Wapt Windows Update

[mouka]

Hello,
I have a WAPT server running CentOS 7.5.
WAPT Server version: 1.8.0,
WAPT Agent version: 1.8.0.6631,
WAPT Setup version: 1.8.0.6641,
WAPT Deploy version: 1.8.0.6641.

I'm testing WAPT Windows Update.

Is it possible to get a list of all the Windows updates required for at least one client machine? Specifically, the number of computers requiring this update.

In PowerShell, I use `.ComputersNeedingThisUpdate` for each update.

For example, if I have the update ID, I can get the number of PCs that need this update with this: `
(Get-WsusUpdate -UpdateServer $WSUSServer -UpdateId 62df7893-67b9-4673-ad61-4e0381474671).ComputersNeedingThisUpdate`.

This is so I can apply this update list to a set of client machines, at least one of which needs this update, via a WAPT package.
It's not practical to assign an update list to each client individually, as WAPT Windows Update currently allows.

Thank you.

[sfonteneau]

Good morning

I opened an issue here to add the "show clients" button to the Windows Update tab

In the meantime, you can run an SQL query for this:

Code: Select all

SELECT h.computer_fqdn,w.status,w.installed,w.update_id
from wsusupdates u
left join hostwsus w on w.update_id=u.update_id
left join hosts h on h.uuid=w.host_id
where '2538243'=any(u.kbids)     

In the example, 2538243 is the kb kb2538243

[mouka]

Thank you for your quick reply.
I see that Wapt Windows Updates allows for very granular management of Windows updates on a PC-by-PC basis.
But please reassure me, the purpose of Wapt Windows Updates isn't to apply updates PC by PC, is it?
What is your procedure if, for example, I want to apply all "Critical Only" updates to 200 PCs?
More importantly, what happens if I do this on all 200 PCs, even though some don't require these updates? I can't create Wapt packages for PCs requiring specific updates every day. Besides, the list of PCs needing an update today won't be the same the next day.
Thank you again.

[sfonteneau]

I've noticed that Wapt Windows Updates allows for very granular management of Windows updates on a PC-by-PC basis (one by one).
But please tell me, the purpose of Wapt Windows Updates isn't to apply updates PC by PC, is it?

Rest assured, the purpose of Wapt Windows Updates is not to apply updates PC by PC

What is your procedure if, for example, I want to apply all "Critical only" updates to 200 PCs?

In the event that you wish to apply all critical updates to your entire fleet, you can create a wsus package "wsus-critique-only" and add all critical cabs as "allowed".

You can then push the wapt wsus-critique-only package to your entire network (or via OU for example).

Now when you run a scan for Windows updates, all updates will appear as missing since they have been authorized.

But above all, what happens if I do it on these 200 PCs when some do not require these updates?

No problem. We allow updates, we don't force the installation. If we allow a Windows 7 update on a Windows 10 system, it won't start the installation

Since I can't do daily Wapt packets for PCs needing specific updates. Not to mention that the list of PCs needing updates today won't be the same the next day.
Thanks again.

A wsusscn2.cab file is released once a month, on the second Tuesday of the month. However, you can also configure wapt-get.ini to automatically allow reviews

https://www.wapt.fr/fr/doc/wapt-usage/w ... wapt-agent

Code: Select all

[waptwua]
allowed_severities=Critical
 

But I don't recommend this method; I find it just as easy to check once a month (the second Thursday of each month, for example) and sort through it yourself—it's neater

[mouka]

Great, that's pretty much what I was hoping for.
I'm still testing wapt ent. I want to uninstall KB925673 on a set of client PCs. To do this, I created a rule called sup-KB925673 which contains KB925673 but as a prohibited update. (It's not easy to find KB925673 in the KB list, as there's no search function, but by sorting them by KBs, you can manage it). Anyway!
So, I have a wapt package called sup-KB925673. I assign this to a client PC from which I want to remove KB925673.
In the console on the left, I select the client PC in question, on the right I select the sup-KB925673 package, and I click "install package." The process starts...
which should uninstall KB925673 from my client PC.
But that's not the case!
Even restarting the client PC doesn't produce the desired result…

[dcardon]

Hello Mouka,

Very good, that's pretty much what I was hoping for.
I'm still testing wapt ent. I want to uninstall KB925673 on a set of client PCs. To do this, I created a rule called sup-KB925673 which contains KB925673 but as a prohibited update. (It's not easy to find KB925673 in the KB list, because there's no search function, but by sorting them by KBs, you can manage). Anyway!
So I have a wapt package called sup-KB925673. I assign this to a client PC from which I want to remove KB925673.
In the console on the left, I select the client PC in question, on the right I select the sup-KB925673 package, and I click "install package". The uninstaller is running…
which should uninstall KB925673 from my client PC.
But it's not doing anything!
Even restarting the client PC doesn't produce the desired result…

The WAPT Windows Update client behaves like WSUS in this respect: it blocks the KB installation but doesn't uninstall it if it's already installed. WSUS adds an option to request uninstallation from a specific machine. The problem here is that most KBs are flagged by Microsoft as "non-uninstallable." In practice, it's often still possible to uninstall them, but the result isn't guaranteed.

To reproduce this behavior and force uninstallation, an uninstallation package needs to be created (I'll try to publish an example). I'll see if we can integrate the package creation into the wizard.

Sincerely,

Denis

[mouka]

Okay, I'll wait for your reply on this.
I have a WAPT WUA package named sup-KB925673, as discussed above, and it didn't do the job I wanted. Now I want to get rid of this sup-KB925673 package (of which there are two versions). This package is no longer assigned to any machine. Using the right-click menu, I was hoping to find something like "delete" or "remove" the package in question, but there's nothing like that.
Is there a way to delete this rule that corresponds to the WAPT WUA package named sup-KB925673? So that it no longer appears in the list of WAPT WUA packages. Thank you.

[mouka]

I have the answer, in fact "Delete selected rows" deletes the packet from the server, not just the rows from the table.

[dcardon]

Hello Mouka,
To remove the package, you need to create an uninstall package. You can use the example below as a guide (in this example, it removes a KB article that disables ActiveX support in Internet Explorer). This will be integrated directly into the WAPT Windows Update interface.
Sincerely,
Denis

Code: Select all

# -*- coding: utf-8 -*-
from setuphelpers import *
from waptenterprise.waptservice.enterprise import *
uninstallkey = []

def install():
    print('installing %s' % control.asrequirement())
    installed_kbs = installed_windows_updates()
    for kb in ['4487017','4018300']:
        if force or [u for u in installed_kbs if u['HotFixID'] == 'KB%s' % kb]:
            try:
                print('Trying to uninstall %s' % kb)
                active_sessions = get_active_sessions()
                for session_id in active_sessions:
                    start_interactive_process(makepath(system32(),'wusa.exe'),'/uninstall /kb:%s /norestart /quiet' % (kb,) ,session_id=session_id)
                #print(run('wusa.exe /uninstall /kb:%s /norestart' % kb,timeout=60))
            except Exception as e:
                print('Unable to uninstall %s: %s' % (kb,e))
        else:
            print('%s is not installed' % kb)

def audit():
    print('Auditing %s' % control.asrequirement())
    installed_kbs = installed_windows_updates()
    errors = []
    for kb in ['4487017','4018300']:
        if [u for u in installed_kbs if u['HotFixID'] == 'KB%s' % kb]:
            errors.append(kb)
    if errors:
        print('Errors : %s' % errors)
        return 'ERROR'
    else:
        return 'OK'