How to create a Windows Update Trusted Updater policy in IES

Version 4



    This is a step by step guide on how to create a Windows Update Trusted Updated policy in Ivanti Endpoint Security using the XML created by Ivanti containing hash values of Windows Update files. This allows Windows Update to be set as a Trusted Updater in Application Control so that updates can be applied through it without needing to manually find and add the files from logs to the policy.

    The WUTU XML file is updated as Microsoft makes changes to the Windows Update Agent. The last time that the file was updated can be found in the timestamp value located near the start of the file. Please note that the provided WUTU XML file is just a snapshot at the time of creation, and so it is recommended to always test deployments of updates before rolling them out to a production environment.

    The WUTU contains files associated with Windows Update from RTM and beyond. As such, it should include file versions from the initial ISO release to the current versions as of the time of the last WUTU XML release. As there can be some time between the release of new files by Microsoft and the new files being detected and released through our testing it is recommended that you test and monitor your environments so that you can have the needed files specified in your environment when you need them. This is also what was meant by referring to the WUTU XML as a snapshot.




    1) Locate the WUTU_84.xml file, located in the C:\Program Files (x86)\HEAT Software\EMSS\Replication Services\Utilities\WUTU\ folder


    2) On EMSS console, go to "Manage > Application library" and create a new application

    3) Select the new application and click "Import", You will get a popup

    - Click on Browse and select the "WUTU_84.xml" file

    - Click import

    - Once imported, click “Search” and you will see all the Windows updater files listed


    4) Click on the highlighted check box (Select ALL files) to select all files and click “Trust”


    5) Click “Create a new Trusted Updater/ Installer policy”


    6) Provide the policy a meaningful name such as “WUTU Policy”;

    **WUTU = Windows Updater Trusted Updater

    Click “Next”



    7) Assign the policy to groups or endpoints and click Finish


    Additional notes:


    1) The WUTU hashkit contains various versions of Windows updater files, which you can assign to all Windows

    2) At some point, if the Windows Update still fails at some point, please generate either an:

    "All Application Events" or "All Denied Applciation Events" via "Application Control Log Query"

    This can be accessed via "Review - Application Control Log Query" on the EMSS web console


    - Check the denied windows updater file, click "Trust" and add it into the existing "WUTU" policy. (Above mentioned step 5, instead of "Create", please click "Add to one or more existing policies", select the existing WUTU policy.)



    WUTU hashkit is now part of the EMSS server when a replication is performed.

    We have decided to include the WUTU XML on the replication.

    You will be able to find the file in the "C:\Program Files (x86)\HEAT Software\EMSS\Replication Services\Utilities\WUTU"

    Please edit the file to check the timestamp (Release) of the WUTU hashkit.

    Search for the word "Timestamp", copy it out or add the XML file to the existing or new Windows Update trusted updater policy.


    Affected Products


    HEAT EMSS 8.4+

    Ivanti ES 8.5+