Attention: support for WAPT 1.8.2 ended on June 30th, 2022.

There are known vulnerabilities in WAPT dependencies in the WAPT 1.8.2 branch. Please upgrade to the latest supported version. CVE listing (non-exhaustive):
  • Python engine: Python 2.7 (CVE-2020-10735, CVE-2015-20107, CVE-2022-0391, CVE-2021-23336, CVE-2021-3177, CVE-2020-27619, CVE-2020-26116, CVE-2019-20907, CVE-2020-8492, etc.)
  • cryptography: OpenSSL: CVE-2022-2068, CVE-2022-1292, CVE-2022-0778, CVE-2021-4160, CVE-2021-3712, CVE-2021-23841, CVE-2021-23840, CVE-2021-23839, CVE-2020-1971, CVE-2020-1968, CVE-2019-1551
  • Python dependencies: cryptography (CVE-2020-36242, CVE-2020-25659), eventlet (CVE-2021-21419), jinja2 (CVE-2020-28493), psutil (CVE-2019-18874), waitress (CVE-2022-31015), lxml (CVE-2021-4381, CVE-2021-28957, CVE-2020-27783, CVE-2018-19787), ujson (CVE-2022-31117, CVE-2022-31116, CVE-2021-45958), python-ldap (CVE-2021-46823)

New in version 1.7: Enterprise

Using WAPT Windows Update Agent (WAPTWUA)

WAPT Enterprise feature only

Note

Since version 1.7, WAPT is able to manage Windows Updates on your endpoints.

Working principle

Regularly, the WAPT server downloads an updated wsusscn2.cab file from Microsoft servers. By default, downloads happen once a day and no download is triggered if the wsusscn2.cab file has not changed since the last download.

WAPT Windows Update flow process.

Note

In some cases, you may wish to push new KBs before the next Patch Tuesday release.

To do so, you may follow this documentation on packaging .msu files for these Out-of-band updates.

The wsusscn2.cab file is then downloaded by the WAPT agent from its nearest repository and then passed on to the standard WUA Windows utility to crunch the update tree for the host.

Regularly, the host will analyze the available updates using the wsusscn2.cab file. The host will send its list of needed updates as determined by its WUA to the WAPT server.

If an update is pending on the host and if that update is not present on the WAPT server, the server will download the needed update from official Microsoft servers.

Hint

This mode of operation allows WAPT to download only the necessary updates on the computers, thus saving bandwidth, download time and disk space.

Note

Downloaded updates are stored:

  • on Linux hosts in /var/www/waptwua;

  • on Windows hosts in C:\wapt\waptserver\repository\waptwua;

The WAPT Windows Update Agent repository download URL is based on the repo_url parameter in wapt-get.ini:

  • repository replication works with WAPT Windows Update and reduces bandwidth use;

  • do not forget to synchronize the waptwua folder if you are replicating your packages with distant repositories;

Note

If in your company, a proxy is needed to go out on the Internet, then be sure to set the proxy server in the waptserver.ini file.

Difference between WAPT Windows Updates and WSUS

WSUS downloads by default the updates for selected categories. This can lead to a very large update database and lots of storage used.

WAPT Windows Update only downloads updates that have been requested by at least one client computer. This keeps the local database small (a few tens of gigabytes), and it can easily be cleaned up if you want to recover space.

Major OS upgrades

Major OS upgrades are upgrades from one OS version to another. That includes, for example, upgrades from Windows 7 to Windows 10, or from Windows 10 1803 to Windows 10 1903.

Major version upgrades are not handled in the same way as minor OS upgrades. Major upgrades are handled via the download of the new install ISO content (same content as for a fresh install) and running the setup.exe with the correct parameters. This process is the same for WSUS, SCCM and WAPT Windows Updates.

In the case of WAPT Windows Updates, you need to create an OS upgrade package using a template package provided on https://store.wapt.fr.

Driver upgrades

Driver upgrades via WSUS are not recommended since it is hard to properly handle side effects. In the case of WAPT Windows Updates, DRIVERS ARE NOT DOWNLOADED since they are not referenced in the wsusscn2.cab files provided by Microsoft.

It is recommended to push driver updates via a custom WAPT package. If the driver patch is packaged as an .msu, you may package it as a standard WAPT package.

Just select the .msu file and click Create package in the WAPT console to launch the wizard for simplified package creation.

If the driver update is packaged as a zip containing the exe file, you can create a WAPT package containing the necessary files and run the setup.exe binary with the correct silent flag.

Out of band KB

Microsoft sometimes provides OOB updates that are not contained in the wsusscn2.cab index. Those updates are not included in the main update because they may fix a very specific problem or may have drawbacks in some situations.

If you want to deploy an OOB KB update, you can download it from the Microsoft Update Catalog: https://www.catalog.update.microsoft.com/Home.aspx.

Just select the .msu file and click Create package in the WAPT console to launch the wizard for simplified package creation.

Be careful: OOB updates may break your system. Be sure to read the prerequisites in the Microsoft bulletin corresponding to the update and to test the update thoroughly.

Configuring WAPTWUA on the WAPT agent

WAPTWUA is configured in wapt-get.ini.

Add [waptwua] section.

You then have several options:

Configuration options in the [waptwua] section of wapt-get.ini (option, default value, description):

  • enabled (default: False): enable or disable WAPTWUA on this machine;

  • allow_direct_download (default: False): allow direct download of updates from Microsoft servers if the WAPT server is not available;

  • default_allow (default: False): whether an update that no rule mentions is authorized by default;

  • filter (default: Type='Software' or Type='Driver'): the filter applied to the Windows Update scan;

  • download_scheduling (default: None): Windows Update scan recurrence (ex: 2h); does nothing if neither the waptwua package rules nor the wsusscn2.cab file have changed;

  • install_scheduling (default: None): Windows Update install recurrence (ex: 2h); does nothing if no update is pending;

  • install_at_shutdown (default: False): install pending updates when the machine shuts down;

  • install_delay (default: None): deferred installation delay, counted from the publication of the update in the repository (ex: 7d);

  • allowed_severities (default: None): list of severities that are automatically accepted during a WAPT Windows Update scan (ex: Important, Critical, Moderate);

Hint

These options can be set when generating the agent.

Example [waptwua] section in wapt-get.ini file:

[waptwua]
enabled =true
offline =true
default_allow =false
allow_direct_download=false
download_scheduling=12h
install_at_shutdown=true
install_scheduling=12h
install_delay=7d
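As an added example (not code from the WAPT project or from this documentation), the following Python script parses the [waptwua] section above into typed values and lists the settings worth double-checking before the agent is generated: default_allow=True installs everything not explicitly forbidden, install_scheduling can run installs during working hours, and allow_direct_download bypasses the server cache. The sample ini is constructed from the example above (an allowed_severities line and a [global] repo_url with a placeholder hostname are added). The duration syntax (an integer followed by m, h or d) and the "Low" severity level are assumptions of mine, not documented WAPT behaviour.

```python
import configparser
import re

# Constructed sample: the [waptwua] section shown in the documentation, plus an
# allowed_severities line and a [global] repo_url (placeholder hostname).
SAMPLE_INI = """\
[global]
repo_url = https://wapt.example.lan/wapt

[waptwua]
enabled =true
offline =true
default_allow =false
allow_direct_download=false
download_scheduling=12h
install_at_shutdown=true
install_scheduling=12h
install_delay=7d
allowed_severities=Critical, Important
"""

BOOL_OPTIONS = ("enabled", "offline", "default_allow",
                "allow_direct_download", "install_at_shutdown")
DURATION_OPTIONS = ("download_scheduling", "install_scheduling", "install_delay")
# Assumption: a duration is an integer followed by m (minutes), h (hours) or d (days),
# matching the "2h" / "7d" forms shown in the option table.
DURATION_RE = re.compile(r"^(\d+)([mhd])$")
UNIT_SECONDS = {"m": 60, "h": 3600, "d": 86400}
# MSRC severity names: the page lists the first three; "Low" is the remaining MSRC level (assumption).
KNOWN_SEVERITIES = {"Critical", "Important", "Moderate", "Low"}
DEFAULT_FILTER = "Type='Software' or Type='Driver'"


def parse_bool(raw):
    """Accept the true/false spellings found in wapt-get.ini (case-insensitive)."""
    value = raw.strip().lower()
    if value in ("true", "1", "yes"):
        return True
    if value in ("false", "0", "no"):
        return False
    raise ValueError("not a boolean: %r" % raw)


def parse_duration(raw):
    """Convert '12h' / '7d' style values to seconds."""
    match = DURATION_RE.match(raw.strip())
    if not match:
        raise ValueError("bad duration: %r" % raw)
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]


def load_waptwua(ini_text):
    """Parse the [waptwua] section into typed values; absent options take the table defaults."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    if not parser.has_section("waptwua"):
        # No section at all: WAPTWUA stays disabled (enabled defaults to False).
        return {"enabled": False}
    section = parser["waptwua"]
    cfg = {opt: parse_bool(section.get(opt, "false")) for opt in BOOL_OPTIONS}
    for opt in DURATION_OPTIONS:
        raw = section.get(opt)
        cfg[opt] = parse_duration(raw) if raw else None
    raw_sev = section.get("allowed_severities", "")
    severities = [s.strip() for s in raw_sev.split(",") if s.strip()]
    unknown = set(severities) - KNOWN_SEVERITIES
    if unknown:
        raise ValueError("unknown severities: %s" % sorted(unknown))
    cfg["allowed_severities"] = severities
    cfg["filter"] = section.get("filter", DEFAULT_FILTER)
    return cfg


def review_waptwua(cfg):
    """List the settings a defender would want to confirm before generating the agent."""
    findings = []
    if not cfg.get("enabled"):
        return findings
    if cfg["default_allow"]:
        findings.append("default_allow=True: every update not explicitly forbidden "
                        "by a waptwua rule package will be installed")
    if cfg["install_scheduling"] is not None:
        findings.append("install_scheduling set: installs can run during working hours")
    if cfg["allow_direct_download"]:
        findings.append("allow_direct_download=True: agents fetch from Microsoft when the "
                        "WAPT server is unreachable, bypassing the server cache")
    return findings


if __name__ == "__main__":
    config = load_waptwua(SAMPLE_INI)
    print(config)
    for finding in review_waptwua(config):
        print("-", finding)
```

Run against the sample above, the parser returns 12-hour schedules as 43200 seconds and the 7-day delay as 604800, and the review reports a single finding, the install_scheduling one discussed just below.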

The install_scheduling option makes the agent try to install pending updates every 12 hours. It is deliberately absent from the graphical agent options because it is potentially dangerous: installing updates on your IT infrastructure during working hours can disrupt production.

When you create the waptagent.exe from your console, these options are equivalent to this:

WAPT Windows Update agent options

Hint

If the default_allow option is True and WAPTWUA is enabled as well, clients will contact the WAPT Server and ask it to download the missing updates. The clients will then install the missing updates on their own at the next upgrade.

Example package source code to modify [waptwua] settings:

from setuphelpers import *

def install():
    # WAPT.config_filename is the agent's wapt-get.ini; inifile_writestring
    # creates the [waptwua] section if it does not exist yet.
    inifile_writestring(WAPT.config_filename,'waptwua','enabled','true')
    inifile_writestring(WAPT.config_filename,'waptwua','offline','true')
    inifile_writestring(WAPT.config_filename,'waptwua','filter',"Type='Software' or Type='Driver'")
    inifile_writestring(WAPT.config_filename,'waptwua','install_at_shutdown','true')
    inifile_writestring(WAPT.config_filename,'waptwua','download_scheduling','7d')
    # Comma-separated list of severities accepted without an explicit rule
    inifile_writestring(WAPT.config_filename,'waptwua','allowed_severities','Critical,Important')

Using WAPTWUA from the console

The WAPT Windows Update Agent tab in the WAPT console comes with two sub-menus to manage WAPTWUA.

WAPTWUA Package

The WAPTWUA Package tab allows you to create waptwua rules packages.

  • when this type of package is installed on a machine, it indicates to the WAPTWUA agent the authorized or forbidden KBs;

  • when several waptwua packages are installed on a machine, the different rules will be merged;

  • when a cab is mentioned neither as authorized nor as prohibited, WAPT agents fall back to the value of default_allow in wapt-get.ini;

If a Windows update has not yet been downloaded to the WAPT server, then the WAPT agent will flag the update as MISSING.

Note

  • if the WAPTWUA agent configuration is set to default_allow = True, then it will be necessary to specify the forbidden cab;

  • if the WAPTWUA agent configuration is set to default_allow = False, then it will be necessary to specify the authorized cab;

Hint

  • to test updates on a small set of computers, you can set WAPTWUA default value to default_allow = False;

  • you can test updates on a small sample of hosts and if everything is good, you can release the updates to the entire fleet of computers;
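As an added example (not code from the WAPT project), the following Python script models the decision described above for one host: the allow and forbid lists of every installed waptwua rules package are merged, a KB that no rule mentions falls back to default_allow, a KB whose severity is in allowed_severities is accepted, and an accepted KB that is not yet cached on the WAPT server is reported as MISSING. The rule packages, the scan result and the KB numbers are constructed placeholders. Two points are assumptions of mine, not documented WAPT behaviour: when packages disagree, an explicit forbid wins, and a forbid also overrides an allowed severity.

```python
# Constructed sample rule packages (KB numbers are placeholders). Assumption:
# an explicit forbid wins over an allow from another package.
RULE_PACKAGES = [
    {"package": "waptwua-baseline", "allowed": {"KB0000001"}, "forbidden": {"KB0000002"}},
    {"package": "waptwua-pilot", "allowed": {"KB0000003", "KB0000002"}, "forbidden": set()},
]

# Constructed client-side scan result: KB, MSRC severity and whether the update
# is already cached in the server's waptwua repository.
SCAN_RESULT = [
    {"kb": "KB0000001", "severity": "Important", "on_server": True},
    {"kb": "KB0000002", "severity": "Critical", "on_server": True},
    {"kb": "KB0000003", "severity": "Moderate", "on_server": False},
    {"kb": "KB0000004", "severity": "Critical", "on_server": True},
    {"kb": "KB0000005", "severity": "Low", "on_server": True},
]


def merge_rules(packages):
    """Union the allow and forbid lists of every installed waptwua rules package."""
    allowed, forbidden = set(), set()
    for pkg in packages:
        allowed |= set(pkg["allowed"])
        forbidden |= set(pkg["forbidden"])
    return allowed, forbidden


def decide(update, allowed, forbidden, default_allow, allowed_severities):
    """Return (install?, reason) for one pending update."""
    kb = update["kb"]
    if kb in forbidden:
        return False, "forbidden by rule package"  # assumption: forbid wins every conflict
    if kb in allowed:
        return True, "allowed by rule package"
    if update["severity"] in allowed_severities:
        return True, "severity %s in allowed_severities" % update["severity"]
    return default_allow, "no rule matched, default_allow=%s" % default_allow


def plan(scan, packages, default_allow, allowed_severities=()):
    """Classify a scan result into install / skip / MISSING (accepted but not yet cached)."""
    allowed, forbidden = merge_rules(packages)
    outcome = {}
    for update in scan:
        install, reason = decide(update, allowed, forbidden, default_allow, allowed_severities)
        if install and not update["on_server"]:
            # The server still has to fetch it from Microsoft before the host can install it.
            outcome[update["kb"]] = ("MISSING", reason)
        else:
            outcome[update["kb"]] = ("install" if install else "skip", reason)
    return outcome


def missing_forbid_list(packages, default_allow):
    """True when default_allow=True and no package forbids anything: nothing holds back any update."""
    _, forbidden = merge_rules(packages)
    return bool(default_allow) and not forbidden


if __name__ == "__main__":
    for kb, (status, reason) in plan(SCAN_RESULT, RULE_PACKAGES, False, ("Critical",)).items():
        print(kb, status, "-", reason)
    print("forbid list missing:", missing_forbid_list(RULE_PACKAGES, True))
```

With default_allow=False and Critical in allowed_severities, the constructed scan yields: KB0000001 installed (allowed), KB0000002 skipped (the baseline forbid wins over the pilot allow), KB0000003 MISSING (allowed but not cached), KB0000004 installed by severity, KB0000005 skipped by default. Flipping default_allow to True installs KB0000005 as well, which is why the Note above asks for an explicit forbidden list in that mode.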

Creating a waptwua Package

Windows Updates list tab

The Windows Update List tab lists all needed Windows Updates.

Important

The server does not scan the wsusscn2.cab itself; it lets the WAPTWUA agents do it. If an update seems to be missing from the list, you must run a scan on one of the machines present in the console. For example, if you run a WUA scan on a Windows 7 agent, the Windows 7 updates referenced by the CAB will be displayed in the Windows Update List tab.

The left pane displays updates categories, allowing you to filter by:

  • criticality;

  • product;

  • classification;

In the right panel grid, an empty Downloaded on column means that the update has not yet been downloaded by the WAPT server and is not present on it (no host has reported this update as missing).

  • you can force the download of an update by right-clicking ‣ Download;

  • you can also force the download of the wsusscn2.cab file with the Download WSUSScan cab from Microsoft Web Site button;

  • you can see the Windows Updates download on the server with the Show download task button;

Hint

To clean up your waptwua folder, you can remove Windows updates that are no longer needed. The WAPT server will only re-download a deleted update if one of the WAPT-equipped hosts requests it;

List Windows Update

Launch WUA on clients

From the console you have three options.

List of wua button on console

The Trigger the scan of pending Windows Updates button will launch the scan on the client and list all updates flagged for the OS. You can scan the client from the console like that or by using wapt-get waptwua-scan from the command-line.

Hint

Every 30 minutes, the WAPT Server will look for updates that have been requested at least once by WAPT Clients and that have not yet been downloaded and cached. If an update is pending, the WAPT Server will download it from official Microsoft servers.

You can force this scan with the Download index and missing cabs from Microsoft Web site button in tab Windows Updates ‣ Windows Updates list

WUA pending example

If you want to download from the console, use the Trigger the download of pending Windows Updates button.

The command line for downloading KBs from the client is wapt-get waptwua-download: it scans the current status of Windows against the current rules, downloads the missing KBs and sends the result to the server.

If you want to install the pending update(s), use wapt-get waptwua-install from the command-line prompt.

If you want to trigger the installation from the console, click on Trigger the install of pending Windows Updates button.

Hint

When you want to install the pending updates stored in cache, the WAPT Service triggers the WUA service.

The WAPT Service will enable and start the WUA Service temporarily to install the updates. When updates are installed, waptservice will stop and disable the WUA service until the next cycle.

Video demonstration