I was recently packaging up an application for SCCM and one of the pre-requisites of this application was that a Windows Update (.msu) had to be installed.

In order to package up this Windows Update and deploy it as an application I did the following:

To silently install the update, I ran the following command within the application deployment:

wusa.exe KBxxxxxx.msu /quiet /norestart

In the Detection Method tab, set the option to "Use a custom script to detect the presence of this deployment type" and select Edit.

Set the script type to PowerShell and enter the following command:

Get-HotFix | Where-Object {$_.HotFixID -match "KBxxxxxx"}

The deployment ran fine after that. If the script fails with execution errors, you can set the PowerShell execution policy to Bypass in the SCCM agent client settings.
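
A stricter form of the detection script above, as an added example (not the original author's script): it compares the hotfix ID with -eq instead of -match, so a longer KB number that merely contains the target is not reported as installed, and it follows the script-detection convention that STDOUT output with exit code 0 means "installed". KBxxxxxx is the page's placeholder and Test-HotFixInstalled is a hypothetical helper name.

```powershell
# Added example: custom-script detection method for a single Windows Update.
# 'KBxxxxxx' is the page's placeholder; replace it with the real KB ID.
$KbId = 'KBxxxxxx'

function Test-HotFixInstalled {
    param(
        [Parameter(Mandatory = $true)]
        [string] $Id,

        # Objects with a HotFixID property. Defaults to the live Get-HotFix
        # list; a constructed list can be passed in to try the function out.
        [object[]] $Installed
    )

    if (-not $PSBoundParameters.ContainsKey('Installed')) {
        # -ErrorAction Stop turns a failed query into an exception so the
        # caller can report a failure instead of "not installed".
        $Installed = @(Get-HotFix -ErrorAction Stop)
    }

    # -eq compares the whole ID (case-insensitively). -match is a regex
    # search, so "KB123456" would also match an installed "KB1234567".
    return [bool]($Installed | Where-Object { $_.HotFixID -eq $Id })
}

try {
    if (Test-HotFixInstalled -Id $KbId) {
        # Any STDOUT text with exit code 0 is read as "installed".
        Write-Output "$KbId installed"
    }
    # No output with exit code 0 is read as "not installed".
    exit 0
}
catch {
    # Non-zero exit code marks the detection itself as failed, without
    # writing anything that could be mistaken for a detection result.
    exit 1
}
```

Under the All Signed client setting this script must carry a signature from a publisher the client trusts; Bypass removes that check for every script the agent runs.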