New in version 1.7: Enterprise

Using WAPT Windows Update Agent (WAPTWUA)


Feature only available with WAPT Enterprise version


Since version 1.7, WAPT is able to manage Windows Updates on your endpoints.

Working principle

Regularly, the WAPT server downloads an updated file from Microsoft servers. By default, downloads happen once a day and no download is triggered if the file has not changed since the last download.

WAPT Windows Update flow process

WAPT Windows Update flow process

The file is then downloaded by the WAPT agent from its nearest repository and then passed on to the standard WUA Windows utility to crunch the update tree for the host.

Regularly, the machine will analyze the available updates using the file. The list of needed updates as determined by WUA is then sent from the host to the WAPT server.

If an update is pending on the machine and if that update is not present on the WAPT server, the server will download the needed update from Microsoft servers.


This mode of operation allows to download only the necessary updates on the computers, thus saving bandwidth, download time and disk space.


Downloaded updates are stored:

  • on Linux servers in /var/www/waptwua;
  • on Windows servers in C:\wapt\waptserver\repository\waptwua;

The WAPT Windows Update Agent repository download URL is based on the repo_url parameter in wapt-get.ini:

  • in case of repository replication, it is fully operational with WAPT Windows Update to reduce bandwidth use;
  • do not forget to synchronize the waptwua folder if you are replicating your packages with distant repositories;

Configuring WAPTWUA on the WAPT agent

WAPTWUA is configured in wapt-get.ini.

Add [waptwua] section.

You then have several options:

Options Default Value Description
enabled False Enable or disable WAPTWUA on this machine.
offline True Defined if the scan should be done using files or Online with Microsoft servers
allow_direct_download False Allow direct download of updates from Microsoft servers if the WAPT server is not available
default_allow False Set if missing update is authorized or not by default
filter Type=’Software’ or Type=’Driver’ Define the filter to apply for the Windows update scan
download_scheduling None Set the Windows Update scan recurrence (Will not do anything if wsus package rule or file have not changed) (ex: 2h)
install_scheduling None Set the Windows Update install recurrence (Will do nothing if no update is pending) (ex: 2h)
install_delay None Set a deferred installation delay before publication in the repository (ex: 7d)


These options can be set when generating the agent.

Example WAPTWUA section in wapt-get.ini file:

enabled =true
offline =true
default_allow =false

Using WAPTWUA from the console

The WAPT Windows Update Agent tab in the console WAPT comes with two sub-menus to manage WAPTWUA.


The WAPTWUA Package tab allows you to create wsus rules packages.

  • when this type of package is installed on a machine, it indicates to the WAPTWUA agent the authorized or forbidden KBs;
  • when several wsus packages are installed on a machine, the different rules will be merged;
  • when a cab is neither mentioned as authorized, nor mentioned as prohibited, WAPT agents will then take the value of default_allow in wapt-get.ini;

If a Windows update has not yet been downloaded to the WAPT server, then the WAPT agent will flag the update as MISSING.


  • if the WAPTWUA agent configuration is set to default_allow = True, then it will be necessary to specify the forbidden cab;
  • if the WAPTWUA agent configuration is set to default_allow = False, then it will be necessary to specify the authorized cab;


  • to test updates on a small set of computers, you can set WAPTWUA default value to default_allow = False;
  • you can test updates on a small sample of hosts and if everything is good, you can release the updates to the entire base of computers;
Creating a *wsus* Package

Creating a wsus Package

Windows Updates list tab

The Windows Update List tab lists all needed Windows Updates.

The left pane displays updates categories, allowing you to filter by:

  • criticality;
  • product;
  • classification;

In the right pane grid, if the Downloaded on column is empty, it means that the update was not yet been downloaded by the WAPT server and is not present on the WAPT server (This update is not missing on any host).

  • you can force the download of an update by right-click ‣ Download;
  • you can also force the download of the file with the Download WSUSScan cab from Microsoft Web Site button;
  • you can see the Windows Updates download on the server with the Show download task button;


To cleanup your WAPTWUA folder, you can remove no longer needed Windows updates. WAPT server will only re-download deleted updates if one of the WAPT equipped hosts requests it;

List Windows Update

List Windows Update