Deploy MSP Based KB

What the MSP patch deployer does

This Automox Worklet™ deploys MSP (Microsoft Patch) files directly to Windows endpoints and validates successful installation through registry checks. The Worklet accepts any MSP file uploaded to the Automox console and installs it using the Windows Installer service (msiexec.exe).

The Worklet queries both 32-bit and 64-bit registry uninstall paths at Software\Microsoft\Windows\CurrentVersion\Uninstall to detect whether the specified KB number already exists on the endpoint. After installation, the Worklet verifies that the KB appears in the registry and generates a detailed log file for troubleshooting.

You configure two variables before deployment: the KB number (such as KB5000871) and the MSP filename. The Worklet handles file pathing automatically and creates installation logs alongside the MSP file for audit purposes.

Why deploy MSP patches through Automox

Zero-day vulnerabilities create critical exposure windows where endpoints remain unpatched while attackers actively exploit known flaws. Traditional patching systems like WSUS require hours or days to sync, approve, and distribute updates across infrastructure. Organizations face active exploitation during this delay–particularly for Exchange Server, SharePoint, and other Microsoft server products where attackers target unpatched systems within hours of vulnerability disclosure. Manual patch deployment is error-prone and difficult to verify at scale.

You bypass the entire WSUS distribution cycle by uploading the MSP file directly to Automox and deploying it through this Worklet. Your endpoints receive critical security patches within minutes instead of hours or days. This approach proves especially valuable for Exchange Server patches, SharePoint updates, and other Microsoft server products that use MSP packaging.

The Worklet supports both workstation and server endpoints running Windows 7 and above. You maintain full audit trails through installation logs and registry validation, meeting compliance requirements while accelerating your security response.

How MSP patch deployment works

1. Evaluation phase: The Worklet searches the Windows registry uninstall keys in both 32-bit and 64-bit views to determine whether the specified KB number is already installed. On 64-bit systems, it queries both registry views to maintain comprehensive detection. If the KB exists in either location, the endpoint exits with code 0 and no remediation occurs.

2. Remediation phase: The Worklet invokes msiexec.exe with the /update flag to apply the MSP file, using /qn for silent installation and /norestart to prevent automatic reboots. After installation completes, the Worklet re-checks the registry to verify the KB appears in the uninstall keys. The Worklet generates a verbose log file with the .log extension in the same directory as the MSP file for troubleshooting failed installations.

MSP deployment requirements

• Windows 7 or newer (workstations and servers supported)

• Administrator privileges for registry access and MSI installation

• MSP file uploaded to Automox console via the Upload File button

• KB number configured in the $kb variable (include the KB prefix, case insensitive)

• MSP filename configured in the $mspFile variable (include .msp extension)

• Target software already installed (MSP files patch existing installations)

Expected state after MSP installation

After successful remediation, the endpoint enters a patched security state with the vulnerability addressed. The specified KB number appears in the Windows registry at HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall (on 64-bit systems, it may appear in either the 64-bit view or the Wow6432Node 32-bit view depending on the patch architecture). The Worklet reports installation success with exit code 0, and the endpoint no longer flags for remediation on subsequent evaluations. You can verify the patch by checking Programs and Features in Control Panel where the KB appears as an installed update, or by querying the registry directly using "Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object {$_.DisplayName -like '*KB*'}" in PowerShell.

You verify installation through the Automox console activity logs or by checking the registry directly. If installation fails, review the verbose log file created in the same directory as the MSP file. The log filename matches the MSP filename with .log appended. A reboot may be required for some patches to take full effect, though the Worklet suppresses automatic reboots to maintain endpoint availability.

How to validate deploy msp based kb changes

1. Run this Worklet on a pilot Windows endpoint and review evaluation output for deploy msp based kb.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as Write-Output.

4. Validate remediation effects from script operations such as Split-Path, Out-Null, Write-Output, then rerun evaluation for compliance.