I use Windows Defender on a number of my personal Windows machines (this article isn’t about debating the sanity or otherwise of that!), but I frequently come to these machines to find an indication that Windows Updates have been downloaded and are ready to install. I set them that way deliberately, as I like to be master of my own destiny, especially where reboots at inconvenient times are concerned (although stopping the Windows Update service will stop a reboot even when the countdown timer can no longer be postponed). However, the majority of the time these updates turn out to be nothing more than definition updates for Windows Defender. Unfortunately, Windows Update has all-or-nothing granularity: either every update installs automatically or none does. In the days when I ran a WSUS server at home (primarily to conserve bandwidth with all the VMs I created), I seem to remember that you could set some update classifications to be approved automatically but not others. Nothing equivalent seems to be available when taking Windows Update from Microsoft directly.
I know Windows Defender can be told to update just its definitions via the MpCmdRun.exe command (its -SignatureUpdate switch), but I wanted a way to schedule the installation of any arbitrary update, not just Windows Defender’s.
To this end, I found the Microsoft documentation for the Windows Update Agent API and adapted the VBS script found at http://msdn.microsoft.com/en-gb/library/windows/desktop/aa387102(v=vs.85).aspx so that it can be passed a string on the command line and will then find, download and install any pending updates whose title contains that string. Couple this with some rudimentary auditing to the event log and a scheduled task that runs the script a few times a day, and the problem (or annoyance) is solved.
The script can be found here and comes with absolutely no warranty (although it has been working fine for me for months). Test it from an administrative cmd prompt with cscript.exe to make sure it works correctly before creating a scheduled task for it, where debugging becomes slightly trickier. An example command line is shown in the screenshot below; the script also accepts /Verbose:y to print detailed output about what it is doing at each stage (don’t specify this option when setting up the scheduled task).
Once you have the script saved in a suitable location, run the task scheduler (taskschd.msc) as an administrator and create a new task to look something like this:
Note the use of the //B (batch mode) option to wscript.exe, which suppresses any message boxes the script might produce, since an unattended script waiting on a dialog would stall forever. I’ve also created multiple Daily triggers to run it in the morning, afternoon and evening, and the task is set to run as soon as possible after a missed start, e.g. if the machine was asleep or off.
I can then check the event log, for which I’ve set up a filter on the “WSH” source as shown below, to see which updates the script has applied; they also appear in the standard update history in the Windows Update control panel applet.
Obviously you could change the string passed via the /Match: option to auto-install any updates you like; just create a separate scheduled task for each different /Match: argument. Note that the script uses a very simple, case-insensitive substring search, so there are no wildcards or regular expressions (yet!).
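For readers who would rather not run VBS, the same approach written in PowerShell against the Windows Update Agent COM API is shown below. This is an added example, not the author’s script: the file name Install-MatchingUpdates.ps1, the -Match parameter (standing in for the script’s /Match: option), the schtasks command in the trailing comment and the sample match string are all assumptions. It performs the steps the post describes: search for pending updates, keep those whose title contains the match string (case-insensitive substring, no wildcards), download and install them, and write the outcome to the Application event log under the “WSH” source via WScript.Shell.LogEvent, so the event log filter described above picks it up. It must run elevated.

```powershell
# Install-MatchingUpdates.ps1 (hypothetical name; added example, not the post's VBS script)
# Usage (elevated):  .\Install-MatchingUpdates.ps1 -Match 'Windows Defender' [-Verbose]
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)][string]$Match   # substring to look for in the update title
)

# WScript.Shell.LogEvent writes to the Application log with source "WSH", matching the
# event-log filter in the post. Type: 0 = Success, 1 = Error, 2 = Warning, 4 = Information.
$shell = New-Object -ComObject WScript.Shell
function Write-WshEvent {
    param([int]$Type, [string]$Message)
    $null = $shell.LogEvent($Type, $Message)
}

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
Write-Verbose "Searching for pending software updates (this can take a while)..."
$result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

# Case-insensitive substring match on Title only: no wildcards, no regular expressions.
$toInstall = New-Object -ComObject Microsoft.Update.UpdateColl
foreach ($update in $result.Updates) {
    if ($update.Title.IndexOf($Match, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        # Install() fails for updates whose EULA has not been accepted, so accept it here.
        if (-not $update.EulaAccepted) { $update.AcceptEula() }
        $null = $toInstall.Add($update)
        Write-Verbose "Matched: $($update.Title)"
    } else {
        Write-Verbose "Skipped: $($update.Title)"
    }
}

if ($toInstall.Count -eq 0) {
    Write-Verbose "No pending updates matched '$Match'; nothing to do."
    exit 0
}

# OperationResultCode: 2 = Succeeded, 3 = SucceededWithErrors, 4 = Failed, 5 = Aborted.
$downloader = $session.CreateUpdateDownloader()
$downloader.Updates = $toInstall
$dl = $downloader.Download()
if ($dl.ResultCode -ne 2) {
    $msg = "Download of updates matching '$Match' returned result code $($dl.ResultCode) " +
           "(HRESULT 0x$('{0:X8}' -f $dl.HResult)); nothing was installed."
    Write-WshEvent 1 $msg
    Write-Verbose $msg
    exit 1
}

$installer = $session.CreateUpdateInstaller()
$installer.Updates = $toInstall
$inst = $installer.Install()

# One audit record listing every update attempted, plus a per-update line in verbose mode.
$titles = @(foreach ($u in $toInstall) { $u.Title }) -join '; '
for ($i = 0; $i -lt $toInstall.Count; $i++) {
    Write-Verbose ("{0} -> result code {1}" -f $toInstall.Item($i).Title, $inst.GetUpdateResult($i).ResultCode)
}
$summary = "Installed updates matching '$Match' (result code $($inst.ResultCode), " +
           "reboot required: $($inst.RebootRequired)): $titles"
if ($inst.ResultCode -eq 2) { Write-WshEvent 0 $summary } else { Write-WshEvent 1 $summary }
Write-Verbose $summary
if ($inst.ResultCode -ne 2) { exit 1 }

# Scheduling, the equivalent of the post's wscript.exe //B task: one task per -Match string.
# -NonInteractive stops any prompt from stalling an unattended run. Path and task name are assumed.
#   schtasks /Create /TN "Defender definition updates" /SC DAILY /ST 08:00 /RU SYSTEM /RL HIGHEST ^
#     /TR "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File C:\Scripts\Install-MatchingUpdates.ps1 -Match 'Windows Defender'"
```

Run it a few times by hand with -Verbose from an elevated prompt before scheduling it, exactly as the post recommends for the VBS version: the Search call is slow and the per-update result codes are the quickest way to see why a particular update did not install. Omit -Verbose in the scheduled task, since nothing reads the console there and the event log carries the audit trail.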