An Install step installs software on a target computer using a main install file. See the following sections for more information:
Hrm, according to my WSUS server, that version of.NET was released to Windows 10 1607 back on 8/20/19 and falls under the Windows 10 product category. As long as you have 'Windows 10' checked under products and classifications in WSUS, it should have already been on your WSUS server and you shouldn't have needed to import it. Deploy Windows Updates with PDQ Deploy. Let’s look at how we would deploy Windows Updates with PDQ Deploy. The first thing we need to do is go to PDQ Inventory and see which servers need the latest cumulative update. There is already collections built for this purpose by default in PDQ Inventory. I have been using PDQ to deploy Monthly rollups on server 2008r2 & 2012r2 servers for almost 6 months. Last week, once I have deployed the April Monthly rollup, my manager checked the updates manually on one of the server and he found the new update available from March KB4474419, even though the Monthly rollups for both March & April were installed ( KB4489878 & KB4493472). PDQ Deploy is a software deployment tool built to help you automate your patch management. You can go from updating your 3rd party software, to deploying scripts, to making useful system changes in almost no time. Windows Server Update Services (WSUS) enables the administrators to deploy the latest Microsoft product updates. WSUS is a Windows Server server role and when you install it, you can efficiently manage and deploy the updates.
•Install Properties
•Silent Install Options
Install Properties
Property | Details |
Mathtype full version. Install File | Select the primary component of an install step, the installer file. All PDQ Deploy installs include one or more files with one of them being the primary file. IMPORTANT: If the application has more files than the setup file, be sure to select the Include Entire Directory option, listed below the Additional Files section. To include other files, such as configurations or dependent installs, use the Additional Files option (see below). For more information on the types of installs files and their options, see Supported Install Files. |
File Details | Shows details about the selected file such as its size, publisher, and version (if available). Mouse over the information for additional details. |
Parameters | Additional parameters to include in the command line. Be sure to include any silent options here, if needed. For more information, see Silent Install Options below. To assist with finding silent parameters, click search online. |
Additional Files | Select any additional files for the install that are not in the main install file folder, such as an MSI transform or an answer file. Unlike the Include Entire Directory option, files included here are placed in the same directory as the install file. Note that if all the additional files you need are already in the same folder as the main install file, it’s easier to use the Included Entire Directory option. |
Include Entire Directory | Includes all files (and sub-directories) in the same folder as the main install file. Unlike Additional Files, this option maintains the directory structure (including all sub-directories). |
MSI Options | For MSI, MSU, and MSP installs there are a number of options which can be passed to msiexec.exe (.MSI, .MSP) or wusa.exe (.MSU) as part of the install. •Operation: Install is the most common option, but Repair and Uninstall are available if you need them (for .MSI and .MSP). •Restart: Some installs require restarts to complete the installation (such as when files are in use). You can decide how restarts are handled. The (not set) option does not include an option for restarting and uses the install’s default option or you can include another option on the Command Line (see below). •Quiet: Most often you will select this option (for more information, see Silent Install Options below).There may be times when you want to use a different command line option than /qn or when the install doesn’t work properly with this option. For additional information, see Supported Install Files. |
Success Codes | Executable and batch installs typically report success with a return code of 0 (zero) but some also return success with other return codes. Usually these are warnings or other informational return codes that you can safely ignore. When creating an install, you can provide a comma-separated list of return codes that are considered a success. Any install that does not return one of these codes is flagged as an error and the return code displays. For example, the default codes of 1641 and 3010 are MSI codes indicating that the installation was successful but a reboot was started (1641) or a reboot is required (3010). For a comprehensive list of Windows system error codes, see https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx. |
Command Line | You can add additional command line options here and see the final command line that will be executed on the target computer. Select the Custom option to edit the command line directly. NOTE: It is generally unnecessary to customize the command line here. To add additional parameters or switches to a command, you should use the Parameters field. |
Silent Install Options
In order for a deployment to succeed it is critical to understand the concept of a silent or unattended installation.
A silent installation is one which installs software without requiring any intervention from a user on the target computer. If an installation asks the user for information or an action, for example to point to an install directory or to read a license agreement, then the software cannot be installed remotely. Because the user interface element waiting for user input is not visible when run remotely, a user cannot respond to the installation. The result is an installation that appears to “hang” and never return.
Many application packages support an option known as silent or unattended. This option installs the software either with a default set of properties (such as file locations) or with options provided on a command line. The vast majority of application installs that use MSI, MSU, or MSP support a silent option (in fact, the installation developer would need to go out of their way to break the silence, as it were).
EXE installations, however, are a mixed bag. Some support the silent option while others don't. Even for those that do, it’s sometimes difficult to determine how to enable the silent installation.
Finding Silent Options
Resources for locating the silent option for an install are discussed in the following table.
Source | Details |
Product documentation | Vendors often list silent parameters in their documentation, usually along with other install configuration command line options. |
Web searches | It is likely that others have been looking for the same silent option online. Searching for “install acrobat silently” for example yields a number of hits. In PDQ Deploy, after adding your install file to the Install Step of a package, you can also click search online to assist your online search. Video: PDQ Live! Google Fu: The Art of Finding Silent Parameters (https://support.pdq.com/hc/en-us/articles/220537487) |
Ask the install | Many install files include an option that provides command option information. This is often referred to as a Usage Statement or a Usage Window. 1.Open a command window (cmd.exe) and cd to your setup directory. 2.Try running the install file (for example, setup.exe) with a /? option. This sometimes (not always) opens a window that shows different options for installing silently (as well as other options). For example, /q for installing silently, /qu for silent uninstall. Other applications might list ways to auto accept license agreements, or install to different directories. These extra parameters are enabled by each software vendor, so they vary from product to product. |
Trial and error | There are a number of silent options which are used repeatedly. Options we see include: /S, /q, /qn, -silent, /p:silent, -option, and “silent”. |
PDQ Support Forums | If all else fails, visit the PDQ support forums at https://support.pdq.com/home for assistance. We are asked this question quite often and may be able to point you in the right direction. |
Test It
It is important that you test the silent parameters before you deploy the installation remotely, otherwise you may end up waiting for quite a while before you realize you are missing something. A good practice (but not required) is to run the installation on a test computer directly (outside of PDQ Deploy).
To test silent parameters outside of PDQ Deploy:
1.In Windows, click Start > Run (or press Start+R).
2.Type the command, including the silent parameters, then click OK.
If the application installs without you having to answer questions (acknowledging a Windows UAC prompt is fine), then you can be confident the silent parameters work and can be added to PDQ Deploy.
Below is an example of using the Run window to verify that Microsoft Silverlight runs silently. Note that the parameter, /q, is passed.
After you have verified that the application will run, you can attempt the deployment from within PDQ Deploy.
NOTE: Unfortunately, some applications simply do not support silent or unattended installations. These applications cannot be installed silently using PDQ Deploy, however, with user interaction, they can still be installed using the Run As option Deploy User (Interactive).
© 2017 PDQ.com Corporation. All rights reserved.
PDQ.com is a trademark of PDQ.com Corporation. All other product and company names are the property of their respective owners.
Help Version: 13.1.0.0
-->Applies to
- Windows 10
Looking for consumer information? See Windows Update: FAQ
Important
Due to naming changes, older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy or the registry. If you encounter these terms, 'CB' refers to the Semi-Annual Channel (Targeted)--which is no longer used--while 'CBB' refers to the Semi-Annual Channel.
WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that Microsoft Endpoint Configuration Manager provides.
When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows 10 client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 10.
Requirements for Windows 10 servicing with WSUS
To be able to use WSUS to manage and deploy Windows 10 feature updates, you must use a supported WSUS version:
- WSUS 10.0.14393 (role in Windows Server 2016)
- WSUS 10.0.17763 (role in Windows Server 2019)
- WSUS 6.2 and 6.3 (role in Windows Server 2012 and Windows Server 2012 R2)
- KB 3095113 and KB 3159706 (or an equivalent update) must be installed on WSUS 6.2 and 6.3.
Important
Both KB 3095113 and KB 3159706 are included in the Security Monthly Quality Rollup starting in July 2017. This means you might not see KB 3095113 and KB 3159706 as installed updates since they might have been installed with a rollup. However, if you need either of these updates, we recommend installing a Security Monthly Quality Rollup released after October 2017 since they contain an additional WSUS update to decrease memory utilization on WSUS's clientwebservice.If you have synced either of these updates prior to the security monthly quality rollup, you can experience problems. To recover from this, see How to Delete Upgrades in WSUS.
WSUS scalability
To use WSUS to manage all Windows updates, some organizations may need access to WSUS from a perimeter network, or they might have some other complex scenario. WSUS is highly scalable and configurable for organizations of any size or site layout. For specific information about scaling WSUS, including upstream and downstream server configuration, branch offices, WSUS load balancing, and other complex scenarios, see Choose a Type of WSUS Deployment.
Configure automatic updates and update service location
When using WSUS to manage updates on Windows client devices, start by configuring the Configure Automatic Updates and Intranet Microsoft Update Service Location Group Policy settings for your environment. Doing so forces the affected clients to contact the WSUS server so that it can manage them. The following process describes how to specify these settings and deploy them to all devices in the domain.
To configure the Configure Automatic Updates and Intranet Microsoft Update Service Location Group Policy settings for your environment
- Open Group Policy Management Console (gpmc.msc).
- Expand ForestDomainsYour_Domain.
- Right-click Your_Domain, and then select Create a GPO in this domain, and Link it here.NoteIn this example, the Configure Automatic Updates and Intranet Microsoft Update Service Location Group Policy settings are specified for the entire domain. This is not a requirement; you can target these settings to any security group by using Security Filtering or a specific OU.
- In the New GPO dialog box, name the new GPO WSUS – Auto Updates and Intranet Update Service Location.
- Right-click the WSUS – Auto Updates and Intranet Update Service Location GPO, and then click Edit.
- In the Group Policy Management Editor, go to Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsWindows Update.
- Right-click the Configure Automatic Updates setting, and then click Edit.
- In the Configure Automatic Updates dialog box, select Enable.
- Under Options, from the Configure automatic updating list, select 3 - Auto download and notify for install, and then click OK.ImportantUse Regedit.exe to check that the following key is not enabled, because it can break Windows Store connectivity: ComputerHKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsWindowsUpdateDoNotConnectToWindowsUpdateInternetLocationsNoteThere are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see Configure Automatic Updates by Using Group Policy.
- Right-click the Specify intranet Microsoft update service location setting, and then select Edit.
- In the Specify intranet Microsoft update service location dialog box, select Enable.
- Under Options, in the Set the intranet update service for detecting updates and Set the intranet statistics server options, type http://Your_WSUS_Server_FQDN:PortNumber, and then select OK.NoteThe URL
http://CONTOSO-WSUS1.contoso.com:8530
in the following image is just an example. In your environment, be sure to use the server name and port number for your WSUS instance.NoteThe default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. (The other options are 80 and 443; no other ports are supported.)
As Windows clients refresh their computer policies (the default Group Policy refresh setting is 90 minutes and when a computer restarts), computers start to appear in WSUS. Now that clients are communicating with the WSUS server, create the computer groups that align with your deployment rings.
Pdq Deploy Wsus
Create computer groups in the WSUS Administration Console
Note
The following procedures use the groups from Table 1 in Build deployment rings for Windows 10 updates as examples.
You can use computer groups to target a subset of devices that have specific quality and feature updates. These groups represent your deployment rings, as controlled by WSUS. You can populate the groups either manually by using the WSUS Administration Console or automatically through Group Policy. Regardless of the method you choose, you must first create the groups in the WSUS Administration Console.
To create computer groups in the WSUS Administration Console
- Open the WSUS Administration Console.
- Go to Server_NameComputersAll Computers, and then click Add Computer Group.
- Type Ring 2 Pilot Business Users for the name, and then click Add.
- Repeat these steps for the Ring 3 Broad IT and Ring 4 Broad Business Users groups. When you’re finished, there should be three deployment ring groups.
Now that the groups have been created, add the computers to the computer groups that align with the desired deployment rings. You can do this through Group Policy or manually by using the WSUS Administration Console.
Use the WSUS Administration Console to populate deployment rings
Adding computers to computer groups in the WSUS Administration Console is simple, but it could take much longer than managing membership through Group Policy, especially if you have many computers to add. Adding computers to computer groups in the WSUS Administration Console is called server-side targeting.
In this example, you add computers to computer groups in two different ways: by manually assigning unassigned computers and by searching for multiple computers.
Manually assign unassigned computers to groups
When new computers communicate with WSUS, they appear in the Unassigned Computers group. From there, you can use the following procedure to add computers to their correct groups. For these examples, you use two Windows 10 PCs (WIN10-PC1 and WIN10-PC2) to add to the computer groups.
To assign computers manually
- In the WSUS Administration Console, go to Server_NameComputersAll ComputersUnassigned Computers.Here, you see the new computers that have received the GPO you created in the previous section and started communicating with WSUS. This example has only two computers; depending on how broadly you deployed your policy, you will likely have many computers here.
- Select both computers, right-click the selection, and then click Change Membership.
- In the Set Computer Group Membership dialog box, select the Ring 2 Pilot Business Users deployment ring, and then click OK.Because they were assigned to a group, the computers are no longer in the Unassigned Computers group. If you select the Ring 2 Pilot Business Users computer group, you will see both computers there.
Search for multiple computers to add to groups
Another way to add multiple computers to a deployment ring in the WSUS Administration Console is to use the search feature.
To search for multiple computers
- In the WSUS Administration Console, go to Server_NameComputersAll Computers, right-click All Computers, and then click Search.
- In the search box, type WIN10.
- In the search results, select the computers, right-click the selection, and then click Change Membership.
- Select the Ring 3 Broad IT deployment ring, and then click OK.
You can now see these computers in the Ring 3 Broad IT computer group.
## Use Group Policy to populate deployment ringsThe WSUS Administration Console provides a friendly interface from which you can manage Windows 10 quality and feature updates. When you need to add many computers to their correct WSUS deployment ring, however, it can be time-consuming to do so manually in the WSUS Administration Console. For these cases, consider using Group Policy to target the correct computers, automatically adding them to the correct WSUS deployment ring based on an Active Directory security group. This process is called client-side targeting. Before enabling client-side targeting in Group Policy, you must configure WSUS to accept Group Policy computer assignment.
To configure WSUS to allow client-side targeting from Group Policy
- Open the WSUS Administration Console, and go to Server_NameOptions, and then click Computers.
- In the Computers dialog box, select Use Group Policy or registry settings on computers, and then click OK.NoteThis option is exclusively either-or. When you enable WSUS to use Group Policy for group assignment, you can no longer manually add computers through the WSUS Administration Console until you change the option back.
Now that WSUS is ready for client-side targeting, complete the following steps to use Group Policy to configure client-side targeting:
To configure client-side targeting
Tip
When using client-side targeting, consider giving security groups the same names as your deployment rings. Doing so simplifies the policy-creation process and helps ensure that you don’t add computers to the incorrect rings.
- Open Group Policy Management Console (gpmc.msc).
- Expand ForestDomainsYour_Domain.
- Right-click Your_Domain, and then click Create a GPO in this domain, and Link it here.
- In the New GPO dialog box, type WSUS – Client Targeting – Ring 4 Broad Business Users for the name of the new GPO.
- Right-click the WSUS – Client Targeting – Ring 4 Broad Business Users GPO, and then click Edit.
- In the Group Policy Management Editor, go to Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsWindows Update.
- Right-click Enable client-side targeting, and then click Edit.
- In the Enable client-side targeting dialog box, select Enable.
- In the Target group name for this computer box, type Ring 4 Broad Business Users. This is the name of the deployment ring in WSUS to which these computers will be added.
Warning
The target group name must match the computer group name.
- Close the Group Policy Management Editor.
Now you’re ready to deploy this GPO to the correct computer security group for the Ring 4 Broad Business Users deployment ring.
![Pdq Deploy Install With Wsus Pdq Deploy Install With Wsus](https://documentation.pdq.com/PDQDeploy/17.2.0.0/hmfile_hash_aeb2fd21.png)
To scope the GPO to a group
- In GPMC, select the WSUS – Client Targeting – Ring 4 Broad Business Users policy.
- Click the Scope tab.
- Under Security Filtering, remove the default AUTHENTICATED USERS security group, and then add the Ring 4 Broad Business Users group.
Pdq Deploy Agent
The next time the clients in the Ring 4 Broad Business Users security group receive their computer policy and contact WSUS, they will be added to the Ring 4 Broad Business Users deployment ring.
Automatically approve and deploy feature updates
For clients that should have their feature updates approved as soon as they’re available, you can configure Automatic Approval rules in WSUS.
Note Time fades away flac.
WSUS respects the client device's servicing branch. If you approve a feature update while it is still in one branch, such as Insider Preview, WSUS will install the update only on devices that are in that servicing branch. When Microsoft releases the build for Semi-Annual Channel, the devices in the Semi-Annual Channel will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS.
To configure an Automatic Approval rule for Windows 10 feature updates and approve them for the Ring 3 Broad IT deployment ring
- In the WSUS Administration Console, go to Update ServicesServer_NameOptions, and then select Automatic Approvals.
- On the Update Rules tab, click New Rule.
- In the Add Rule dialog box, select the When an update is in a specific classification, When an update is in a specific product, and Set a deadline for the approval check boxes.
- In the Edit the properties area, select any classification. Clear everything except Upgrades, and then click OK.
- In the Edit the properties area, click the any product link. Clear all check boxes except Windows 10, and then click OK.Windows 10 is under All ProductsMicrosoftWindows.
- In the Edit the properties area, click the all computers link. Clear all the computer group check boxes except Ring 3 Broad IT, and then click OK.
- Leave the deadline set for 7 days after the approval at 3:00 AM.
- In the Step 3: Specify a name box, type Windows 10 Upgrade Auto-approval for Ring 3 Broad IT, and then click OK.
- In the Automatic Approvals dialog box, click OK.NoteWSUS does not honor any existing month/week/day deferral settings. That said, if you’re using Windows Update for Business for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait.
Now, whenever Windows 10 feature updates are published to WSUS, they will automatically be approved for the Ring 3 Broad IT deployment ring with an installation deadline of 1 week.
Warning
The auto approval rule runs after synchronization occurs. This means that the next upgrade for each Windows 10 version will be approved. If you select Run Rule, all possible updates that meet the criteria will be approved, potentially including older updates that you don't actually want--which can be a problem when the download sizes are very large.
Manually approve and deploy feature updates
You can manually approve updates and set deadlines for installation within the WSUS Administration Console, as well. It might be best to approve update rules manually after your pilot deployment has been updated.
To simplify the manual approval process, start by creating a software update view that contains only Windows 10 updates.
Note
If you approve more than one feature update for a computer, an error can result with the client. Approve only one feature update per computer.
To approve and deploy feature updates manually
- In the WSUS Administration Console, go to Update ServicesServer_NameUpdates. In the Action pane, click New Update View.
- In the Add Update View dialog box, select Updates are in a specific classification and Updates are for a specific product.
- Under Step 2: Edit the properties, click any classification. Clear all check boxes except Upgrades, and then click OK.
- Under Step 2: Edit the properties, click any product. Clear all check boxes except Windows 10, and then click OK.Windows 10 is under All ProductsMicrosoftWindows.
- In the Step 3: Specify a name box, type All Windows 10 Upgrades, and then click OK.
Now that you have the All Windows 10 Upgrades view, complete the following steps to manually approve an update for the Ring 4 Broad Business Users deployment ring:
- In the WSUS Administration Console, go to Update ServicesServer_NameUpdatesAll Windows 10 Upgrades.
- Right-click the feature update you want to deploy, and then click Approve.
- In the Approve Updates dialog box, from the Ring 4 Broad Business Users list, select Approved for Install.
- In the Approve Updates dialog box, from the Ring 4 Broad Business Users list, click Deadline, click One Week, and then click OK.
- If the Microsoft Software License Terms dialog box opens, click Accept.If the deployment is successful, you should receive a successful progress report.
- In the Approval Progress dialog box, click Close.
Steps to manage updates for Windows 10
Learn about updates and servicing channels |
Prepare servicing strategy for Windows 10 updates |
Build deployment rings for Windows 10 updates |
Assign devices to servicing channels for Windows 10 updates |
Optimize update delivery for Windows 10 updates |
Deploy updates using Windows Update for Business or Deploy Windows 10 updates using Windows Server Update Services (this topic) or Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager |