A comprehensive Windows Update management system that provides enterprise-grade update orchestration with deployment ring support, rollback capabilities, and extensive telemetry.
The Windows Update Orchestrator (WUO) is a sophisticated update management system designed for enterprise environments. It provides:
- Deployment Ring Management: Support for Stable, Beta, Dev, and Canary deployment rings
- Update Orchestration: Intelligent update installation with rollback capabilities
- Security & Validation: Cryptographic signature verification and secure download protocols
- Comprehensive Telemetry: ETW events and Application Insights integration
- PowerShell Management: Complete administrative control via PowerShell module
- Cross-Platform Build: Support for both Windows and Unix build environments
```
┌─────────────────────────────────────────────────────────────────┐
│                     WUOrchestrator Service                      │
│   ┌─────────────────────────────────────────────────────────┐   │
│   │                 C++ Win32 Service Core                  │   │
│   │  ┌─────────────┐  ┌─────────────┐  ┌──────────────┐     │   │
│   │  │Update Engine│  │Ring Manager │  │ETW Provider  │     │   │
│   │  └─────────────┘  └─────────────┘  └──────────────┘     │   │
│   └─────────────────────────────────────────────────────────┘   │
│                           │                                     │
└───────────────────────────┼─────────────────────────────────────┘
                            │
                            │ Named Pipe
                            │
┌───────────────────────────┼─────────────────────────────────────┐
│                           │                                     │
│   ┌───────────────────────▼─────────────────────────────────┐   │
│   │                     C# Update Agent                     │   │
│   │  ┌─────────────┐  ┌─────────────┐  ┌─────────┐          │   │
│   │  │Downloader   │  │Validator    │  │Installer│          │   │
│   │  └─────────────┘  └─────────────┘  └─────────┘          │   │
│   └─────────────────────────────────────────────────────────┘   │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
                            │
                            │ HTTPS
                            │
┌───────────────────────────┼─────────────────────────────────────┐
│                           ▼                                     │
│                   Update Manifest Repository                    │
│   ┌─────────────────────────────────────────────────────────┐   │
│   │                  JSON Manifest Format                   │   │
│   │  ┌─────────────┐  ┌─────────────┐  ┌──────────────┐     │   │
│   │  │Package Info │  │Prerequisites│  │Install Steps │     │   │
│   │  └─────────────┘  └─────────────┘  └──────────────┘     │   │
│   └─────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘
```
- Location: `src/orchestrator/WUOrchestratorService.cpp`
- Purpose: Core service that manages update orchestration
- Features:
  - Windows Service integration with SCM
  - Named pipe server for IPC
  - ETW event provider
  - Deployment ring management
  - Update installation coordination

- Location: `src/agent/`
- Purpose: Handles actual update downloads, validation, and installation
- Features:
  - Secure HTTPS downloads with certificate validation
  - Cryptographic signature verification
  - Update package installation and rollback
  - Application Insights telemetry
  - Configurable retry policies

- Location: `scripts/WUOrchestrator.psm1`
- Purpose: Administrative interface for managing the orchestrator
- Features:
  - Service status monitoring
  - Deployment ring switching
  - Update installation control
  - Diagnostic log retrieval
  - Rollback testing capabilities

- Location: `src/manifests/`
- Purpose: JSON-based update definitions
- Features:
  - Cryptographic signatures
  - Prerequisite validation
  - Hardware requirements
  - Installation instructions
  - Rollback procedures

The system supports four deployment rings with increasing risk levels:
Ring | Description | Target Audience | Update Frequency |
---|---|---|---|
Stable | Production-ready updates | General users | Monthly |
Beta | Pre-release validation | IT Pros | Bi-weekly |
Dev | Development builds | Developers | Weekly |
Canary | Latest features | Testers | Daily |
- Windows 10/11 (Build 19041 or later)
- Visual Studio 2022 with C++ workload
- .NET 6.0 SDK or later
- PowerShell 5.1 or later
- Administrator privileges
```powershell
# Clone the repository
git clone https://github.com/bashirk/WUOP
cd WUOP

# Build the project
.\scripts\build.bat

# Install the service (requires admin)
.\scripts\install.bat
```

```bash
# Build C# components only
./scripts/build.sh

# Note: C++ service requires Windows environment
```
- Run the installer (requires administrator privileges):

  ```powershell
  .\scripts\install.bat
  ```

- Verify installation:

  ```powershell
  Get-Service -Name "Windows Update Orchestrator"
  ```

- Check event logs:

  ```powershell
  Get-WinEvent -LogName "WUOrchestrator/Operational" -MaxEvents 10
  ```

The orchestrator service reads configuration from the registry:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WUOrchestrator
├── DeploymentRing (REG_SZ)     - Current ring: Stable/Beta/Dev/Canary
├── ManifestURL (REG_SZ)        - Update manifest repository
├── UpdateInterval (REG_DWORD)  - Check interval in minutes
├── EnableTelemetry (REG_DWORD) - Telemetry enabled: 0/1
└── LogLevel (REG_DWORD)        - Logging level: 0-4
```
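
Because a LocalSystem service takes `ManifestURL` and `DeploymentRing` from this key, both the values and the key's ACL are worth auditing. The script below is an added example, not part of WUOP: the function names, the expected-writer SID list and the rule that `UpdateInterval` must be positive are assumptions, and the first call runs on a constructed sample.

```powershell
# Added example, not WUOP code: audit the values and ACL of the orchestrator's registry key.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\WUOrchestrator'

function Test-WUOConfigValues {
    param([hashtable]$Config)
    $findings = @()
    if ($Config.DeploymentRing -notin 'Stable', 'Beta', 'Dev', 'Canary') {
        $findings += "DeploymentRing '$($Config.DeploymentRing)' is not a documented ring"
    }
    $uri = $null
    $isUri = [Uri]::TryCreate([string]$Config.ManifestURL, [UriKind]::Absolute, [ref]$uri)
    if (-not $isUri -or $uri.Scheme -ne 'https') {
        $findings += "ManifestURL '$($Config.ManifestURL)' is not an absolute https:// URL"
    }
    if ($Config.UpdateInterval -lt 1) { $findings += 'UpdateInterval is missing or not positive' }
    if ($Config.EnableTelemetry -notin 0, 1) { $findings += 'EnableTelemetry must be 0 or 1' }
    if ($Config.LogLevel -notin 0..4) { $findings += 'LogLevel must be between 0 and 4' }
    $findings
}

function Get-WUOUnexpectedWriters {
    param([string]$Path = $KeyPath)
    # Assumed allow-list: SYSTEM, Administrators, CREATOR OWNER, TrustedInstaller (SIDs are locale-independent)
    $expected = 'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0',
                'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    $rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    # Also catch ACEs expressed as GENERIC_ALL (0x10000000) or GENERIC_WRITE (0x40000000)
    $mask = [int]$rights -bor 0x10000000 -bor 0x40000000
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.RegistryRights -band $mask) -and
        $_.IdentityReference.Value -notin $expected
    }
}

# Constructed sample: a plain-HTTP manifest URL and an undocumented ring are both flagged.
Test-WUOConfigValues @{ DeploymentRing = 'Nightly'; ManifestURL = 'http://updates.example.com/manifest.json'
                        UpdateInterval = 60; EnableTelemetry = 1; LogLevel = 2 }

if (Test-Path $KeyPath) {   # live check on a machine where the service is installed
    $props = Get-ItemProperty -Path $KeyPath
    $live = @{}
    'DeploymentRing', 'ManifestURL', 'UpdateInterval', 'EnableTelemetry', 'LogLevel' |
        ForEach-Object { $live[$_] = $props.$_ }
    Test-WUOConfigValues $live
    Get-WUOUnexpectedWriters | ForEach-Object { "Unexpected write access: $($_.IdentityReference.Value)" }
}
```
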
The C# agent uses `appsettings.json`:

```json
{
  "AgentConfiguration": {
    "UpdateCheckInterval": 3600,
    "MaxConcurrentDownloads": 3,
    "DownloadTimeout": 1800,
    "InstallationTimeout": 3600
  },
  "Security": {
    "RequireSignatureValidation": true,
    "TrustedPublishers": ["Microsoft Corporation", "Intel Corporation"]
  }
}
```
```powershell
# Import the module
Import-Module .\scripts\WUOrchestrator.psm1

# Check service status
Get-WUOrchStatus

# Switch deployment ring
Set-WUOrchRing -Ring "Beta"

# Trigger update check
Invoke-WUOrchCommand -Command "CheckForUpdates"

# Get recent logs
Get-WUOrchLogs -MaxEvents 50

# Test rollback functionality
Test-WUOrchRollback -PackageId "KB5034123"

# Restart the service
Restart-WUOrchService
```
```powershell
# Start the service
Start-Service -Name "Windows Update Orchestrator"

# Stop the service
Stop-Service -Name "Windows Update Orchestrator"

# Check service status
Get-Service -Name "Windows Update Orchestrator"
```
The service provides comprehensive ETW events for monitoring:
- Operational Channel: Service operations and update lifecycle
- Admin Channel: Administrative events and configuration changes
- Debug Channel: Detailed debugging information
- Analytic Channel: Performance metrics and analytics
Custom performance counters track:
- Manifest download rate
- Update installation success rate
- Active update sessions
- Failed update attempts
- Average update duration
- Ring switch frequency
- Rollback operations
The C# agent sends telemetry to Application Insights:
- Update installation metrics
- Download performance
- Error rates and types
- User experience data
- System health indicators
- Manifest Signatures: All update manifests are cryptographically signed
- Package Verification: Update packages include SHA256 checksums
- Certificate Validation: HTTPS downloads with certificate chain validation
- Publisher Verification: Trusted publisher validation
- Service Permissions: Runs as LocalSystem with restricted permissions
- Named Pipe Security: Secure IPC with authentication
- Registry Protection: Configuration stored in protected registry keys
- File System Security: Secure file operations with proper ACLs
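
The package checksum and trusted-publisher checks listed above can be reproduced by hand on a downloaded package. This is an added example, not the agent's code: `Test-UpdatePackageTrust` and its parameters are hypothetical, it assumes the expected SHA256 comes from a manifest whose own signature has already been verified, and it reads the `Security` section of `appsettings.json` shown earlier.

```powershell
# Added example, not WUOP code. Function and parameter names are hypothetical.
function Test-UpdatePackageTrust {
    param(
        [Parameter(Mandatory)][string]$PackagePath,
        [Parameter(Mandatory)][string]$ExpectedSha256,   # taken from an already-verified manifest
        [Parameter(Mandatory)][string]$SettingsPath      # the agent's appsettings.json
    )
    $security = (Get-Content -Raw -Path $SettingsPath | ConvertFrom-Json).Security
    # Fail closed: signature validation is skipped only when the setting is explicitly false
    $requireSig = $security.RequireSignatureValidation -ne $false

    $r = [ordered]@{ HashMatches = $false; SignatureValid = $false; Publisher = $null; PublisherTrusted = $false }
    $actual = (Get-FileHash -Path $PackagePath -Algorithm SHA256).Hash
    $r.HashMatches = $actual -eq $ExpectedSha256.Trim()   # string -eq ignores hex case

    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    $r.SignatureValid = $sig.Status -eq 'Valid'           # Valid implies the chain builds to a trusted root
    if ($sig.SignerCertificate) {
        $r.Publisher = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
        # A publisher name only counts when the signature itself validated
        $r.PublisherTrusted = $r.SignatureValid -and ($r.Publisher -in $security.TrustedPublishers)
    }
    $r.Accept = $r.HashMatches -and ((-not $requireSig) -or $r.PublisherTrusted)
    [pscustomobject]$r
}

# Constructed demo: an unsigned temp file whose hash matches is still rejected (Accept = False).
$pkg = Join-Path $env:TEMP 'wuo-demo.bin'
$cfg = Join-Path $env:TEMP 'wuo-appsettings.json'
[IO.File]::WriteAllBytes($pkg, [byte[]](1..16))
'{"Security":{"RequireSignatureValidation":true,"TrustedPublishers":["Microsoft Corporation"]}}' |
    Set-Content -Path $cfg
$expected = (Get-FileHash -Path $pkg -Algorithm SHA256).Hash
Test-UpdatePackageTrust -PackagePath $pkg -ExpectedSha256 $expected -SettingsPath $cfg
Remove-Item -Path $pkg, $cfg
```
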
- Service won't start

  ```powershell
  # Check event logs
  Get-WinEvent -LogName "System" -MaxEvents 50 | Where-Object {$_.Id -eq 7034}

  # Verify dependencies
  sc.exe qc "Windows Update Orchestrator"
  ```

- Update installation failures

  ```powershell
  # Check operational logs
  Get-WinEvent -LogName "WUOrchestrator/Operational" -MaxEvents 20

  # Test manifest validation
  Test-WUOrchManifestValidation -ManifestPath "path\to\manifest.json"
  ```

- Network connectivity issues

  ```powershell
  # Test manifest download
  Test-WUOrchManifestDownload -ManifestURL "https://example.com/manifest.json"

  # Check proxy settings
  netsh winhttp show proxy
  ```

```powershell
# Comprehensive health check
Test-WUOrchHealth

# Network connectivity test
Test-WUOrchNetwork

# Service dependencies check
Test-WUOrchDependencies

# Performance baseline
Get-WUOrchPerformanceMetrics
```
- Clone the repository

  ```powershell
  git clone <repository-url>
  cd WUOP
  ```

- Build the project

  ```powershell
  # Windows build
  .\scripts\build.bat

  # Cross-platform build (C# only)
  ./scripts/build.sh
  ```

- Run tests

  ```powershell
  # PowerShell tests
  Invoke-Pester .\scripts\tests\

  # C# unit tests
  dotnet test src\agent\tests\
  ```

- Fork the repository
- Create a feature branch
- Make your changes
- Add tests for new functionality
- Submit a pull request
To completely remove the Windows Update Orchestrator:
```powershell
# Run the uninstaller (requires admin)
.\scripts\uninstall.bat
```
This will:
- Stop and remove the service
- Remove registry entries
- Delete installed files
- Unregister ETW manifest
- Remove PowerShell module
This project is licensed under the MIT License. See the LICENSE file for details.
For issues and questions:
- Check the troubleshooting section
- Review event logs
- Submit issues to the project repository
- Contact your system administrator
- Initial release
- C++ Win32 service implementation
- C# Update Agent
- PowerShell management module
- ETW telemetry integration
- Deployment ring support
- Rollback capabilities
Note: This is an enterprise-grade update management system. Always test in a non-production environment before deploying to production systems.