu /quiet /norestart

Program → Uninstall command: You’ll need the PackageName. You can discover it with:

dism /online /get-packages | findstr KBXXXXXXX

Then remove it:

dism /online /remove-package /PackageName:<ExactPackageName> /Quiet /NoRestart

Note: Not all OOB updates are designed to be easily removable. Validate the rollback plan in a pilot first.
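
The two manual steps above, combined into one script that resolves the package name at run time so it can be packaged and used as the Intune uninstall command. This is an added example, not part of the original article: the file name OOBUninstall.ps1 and the exit-code mapping are assumptions, and the DISM cmdlets Get-WindowsPackage and Remove-WindowsPackage are used in place of the dism.exe commands.

```powershell
# OOBUninstall.ps1 (hypothetical name; added example, not from the original article)
param(
    [string]$Kb = "KBXXXXXXX"   # Placeholder: replace with the actual KB
)

# DISM does not service a running 64-bit OS from a 32-bit process.
# If started from a 32-bit host, relaunch in 64-bit PowerShell via SysNative.
if (-not [Environment]::Is64BitProcess -and [Environment]::Is64BitOperatingSystem) {
    $ps64 = Join-Path $env:WINDIR "SysNative\WindowsPowerShell\v1.0\powershell.exe"
    & $ps64 -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath -Kb $Kb
    exit $LASTEXITCODE
}

# Same lookup as: dism /online /get-packages | findstr KBXXXXXXX
$packages = @(Get-WindowsPackage -Online | Where-Object { $_.PackageName -like "*$Kb*" })

if ($packages.Count -eq 0) {
    Write-Output "No package matching $Kb is present; nothing to remove."
    exit 0
}

$restartNeeded = $false
foreach ($package in $packages) {
    try {
        # Same action as: dism /online /remove-package /PackageName:<name> /Quiet /NoRestart
        $result = Remove-WindowsPackage -Online -PackageName $package.PackageName `
            -NoRestart -ErrorAction Stop
        if ($result.RestartNeeded) { $restartNeeded = $true }
        Write-Output "Removed $($package.PackageName)"
    } catch {
        # Some updates are not removable; report that to Intune as a failure
        Write-Error "Could not remove $($package.PackageName): $($_.Exception.Message)"
        exit 1
    }
}

# 3010 = success with restart required, the same code the install script handles
if ($restartNeeded) { exit 3010 } else { exit 0 }
```

Place the script in the source folder before running IntuneWinAppUtil.exe so it ships inside the .intunewin, and validate it on pilot devices before relying on it for rollback.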

Requirements:

OS architecture/version as needed.


5) Set Detection Rules

Choose one detection approach to confirm the update is installed.

Option A — PowerShell: Check HotFix

# Intune marks the app as detected only when the script exits with code 0 AND writes output to STDOUT
$kb = "KBXXXXXXX"   # Replace with the actual KB
if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) { Write-Output "$kb installed"; exit 0 } else { exit 1 }

Option B — Registry (CBS Packages)

  • Path pattern:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\<PackageID>
  • The <PackageID> typically starts with Package_for_KBXXXXXXX~...
  • CurrentState indicates status; installed is commonly 112.


For example, detect existence of the package key with CurrentState = 112.

Note: Exact package names/values vary per KB and OS build. Confirm in your pilot devices.
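
Option B written as an Intune custom detection script, shown here as an added example that is not part of the original article. The KB value is a placeholder, the function name Get-KbPackageState is hypothetical, and the Package_for_KB name pattern and the value 112 are taken from the text above and must be confirmed on pilot devices.

```powershell
# Added example (not from the original article): custom detection script for Option B.
$Kb             = "KBXXXXXXX"   # Placeholder: replace with the actual KB
$InstalledState = 112           # "Installed" value given in the article
$PackagesSubKey = "SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

function Get-KbPackageState {
    param([string]$KbId, [string]$SubKey)

    # Open the 64-bit registry view explicitly so a 32-bit host process
    # does not read a redirected view of HKLM\SOFTWARE.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
    try {
        $root = $hklm.OpenSubKey($SubKey)
        if ($null -eq $root) { return }
        foreach ($name in $root.GetSubKeyNames()) {
            if ($name -notlike "Package_for_$KbId~*") { continue }
            $key = $root.OpenSubKey($name)
            [pscustomobject]@{
                Package      = $name
                CurrentState = $key.GetValue("CurrentState")
            }
            $key.Dispose()
        }
        $root.Dispose()
    } finally {
        $hklm.Dispose()
    }
}

$found     = @(Get-KbPackageState -KbId $Kb -SubKey $PackagesSubKey)
$installed = @($found | Where-Object { $_.CurrentState -eq $InstalledState })

if ($installed.Count -gt 0) {
    # Intune needs exit code 0 plus output on STDOUT to mark the app as detected
    Write-Output "Detected: $($installed[0].Package) (CurrentState=$InstalledState)"
    exit 0
}

# No STDOUT on this path: a missing key or any other CurrentState counts as not detected
exit 1
```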

 

6) Assign the App to Device Groups

  1. Go to Assignments.
  2. Target:  
    • Pilot group first (recommended), then
    • All affected devices.
  3. Use Required for automatic installation.

Consider maintenance windows and restart behavior. OOB updates often require a reboot to complete; whether you allow immediate restart depends on your change policy.

 

7) Monitor Deployment

  • Intune Admin Center → Apps → (Your app) → Monitor
    • Track Install status, Failures, and Pending.
    • Drill into error codes to troubleshoot (wusa/dism returns, detection rule mismatches, content distribution).

Once deployment completes and your validation passes, resume Autopatch updates as normal.

 

 

 

Additional Information

Notes & Best Practices

  • Architecture & OS versioning: Ensure the .msu matches device architecture (x64/Arm64) and OS build.
  • Servicing Stack: Some updates require a minimum Servicing Stack Update (SSU) level. Validate prerequisites listed on the Update Catalog page.
  • Reboots: Many OOB updates return 3010 (restart required). Plan compliance/restart policies accordingly.
  • Logging: If you use a script, write logs to a known path for troubleshooting (e.g., C:\ProgramData\OOB\Logs).
  • Rollback: Confirm uninstall feasibility for specific KB (some may not support removal).
  • Piloting: Always validate detection logic and uninstall commands on a small set first.

Appendix: Quick Command Reference

Package MSU as Win32:

IntuneWinAppUtil.exe -c "C:\OOB\Source" -s "OOBInstall.ps1" -o "C:\OOB\Output"

Install via script:

powershell.exe -ExecutionPolicy Bypass -File .\OOBInstall.ps1

Install directly:

wusa.exe .\Windows10.0-KBXXXXXXX-x64.msu /quiet /norestart

Find PackageName for uninstall:

dism /online /get-packages | findstr KBXXXXXXX

Uninstall:

dism /online /remove-package /PackageName:<ExactPackageName> /Quiet /NoRestart

Detection (PowerShell; Intune requires exit code 0 and output on STDOUT):

$kb = "KBXXXXXXX"
if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) { Write-Output "$kb installed"; exit 0 } else { exit 1 }

Detection (Registry):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\<Package_for_KBXXXXXXX~...>
Check CurrentState = 112.

 

Document Location

Worldwide


Document Information

Modified date:
17 February 2026

UID

ibm17260963