New in version 1.7: Enterprise

Using WAPT Windows Update Agent (WAPTWUA)

WAPT Enterprise feature only


Since version 1.7, WAPT is able to manage Windows Updates on your endpoints.

Working principle

Regularly, the WAPT server downloads an updated file from Microsoft servers. By default, downloads happen once a day and no download is triggered if the file has not changed since the last download.

WAPT Windows Update flow process



In some cases, you may wish to push new KBs before the next Patch Tuesday release.

To do so, you may follow this documentation on packaging .msu files for these Out-of-band updates.

The file is then downloaded by the WAPT agent from its nearest repository and then passed on to the standard WUA Windows utility to crunch the update tree for the host.

Regularly, the host will analyze the available updates using the file. The host will send its list of needed updates as determined by its WUA to the WAPT server.

If an update is pending on the host and if that update is not present on the WAPT server, the server will download the needed update from official Microsoft servers.


This mode of operation downloads only the updates that the computers actually need, thus saving bandwidth, download time and disk space.


Downloaded updates are stored:

  • on Linux hosts in /var/www/waptwua;

  • on Windows hosts in C:\wapt\waptserver\repository\waptwua;

The WAPT Windows Update Agent repository download URL is based on the repo_url parameter in wapt-get.ini:

  • repository replication is fully operational with WAPT Windows Update and reduces bandwidth use;

  • do not forget to synchronize the waptwua folder if you are replicating your packages with distant repositories;


If your company requires a proxy to reach the Internet, be sure to set the proxy server in the waptserver.ini file.

Difference between WAPT Windows Updates and WSUS

By default, WSUS downloads the updates for the selected categories. This can lead to a very large update database and a lot of storage being used.

WAPT Windows Update only downloads updates that have been requested by at least one client computer. This helps to keep the local database small (a few tens of gigabytes) and it can easily be cleaned up if you want to recover space.

Major OS upgrades

Major OS upgrades are upgrades from one OS version to another. That includes, for example, upgrades from Windows 7 to Windows 10, or from Windows 10 1803 to Windows 10 1903.

Major upgrade versions are not handled in the same way as minor OS upgrades. Major upgrades are handled via the download of the new install ISO content (same content as for a fresh install) and running the setup.exe with the correct parameters. This process is the same for WSUS, SCCM and WAPT Windows Updates.

In the case of WAPT Windows Updates, you need to create an OS update package using a template package provided on

Driver upgrades

Driver upgrades via WSUS are not recommended since it is hard to properly handle side effects. In the case of WAPT Windows Updates, DRIVERS ARE NOT DOWNLOADED since they are not referenced in the files provided by Microsoft.

It is recommended to push driver updates via a custom WAPT package. If the driver patch is packaged as an msu, you may package it as a standard WAPT package.

Just select the msu file and click Create package in the WAPT console to launch the wizard for simply creating new WAPT packages.

If the driver update is packaged as a zip containing the exe file, you can create a WAPT package containing the necessary files and setup.exe binary with the correct silent flag.

Out of band KB

Microsoft sometimes provides OOB updates that are not contained in the index. Those updates are not included in the main update because they may fix a very specific problem or may have drawbacks in some situations.

If you want to deploy an OOB KB update, you can download it from the Microsoft catalog.

Just select the msu file and click Create package in the WAPT console to launch the wizard for simply creating new WAPT packages.

Be careful: OOB updates may break your system. Be sure to read the prerequisites on the Microsoft bulletin corresponding to the update and thoroughly test the update.

Configuring WAPTWUA on the WAPT agent

WAPTWUA is configured in wapt-get.ini.

Add a [waptwua] section.

You then have several options:

Configuration options in the [waptwua] section of wapt-get.ini:

  • Enable or disable WAPTWUA on this machine;

  • Allow direct download of updates from Microsoft servers if the WAPT server is not available;

  • Set whether a missing update is authorized or not by default;

  • Define the filter to apply for the Windows update scan (default value: Type='Software' or Type='Driver');

  • Set the Windows Update scan recurrence (will not do anything if the waptwua package rule or file has not changed) (ex: 2h);

  • Set the Windows Update install recurrence (will do nothing if no update is pending) (ex: 2h);

  • Install updates when the machine shuts down;

  • Set a deferred installation delay before publication in the repository (ex: 7d);

  • Define a severity list that will be automatically accepted during a WAPT Windows Update scan (ex: Important, Critical, Moderate);


These options can be set when generating the agent.

Example [waptwua] section in wapt-get.ini file:

[waptwua]
enabled = true
offline = true
default_allow = false

The install_scheduling option will try every 12 hours to install updates on the client. It is not available in the graphical options because it is potentially dangerous: installing updates on your IT infrastructure during working hours can impact your production.

When you create the waptagent.exe from your console, these options are equivalent to this:

WAPT Windows Update agent options


If the default_allow option is True and WAPT WUA is also enabled, clients will contact the WAPT Server and ask to download the missing updates. The clients will install missing updates on their own at the time of upgrade.

Example package source code to modify [waptwua] settings:

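from setuphelpers import *

def install():
    # Write the WUA scan filter into the [waptwua] section of the agent's wapt-get.ini
    inifile_writestring(WAPT.config_filename, 'waptwua', 'filter', "Type='Software' or Type='Driver'")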
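To review what a deployed agent configuration implies, the following added example (not part of the WAPT documentation or code base) reads a [waptwua] section and reports the settings this page singles out: a disabled agent, default_allow, and install_scheduling. The sample file is constructed, the function names are hypothetical, and an absent boolean option is treated as false, which is an assumption.

```python
import configparser

# Constructed sample: the page's example section with default_allow switched on
# and install_scheduling set to the 12 hours the page mentions.
SAMPLE_INI = """\
[waptwua]
enabled =true
offline =true
default_allow =true
install_scheduling = 12h
"""

def _flag(section, key):
    """Read a boolean option; None if unparsable. Absent counts as false (assumption)."""
    try:
        return section.getboolean(key, fallback=False)
    except ValueError:
        return None

def audit_waptwua(ini_text):
    """Return (option, finding) pairs for the [waptwua] section of a wapt-get.ini."""
    cfg = configparser.RawConfigParser()
    cfg.read_string(ini_text)
    if not cfg.has_section("waptwua"):
        return [("waptwua", "section missing: WAPTWUA is not configured")]
    wua, findings = cfg["waptwua"], []
    for key in ("enabled", "default_allow"):
        if _flag(wua, key) is None:
            findings.append((key, "value is not a recognizable boolean"))
    if _flag(wua, "enabled") is False:
        findings.append(("enabled", "WAPTWUA is disabled on this machine"))
    if _flag(wua, "default_allow"):
        # Updates named in no rules package are then authorized by default.
        findings.append(("default_allow",
                         "unlisted updates are authorized; forbidden ones must be listed"))
    schedule = (wua.get("install_scheduling") or "").strip()
    if schedule:
        # The page warns that scheduled installs can land in working hours.
        findings.append(("install_scheduling",
                         "installs attempted every %s, working hours included" % schedule))
    return findings

if __name__ == "__main__":
    for option, finding in audit_waptwua(SAMPLE_INI):
        print("%-20s %s" % (option, finding))
```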

Using WAPTWUA from the console

The WAPT Windows Update Agent tab in the WAPT console comes with two sub-menus to manage WAPTWUA.


The WAPTWUA Package tab allows you to create waptwua rules packages.

  • when this type of package is installed on a machine, it indicates to the WAPTWUA agent the authorized or forbidden KBs;

  • when several waptwua packages are installed on a machine, the different rules will be merged;

  • when a cab is neither mentioned as authorized, nor mentioned as prohibited, WAPT agents will then take the value of default_allow in wapt-get.ini;

If a Windows update has not yet been downloaded to the WAPT server, then the WAPT agent will flag the update as MISSING.


  • if the WAPTWUA agent configuration is set to default_allow = True, then it will be necessary to specify the forbidden cab;

  • if the WAPTWUA agent configuration is set to default_allow = False, then it will be necessary to specify the authorized cab;


  • to test updates on a small set of computers, you can set WAPTWUA default value to default_allow = False;

  • you can test updates on a small sample of hosts and if everything is good, you can release the updates to the entire fleet of computers;
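The rule merging and default_allow fallback described above can be modelled as follows. This is an added example, not WAPT code: the dictionary layout, package names and KB numbers are constructed placeholders, and because the page does not say which rule wins when one package authorizes a KB that another forbids, the model reports that case as a conflict instead of deciding it.

```python
# Constructed sample data: KB identifiers and package names are placeholders.
BASELINE = {"name": "wua-baseline", "allowed": {"KB0000001"}, "forbidden": {"KB0000009"}}
PILOT = {"name": "wua-pilot", "allowed": {"KB0000002"}, "forbidden": set()}
NEEDED = {"KB0000001", "KB0000002", "KB0000003", "KB0000009"}

def merge_rules(packages):
    """Merge all installed rules packages into one allowed and one forbidden set."""
    allowed, forbidden = set(), set()
    for pkg in packages:
        allowed |= pkg["allowed"]
        forbidden |= pkg["forbidden"]
    return allowed, forbidden

def decide(kb, allowed, forbidden, default_allow):
    """Classify one needed update against the merged rules."""
    if kb in allowed and kb in forbidden:
        return "conflict"  # the page does not say which rule wins: flag for review
    if kb in forbidden:
        return "forbidden"
    if kb in allowed:
        return "authorized"
    # Neither authorized nor prohibited: default_allow from wapt-get.ini decides.
    return "authorized-by-default" if default_allow else "forbidden-by-default"

def plan(needed, packages, default_allow):
    """Map each update a host needs to the decision its rules produce."""
    allowed, forbidden = merge_rules(packages)
    return {kb: decide(kb, allowed, forbidden, default_allow) for kb in sorted(needed)}

def authorized_updates(needed, packages, default_allow):
    """List the updates a host would be permitted to install."""
    decisions = plan(needed, packages, default_allow)
    return sorted(kb for kb, d in decisions.items() if d.startswith("authorized"))

if __name__ == "__main__":
    # Pilot hosts carry both packages; the rest of the fleet only the baseline.
    print("pilot host:", authorized_updates(NEEDED, [BASELINE, PILOT], False))
    print("fleet host:", authorized_updates(NEEDED, [BASELINE], False))
    print("fleet host, default_allow=True:", authorized_updates(NEEDED, [BASELINE], True))
```

With default_allow = False the pilot package alone decides which hosts receive KB0000002; with default_allow = True every host also receives the unreviewed KB0000003.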

Creating a waptwua Package

Windows Updates list tab

The Windows Update List tab lists all needed Windows Updates.


The server does not scan the file itself; it lets the WUA WAPT agents do it. If an update seems to be missing from the list, you must run a scan on one of the machines present in the console. If you run a WUA scan on a Windows 7 agent, the CAB and Windows 7 files will be displayed on the Windows Update List tab.

The left pane displays updates categories, allowing you to filter by:

  • criticality;

  • product;

  • classification;

In the right panel grid, if the Downloaded on column is empty, it means that the update has not yet been downloaded by the WAPT server and is not present on the WAPT server (This update is not missing on any host).

  • you can force the download of an update by right-click ‣ Download;

  • you can also force the download of the file with the Download WSUSScan cab from Microsoft Web Site button;

  • you can see the Windows Updates download on the server with the Show download task button;


To clean up your waptwua folder, you can remove Windows updates that are no longer needed. The WAPT server will only re-download deleted updates if one of the WAPT equipped hosts requests it.

List Windows Update

Launch WUA on clients

From the console you have three options.

List of wua button on console

The Trigger the scan of pending Windows Updates button will launch the scan on the client and list all updates flagged for the OS. You can scan the client from the console this way, or by running wapt-get waptwua-scan from the command line.


Every 30 minutes, the WAPT Server will look for updates that have been requested at least once by WAPT Clients and that have not yet been downloaded and cached. If an update is pending, the WAPT Server will download it from official Microsoft servers.

You can force this scan with the Download index and missing cabs from Microsoft Web site button in tab Windows Updates ‣ Windows Updates list.

WUA pending example

If you want to download from the console, use the Trigger the download of pending Windows Updates button.

The command line for downloading KBs from the client is wapt-get waptwua-download. It will scan the current status of Windows against the current rules, download the missing KBs and send the result to the server.

If you want to install the pending update(s), use wapt-get waptwua-install from the command-line prompt.

If you want to trigger the installation from the console, click on Trigger the install of pending Windows Updates button.


When you want to install the pending updates stored in cache, the WAPT Service triggers the WUA service.

The WAPT Service will enable and start the WUA Service temporarily to install the updates. When updates are installed, waptservice will stop and disable the WUA service until the next cycle.
