[Solved] Creating Package using WPP and moving content to offline server without WPP?

Topics: Configuration Issue
Jun 19, 2014 at 10:03 PM
Hey all,

I was wondering if it is possible to push update packages created with WPP on a separate environment that does not have WPP installed, but has WSUS, KBs, and Update Tools API 3.0 installed?

I thought it would work as I am assuming the WPP program works via the API, but I couldn't get it to work using the below method:

Internet facing server: Select MS Updates and Create Adobe Package using WPP.
Run the following script:

    Set "version=June_Patches"
    "C:\Program Files\Update Services\Tools\wsusutil.exe" export "d:\WSUS\%version%.cab" "d:\WSUS\%version%.log"
    "C:\Program Files (x86)\Update Services 3.0 API Samples and Tools\WsusMigrate\WsusMigrationExport\WsusMigrationExport.exe" "D:\WSUS\%version%.xml"

air-gapped offline environment:
copy WSUScontent folder/meta data .cab file/.xml approval list

    Set "version=June_Patches"
    "C:\Program Files\Update Services\Tools\wsusutil.exe" import "d:\WSUS\%version%.cab" "d:\WSUS\%version%.log"
    "C:\Program Files (x86)\Update Services 3.0 API Samples and Tools\WsusMigrate\WsusMigrationImport\WsusMigrationImport.exe" "D:\WSUS\%version%.xml" All None

I thought it would work without WPP on the offline environment as I was assuming it was using the same approval list and I moved over the WSUScontent folder, which has a .cab containing flash player.

Many thanks,
Jun 20, 2014 at 7:57 PM
Hi, I don't have such a configuration in my test environment. But theoretically, it should work. Don't forget to import the code signing certificate onto the WSUS and client computers.
Jun 20, 2014 at 8:12 PM
I tried to load the certificate from the same site I tried it with and the load button was greyed out, so I just generated a new one.

I have a Code Signing certificate that is from the WSUS Package Publisher, although it is not the same certificate that I created the package with.

Could this be the issue? I will work on putting the same certificate on both machines and get back to you on this.

Many thanks,
Jun 20, 2014 at 8:21 PM
The isolated WSUS needs to trust the package. So,
  • if you have used a self-signed certificate, you need to put this certificate in the Trusted Root Certification Authority and in the Trusted Publisher
  • if you have used a home made certificate, you need to put the certificate of the authority in the Trusted Root Certification Authority and the code-signing certificate itself in the Trusted Publisher
It is mandatory that the isolated WSUS has the certificate that was used to sign packages.
Jun 20, 2014 at 8:30 PM
Ah thank you.

I was assuming the algorithm the program uses to generate the certificate would suffice, but I forgot to take into account that the algorithm creates the keys used to verify and in this case they would not be the same keys.

This will be very nice if it works without having the WPP installed on the offline environment, as it gets tricky introducing new software into the system.

I will let you know.
Jun 20, 2014 at 8:48 PM
Edited Jun 23, 2014 at 10:01 AM
You don't need WPP to be installed on the isolated WSUS. Just put the certificate in the right place, and then import updates as you usually do.
Jun 23, 2014 at 3:07 PM
Worked great thanks, just had mix-matched certs.

For the future if anyone reads this thread, you don't need WPP on the offline environment, but just the environment you create the packages on, but both need to have the same cert that was generated on the WPP server.
Marked as answer by DCourtel on 6/24/2014 at 2:29 AM
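
A check for the certificate placement this thread settles on, as an added example that is not part of the original posts: PowerShell that reports whether the package-signing certificate is in Trusted Publishers and chains to a trusted root on the local machine, and optionally whether a package file carries a signature from that same certificate. The file paths are placeholders, and treating the published package as an Authenticode-signed .cab is an assumption.

```powershell
# Added example: run on the isolated WSUS server or on a client.
param(
    # Placeholder path: public certificate (.cer) exported from the server that created the packages.
    [string]$CertPath    = 'D:\WSUS\package-signing.cer',
    # Optional placeholder path: a signed package .cab taken from the WSUS content folder.
    [string]$PackagePath = ''
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 1. The exact signing certificate (matched by thumbprint) must be in LocalMachine\TrustedPublisher.
$location = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'TrustedPublisher', $location
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
try {
    $inPublishers = [bool]($store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint })
} finally {
    $store.Close()
}

# 2. The certificate must chain to a trusted root in the machine context. For a self-signed
#    certificate this only succeeds when the certificate itself is in the Root store; for an
#    issued certificate it succeeds when the issuing authority's certificate is there.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain $true
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck  # offline network
$chainOk = $chain.Build($cert)
$chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

# 3. Optional: confirm the package was signed with this certificate and not a regenerated one.
$signedBySameCert = $null
if ($PackagePath) {
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    $signedBySameCert = ($sig.SignerCertificate -ne $null) -and
                        ($sig.SignerCertificate.Thumbprint -eq $cert.Thumbprint)
}

New-Object PSObject -Property @{
    Thumbprint         = $cert.Thumbprint
    SelfSigned         = ($cert.Subject -eq $cert.Issuer)
    InTrustedPublisher = $inPublishers
    ChainsToTrustedRoot = $chainOk
    ChainStatus        = $chainStatus
    PackageSignedBySameCert = $signedBySameCert
}
```

A result with `InTrustedPublisher` true but `PackageSignedBySameCert` false corresponds to the mismatch described above, where a new certificate was generated instead of reusing the one that signed the packages.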