Deploying Windows Monthly Updates (without WSUS)

by | August 3, 2017

Following up on another article, Deploying Windows Updates via the Command Line, I have come to notice that that approach is not the end-all we once thought it was. With the roll-up updates for Windows 7, 8.1, and 10, I have found a better way to deploy updates.

As before, this all assumes you are NOT running a WSUS server, which is the case at the organization I'm employed at. Updates used to be offered with the Pro level of PDQ Deploy, but that now requires Enterprise licensing. Below is what I found to work in my environment, including the scripts I found to make it work.

Current Updates

As of August 9, 2017:

Windows 7 – KB4034664: 64-bit / 32-bit

Windows 8.1 – KB4034681: 64-bit / 32-bit

Windows 10 – KB4025342: 64-bit / 32-bit


You will want to download the appropriate versions of the monthly updates for your Operating Systems. A quick Google search will land you where you need when new updates come out; see below for more information. Save the files to a common folder that your users can READ from.

Create the Scripts

stopWindowsUpdateServer.ps1:

$ErrorActionPreference = "Stop"
# Record the current startup type so the start script can restore it afterwards.
$ServiceStartType = (Get-WmiObject win32_Service -Filter "Name='Wuauserv'").StartMode
$Destination = "$env:TEMP\StoredService.txt"
If (-not (Test-Path $Destination)) {
    New-Item -Path $Destination -ItemType File
}
$ServiceStartType | Out-File -FilePath $Destination -Force
# A disabled service is switched to Manual for the duration of the deployment.
If ($ServiceStartType -match "Disabled"){
    Set-Service Wuauserv -StartupType Manual
    Write-Output "The Windows Update service startup type has been changed from Disabled to Manual on $Env:COMPUTERNAME."
}
Write-Output "Stopping Windows Update service on $Env:COMPUTERNAME"
Stop-Service -Name wuauserv -Force

startWindowsUpdateService.ps1:

$ErrorActionPreference = "Stop"
# Read back the startup type saved by the stop script.
$Destination = "$env:TEMP\StoredService.txt"
$ServiceStartType = (Get-Content $Destination)
$ServiceObject = Get-Service -Name Wuauserv
# The stop script only changes a Disabled service, so Automatic needs no revert.
If($ServiceStartType -match "Auto"){
    Write-Output "The Windows Update Service startup type is set to Automatic on $Env:COMPUTERNAME"
    Exit 0
}
Try {
    Set-Service Wuauserv -StartupType $ServiceStartType
} Catch {
    # Report the failure but still exit 0 so the deployment is not marked as failed.
    Write-Output "The Windows Update Service could not be reverted back to its original state on $Env:COMPUTERNAME`n"
    $_
    Exit 0
}
Write-Output "The Windows Update Service startup type has been reverted back to $ServiceStartType on $Env:COMPUTERNAME"
# Remove the saved state file once the startup type has been restored.
If (Test-Path $Destination) {
    Remove-Item $Destination -Force
}

Save these files in an easily accessible location that your users can READ from.

Deploy with PDQ Deploy

If you have Admin Arsenal’s PDQ Deploy, you can create a deployment package, as per the settings below:

  1. Stop Windows Update Script (as saved above)
    • Created as a PowerShell script
    • Options->Error Mode->Continue
  2. Install Step (for each update)
    • Choose the .MSU update file for your Windows Version (e.g. Windows 7 32-bit)
    • Ensure the success codes include 0,1641,3010,2359302
    • Conditions->OS Version and Architecture->Match for the update you’re deploying
    • Options->Error Mode->Stop deployment with error
    • You do NOT need to copy the entire folder with each of these Install steps
  3. Repeat step two for each Windows Version and Architecture you have updates for
  4. Start Windows Update Script (as saved above)
    • As per step 1 above, except choosing the START script

[Screenshots: Main Package Options; Deployment Conditions; On error resume next]

Keeping your updates up to date

Next up, you need to keep these updates… well, up to date! You can either refer to this page (as I will continually update it), or you can do some searching yourself. Below is how I found the updates to apply:

  1. Google search for “Windows { 7 | 8.1 | 10 } {Month} {Year} Roll up”. Look for the KB number.
  2. Go to the Windows Update Catalog, and search for that KB number.
  3. Click the Download button to the right for the version you need. Save the file in the same folder as the older ones; I rename the updates to a name format, such as “Win7_x64_KB123456”, to keep the names short.
  4. Update the middle steps of your deployment to use the new filenames.
  5. Test the deployment with a test computer to ensure it deploys properly without errors.
  6. Deploy as needed to the rest of your environment.
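
Because the files are located through a web search, renamed, and then installed with administrative rights on every machine, it is worth checking before step 4 that each staged .msu is intact and carries a valid Microsoft signature. The script below is an added example, not part of the original post; the share path is a placeholder, and PowerShell 4.0 or later is assumed (for Get-FileHash).

```powershell
# Added example: vet the staged .msu files before pointing a deployment at them.
# Assumption: $UpdateShare is a placeholder for the folder the Install steps use.
param(
    [string]$UpdateShare = '\\fileserver\Updates'   # hypothetical path
)

$ErrorActionPreference = 'Stop'

function Test-UpdatePackage {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # 'Valid' means the file hash matches the signature and the certificate
    # chain builds to a root this machine trusts. The subject test alone is
    # not sufficient; it only narrows a valid signature down to Microsoft.
    $byMicrosoft = $cert -and ($cert.Subject -match 'O=Microsoft Corporation')

    # Renaming a file (e.g. Win7_x64_KB123456.msu) does not alter its
    # signature, so renamed packages still verify. A modified or truncated
    # download does not.
    [pscustomobject]@{
        File    = Split-Path $Path -Leaf
        Status  = $sig.Status
        Signer  = if ($cert) { $cert.Subject } else { '<unsigned>' }
        SHA256  = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Trusted = ($sig.Status -eq 'Valid') -and $byMicrosoft
    }
}

$results = Get-ChildItem -Path $UpdateShare -Filter *.msu |
    ForEach-Object { Test-UpdatePackage -Path $_.FullName }

$results | Format-Table File, Status, Trusted, SHA256 -AutoSize

# A non-zero exit code lets a scheduled task or a deployment step stop here.
if ($results | Where-Object { -not $_.Trusted }) {
    Write-Warning 'One or more update files failed signature validation.'
    exit 1
}
```

Keeping the SHA256 column from a known-good run gives you a baseline to compare against if a file on the share is later replaced.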

[Screenshots: Update Catalog screen to choose updates; Saving the Update to a computer]