Taking back control of Windows Update: Install Updates when you want to!

For years we were more than unsatisfied with the options we had to choose from to patch our Microsoft Windows Servers. Without additional utility you are restricted to the few options Group Policy offers. So as I am always searching for a simple but efficient solution to such a painful problem, I combined two fantastic tools, to a powerful Windows Update Scheduler: PDQ Deploy and ABC Update.

tl;dr: If you choose option “3 – Auto download and notify for install” for your WSUS Group Policy, you can take any advanced Task Scheduler like PDQ Deploy in combination with ABC-Update to install Windows Updates scheduled the way YOU want it to be!

Prologue, where is my problem?

First let’s take a look at the options Microsoft offers us and why I refuse to rely on those. If I’m not completely mistaken the only Policy to choose when to patch Windows Updates has been “Configure Automatic Updates” since ever:

There are 4 options with the ADMX files from Windows 10 1607:

2 – Notify for download and auto install No option, you have no influence about the when
3 – Auto download and notify for install No option, the files would be cached by the Server but never installed
4 – Auto download and schedule the install That looks promising, the server downloads and install when you want
5 – Allow local admin to choose setting No option, as soon as you administrate 10+ servers you will loose track

So if you choose option 4, you can take control of the day and hour:

But whats what? You can only plan on a weekly base. No monthly option. Mh ok. And what if you need to stagger updates? Maybe your SQL Server needs to reboot before the Application Server? Then you either have to build different Organizational Units (OUs) in your Active Directory, each with a different GPO attached with a different time defined, or you link several GPOs to the same OU and work with Advanced Delegation.
For me, this is absolutely no option! I personally think that this is way to complicated and error-prone.

Act 2: A promising utility

What I needed was a way to trigger Windows Updates by an external utility without the need to use the built in GUI. And an advanced Task Scheduler, but I guess the Windows Server Task Scheduler could also work.
We already have such an advanced Task Scheduler, as we use PDQ Deploy to patch nearly every runtime and application on our Workstations and Server. (i. e. Java, Flash, Notepad++, FileZilla, WinScp, …)
I already knew about BatchPatch as a way to control Windows Update via command line, but it just didn’t fit me. (But you could of course take a look!)

But I discovered another tool which fitted perfect: ABC-Update

  • It’s free!
  • No install needed, just copy and paste
  • It’s command line based and has an awesome syntax
  • It can install -> reboot -> search for updates -> install -> reboot -> search for updates -> and so on until there are no updates left, all with one command!
  • I writes beautiful log-files
  • It can report to you via E-Mail

With ABC-Update you get the updates exactly when you want them, and can also define max reboots, use filtering options to select updates based on patch dates, KB Articles and update categories.
The tool has a GUI and a command line version and this enable you to script update operations also if you have that need. Because you can also call the tool from a command line it is well fitted to be used with software distribution tools like ABC-Deploy, MS SCCM and others.

You are in control. No more waiting for Automatic updates.
Tested OK from Windows XP/2003 and up

This gap between what Microsoft is offering out of the box, and what many admins really wants is what the ABC-Update tool is made to fill.

Suddenly everything fitted together. So enough with the talking, on to the real-life examples!

Solution, I no longer have a problem!

First of all I built two ABC-Update.exe command line strings which fit all my needs:

%WINDIR%\ABC-Update.exe Call the binery from a path you placed it beforehand
/A:Install We choose Install as the Action
/S:WSUS || /S:MSUpdate We choose WSUS or Microsoft as the Source
/R:10 Should we continue after a Reboot and if true how often
/T:Software We only install updates from the Type Software, no driver
/Q:IsInstalled=0 AND IsHidden=0 The search Query, only non-installed and non-hidden software
/Log_Append:c:\WSUS.log Write a Log and keep it forever, no overwrite
/Exit:Restart Make sure there always happens a reboot when the program Exits, so we keep the boot order of our Windows Servers

Second, the GPO. As we don’t want Microsoft to take control, we set the following GPOs at least. This is extremely important, as this settings dictate the Windows Server to always cache, but never install Updates. And this is what we want, cause taking back control over Windows Update is our goal.

Allow Automatic Updates immediate installation Disabled
Always automatically restart at the scheduled time Disabled
Configure Automatic Updates
Configure automatic updating:
Enabled
3 – Auto download and notify for install
Specify intranet Microsoft update service location
Set the intranet update service for detecting updates:
Set the intranet statistics server:
Enabled
http://wsus.int.corp.de:8530
http://wsus.int.corp.de:8530
Enable client-side targeting
Target group name for this computer
Enabled
WinServer

Third, the Task Scheduler. As Microsoft Group Policy didn’t offer me what I needed we switched to PDQ Deploy, but as I said, any Task Scheduler should do it. For us, two things were really important:

  1. We want to patch AND reboot every Windows Server in each customer Domain once per month
  2. The Server has to reboot in the correct order, to result in a working configuration
    DC -> SQL -> Fileserver -> Application Server -> XenApp -> etc

This resulted in the following:

I hope I could give someone an inspiration about how to deal with Windows Updates beyond the possibilities Microsoft offers us. If you have any questions, please leave me a comment.

Author: Marco

Gelernter Fachinformatiker für Systemintegration (2010) CCA für XenServer 5.0 (2009) CCA für XenApp 5.0 (2011) CCA für XenApp 6.5 (2013) CCAA für XenApp 6.5 (2013) CCA für XenDesktop 5 (2013) Dell Wyse ThinOS Select Techniker (2011) Igel Authorized Partner (2009-2014) Intensivkurs “Group Policy Administration” Windows 7, 8.x sowie Windows Server 2008-R2 / 2012-R2 bei NT Systems, Dipl.-Ing. T. Pham (2014) Zu Gast auf der E2EVC Virtualization Conference in Berlin (2015) Zu Gast auf der Citrix Technology Exchange in Berlin (2016) Citrix Certified Associate – Networking (CCA – N) (2016) Citrix Certified Professional – Networking (CCP – N) (2017)

Leave a Reply

Your email address will not be published. Required fields are marked *