Ports used by TeamViewer

By Ying_Q


TeamViewer is designed to connect easily to remote computers without any special firewall configurations being necessary.

This article applies to all users in all licenses.

In the vast majority of cases, TeamViewer will always work if surfing on the internet is possible. TeamViewer makes outbound connections to the internet, which are usually not blocked by firewalls.

However, in some situations, for example in a corporate environment with strict security policies, a firewall might be set up to block all unknown outbound connections, and in this case, you will need to configure the firewall to allow TeamViewer to connect out through it.

TeamViewer’s Ports

These are the ports that TeamViewer needs to use.

TCP/UDP Port 5938

TeamViewer prefers to make outbound TCP and UDP connections over port 5938 – this is the primary port it uses, and TeamViewer performs best using this port. Your firewall should allow this at a minimum.

TCP Port 443

If TeamViewer can’t connect over port 5938, it will next try to connect over TCP port 443.

However, our mobile apps running on iOS and Windows Mobile don’t use port 443.

📌 Note: Port 443 is also used by our custom modules which are created in the Management Console. If you’re deploying a custom module, e.g. through Group Policy, then you need to ensure that port 443 is open on the computers to which you’re deploying. Port 443 is also used for a few other things, including TeamViewer (Classic) update checks.

TCP Port 80

If TeamViewer can’t connect over port 5938 or 443, then it will try on TCP port 80. The connection speed over this port is slower and less reliable than ports 5938 or 443, due to the additional overhead it uses, and there is no automatic reconnection if the connection is temporarily lost. For this reason port 80 is only used as a last resort.

Our mobile apps running on Windows Mobile don’t use port 80. However, our iOS and Android apps can use port 80 if necessary.

Windows Mobile

Our mobile apps running on Windows Mobile can only connect out over port 5938. If the TeamViewer app on your mobile device won’t connect and tells you to “check your internet connection”, it’s probably because this port is being blocked by your mobile data provider or your WiFi router/firewall.

Destination IP addresses

The TeamViewer software makes connections to our master servers located around the world. These servers use a number of different IP address ranges, which are also frequently changing. As such, we are unable to provide a list of our server IPs. However, all of our IP addresses have PTR records that resolve to *.teamviewer.com. You can use this to restrict the destination IP addresses that you allow through your firewall or proxy server.

 Having said that, from a security point-of-view this should not really be necessary – TeamViewer only ever initiates outgoing data connections through a firewall, so it is sufficient to simply block all incoming connections on your firewall and only allow outgoing connections over port 5938, regardless of the destination IP address.
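The PTR-based restriction described above can be checked per address before it goes on an allow-list. The following is an added example, not TeamViewer code: the function names and sample host names are constructed for illustration, and because the page does not say whether these names resolve back to the same address, the forward-confirmation field is informational only.

```powershell
# Added example, not TeamViewer code. Resolve-DnsName needs the DnsClient
# module (Windows 8 / Server 2012 or later).

function Test-TeamViewerHostName {
    # Pure string check: does $HostName fall under *.teamviewer.com?
    [CmdletBinding()]
    [OutputType([bool])]
    param([Parameter(Mandatory)][string]$HostName)

    # DNS names are case-insensitive and may end with the root dot.
    $name = $HostName.Trim().TrimEnd('.').ToLowerInvariant()

    # Match on a label boundary, so that "notteamviewer.com" and
    # "teamviewer.com.example.net" are rejected.
    return $name.EndsWith('.teamviewer.com', [System.StringComparison]::Ordinal)
}

function Test-TeamViewerAddress {
    # Looks up the PTR record(s) of an address and reports whether any of
    # them is under *.teamviewer.com. PTR data is published by whoever runs
    # the reverse zone of the address, so the result also says whether the
    # name resolves back to the same address.
    [CmdletBinding()]
    param([Parameter(Mandatory)][ipaddress]$Address)

    $ip = $Address.ToString()
    $ptrNames = @(Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'PTR' } |
        ForEach-Object { $_.NameHost })
    $inZone = @($ptrNames | Where-Object { Test-TeamViewerHostName -HostName $_ })

    $confirmed = $false
    foreach ($name in $inZone) {
        # Default query returns the A and AAAA records of the name.
        $forward = @(Resolve-DnsName -Name $name -ErrorAction SilentlyContinue |
            Where-Object { $_.IPAddress } |
            ForEach-Object { [ipaddress]$_.IPAddress })
        if ($forward | Where-Object { $_.Equals($Address) }) {
            $confirmed = $true
            break
        }
    }

    [pscustomobject]@{
        Address          = $ip
        PtrNames         = $ptrNames -join ', '
        PtrInZone        = ($inZone.Count -gt 0)
        ForwardConfirmed = $confirmed
    }
}

# Constructed names (no DNS traffic) showing what the suffix check accepts.
'a.teamviewer.com.', 'A.TeamViewer.COM', 'notteamviewer.com', 'teamviewer.com.example.net' |
    ForEach-Object {
        [pscustomobject]@{ Name = $_; InZone = (Test-TeamViewerHostName -HostName $_) }
    }

# Live check of an address taken from a firewall log (placeholder value):
# Test-TeamViewerAddress -Address '<destination-ip-from-log>'
```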

Ports Used per Operating System


Source :
https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer

Ubiquiti Unifi reset to Factory Defaults

Updated on 27 Jun 2023

A factory reset is useful for creating a fresh setup of a UniFi Console, or of a device that was already configured in a managed state.

Restoring with the Reset Button

All UniFi devices have a Reset button. You can return a device to a factory-default state by holding this for 5-10 seconds (depending on the device), or until the LEDs indicate the restore has begun. Your device must remain powered during this process.

UniFi PoE Adapters also have a Reset button that can be used if the actual device is mounted and out of reach. 

Example: The diagram below illustrates how to locate this button on the UDM Pro.

[Diagram: location of the Reset button on the UDM Pro]

Restoring From Your UniFi Application

UniFi Devices

All UniFi devices can be restored to their factory defaults via their respective web or mobile applications. This is located in the Manage section of a device’s settings. Depending on the application, this may be referred to as Forget (UniFi Network) or Unmanage (UniFi Protect).

Selecting this option will unmanage the device from your UniFi Console and restore the device to a factory default state.

UniFi Consoles

A UniFi Console admin with Owner privileges has the ability to restore their console using the “Factory Reset” button located in the UniFi OS System settings. 

Frequently Asked Questions

Why does my device still appear in my application after I restored it using the physical Reset button?

Why does my device say “Managed by Other”?

This will occur if the device was managed by another instance of a UniFi application. This includes cases where the UniFi Console (e.g., Dream Machine Pro, or Cloud Key) was factory restored, because the UniFi device still considers itself as being managed by the ‘old’ application console, prior to restoration.

There are several options to resolve this:

  • Restore the UniFi Console from a backup in which the device was already managed.
  • Factory restore the UniFi device and then re-adopt it.
  • Reassign the device using the UniFi Network mobile app.
    Note: This can only be done by the account owner and requires them to have previously signed into the mobile app while the device was managed.

Note: If you are self-hosting the Network application, you should only ever download the UniFi software on a single machine which will act as the UniFi Console. Some users mistakenly download this multiple times because they believe it is a requirement to manage their Network Application from other devices, but this is actually creating a completely new instance. To manage your network from another device, you can type in the IP address of the UniFi Console while connected to the same local network. Alternatively, you can enable Remote Access to manage your network anywhere. See Connecting to UniFi to learn more.

Why is my UniFi Device not factory restoring?

Ensure that your device remains powered on during the restoration process, otherwise it will not occur. 

It is also possible that you held the button for too short of a time (resulting in a reboot), or too long of a time (resulting in entering TFTP Recovery Mode). Refer to our UniFi Device LED Status guide for more information.


Source:
https://help.ubnt.com/hc/en-us/articles/205143490-UniFi-How-to-Reset-the-UniFi-Access-Point-to-Factory-Defaults

Change the owner of computer objects in Active Directory

Wolfgang Sommergut Thu, Jun 15 2023

When a user joins a computer to an AD domain, they automatically become the owner of the corresponding AD object. This is why standard users should not have the domain join permission. If they still own computer objects, it is recommended for security reasons to replace them with a service account.

As a best practice, Microsoft recommends revoking the domain join permission from regular users. Instead, it is advised to delegate this task to service accounts whose permissions are tailored to this purpose. By doing so, a known attack vector is eliminated.

If the domain join is delegated to specific accounts after end users have already added numerous computers to the domain, it is recommended that the owner of these computer objects be changed.

This also applies if a domain admin has been used for this purpose until now.

Active Directory Users and Computers

To view the permissions and the owner of a computer object in AD Users and Computers (ADUC), open the properties of the computer object, switch to the Security tab, and click Advanced.

Edit the owner of a computer object in Active Directory with AD Users and Computers

If necessary, you can enter a new owner by clicking the Change link in that section.

In ADUC, you can only edit the permissions of individual objects. If you select multiple objects, the Properties dialog will not display the Security tab.

Display owner with PowerShell

For bulk operations, it is therefore recommended to use PowerShell. If you first want to get an overview of multiple objects’ ownership, there are several options available.

One approach is to generate a list of computer names and owners by expanding the nTSecurityDescriptor attribute using Select-Object:

Get-ADComputer -Filter * -Properties ntSecurityDescriptor -PipelineVariable p |
    Select-Object -ExpandProperty ntSecurityDescriptor |
    Select-Object @{n="Computer";e={ $p.name }}, @{n="Owner";e={ $_.owner }}

Display all domain computers and their owners with PowerShell

Alternatively, you can use Get-Acl to retrieve the owner for each computer individually. When outputting the results using Format-List, you can remove the leading “CN=” from PSChildName. TrimStart(“CN=”) treats its argument as a set of characters and would also strip a leading C or N from the computer name itself, so the listing uses -replace with an anchored pattern instead:

Get-ADComputer -Filter * |
    ForEach-Object { Get-Acl -Path "AD:$($_.DistinguishedName)" } |
    Format-List @{n="Name";e={ $_.PSChildName -replace '^CN=' }}, @{n="Owner";e={ $_.owner }}

This variant has the advantage of generating the necessary ACL objects, which are required if you want to change the owner. The following script accomplishes this task:

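# The ActiveDirectory module provides Get-ADComputer and the AD: drive
Import-Module ActiveDirectory

# New owner as an NTAccount object
$user = New-Object System.Security.Principal.NTAccount("contoso\djoin")

Get-ADComputer -Filter 'name -like "win11*"' |
    ForEach-Object {
        # Read the current ACL, replace the owner, and write the ACL back
        $acl = Get-Acl -Path "AD:$($_.DistinguishedName)"
        $acl.SetOwner($user)
        Set-Acl -Path "AD:$($_.DistinguishedName)" -AclObject $acl
    }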

In this example, all computers whose names begin with “Win11” are assigned contoso\djoin as the new owner.

Assign a new owner to computer objects with Set Acl

It is worth mentioning that to use the SetOwner method, you need to provide a system.security.principal.ntaccount object. However, Get-ADuser returns objects of the type Microsoft.ActiveDirectory.Management.ADUser. If you want to retrieve the principal using this cmdlet, then you need to call it as follows:

$user = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser -Identity "myuser").SID
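Before changing owners in bulk, it helps to see which accounts own computer objects and how many each one holds. The following is an added example, not code from the original article: the function name Get-ComputerOwnerFinding, its parameters and the sample rows are constructed, and it assumes input rows with Computer and Owner properties (the shape produced by the first listing above) and that owners which cannot be resolved to a name show up as a SID string.

```powershell
# Added example, not from the original article.
function Get-ComputerOwnerFinding {
    # Groups computer objects by owner and reports every owner that is not
    # on the approved list, largest group first.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][psobject]$InputObject,
        # Accounts that are allowed to own computer objects,
        # e.g. the domain-join service account.
        [Parameter(Mandatory)][string[]]$ApprovedOwner
    )
    begin {
        # Account names are case-insensitive.
        $approved = [System.Collections.Generic.HashSet[string]]::new(
            [System.StringComparer]::OrdinalIgnoreCase)
        foreach ($o in $ApprovedOwner) { [void]$approved.Add($o) }
        $byOwner = @{}   # PowerShell hashtables are case-insensitive too
    }
    process {
        $owner = [string]$InputObject.Owner
        if ([string]::IsNullOrWhiteSpace($owner)) { $owner = '<none>' }
        if ($approved.Contains($owner)) { return }
        if (-not $byOwner.ContainsKey($owner)) {
            $byOwner[$owner] = [System.Collections.Generic.List[string]]::new()
        }
        $byOwner[$owner].Add([string]$InputObject.Computer)
    }
    end {
        $byOwner.GetEnumerator() | ForEach-Object {
            [pscustomobject]@{
                Owner     = $_.Key
                Count     = $_.Value.Count
                # Assumption: an owner shown as a SID string could not be
                # resolved to an account (for example, a deleted user).
                Orphaned  = ($_.Key -match '^(O:)?S-1-\d')
                Computers = $_.Value -join ', '
            }
        } | Sort-Object -Property Count -Descending
    }
}

# Constructed sample rows in the Computer/Owner shape of the first listing.
$sample = @(
    [pscustomobject]@{ Computer = 'WIN11-001';  Owner = 'CONTOSO\djoin' }
    [pscustomobject]@{ Computer = 'WIN11-002';  Owner = 'CONTOSO\alice' }
    [pscustomobject]@{ Computer = 'WIN11-003';  Owner = 'CONTOSO\alice' }
    [pscustomobject]@{ Computer = 'WIN11-004';  Owner = 'contoso\DJOIN' }
    [pscustomobject]@{ Computer = 'SRV-FILE01'; Owner = 'CONTOSO\Domain Admins' }
    [pscustomobject]@{ Computer = 'OLD-PC';     Owner = 'O:S-1-5-21-1111111111-2222222222-3333333333-1105' }
)

# Reports alice (2 computers), Domain Admins (1) and the unresolved SID (1);
# both spellings of the approved djoin account are skipped.
$sample | Get-ComputerOwnerFinding -ApprovedOwner 'CONTOSO\djoin'

# Against a live domain, feed it the output of the first listing:
# Get-ADComputer -Filter * -Properties ntSecurityDescriptor -PipelineVariable p |
#     Select-Object -ExpandProperty ntSecurityDescriptor |
#     Select-Object @{n="Computer";e={ $p.name }}, @{n="Owner";e={ $_.owner }} |
#     Get-ComputerOwnerFinding -ApprovedOwner 'CONTOSO\djoin'
```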

Summary

For security reasons, it is not recommended to let users join PCs to an AD domain. However, if you have allowed this in the past, it is advisable to assign new owners to the computer objects.

Source :
https://4sysops.com/archives/change-the-owner-of-computer-objects-in-active-directory/

Complete Solidworks Clean Uninstall Guide

ARTICLE BY GOENGINEER ON DEC 23, 2022

If you need to uninstall SOLIDWORKS, this guide walks through the entire process including preparing your machine and uninstalling Windows items, SOLIDWORKS items, SOLIDWORKS prerequisites, and more. Let’s get started.

*Disclaimer: This document assumes that SOLIDWORKS was originally installed using the default locations. If your installation location for SOLIDWORKS differs, please adjust the procedure below accordingly. The procedure in the following document requires access and edits to the Windows registry. Any such edits are done at your own risk and should only be attempted under the advisement of your IT professional. If you are uncomfortable with following the procedure below, please seek assistance. It is advised to back up your registry and any valued data before making any changes to the system registry. GoEngineer assumes no responsibility for any consequences, unintended or otherwise, resulting from changes made to the system registry.

Preparing your machine


Confirm and create backup
Copy Settings Wizard (CSW) or Manual Registry Export

  • If the machine has multiple users, run it for each user while they are logged in and set up a file naming convention like “SWSettings_UserName_Date.sldreg”.
  • If the machine has just one user, you can create a single file to hold all settings, for example “SWSettings_Date.sldreg”.
  • For Manual Registry Export, go to the search bar and type in regedit.exe then press Enter. Depending on how your IT department has your permissions setup you may have to get one of them involved for this step.
  • Once in the registry editor, navigate to the following keys, right-click on them and select Export. Then name them according to the file name suggested under each one.
    • HKEY_CURRENT_USER\Software\SolidWorks
      •  HKCU_SWX_UserName.reg
    • HKEY_LOCAL_MACHINE\SOFTWARE\SolidWorks
      • HKLM_SWX_UserName.reg
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SolidWorks
      • HKLM_6432_SWX_UserName.reg
  • Backup all customizations like document templates, sheet formats, toolbox databases, weldment profiles, design library, etc.
    • You can go to System Options | File Locations within SOLIDWORKS to verify the locations of any customizations. Note: Any files in custom locations will not be removed during uninstallation, but ones in any of the default folders will so make sure and double check this step. 
  • Create a restore point and/or backup of your system.

Items needed

  • Obtain Software either via download from the customer portal or DVD. It is recommended that you obtain the latest service pack for the version you are planning to install.
  • Local Admin rights/permissions on the machine. Domain admin will not suffice.
  • For SA licenses you will need the serial number(s). For SNL you will need the serial number and license server name in this format “25734@ServerName”.

Uninstalling

Windows Items

  • Disable UAC (User Account Control) by moving the slider to the lowest setting.
  • Disable any Anti-Viral or Malware software if permitted. You may have to get IT involved in this step.

SOLIDWORKS Items

  • Transfer License (For SA only, and only if you are moving machines or upgrading to a different major version)

While in SOLIDWORKS, go to the Help menu and select “Deactivate License”. This will bring up the SOLIDWORKS Product Activation dialog.


Then click the “Select All” button and click Next. Finally, you will see a completion dialog showing the activations were transferred successfully.

  • Uninstall SOLIDWORKS via these steps below.
    1. Go to Start -> Control Panel -> Programs and Features. Select SOLIDWORKS 20XX SPX and then click Uninstall at the top of the list.
    2. This will open the SOLIDWORKS Installation Manager to the Summary page. Then select “Change” to the right of the Advanced Options section.

    3. In the dialog that comes up select the boxes for the items you want to have removed from the system. If you have multiple versions installed and you are not uninstalling the latest version some boxes will not be available.

    4. Click “Back to Summary”, then click “Remove Items” to start the uninstallation process.
      Note: This process will not remove any SOLIDWORKS Parts, assemblies, or drawings.

SOLIDWORKS Prerequisites

  • Manually remove prerequisites. ** Not all may be installed on your machine depending on the SOLIDWORKS version. **
    Bonjour
    Microsoft .Net Framework 3.5 (Use Windows Components to Uninstall)
    Microsoft .Net Framework 4.0
    Microsoft .Net Framework 4.5
    Microsoft Office Web Components 11
    Remove all instances of C++ Runtimes
    Note: Do not remove all if you have any programming or other CAD software installed. Contact us for the exact current list of runtimes to remove.
    Microsoft Visual Studio 2005 Tools for Applications
    Microsoft Visual Studio 2005 Remote Debugger Light
    VBA 7.1
    • For SOLIDWORKS 2013 and higher, please follow these steps to uninstall VBA.
    • Open Command Prompt (Start | All Programs | Accessories then right-click on Command Prompt and select “Run as Administrator”).
    • Then type: msiexec.exe /X{90120064-0070-0000-0000-4000000FF1CE} and press Enter.

Manual System Cleaning Steps

  • Manually clean remaining folders and registry.
    • Registry: (Windows Start Menu > type “regedit” > press Enter) ** Please use caution when editing the Windows Registry. Deletions cannot be undone. **
      • HKEY_CURRENT_USER\SOFTWARE
        • \eDrawings
        • \SolidWorks ** If you have PDM installed, DO NOT DELETE. Delete only the IM & SOLIDWORKS [version] subkeys. **
        • \SOLIDWORKS 20XX
        • \SolidWorks BackOffice
        • \SRAC
        • \Microsoft\VSTAHOST
        • \Microsoft\VSTAHostConfig
      • HKEY_LOCAL_MACHINE\SOFTWARE **Wow6432Node keys on 64 bit machines only**
        • \eDrawings
        • \SolidWorks ** If you have PDM installed, DO NOT DELETE. Delete only the IM & SOLIDWORKS [version] subkeys. **
        • \SolidWorks Corporation
        • \SRAC
        • \Wow6432Node\SolidWorks ** If you have PDM Pro & Stnd installed, DO NOT DELETE. Delete only the IM & SOLIDWORKS [version] subkeys. **
        • \Wow6432Node\SolidWorks Corporation
        • \Wow6432Node\Microsoft\VSTAHOST
        • \Wow6432Node\Microsoft\VSTAHostConfig
    • SOLIDWORKS Directories:
      • C:\Program Files\SolidWorks Corp\
      • C:\Program Files\Common Files\eDrawings
      • C:\Program Files\Common Files\eDrawings<year>
      • C:\Program Files\Common Files\SolidWorks Installation Manager
      • C:\Program Files\Common Files\SolidWorks Shared
      • 64-bit Operating System Below Only
        • C:\Program Files (x86)\Common Files\eDrawings
        • C:\Program Files (x86)\Common Files\SolidWorks Installation Manager
        • C:\Program Files (x86)\Common Files\SolidWorks Shared
        • C:\Program Files (x86)\SolidWorks Shared

Note: The “ProgramData” folder is hidden by default. Go to the Control Panel and select Folder Options. Open the View tab and select “Show hidden files, folders and drives” from the list and click OK.

    • C:\ProgramData\COSMOS Applications\
    • C:\ProgramData\SolidWorks
    • C:\ProgramData\SolidWorks Electrical
    • C:\ProgramData\SolidWorks Flow Simulation
    • C:\SolidWorks Data – Note: delete all duplicates like C:\SolidWorks Data (2)
    • C:\Users\%username%\Documents\SolidWorks Downloads\SolidWorks [version]
    • C:\Users\%username%\AppData\Local\Microsoft\VSTAHost\SolidWorks_VSTA
    • C:\Users\%username%\AppData\Local\Temp\Solidworks
    • C:\Users\%username%\AppData\Local\SolidWorks
    • C:\Users\%username%\AppData\Local\TempSWBackupDirectory
    • C:\Users\%username%\AppData\Roaming\SolidWorks
    • C:\Users\%username%\AppData\Roaming\Microsoft\VSTAHost\SolidWorks_VSTA

Editor’s Note: This article was originally published in August 2017 and has been updated for accuracy and comprehensiveness.

Source :
https://www.goengineer.com/blog/complete-solidworks-clean-uninstall-guide

Qnap QuTS hero h5.1.0 | Release Notes

QuTS hero h5.1.0
2023-05-29

QuTS hero h5.1.0 brings many important new features to further enhance security, improve performance, and boost productivity for your QNAP NAS. You can now log in with more secure verification methods, delegate administrative tasks to general users, and centrally manage NAS devices via AMIZ Cloud. You can also benefit from smarter disk migration, smoother file browsing and search in File Station, more powerful SMB signing and file sharing, more convenient storage pool expansion, and much more. See What’s New to learn about main features and Other Changes to learn about other features, enhancements, and changes.

We also include fixes for reported issues and provide information about known issues. For details, see Fixed and Known Issues. You should also see Important Notes before updating QuTS hero.

What’s New

Storage pool expansion by adding disks to an existing RAID group

Users can now expand a storage pool by adding disks to expand an existing RAID group within the pool. When expanding the RAID group, users can also migrate the RAID group to a different RAID type.

To use this function, go to Storage & Snapshots > Storage > Storage/Snapshots, select a storage pool, click Manage > Storage Pool > Action > Expand Pool to open the Expand Storage Pool Wizard, and then select Add new disk(s) to an existing RAID group.

Support for SMB multichannel

Users can now allow SMB 3.x clients to establish multiple network connections simultaneously to an SMB file share. Multichannel can increase the network performance by aggregating network bandwidth over multiple NICs and mitigating network disruption by increasing network fault tolerance.

To enable SMB multichannel, go to Control Panel > Network & File Services > Win/Mac/NFS/WebDAV > Microsoft Networking, and then select Enable SMB Multichannel.

SMB multichannel is only supported on the following clients using SMB 3.0 or later:

  • Windows 8.1 and later
  • Windows Server 2012 and later
  • macOS Big Sur 11.3.1 and later

AES-128-GMAC algorithm support for SMB signing

QuTS hero h5.1.0 now supports the Advanced Encryption Standard (AES) Galois Message Authentication Code (GMAC) cipher suite for SMB signing. SMB signing can use this algorithm to encode and decode using 128-bit keys and can automatically negotiate this method when connecting to a client device that also supports the same algorithm standard.

To enable SMB signing, go to Control Panel > Network & File Services > Win/Mac/NFS/WebDAV > Microsoft Networking > Advanced Settings, and then configure the SMB signing settings. Make sure that you select the highest SMB version as SMB 3.

Delegated Administration for better organization flexibility and productivity

In modern organizations, IT administrators are often overwhelmed by a sheer number of tasks and responsibilities. QuTS hero h5.1.0 now supports Delegated Administration, which allows administrators to delegate various roles to general users, so that they can perform routine tasks, control their data, manage system resources, and monitor device status even when IT administrators are not available. You can choose from a wide range of roles, including System Management, Application Management, Backup Management, Shared Folder Management, and many more. To ensure system security, we recommend only granting permissions that are essential for performing required tasks.

This feature not only helps reduce the workloads of administrators but also greatly enhances productivity and flexibility for your organization. You can also easily view the roles currently assigned to each user and change their roles anytime according to your needs. To configure these settings, go to Control Panel > Privilege > Delegated Administration. To learn more about Delegated Administration, check QuTS hero h5.1.0 User Guide.

2-step verification and passwordless login for enhanced account security

QuTS hero now supports passwordless login, which replaces your password with a more secure verification method. Instead of entering a password, you can scan a QR code or approve a login request with your mobile device to verify your identity. QuTS hero now also supports more verification methods for 2-step verification. In addition to a security code (TOTP), you can also choose to scan a QR code, approve a login request, or enter an online verification code to add an extra layer of security to protect your NAS account.

To configure these settings, go to the NAS desktop, click your username on the taskbar, and then select Login and Security. You can download and install QNAP Authenticator from App Store or Google Play and pair this mobile app with your NAS to secure your NAS account. Note that you cannot use 2-step verification and passwordless login at the same time.

Centralized NAS management with AMIZ Cloud

You can now add the NAS to an organization when setting up the myQNAPcloud service for your NAS. This allows organization administrators to remotely access, manage, and monitor various system resources on the NAS via AMIZ Cloud, a central cloud management platform designed for QNAP devices.

To manage the NAS via AMIZ Cloud, you must enable AMIZ Cloud Agent in myQNAPcloud. This utility communicates with AMIZ Cloud and collects the data of various resources on your device for analytics purposes without any identifiable person information.

Automatic disk replacement with Predictive Migration before potential failure

Predictive Migration is a major improvement over the original Predictive S.M.A.R.T. Migration feature in Storage & Snapshots. This upgrade now allows users to specify multiple trigger events that prompt the system to automatically replace a disk before it fails.

Besides S.M.A.R.T. warnings, users can also specify trigger events from other monitoring systems such as Western Digital Device Analytics (WDDA), IronWolf Health Management (IHM), DA Drive Analyzer, and SSD estimated remaining life. When a specified trigger event occurs—for example, a disk’s WDDA status changes to “Warning” or the SSD estimated remaining life reaches 3%—the system automatically replaces the disk and migrates all its data to a spare disk. This process protects your data better and is safer than manually initiating a full RAID rebuild after the disk fails.

To configure Predictive Migration, go to Storage & Snapshots > Global Settings > Disk Health.

Lists of recent files in File Station for easier file browsing

With the new Recent Files feature in File Station, you can now easily locate files that were recently uploaded, opened, or deleted. These three folders are conveniently grouped together under the Recent File folder at the upper left portion of File Station.

File content search in File Station with Qsirch integration

The original search function in File Station could only search for file names of a specific file type. With the integration of Qsirch into File Station, you can now search for file content using keywords, and also search for multiple file types using these keywords at the same time. To use this feature, you need to install Qsirch, an app that can index the files on your device and greatly facilitate your file search.

Other Changes

Control Panel

  • Users can now configure an individual folder to inherit permissions from its parent folder or to remove the inherited permissions anytime. Users can also make a folder extend its permissions to all its subfolders and files. To configure permission inheritance on a folder, go to Control Panel > Privilege > Shared Folders, and then click the Edit Shared Folder Permissions icon under Action.
  • Added additional specification information for memory slots in Control Panel > System Status > Hardware Information.
  • Changed the behavior and the description of certain permission settings as we do not recommend using the default administrator account “admin”.
  • Optimized the process of restoring the LDAP database.
  • The “Network Recycle Bin” feature has been renamed to “Recycle Bin” in Network & File Services.
  • The automatic firmware update settings have been streamlined with the following changes:
    • The selectable options for automatic firmware updates have been greatly simplified. Users now select one of three firmware types to automatically update their system with: quality updates, critical updates, or latest updates.
    • “Security updates” are now “critical updates”. Critical updates include security fixes as well as critical system issue fixes.
    • “Quality updates” now include security fixes and critical issue fixes in addition to bug fixes.
    • “Feature updates” are now “latest updates” and include quality and critical updates in addition to new features, enhancements, and bug fixes.
    • Update notifications no longer need to be enabled separately for each firmware type. Notifications are now either enabled or disabled for all firmware types.
  • The time interval for observing successive failed login attempts can now be configured to be between 0 and 600 minutes. Moreover, a time interval of 0 minutes means that failed login attempts are never reset.
  • You can now include more information from account profiles when importing and exporting user accounts.
  • You can now select the direction to append the custom header for the reverse proxy rule.
  • Users can now edit and enable or disable existing power schedules in Control Panel > System > Power > Power Schedule. Previously, users could only add or remove power schedules.

Desktop & Login

  • You can now log out of your account on all devices, browsers, and applications at once. To use this feature, go to the desktop, click your username on the taskbar, and then go to Login and Security > Password.
  • Added an icon on the top-right corner of the desktop to indicate whether the device has enabled myQNAPcloud and been associated with a QNAP ID or whether the device has joined AMIZ Cloud.
  • Users can now save their QuTS Hero login credentials in their web browser. To enhance the security of your QuTS Hero user account, we recommend enabling 2-step verification.

App Center

  • Users can now configure a schedule for automatic installations of app updates.

File Station

  • Added prompt banners to remind users to turn on related browsing functions for multimedia files.
  • Enhanced the Background Tasks display UI.
  • Improved File Station performance and enhanced file browsing experience.

Help Center

  • Redesigned the user interface of Help Center for a better user experience.

Initialization

  • You can now purchase licenses during QuTScloud installation.

iSCSI & Fibre Channel

  • Added a new settings page for managing default iSCSI CHAP authentication settings, which you can use for multiple iSCSI targets. You can find these settings in iSCSI & Fibre Channel > Global Settings > Default iSCSI CHAP. When creating or editing a target, you can choose to use the default CHAP settings or configure unique settings for the target.
  • Added the client umask feature to assign default permissions for existing and new files and folders.
  • When creating an iSCSI target, you can now select the network interfaces that an iSCSI target will use for data transmission. Previously, users could only do so after the target was created.

Network & Virtual Switch

  • Network & Virtual Switch can now record event logs when the system identifies conflicting IP addresses between the local device and another device on the same network.
  • Users can now configure the MAC address when creating or modifying a virtual switch.
  • When selecting the system default gateway automatically, you can now configure the checking target by specifying the domain name or IP address.

NFS

  • NFS service now supports both NFSv4 and NFSv4.1 protocols.
  • Users can now set rpcbind to assign fixed ports to RPC services. Make sure that you configure the firewall rules accordingly to allow connections only on the fixed ports.

PHP System Module

  • Updated the built-in PHP version to 8.2.0.

Resource Monitor

  • Resource Monitor now displays the space used by files created from Qsync file versioning.

SAMBA

  • Updated Samba to version 4.15.
  • You can now aggregate up to 50 shared folders on a Windows network.

Storage & Snapshots

  • Added support for disk failure prediction from ULINK’s DA Drive Analyzer. Registered users of DA Drive Analyzer can now also monitor disk failure prediction statuses in Storage & Snapshots > Storage > Disks/VJBOD > Disks.
  • Added support for Seagate dual-actuator disks. These disks appear with a “Seagate DA” tag in Storage & Snapshots > Storage > Disks/VJBOD > Disks.
  • Added support for Western Digital Device Analytics (WDDA) for Western Digital (WD) disks. To view WDDA information, go to Storage & Snapshots > Storage > Disks/VJBOD > Disks, select a WD disk, and click Health > View Details.
  • Improved the “Enable Read Acceleration” feature so that it not only improves the read performance of new files added to a shared folder (starting in QuTS hero h5.0.1), but also improves the read performance of existing files (starting in QuTS hero h5.1.0). This feature can be enabled for shared folders after upgrading from QuTS hero h5.0.0 or earlier to QuTS hero h5.0.1 or later.
  • Increased the maximum number of disks in RAID-TP from 16 to 24.
  • Redesigned the presentation of disk information into tabular format for enhanced user experience, now viewable in Storage & Snapshots > Storage > Disks/VJBOD > Disks.
  • Renamed the function “Replace & Detach” to “Replace” and added the option for users to choose whether to designate the replaced disk as a spare disk or to detach it from the system.
  • You can now select up to 24 disks for a single RAID-TP group.
  • Encrypted LUNs are now supported in VJBOD, SnapSync, Snapshot Replica, and snapshot import/export operations.
  • Improved the user interface on various snapshot-related screens.
  • Users can now change the destination IP address in Snapshot Replica jobs.
  • Added a new window that automatically appears when you insert new disks and helps you decide what to do with them. You can also access this window any time by going to Storage & Snapshots > Storage > Disks/VJBOD > Disks > More > Manage Free Disks.
  • After rebuilding a RAID group with a spare disk, the failed disk’s slot becomes reserved for a spare disk. To free up this slot for other purposes, go to Storage & Snapshots > Storage > Disks/VJBOD > Disks, select the disk slot, and click Action > Free Up Spare Disk Slot.
  • Users can now enable and disable QNAP SSD Antiwear Leveling (QSAL) on an existing SSD storage pool any time. Richer information is also available for QSAL-enabled pools, including replacement priority recommendation and charts showing the remaining capacity and life of the SSDs in the pool. To configure QSAL or view QSAL information, go to Storage & Snapshots > Storage > Storage/Snapshots, click an SSD storage pool, and then click Manage > QSAL.

System

  • You now need to enter a verification code when resetting your password if you forgot your password. This extra step helps enhance your account security.

Important Note

  • In QuTS Hero h5.0.1 or earlier, users can no longer create new VJBOD disks from a remote NAS if the remote NAS is running QuTS Hero h5.1.0 or later. If there are existing VJBOD disk connections to the remote NAS before it is updated to QuTS Hero h5.1.0 or later, these VJBOD disks are unaffected and remain operational after the update. In QuTS Hero h5.1.0 or later, users can still create VJBOD disks from a remote NAS running QuTS Hero h5.0.1 or earlier.
  • Removed support for CO Video.


Source :
https://www.qnap.com/en/release-notes/quts_hero/overview/h5.1.0

How To Stop Windows From Updating Graphics Drivers

Updated on January 12, 2023

Marlo Strydom

You may have noticed that Windows 10 is very eager to keep your system software up to date. The OS will automatically download and install new drivers for your graphics card, sound card, modem, or other hardware components.

While this can be convenient, it also risks breaking previous driver configurations and introducing bugs to your system through the updated driver. 

Here’s how to stop Windows from updating graphics drivers:

  1. Click on the Start menu.
  2. Double click on Advanced System Settings.
  3. On the System Properties window, select the Hardware tab.
  4. Select Device Installation Settings.
  5. Save to apply the setting.

In this article, I’ll take you through the quickest way to stop Windows from updating graphics drivers on your computer.

1. Click on the Start Menu

An open Start Menu in Windows.

The Start menu provides easy access to commonly used programs and system settings. You can click on the Start button from the taskbar or press the Windows key on your keyboard.

The Windows Start Menu (as shown above) should pop up whichever approach you take, allowing you to proceed to the next step.

2. Double click on Advanced System Settings 

Type in advanced system and open advanced system settings.

In the search bar of the Windows menu, type Advanced System and select Advanced System Settings from the options that appear.

Windows 10 comes with a range of system settings that you can access to control how the operating system and its apps behave. 

3. On the System Properties Window, select the Hardware tab

The Hardware tab in the Advanced System Properties windows is selected.

Windows provides a variety of built-in system properties, which are attributes that describe specific features of the system.

You can view and change these properties on the System Properties window. Specifically, you’ll want to access the Hardware tab, which you can do by selecting it in the menu that pops up.

4. Select Device Installation Settings

Click on the Device Installation Button.

Windows 10 users can now set their device installation settings to receive important updates.

No is selected to stop Windows from updating graphics drivers.

Here, the system will ask you whether you want to automatically download the manufacturer’s apps and custom icons available for your device.

Select No (your device might not work as expected).

5. Save to apply the setting

Hit the Save Changes button to save the settings.

Lastly, click Save to apply the new settings.

Using the Device Installation Settings is one of the easiest ways to prevent your Windows device from automatically updating drivers.

If that doesn’t work, there’s no need to worry. There are a few other alternative solutions you can try.

How to stop Windows from updating graphics drivers in alternative ways

Windows Update automatically downloads and installs software updates that are released from time to time.

These updates introduce new features, fix problems with existing apps, or improve the operating system’s performance.

If you have an OEM computer or a pre-installed version of Windows on your computer, you might not have much control over what updates get installed on your system.

Sometimes these updates can cause stability issues and lead to blue screen crashes.

If this happens to you after installing graphics driver updates, here are some alternative ways to stop Windows from updating graphics drivers in the future:

Stop Automatic Updates through the Local Group Policy Editor

Windows Local Group Policy Editor (LGPE) is a snap-in that can be used to manage local group policy objects on Windows operating systems.

In Windows, the traditional system controller isn’t always enough for managing user settings and other configurations.

Administrators can use the Local Group Policy Editor to: 

  • Manage the operating system and user behavior.
  • Set restrictions on user applications.
  • Control what software the computer can install.
  • Restrict their access to certain programs and folders, and much more. 

In this section, we’ll focus on how to use it to stop Windows from automatically updating graphics drivers.

Exclude driver updates for Windows updates in Group Policy Editor.

  1. Click the Start button on your keyboard.
  2. Copy gpedit.msc and paste it into the search box at the bottom left corner.
  3. Open the Local Group Policy Editor.
  4. Click Computer Configuration.
  5. Navigate to Administrative Templates > Windows Components.
  6. Scroll down to Windows Update.
  7. Navigate to Do not include drivers with Windows Update and double click.
  8. You should see three options: Not Configured, Enabled, and Disabled.
  9. Select Enabled and click on Apply.
  10. Click OK.

Windows will still receive other updates but will exclude drivers from being installed on your computer. In that case, you may have to download and install drivers manually.

Stop graphics drivers update with Windows Registry

The Windows Registry is a central location for storing configuration information and user settings for Windows and its applications.

The registry stores information about user preferences, operating system settings, and application configurations to help your computer run smoothly and efficiently.

The Windows registry is organized into different categories known as keys. Each key stores specific information in the form of values, which are either numbers or text strings.

Create a new folder under the Windows folder in Windows Registry.

Here’s how to use the registry to stop automatic driver updates:

  1. Click the Start button on your keyboard.
  2. Type Regedit on the search box and open the Registry Editor app.
  3. Allow the application to make changes to your computer.
  4. Navigate to HKEY_LOCAL_MACHINE, go to SOFTWARE and scroll down to Policies.
  5. Select Microsoft and right-click Windows.
  6. Select New > Key.
  7. Rename your newly created key, preferably as Windows Updates.
  8. Right-click your newly created key, and go to New > DWORD (32-bit) Value.
  9. Right-click the DWORD and rename it as ExcludeWUDriversInQualityUpdate.
  10. Right-click the new DWORD and select Modify. Set the value data from 0 to 1 and click OK.

Windows key and value added to the Registry to stop Windows updating graphics card driver.

Using the Microsoft Show or Hide Updates Troubleshooter

The Microsoft Show or Hide Updates Troubleshooter is a lightweight, portable tool that can be used to identify and hide problematic updates on your computer.

Unfortunately, if you’re using Windows 10, you’re bound to run into some issues.

You might find yourself in a situation where an update messes up something essential to your workflow.

Perhaps an upcoming update has broken some functionality or compatibility with other programs.

In that case, try the Show or Hide Updates Troubleshooter to block automatic updates for a problematic driver:

  1. Download the Microsoft Show or Hide Updates Troubleshooter.
  2. Run the troubleshooter to select the drivers that will install automatically.
  3. Click Next and wait as the system detects problems.
  4. Select Hide Updates.
  5. Choose your graphics drivers from the list.

Hidden drivers will be temporarily blocked from automatic updates. If this tool does not work, you may always roll back to the previous version of the driver.

In that case, you may have to uninstall the driver, reinstall the previous one, and download it from the vendor’s website.

Troubleshooting graphics drivers on Windows

We don’t normally think of graphics cards as independent units, but if you’re an avid gamer or a professional video editor, you know how important they are in your work.

Graphics drivers are programs that tell your computer how to efficiently operate its graphical user interface (GUI). 

If you recently updated graphics drivers and are experiencing issues with your Windows 10 computer, you may want to revert back to the previous version of the graphics driver.

Updating graphics drivers may differ depending on your system’s manufacturer and graphics card type.

Here are some things to check if you’re having trouble with your graphics driver:

  • Low-performance computer: A slow computer is one of the most common graphics driver issues. While many computers experience some slowdown over time, poor graphics drivers can worsen this issue. Playing games, editing videos, or performing other tasks requiring high graphics levels with problematic graphics drivers is virtually impossible.
  • Display issues: Display issues can be caused by several culprits, including a faulty computer or a faulty graphics driver. While a faulty computer is less likely, a faulty graphics driver is much more common. You can tell that your graphics drivers are not working properly by checking for distorted images, colors that look washed out, or black and white screen issues.
  • Video card issues: A video card is responsible for converting your computer’s instructions into images that appear on your monitor. If your video card is misconfigured or damaged, it can cause various issues, including distorted images, poor color quality, or even a blank or black screen. 
  • Failed driver updates and installs: A failed driver update is one of the most common graphics driver issues. Fortunately, this problem is easy to spot and usually has an easy fix. Download and reinstall your graphics driver.

A graphics driver issue can cause various subsequent problems, including low performance, display issues, and video card issues.

To troubleshoot these issues, start by ensuring that your computer’s display is set up properly. Then, if your computer has display issues, check your computer’s graphics settings.

Check for Windows Updates

Performing Windows updates check and updating Windows.

When looking for potential issues with your Windows 10 computer, don’t forget to check whether any Windows updates are interfering with your graphics drivers.

When your computer installs a Windows update, it may modify the driver file associated with your graphics card, which can cause your computer to malfunction. 

To check for pending Windows updates:

  1. Open the Windows 10 Start Menu.
  2. Go to Settings > Update & Security > Windows Update.
  3. Select Check for updates.

Windows users are always at risk of a virus, trojan horse, or other malicious software. Windows updates are the solution to all these issues.

It’s up to you to keep your computer secure. Check for updates regularly and install them as soon as possible to avoid problems that can slow down or crash your computer.

Reinstall the current version of the graphics driver

Uninstalling the device driver in the Device Manager in Windows.

If you’ve recently installed new graphics drivers and are having issues, it might be best to uninstall them and reinstall the older version.

To remove the current graphics driver:

  1. Open the Start Menu and search for Device Manager. You can also open the Control Panel and search for Device Manager.
  2. Once there, select Display adapters and right-click the installed graphics driver.
  3. Select Properties.
  4. Navigate to the Driver tab.
  5. Select Uninstall Device and reboot your computer.

Once you’ve uninstalled the driver, go back to the manufacturer’s website and download it. Next, check out this video on how to install the driver manually:

YouTube video

Roll back to an earlier version of the graphics driver

If you’ve tried installing a different graphics driver and the issues persist, you can roll back to an earlier version of the driver. 

  1. Open the Device Manager and scroll down to Graphics adapters.
  2. Right-click your installed graphics driver (under Display Adapters) and select Properties.
  3. Navigate to the Driver tab.
  4. Select Roll Back Driver and follow the on-screen instructions to return to an earlier version of the graphics driver.

If none of the above solutions work, it may be best to completely uninstall your current graphics driver, restart your computer, and then manually reinstall the latest version of the driver.

Check your Device Manager

If your computer is running slowly and you suspect that the graphics driver may be to blame, one thing to check is the Device Manager.

In the Device Manager, you can see a list of all the hardware installed on your computer. 

If there is a yellow ! or red X next to a device, it means the computer is having some issues with it.

If there is an exclamation mark next to your graphics card, it means there’s a problem with the device driver, which can slow down your computer.

Check for hardware compatibility issue(s) and update(s)

If you recently installed a new driver accompanied by a new device and are experiencing issues when using it, you could be experiencing a hardware compatibility issue.

To check for compatibility issues, you can browse through the supported devices list for the program or device you’re using. 

As for updating the device driver, you should do this to ensure it is compatible with your computer and operating system.

If you’re using a brand-new device, it may not yet have a working third-party graphics driver installed on your computer. Check the manufacturer’s website to see if a compatible version has been released.

Ensure your computer is using the latest software

Last but not least, ensure that your computer has the latest updates. If your computer runs slowly or has issues, outdated software could be the cause.

While some updates are crucial and address important computer security issues, others may create more problems than they solve. 

Windows will automatically prompt you to install new updates when available. However, you might need to check for updates yourself in some instances. 

Installing the latest updates for your computer’s operating system, browser, and other programs keeps your computer safe from cyber criminals who try to exploit outdated software.

Updating software regularly also helps prevent crashes, reduce blue screen errors and increase system performance.

Final thoughts

If you’ve had enough of Windows automatically updating your graphics drivers, the good news is there are several simple solutions to this issue.

By following the steps in the previous sections, you can gain much greater control over your device.

Source :
https://computerinfobits.com/how-to-stop-windows-from-updating-graphics-drivers/

Credential-Stealing Server Side Request Forgery Patched in Getwid

Ram Gall
June 6, 2023

On April 6, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for two vulnerabilities in Getwid – Gutenberg Blocks, a plugin installed on over 50,000 WordPress sites. The plugin’s developers responded immediately, and we sent over the full disclosure the same day. A patched version of the plugin, 1.8.4, was released on April 13, 2023.

The most serious vulnerability had a high severity because it allows authenticated users to perform Server Side Request Forgery (SSRF), which can result in full access to the hosted instance on some cloud configurations. Additionally, it may allow further penetration into internal networks in some enterprise configurations. The other vulnerability is much lower in severity and allows authenticated users to clear and update the site’s template cache.

Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule protecting against the Server Side Request Forgery (SSRF) on April 6, 2023. Wordfence Free users received the same protection on May 6, 2023.

Vulnerability Summary from Wordfence Intelligence

Description: Getwid – Gutenberg Blocks <= 1.8.3 – Authenticated (Subscriber+) Server Side Request Forgery
Affected Plugin: Getwid – Gutenberg Blocks
Plugin Slug: getwid
Affected Versions: <= 1.8.3
CVE ID: CVE-2023-1895
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Researcher/s: Ramuel Gall
Fully Patched Version: 1.8.4

The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to Server Side Request Forgery via the get_remote_content REST API endpoint in versions up to, and including, 1.8.3. This can allow authenticated attackers with subscriber-level permissions or above to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Description: Getwid – Gutenberg Blocks <= 1.8.3 – Improper Authorization via get_remote_templates REST endpoint
Affected Plugin: Getwid – Gutenberg Blocks
Plugin Slug: getwid
Affected Versions: <= 1.8.3
CVE ID: CVE-2023-1910
CVSS Score: 4.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Researcher/s: Ramuel Gall
Fully Patched Version: 1.8.4

The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the get_remote_templates function in versions up to, and including, 1.8.3. This makes it possible for authenticated attackers with subscriber-level permissions or above to flush the remote template cache. Cached template information can also be accessed via this endpoint but these are not considered sensitive as they are publicly accessible from the developer’s site.

Technical Analysis

Getwid – Gutenberg Blocks is a plugin offering a library of pre-generated blocks which it makes available to plugin users and retrieves remotely from the developer’s server. Unfortunately, this remote retrieval functionality, which utilized the REST API, only required an authenticated user in vulnerable versions, meaning that even subscriber-level users could make use of it.

While the REST routes for both vulnerabilities used a capability check in the permissions_check function, the capability checked was read, which all users, even subscribers, are assigned.

code block showing REST route registration
Pictured: The REST API Endpoints and the permissions_check function

On its own this was not a significant issue, but the get_remote_content function also failed to validate the URL passed in, meaning it could be used to retrieve information from any location via the server.

code block showing the get_remote_content function
Pictured: The get_remote_content function

Only GET requests can be performed and the response data will only be rendered if it is JSON-formatted. However, sites hosted on Amazon AWS EC2 instances all have an endpoint which can be accessed internally and returns JSON-formatted credentials that can be used to access the instance.


Pictured: EC2 Credentials on a test box retrieved using this exploit.

Sites running on AWS EC2 instances using IMDS (Instance Metadata Service) version 1 are vulnerable to this attack, while IMDSv2 includes safeguards that prevent successful exploitation.
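The URL validation that the analysis above found missing, written as a server-side check in Python. This is an added example, not Getwid's code or its 1.8.4 patch; the allowlisted host names, the sample DNS answers and all function names are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts this server may fetch templates from.
ALLOWED_HOSTS = frozenset({"templates.example.com"})


class UnsafeURL(ValueError):
    """The URL must not be fetched from the server side."""


def system_resolver(host, port):
    """Return the set of IP strings the OS resolver gives for host."""
    try:
        infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def is_public_ip(addr):
    """True only for globally routable addresses."""
    ip = ipaddress.ip_address(addr)
    # Judge IPv4-mapped IPv6 (::ffff:a.b.c.d) by the IPv4 address it wraps.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16,
    # the range instance metadata services live in), CGNAT and reserved space.
    return ip.is_global


def validate_fetch_url(url, resolver=system_resolver, allowed_hosts=ALLOWED_HOSTS):
    """Return (host, port, ip) to connect to, or raise UnsafeURL."""
    try:
        parts = urlsplit(url)
        port = parts.port or 443
    except ValueError:
        raise UnsafeURL("malformed URL") from None
    if parts.scheme != "https":
        raise UnsafeURL("scheme not allowed")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("userinfo not allowed")
    host = (parts.hostname or "").rstrip(".")
    if host not in allowed_hosts:
        raise UnsafeURL("host not in allowlist")
    addrs = resolver(host, port)
    if not addrs:
        raise UnsafeURL("host did not resolve")
    # Every answer must be public: one internal record is enough to reject.
    if not all(is_public_ip(a) for a in addrs):
        raise UnsafeURL("resolves to non-public address")
    # Connect to this exact IP (sending host for TLS/Host header) so a second
    # DNS lookup cannot return something different, and do not follow redirects.
    return host, port, sorted(addrs)[0]


def verdict(url, resolver=system_resolver, allowed_hosts=ALLOWED_HOSTS):
    """'ok' or the rejection reason, for logging and tests."""
    try:
        validate_fetch_url(url, resolver, allowed_hosts)
        return "ok"
    except UnsafeURL as exc:
        return str(exc)


# Constructed DNS answers so the example runs offline.
SAMPLE_DNS = {
    "templates.example.com": {"93.184.216.34"},
    "cdn.example.com": {"93.184.216.34", "169.254.169.254"},
}


def sample_resolver(host, port):
    return SAMPLE_DNS.get(host, set())


if __name__ == "__main__":
    hosts = {"templates.example.com", "cdn.example.com"}
    for u in (
        "https://templates.example.com/templates.json",
        "http://templates.example.com/templates.json",
        "https://169.254.169.254/",
        "https://templates.example.com@10.0.0.5/",
        "https://cdn.example.com/templates.json",
    ):
        print(f"{verdict(u, sample_resolver, hosts):32} {u}")
```

The address check runs even for allowlisted names, so a DNS record that later points at an internal address is still rejected.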

The second issue was significantly less severe and made use of the minimal capability check on the ‘get_remote_templates’ function. While this would likely have minimal impact on a site, it still compromises the site’s integrity to some extent.

Disclosure Timeline

April 6, 2023 – The Wordfence Threat Intelligence team releases a firewall rule to Wordfence Premium, Wordfence Care, and Wordfence Response users and begins the responsible disclosure process. We send over the full disclosure to the developers.
April 13, 2023 – The plugin developers release a patch in version 1.8.4 of Getwid.
May 6, 2023 – Wordfence Free users receive the firewall rule.

Conclusion

In this blog post, we detailed a Server Side Request Forgery (SSRF) vulnerability in Getwid version 1.8.3 and earlier. This vulnerability allows authenticated attackers with subscriber-level permissions or higher to send arbitrary GET requests from the website, which can be used to obtain critically sensitive information in some configurations. We also described a lower-severity vulnerability allowing subscribers to clear the local template cache.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting the SSRF vulnerability on April 6, 2023. Sites still using the free version of Wordfence received the same protection on May 6, 2023.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as the SSRF vulnerability poses a significant risk. If you or someone you know is hosted on AWS we also highly recommend migrating to IMDSv2 if you have not already, as it offers protection from not only this but the vast majority of SSRF vulnerabilities.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

Source :
https://www.wordfence.com/blog/2023/06/credential-stealing-server-side-request-forgery-patched-in-getwid/

Critical Security Update: Directorist WordPress Plugin Patches Two High-risk Vulnerabilities

Alex Thomas – June 7, 2023

Alongside our usual work to discover, report, and remediate vulnerabilities in the WordPress ecosystem, the WordPress Threat Intelligence team has been conducting a deep-dive into WordPress plugin code with the objective of finding methods to bypass authentication and gain elevated privileges in WordPress plugins so we can help developers patch these vulnerabilities before threat actors can exploit them.

One such plugin we examined recently is Directorist, a popular tool used by over 10,000 WordPress sites to manage directory listings and classified ads.

On April 3, 2023, our team uncovered two significant vulnerabilities – an Arbitrary User Password Reset to Privilege Escalation, and an Insecure Direct Object Reference leading to Arbitrary Post Deletion. Both vulnerabilities were found to affect Directorist versions 7.5.4 and earlier.

Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule to protect against any exploits targeting these vulnerabilities on April 4, 2023. Sites still using the free version of Wordfence received the same protection on May 4, 2023.

Unfortunately, on June 1, 2023, the plugin was closed due to developer unresponsiveness, and it currently remains unavailable for download from the repository. This presents an issue as site owners are unable to request an update directly via their WordPress dashboard. Given this situation, we advise site owners to either temporarily uninstall the plugin, or manually download the patched version, 7.5.5, and upload it to their sites for optimal protection. For this reason, we have intentionally kept specific vulnerability details to a minimum in this post.

Vulnerability Summaries from Wordfence Intelligence

Authenticated (Subscriber+) Arbitrary User Password Reset to Privilege Escalation

Affected Software: Directorist – WordPress Business Directory Plugin with Classified Ads Listings
Affected Versions: <= 7.5.4
CVE ID: CVE-2023-1888
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher: Alex Thomas
Fully Patched Version: 7.5.5

The Directorist plugin for WordPress is vulnerable to an arbitrary user password reset in versions up to, and including, 7.5.4. This is due to a lack of validation checks within login.php. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to reset the password of an arbitrary user and gain elevated (e.g., administrator) privileges.

Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Deletion in listing_task

Affected Software: Directorist – WordPress Business Directory Plugin with Classified Ads Listings
Affected Versions: <= 7.5.4
CVE ID: CVE-2023-1889
CVSS Score: 7.2 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Researcher: Alex Thomas
Fully Patched Version: 7.5.5

The Directorist plugin for WordPress is vulnerable to an Insecure Direct Object Reference in versions up to, and including, 7.5.4. This is due to improper validation and authorization checks within the listing_task function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary posts.

Technical Analysis

Password Reset Vulnerability

Directorist, created by wpWax, is designed to help businesses establish directory listings and classified ads on their WordPress sites. It includes a Login and Registration form that can be enabled using the [directorist_user_login] shortcode.


The Directorist Login and Registration form

This form features a “Recover Password” function, akin to the default WordPress “lost your password?” feature. In vulnerable versions, the underlying code lacks essential validation checks to ensure that the user attempting to reset a password is indeed the account owner. This could allow attackers with subscriber-level permissions or higher to reset the passwords of other users, including administrators, thereby gaining unauthorized elevated privileges and taking over the site.


Directorist “Recover Password” logic

Arbitrary Post Deletion Vulnerability

In addition, we found an arbitrary post deletion vulnerability in the plugin. Directorist listings are essentially custom WordPress posts. In vulnerable versions, the code designed to manage listing deletions lacks the necessary authorization checks to confirm the user is permitted to delete the listing and does not verify that the post being deleted is a Directorist listing. Consequently, this could enable threat actors with subscriber-level and above permissions to delete any post on a WordPress instance, including posts by administrators.


Directorist directory listing deletion logic

Disclosure Timeline

April 3, 2023 – The Wordfence Threat Intelligence team discovers and documents two vulnerabilities in Directorist.
April 4, 2023 – The Wordfence Threat Intelligence team releases firewall rules to Wordfence Premium, Wordfence Care, and Wordfence Response users and begins the responsible disclosure process.
May 4, 2023 – Wordfence Free users receive the firewall rules.
June 1, 2023 – The plugin developers release a patch in version 7.5.5 of Directorist.

Conclusion

In this blog post, we reviewed two vulnerabilities in our ongoing vulnerability research focused on bypassing authentication and gaining elevated privileges – an Arbitrary User Password Reset to Privilege Escalation that allows threat actors to gain full control of a WordPress instance, and a less-severe Insecure Direct Object Reference to Arbitrary Post Deletion, both in Directorist versions 7.5.4 and prior.

The Wordfence Threat Intelligence team reported these vulnerabilities to the Directorist team on April 4, 2023, following responsible disclosure protocols. The Directorist team addressed these vulnerabilities and released the patch in Directorist version 7.5.5 on June 1, 2023.

We recommend all users update their Directorist plugin to the newest version available, which is 7.5.5 at the time of this writing, immediately to secure their websites.

Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule to protect against any exploits targeting these vulnerabilities on April 4, 2023. Sites still using the free version of Wordfence received the same protection on May 4, 2023.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as these vulnerabilities pose a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

Source :
https://www.wordfence.com/blog/2023/06/critical-security-update-directorist-wordpress-plugin-patches-two-high-risk-vulnerabilities/

PSWindowsupdate: Automated Windows Updates with PowerShell

brandon.lee 02 June 2023

The process to install Windows Updates can be a pain. Managing WSUS servers can be a headache too. However, with PowerShell, a special module, and some automation, we can schedule and automate the installation process of Windows Updates. Let’s look at PSWindowsupdate automated Windows Updates with PowerShell and see how it can come to the rescue for keeping your Windows environment up-to-date.

What is PSWindowsUpdate?

PSWindowsUpdate is a third-party PowerShell module, available for download from the PowerShell Gallery repository, designed to help administrators manage Windows updates and install them flexibly and precisely.

Unlike the standard Windows Update Service Manager (WSUS) interface, the PSWindowsUpdate module provides commands for downloading, installing, and managing updates in an automated way. However, it can work in conjunction with WSUS or pull updates directly from Microsoft.

Admins can control every aspect of Windows updates with this module – from viewing available updates and initiating installations to setting update schedules. It includes advanced features like installing specific updates, managing hidden updates, or even automating the entire update process using the Windows Task Scheduler.

Why is Installing Windows Updates Important?

Before diving into the PSWindowsupdate module, why is installing Windows updates important? Installing Windows updates is essential to maintaining a secure and stable system. These updates often contain security patches that protect your systems from vulnerabilities and threats. By regularly installing these updates, you’re ensuring your system’s defenses are up-to-date.

Updates also introduce new features, improve system stability, and fix existing system and software bugs. This can lead to better performance, fewer errors, and a smoother overall user experience. As such, regular updates can go a long way in minimizing downtime and reducing the need for troubleshooting.

If you are a system administrator, it may seem like a headache to patch systems constantly. However, you will thank yourself later for having a fully patched system when the next ransomware variant takes advantage of known patched vulnerabilities. Also, if you are looking at introducing any new integration or software into the environment, it is always best practice to be on the latest version of Windows, patches installed, etc.

Installing the PSWindowsUpdate Module

The installation process for the PSWindowsUpdate module starts with the command line in your PowerShell console. You need to install the module from the PowerShell gallery by typing:

Install-Module -Name PSWindowsUpdate

This command will download and install the module on your local system. However, it’s critical to note that you may need administrator privileges to install modules. Open the PowerShell prompt as an admin and run the command.

You will be prompted to trust the untrusted repository, which is normal.

Installing the PSWindowsupdate PowerShell module

Type “Y” to trust the PSGallery repository.

Accept the untrusted repository to install the module
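
Before answering "Y" to that prompt, the package can be downloaded without installing it, inspected, and then installed at the exact version that was reviewed. The following is an added example, not code from the original article; the staging folder under $env:TEMP is an assumption, and how to treat unsigned files is left to your own policy.

```powershell
# Added example: stage PSWindowsUpdate from PSGallery, inspect it, then install
# the exact version that was reviewed. $Staging is an assumed scratch folder.
$Name    = 'PSWindowsUpdate'
$Staging = Join-Path $env:TEMP 'module-review'

# Resolve the current gallery version and its publisher metadata once.
$found = Find-Module -Name $Name -Repository PSGallery
"{0} {1} by {2}" -f $found.Name, $found.Version, $found.Author

# Save-Module downloads and unpacks the package without installing it.
New-Item -ItemType Directory -Path $Staging -Force | Out-Null
Save-Module -Name $Name -RequiredVersion $found.Version -Repository PSGallery -Path $Staging

# Record Authenticode status and a SHA-256 hash for every code file in the package.
$files  = Get-ChildItem -Path (Join-Path $Staging $Name) -Recurse -File -Include *.dll, *.psd1, *.psm1, *.ps1
$report = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        File   = $f.Name
        Status = [string]$sig.Status
        Signer = $sig.SignerCertificate.Subject
        SHA256 = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}
$report | Format-Table -AutoSize

# Stop if any file carries a signature that does not validate. Files reported
# as NotSigned are listed above but not blocked here.
$bad = $report | Where-Object { $_.Status -in 'HashMismatch', 'NotTrusted' }
if ($bad) {
    throw "Refusing to install ${Name}: $($bad.File -join ', ') failed signature validation."
}

# Install the reviewed version only; the untrusted-repository prompt still appears.
Install-Module -Name $Name -RequiredVersion $found.Version -Repository PSGallery -Scope AllUsers
```

Keeping the hash report lets you confirm later that the same files are what ends up on other servers.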

Importing the PSWindowsUpdate Module

Once installed, you need to import the module PSWindowsUpdate to begin using it. Use the following command:

Import-Module -Name PSWindowsUpdate

It loads the module into your active PowerShell session, making the related cmdlets available for use.

Importing the module in PowerShell

Checking for Available Updates

Upon successful import of the PSWindowsUpdate module, you can quickly check for available updates using the command:

Get-WindowsUpdate

This command will query your machine’s Windows Update Client settings and connect to the Microsoft Update servers to fetch the list of all available updates. You can see critical updates, security updates, and all other types of updates that your system can download and install.

Using the Get WindowsUpdate to see available updates

Downloading Windows Updates

The PSWindowsUpdate module offers the command:

Download-WindowsUpdate

Use this to download Windows updates. Depending on your settings, this command initiates the download process for all approved updates from the Windows Server Update Service (WSUS) or Microsoft Update.

Download Windows Update with PowerShell

Installing Windows Updates

With the updates downloaded, you can install them using the Install-WindowsUpdate command. This command installs all downloaded updates, after which your system might need to reboot.

Install-WindowsUpdate
Running the Install WindowsUpdate command

Managing Windows Update History

The PSWindowsUpdate module provides an opportunity to access your system’s update history. You can use the Get-WUHistory command to get a detailed log of all installed updates.

Get-WUHistory

This command returns a detailed list, including the KB number, update title, and the status of the installed updates.

Get the reboot status of your Windows Server

Customizing Update Installation with an XML File

Advanced users might appreciate the ability to customize update installations using XML files. These files can specify category names to include or exclude from the update process. You can also use them to specify whether to include or exclude updates marked for automatic installation.

Scheduling Updates with Task Scheduler

In many environments, you may want to run the PSWindowsupdate command in an automated way. One way you can do this is by leveraging the power of the Windows Task Scheduler in conjunction with the PSWindowsUpdate module.

Using this combination, you can automate the download and install process at specific intervals, ensuring your system stays updated without manual intervention. We will take a look below at a script you can schedule with Task Scheduler to run at a regular interval.

Installing Specific Updates

You can install specific updates using their unique KB number with the Install-WindowsUpdate command. For example, if you only want to install the update with the KB number KB4012606, you can do so with the following command:

Install-WindowsUpdate -KBArticleID KB4012606 -AcceptAll -AutoReboot

This command will only install the specified update and perform an automatic reboot if necessary.

Installing Only Security Updates

If you wish only to install security updates, you can do so with the following command:

Get-WindowsUpdate -Category 'Security Updates' | Install-WindowsUpdate

This command first fetches only the security updates and then pipes them into the Install-WindowsUpdate command, installing only the security updates.

Hiding Specific Updates

There may be times when you want to hide a problematic update, for example because it is causing issues on your system. You can do so with the Hide-WindowsUpdate command. To hide the update with the KB number KB4012606, use the following command:

Hide-WindowsUpdate -KBArticleID KB4012606

This command will hide the specified update, preventing it from appearing in future searches for updates.

Checking if a Reboot is Required

To check whether a reboot is pending after installing updates, use the Get-WURebootStatus command:

Get-WURebootStatus

This command will check and let you know if any installed updates require a reboot.

In the example, replace the placeholder KB numbers in the commands with the actual KB number of the update you’re interested in. Also, always ensure to run these commands in a safe and controlled environment, particularly when executing them on production systems or remote computers.

Get Windows Update history using PSWindowsupdate

Automate Windows Updates using PSWindowsUpdate

Automation is one of the powerful features of PowerShell and by extension, the PSWindowsUpdate module. In this section, we’ll cover an example of how to write a script for automating Windows updates using PSWindowsUpdate.

# Import the PSWindowsUpdate module
Import-Module PSWindowsUpdate

# Get all available updates
$updates = Get-WindowsUpdate -MicrosoftUpdate

# Filter out optional updates
$importantUpdates = $updates | Where-Object {$_.IsDownloaded -eq $true -and $_.IsMandatory -eq $true}

# Install important updates
$importantUpdates | Install-WindowsUpdate -AcceptAll -AutoReboot

In this script, we first import the PSWindowsUpdate module. We then fetch all available updates using Get-WindowsUpdate. Using Where-Object, we filter out only the important (mandatory and already downloaded) updates, ignoring the optional ones. Lastly, we install these important updates using Install-WindowsUpdate, automatically accepting EULAs and rebooting if necessary.

You can automate the execution of this script using Task Scheduler. Here’s a basic example of how you can do this:

  1. Open Task Scheduler and create a new task.
  2. In the Triggers tab, set the schedule for the task according to your needs (for example, daily at 3 AM).
  3. In the Actions tab, select ‘Start a program’ and input powershell.exe as the program.
  4. In the ‘Add arguments’ field, input -ExecutionPolicy Bypass -File "c:\<your script file path>.ps1" where <your script file path> is the path to your PowerShell script.
  5. Finish the wizard and the task will be scheduled.

Remember to replace the path to the script with the actual path of your script file. The system will automatically execute the update script at the specified time.
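
The same five steps can be expressed with the ScheduledTasks cmdlets, which makes the task reproducible across servers. This is an added example, not part of the original article; the script path, the task name, the SYSTEM principal and the extra -NoProfile switch are assumptions. Because the task runs the file elevated with -ExecutionPolicy Bypass, the example first refuses to schedule a script that non-administrative accounts can modify.

```powershell
# Added example (not from the original article). $ScriptPath and $TaskName are assumed names.
$ScriptPath = 'C:\Scripts\Install-Updates.ps1'
$TaskName   = 'PSWindowsUpdate-Nightly'

if (-not (Test-Path -LiteralPath $ScriptPath -PathType Leaf)) {
    throw "Script not found: $ScriptPath"
}

# Anyone who can write to the script can run code as SYSTEM through this task,
# so flag write-type rights granted to principals outside the trusted list.
$trusted     = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$risky = (Get-Acl -LiteralPath $ScriptPath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band [int]$writeRights) -ne 0) -and
    $_.IdentityReference.Value -notin $trusted
}
if ($risky) {
    $who = ($risky.IdentityReference.Value | Sort-Object -Unique) -join ', '
    throw "Refusing to schedule: $ScriptPath is writable by $who"
}

# Steps 3 and 4: program and arguments.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""

# Step 2: daily at 3 AM.
$trigger = New-ScheduledTaskTrigger -Daily -At '3:00AM'

# Run as SYSTEM so no account password is stored with the task.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Catch up after a missed start, and stop a hung update run after four hours.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 4)

# Steps 1 and 5: create the task.
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Description 'Runs the PSWindowsUpdate script'

# Show last and next run times to confirm the registration.
Get-ScheduledTask -TaskName $TaskName | Get-ScheduledTaskInfo
```

The ACL check covers the script file only; the folder that holds it needs the same restriction.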

This script and scheduling are basic examples. You may need to modify the script and task parameters according to your specific requirements, such as filtering updates based on criteria or sending a report by email after installation.

Also, be sure to test these scripts in a safe and controlled environment before deploying them in production, especially when executing them on remote computers.

PSWindowsupdate Frequently Asked Questions

Can I use the PSWindowsUpdate module to manage updates on remote computers?

Using the PSWindowsUpdate module, you can manage updates both locally and on remote computers. You must ensure you have all the necessary permissions as you would normally to administer and manage a remote machine.

Can I automate the update process using the PSWindowsUpdate module?

One of the strong suits of the PSWindowsUpdate module is the ability to automate the process of applying Windows Updates. You can easily create a simple PowerShell script to download and install Windows Updates. The script can also apply various logic, such as hiding updates or downloading only certain types of updates. Task Scheduler provides an easy way to trigger the PSWindowsUpdate automation.

How do I view hidden updates using PSWindowsUpdate?

You can use the Get-WUHiddenUpdate command to view all hidden updates on your system. If you wish to unhide an update, use the UnHide-WindowsUpdate command with the appropriate KB number.

How can I install specific categories of updates using the PSWindowsUpdate module?

You can filter updates based on a particular category using PSWindowsUpdate. It is common to see administrators only install the “security updates” available for an operating system. You can easily accomplish this with the following command:

Get-WindowsUpdate -Category 'Security Updates' | Install-WindowsUpdate

Wrapping up

The PSWindowsUpdate module is a great way for system administrators to manage single or multiple Windows servers using a fully automated solution built on top of PowerShell. It provides many capabilities that give you full control over the Windows Update service. You can use it to review available updates, download approved updates, or manage the update history. The PSWindowsupdate PowerShell module can help streamline your system’s update process, including all Windows PCs and Servers across the board.

Fixing WSUS – When the Best Defense is a Good Offense

By Johan Arwidmark / April 12, 2018

This week started pretty harsh, with a ton of customers reaching out to our team having WSUS issues. Everything from the “traditional” CPU and memory spikes, to severe network traffic over port 8530 to the WSUS/SUP server. Basically, clients were downloading massive amounts of info, with some customers reporting up to 700 MB per endpoint.

Note #1: One ongoing issue right now seems to be that the Windows version next updates contains a ton of metadata, causing a massive headache for WSUS admins. See below for scripts to help clean up the mess, and to perform needed maintenance tasks. Also, if you are missing some info here, let me know. I’m @jarwidmark on Twitter.

WARNING: Whatever solution you pick for the maintenance of your WSUS/SUP server, ensure that you do not sync your WSUS/SUP during the maintenance process!

WSUS Housekeeping

Until Microsoft replaces WSUS with something better, you have to do some housekeeping for WSUS to behave. Your mileage is going to vary, but you simply have to keep the WSUS database in shape, as well as declining unused updates. Here are a few resources that can help when WSUS goes bad.

Update:
The network traffic from WSUS can also be heavily loaded due to an outdated Microsoft Compatibility Appraiser version on the machines. See this KB:

Unexpected high network bandwidth consumption when clients scan for updates from local WSUS server
http://support.microsoft.com/en-us/help/4163525/high-bandwidth-use-when-clients-scan-for-updates-from-local-wsus-serve

I have also published a PowerShell script you can run, either via remote PowerShell, or via the “Run Script” feature in ConfigMgr:

Checking the Microsoft Compatibility Appraiser version to prevent unwanted network traffic
https://deploymentresearch.com/666/Checking-the-Microsoft-Compatibility-Appraiser-version-to-prevent-unwanted-network-traffic

Step 1 – Buy you some time

When all 8 CPUs on your site server are constantly at 95-100 percent, there is little room for any admin work or cleanup. So make sure to throttle CPU on the WsusPool application pool, to give you some working room.

WsusPool application pool.

Here is a good write-up of the preceding steps.

ConfigMgr Software Update Point: Out-of-Control App Pool
http://www.windowsmanagementexperts.com/configmgr-software-update-point-out-of-control-app-pool/configmgr-software-update-point-out-of-control-app-pool.htm

Step 2 – More application pool settings, and the WSUS web.config file

Next step is to configure everything else in the application pool, together with the web.config file. I was lazy so I “borrowed” some settings from Sherry’s post below, and added them to a PowerShell script: http://github.com/DeploymentResearch/DRFiles/blob/master/Scripts/Invoke-WSUSConfiguration.ps1

The script came from a series of ConfigMgr Configuration Items posted by Sherry Kissinger 

WSUS Administration, WSUSPool, web.config, settings enforcement via Configuration Items
http://www.mnscug.org/blogs/sherry-kissinger/512-wsus-administration-wsuspool-web-config-settings-enforcement-via-configuration-items    

Step 3 – Decline weird stuff

Use any or all of the listed solutions to get rid of junk in your WSUS database:

Tip: Before starting to run decline scripts, PowerShell / SQL etc., make sure your SUSDB is not heavily fragmented. Use the Maintenance Solution from Ola Hallengren to optimize the SUSDB indexes: http://ola.hallengren.com/

Optional Speed Tip: If you don’t mind going totally unsupported, you can create additional indexes in the WSUS database that speed up the cleanup dramatically. More info here: http://kickthatcomputer.wordpress.com/2017/08/15/wsus-delete-obsolete-updates, a great post by Scott Williams (@ip1). Again, not supported by Microsoft so don’t blame me if something happens 🙂 Fun fact: In my environment that change made the deletions go 30 times faster!!!

Here is a copy of the “code”: http://github.com/DeploymentResearch/DRFiles/blob/master/Scripts/Create-WSUS-Index.sql

Decline weird stuff #1 – Fully Automate Software Update Maintenance in Configuration Manager

As the title implies, a script that automates software updates, including cleanup, optimization and more. Written by Bryan Dam (@bdam555).
https://damgoodadmin.com/2017/11/05/fully-automate-software-update-maintenance-in-cm/

Update April 17, 2018: Bryan recently updated the script to support standalone WSUS too, below you find a sample syntax for that:

.\Invoke-DGASoftwareUpdateMaintenance.ps1 -UpdateListOutputFile .\UpdateListOutputFile.csv -StandaloneWSUS WSUS01 -RunCleanUpWizard -DeclineSuperseded -DeclineByTitle @('*Itanium*','*ia64*','*Beta*') -DeclineByPlugins -Force

Decline weird stuff #2 – SQL Cleanup scripts

Some shiny SQL scripts from Paul Salwey (@psalwey).

Especially check out the WSUSSQLMaintenance_4_DeclineUpdates_XML_Lengthover5000.sql one. I had not seen that before.

http://drive.google.com/drive/folders/11dNPRZgqlultZql7rVHZZm3Dom8eKlVJ

Tip on usage:

  1. Reindex
  2. Obsolete script
  3. Superseded script
  4. XML script
  5. Reindex again
  6. Reboot server

Tip #1:  If you have a lot of obsolete updates (Script 2.), consider using an alternate version below that runs in batches, and also shows total number of updates. The script is from Scott Williams (see Resource #6 further down this post). I just added a comment on where to change the batch numbers.

http://github.com/DeploymentResearch/DRFiles/blob/master/Scripts/WSUSSQLMaintenance_2_RemoveObsoleteUpdates_BatchVersion.sql

Tip #2: If you just want to quickly see how many obsolete updates you have, use this script:

http://github.com/DeploymentResearch/DRFiles/blob/master/Scripts/Get-WSUSObsoleteUpdatesNumber.sql

Tip #3: Benjamin Reynolds (@SqlBenjamin), with Microsoft, has put together a combination of creating indexes for speed with a more optimized version of cleaning up obsolete updates, and Steve Thompson (@Steve_TSQL), has it all explained and published here: http://stevethompsonmvp.wordpress.com/2018/05/01/enhancing-wsus-database-cleanup-performance-sql-script/

Decline weird stuff #3 – Decline Updates Script by Jeff Carreon

In the same post as the SQL script to view updates with large metadata (in the “Additional Resources” section further down this post), you find a great decline-updates script by Jeff Carreon (@jeffctangsoo10). It’s in the same post as the SQL script, but kind of hidden if you don’t look carefully. Here is a direct link:

https://www.tcsmug.org/images/carryon/Run-DeclineUpdate-CleanupV5.zip

By default the script runs in “What-If” mode ($TrialRun set to $True). Here is a syntax to run it in declining mode, without sending an email report:

.\Run-DeclineUpdate-CleanupV3.ps1 -Servers CM01 -TrialRun:$false -EmailReport:$false

Decline weird stuff #4 – WSUS Automated Maintenance (Formerly Adamj Clean-WSUS)

I have not personally tested this one, but the community seems to like it quite a bit. Cleanup and DB script from Adam Marshall (@Adamj_1)

http://community.spiceworks.com/scripts/show/2998-wsus-automated-maintenance-formerly-adamj-clean-wsus

Additional Resources

Here follows some additional resources that I found useful:

Resource #1 – Script to view updates with large metadata

Here is another contribution from Sherry’s team. This SQL script was put together by Jeff Carreon, after working with Microsoft support on a WSUS performance issue. Very shiny.

The script is used to identify and measure the metadata that the clients are downloading. It tells you which articles (fancy word for update metadata) are deployable and the size of each article.

What’s SUP???

http://mnscug.org/blogs/jeff-carreon/513-what-s-sup

Resource #2 – The complete guide to Microsoft WSUS and Configuration Manager SUP maintenance

Info from Microsoft. The title is a bit misleading, since it’s not actually a complete guide. But there is still lots of good info.

http://blogs.technet.microsoft.com/configurationmgr/2016/01/26/the-complete-guide-to-microsoft-wsus-and-configuration-manager-sup-maintenance/

Resource #3 – Clients cannot report Scan Results back to WSUS

During the day, Matthew Krause (@MatthewT_Krause) also provided info on an issue he was having: quite a lot of clients, 75 percent out of 6500, were not reporting back the scan results to WSUS. Basically the server got overloaded with IIS 500 errors as the clients kept trying to report scan results, failing, and then trying again. In the WindowsUpdate.log on the client they found that clients would get the error message stating invalid parameter, but the sub message was Message:parameters.InstalledNonLeafUpdateIDs (see below).

WindowsUpdate.log on a client failing to report back scan results.

So if you are running into the non-leaf error message, one solution that proved to work was changing the maxInstalledPrerequisites value in the WSUS Web.config file, and then doing an IIS reset. Making this change got 90% of clients to report scan results back within one day for this environment.

Change WSUS Web.config from:

<add key="maxInstalledPrerequisites" value="400"/>

to:

<add key="maxInstalledPrerequisites" value="800"/>
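
One way to script that Web.config change so it is backed up, idempotent and repeatable, shown as an added example that is not part of the original post. The function name and the sample file are constructed for illustration, and the real path to the WSUS Web.config, which the post does not give, must be supplied by you.

```powershell
# Added example (not from the original post). Set-WsusMaxInstalledPrerequisites
# is a hypothetical helper name; -WebConfig is the path to the WSUS Web.config.
function Set-WsusMaxInstalledPrerequisites {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $WebConfig,
        [int] $Value = 800
    )
    $path = (Resolve-Path -LiteralPath $WebConfig).ProviderPath
    $xml  = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true          # keep the file's layout intact
    $xml.Load($path)

    # local-name() keeps the lookup working if <configuration> declares a namespace.
    $node = $xml.SelectSingleNode("//*[local-name()='add'][@key='maxInstalledPrerequisites']")
    if (-not $node) { throw "maxInstalledPrerequisites key not found in $path" }

    $old    = $node.GetAttribute('value')
    $result = [pscustomobject]@{ Path = $path; Old = $old; New = "$Value"; Changed = $false; Backup = $null }
    if ($old -eq "$Value") {
        Write-Verbose "Value is already $Value; nothing to do."
        return $result
    }
    if ($PSCmdlet.ShouldProcess($path, "maxInstalledPrerequisites $old -> $Value")) {
        # Keep a timestamped copy so the change can be rolled back.
        $result.Backup = "$path.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
        Copy-Item -LiteralPath $path -Destination $result.Backup
        $node.SetAttribute('value', "$Value")
        $xml.Save($path)
        $result.Changed = $true
    }
    return $result
}

# Constructed sample file so the example runs without touching a WSUS server.
$sample = Join-Path $env:TEMP 'wsus-sample-Web.config'
@'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="maxInstalledPrerequisites" value="400"/>
  </appSettings>
</configuration>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8

$result = Set-WsusMaxInstalledPrerequisites -WebConfig $sample -Verbose
$result | Format-List

# On the WSUS server, point -WebConfig at the real file and restart IIS only
# when the value actually changed:
# if ($result.Changed) { iisreset.exe }
```

Running it with -WhatIf first shows the pending change without writing to the file.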

Resource #4 – Optimizing WSUS with Configuration Manager, via Adaptiva

Good WSUS overview article with a few technical tricks in it. Written by Matt Tinney (@mnt2556) from Windows Management Experts.

https://insights.adaptiva.com/2018/wsus-configuration-manager/

Resource #5 – Unleash WSUS performance, via Pawel Jarosz

Here is another reading I found useful.

Simon says – unleash WSUS performance

http://paweljarosz.wordpress.com/2018/03/23/simon-says-unleash-wsus-performance

Resource #6 – WSUS Delete Obsolete Updates, via Scott Williams

Yet another useful resource. Written by Scott Williams (@ip1).

WSUS Delete Obsolete Updates
http://kickthatcomputer.wordpress.com/2017/08/15/wsus-delete-obsolete-updates

That's all for now,

Happy Deployment / Johan

Source :
https://www.deploymentresearch.com/fixing-wsus-when-the-best-defense-is-a-good-offense/