Assuming the client is able to grab it, then unfortunately, unless the update from that server is signed by Microsoft, the client server will refuse to install it. Is there a way around this problem? Yep, it's simple! You just need to create your own packages on the malicious server and sign them with its own code-signing certificate, and then your malware has to distribute the certificate to each and every client's code-signing and root certificate stores, in addition to setting another registry key that tells it to trust non-Microsoft signed code.
All of these are settings normally controlled by GPOs in a corporate environment, of course.
So the system was completely compromised long before you could ever set this all up. Sure, you could use this to keep your non-corporate machine botnet updated, but there are far easier ways to do it, and without leaving a nice trail of breadcrumbs for the FBI to follow.
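
A read-only audit of the client-side state the comment above describes, added here as an example and not part of the original comment. It assumes the standard Windows Update policy key with its `WUServer` and `AcceptTrustedPublisherCerts` values; `$expectedServer` is a placeholder for your own update server URL, and the subject match on "Microsoft Corporation" is a heuristic.

```powershell
# Added example: read-only audit of the client-side trust state for
# locally published (non-Microsoft-signed) updates.
$wuKey          = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$expectedServer = 'https://wsus.example.internal:8531'   # placeholder (assumption)

function Get-WuPolicyValue {
    param([string]$Name)
    # $null when the key or value is absent, i.e. the policy is not configured.
    (Get-ItemProperty -Path $wuKey -Name $Name -ErrorAction SilentlyContinue).$Name
}

$wuServer     = Get-WuPolicyValue 'WUServer'
$acceptsLocal = (Get-WuPolicyValue 'AcceptTrustedPublisherCerts') -eq 1

# Heuristic: anything in Trusted Publishers not issued to Microsoft deserves a look.
$publishers = @(Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Subject -notmatch 'O=Microsoft Corporation' })

# A signing certificate that is also its own trust anchor sits in both stores.
$rootThumbs = @((Get-ChildItem Cert:\LocalMachine\Root).Thumbprint)

$findings = @(foreach ($cert in $publishers) {
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        AlsoInRoot = $rootThumbs -contains $cert.Thumbprint
    }
})

[pscustomobject]@{
    WUServer                    = $wuServer
    ServerMatchesExpected       = ($wuServer -eq $expectedServer)
    AcceptTrustedPublisherCerts = $acceptsLocal
    NonMicrosoftPublishers      = $findings.Count
    # Unexpected server + relaxed signing policy + extra publisher certs together
    # are the combination the comment says must be in place.
    NeedsReview = ([bool]$wuServer -and ($wuServer -ne $expectedServer) -and
                   $acceptsLocal -and ($findings.Count -gt 0))
}
$findings | Format-Table -AutoSize
```

Non-Microsoft publisher certificates are expected where third-party patches are published through the organisation's own update server, so compare the output against the GPO baseline rather than treating any single hit as malicious.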