
Windows Update Rework: Todo list consolidating tickets

Open silversword411 opened this issue 3 years ago • 10 comments

  • Have a TacticalRMM Global Option like: [] Have Tactical RMM manage all Windows Update functions
  • Block specific patches agent/site/client
  • Agent/Site/Client Button: "Approve patches based on policy now"
  • Agent/Site/Client Button: "Approve and install Now"
  • Run Updates on offline agents if missed
  • Have Update install Window (time window, with working hours like windows has)
  • different times for installation and reboot
  • different schedules for different patch levels. eg Critical: Daily Other: monthly
  • only reboot when accepted by user
  • postpone updates for x days so it can be tested first (you can do this by just setting later than patch Tuesday date/time)
  • Summary screen on patch status for machines
  • Manual Mass approve Updates (add automation policy selection to Bulk Patch Management dialog)
  • Add more time options to scheduled patching e.g. "first, second, Last of Month"
  • Run script before or after patching
  • Use new scheduling system from tasks for patching
  • Include Feature and Driver Updates in Windows Updating
  • add an ability to schedule patch installation/approval based on severity
  • Have patch policy apply immediately upon coming online if agent was offline at scheduled time
  • If user is logged in and active during windows update installation, popup notification to reboot in x mins/hrs and force reboot after that time (like windows)
  • Add more items in TRMMs debug system for troubleshooting patching steps
  • Allow enabling/disabling maintenance mode as part of patching
  • Attempt WoL before running updates
  • Allow enabling "Optional quality updates" to show up in the list of updates.
  • Add a filter and option to automatically ignore all patches with "Preview" in the descriptions #1835

request from jd on discord:

I think there's a GitHub issue open to add a scheduling option to the Bulk Patch Management (and other bulk actions). Would also be really useful if there was a checkbox for whether you want to trigger a reboot (as opposed to following the TRMM patch policy).

I think it would be helpful to have something similar for the Install Patches button - maybe a pop asking if you want to reboot.

For now, I think we can work around with scheduled script-reboots under Automation Manager (as opposed to having the box checked).

However, for the purposes of patching zero days, and for making it just that much easier on admins, I think it would be nice if we could use the Install Patches button (and also the Bulk Install Patches) without having to worry about triggering an accidental, and still have auto reboot ticked in the TRMM Patch Policy.

Replication of all the features in PSWindowsUpdate will probably make everyone happy: https://adamtheautomator.com/pswindowsupdate/

This is what TRMM uses: https://learn.microsoft.com/en-us/windows/win32/api/wuapi/

Additional requests: please specify what part of the API you're talking about.

silversword411 avatar Jun 24 '22 17:06 silversword411

Please also add an ability to schedule patch installation/approval based on severity. So critical patches could be installed on a daily basis and e.g. other only once a month.

emtek-at avatar Oct 11 '22 12:10 emtek-at

It would be nice if TRMM would run a patch scan at next check in after the patch window and patch / install approved patches based on the configured automation policy. That way if a workstation is off during the patching window it will pick up approved patches the next time it is online. (posting from discord)

yourITMatters avatar Jan 11 '23 21:01 yourITMatters

Ability to start the pending updates as soon as the endpoint workstation returns online. Ability to have all the available patches in a global patch list and approve globally based on patch Re-work the "other" category by having TRMM split off the security updates (daily) to auto approve and hold for admin anything else.

Answerphones avatar Oct 31 '23 16:10 Answerphones

Allow Optional quality updates

To include "Optional Quality Updates" in your search results with the Windows Update Agent (WUA) API, you need to use the IUpdateSearcher interface to construct a search query that specifically looks for these types of updates. Optional quality updates typically include updates that are not critical for the security of the system but may provide enhancements or non-critical fixes.

Here's a basic example of how to structure your code to search for optional updates using the WUA API in a COM-aware programming environment, such as C# with appropriate COM interop, or VBScript. The example focuses on how to set up the search criteria to include optional updates:

Example in C# (Assuming COM Interop setup)

```csharp
using System;
using WUApiLib; // COM interop assembly for the Windows Update Agent API (wuapi.dll)

// First, create an instance of the UpdateSession COM object
UpdateSession updateSession = new UpdateSession();
IUpdateSearcher updateSearcher = updateSession.CreateUpdateSearcher();

// Search for software updates that are not installed and not hidden;
// optional updates are picked out of the results in the loop below
string searchCriteria = "IsInstalled=0 AND Type='Software' AND IsHidden=0";

// Perform the search
ISearchResult searchResult = updateSearcher.Search(searchCriteria);

// Iterate through the results and process them as needed
foreach (IUpdate update in searchResult.Updates)
{
    // IUpdate has no IsOptional property; WUA marks optional updates
    // through the BrowseOnly property of IUpdate3
    if (update is IUpdate3 update3 && update3.BrowseOnly)
    {
        Console.WriteLine($"Optional update found: {update.Title}");
        // Further processing, such as displaying to the user for manual selection
    }
}
```

Example in VBScript

```vbscript
' Create the UpdateSession Object
Set updateSession = CreateObject("Microsoft.Update.Session")
Set updateSearcher = updateSession.CreateUpdateSearcher()

' Search for software updates that are not installed and not hidden;
' optional updates are picked out of the results in the loop below
searchCriteria = "IsInstalled=0 AND Type='Software' AND IsHidden=0"

' Perform the search
Set searchResult = updateSearcher.Search(searchCriteria)

' Iterate through the search results
For Each update In searchResult.Updates
    ' WUA update objects have no IsOptional property; optional updates
    ' are the ones with BrowseOnly set
    If update.BrowseOnly Then
        WScript.Echo "Optional update found: " & update.Title
        ' Further processing here
    End If
Next
```

These examples use a basic search criteria string that looks for software updates that are not already installed and are not hidden. The IsOptional property check in the loop (applicable in environments like C# with proper property exposure) is a simplified way of identifying updates that might be considered optional. However, it's important to note that the exact way to identify optional quality updates can depend on the specific properties and categories used by the updates at the time of your query.

silversword411 avatar Mar 08 '24 16:03 silversword411