Version: 22


This is work in progress.




Deploy (i.e. download and by default install) the specified patch to this device.


Should this be renamed to just "Deploy" because "Patch.DeployPatch" seems a little tautological?

Source (string): The source of patch meta-data, typically the installation mechanism used to handle patch(es). One of:

  • CAB: A file with a .cab extension and appropriate binary structure containing update metadata, located somewhere in the file system available to the local agent. The file is used directly by the local Windows Update agent, without SCCM or WSUS being involved.
  • SCCM: System Center Configuration Manager.
  • WSUSL: A local (to the enterprise) corporate Windows Server Update Service server.
  • WSUSR: The remote Windows Server Update Service feed over the internet at .

Case is not significant.

PatchSpec (string; optional, default all available patches): The patches to be actioned. If not specified, all available patches will be deployed.


For Windows, this is a comma-separated list of Knowledge Base article numbers. (See example below.)


What is the result if the patch is not available or not applicable to the device? Is that an error or just quietly ignored (so the method could return success-no-content)?

DownloadOnly (boolean; default false): Whether the patch should be downloaded but not be installed if it is not already installed.

CabFilePath (string; default empty): The full path of the location of the .cab file if Source is 'CAB'.

This must be specified if Source is 'CAB' and should not be specified for any other Source value.

If the path is specified it must be to a local CAB-file. Shared, i.e. remote, CAB-files are not supported by Windows Update Agent.

CheckOnLine (bool; default true): Grant permission (or not) as to whether to go over the network or remain purely local to the host.

  • If true, a parameter error will occur if a CabFilePath is also supplied.
  • if false and DownloadOnly is true then a parameter error will occur as something cannot be downloaded without touching the network. If DownloadOnly is false then the patch must already be downloaded to actually be installed.

Asynchronous (bool: default false): If false, then the patch will happen inline with the instruction execution, meaning the instruction could take many minutes to complete and the agent will be unable to respond to other instructions effectively. If true then the result set will indicate that the operations have been kicked off, and a call to ListUpdates would need to be made to determine whether the patch is now installed.

Return values

For each patch that was deployed:

PatchSpec (string): The patch identifier. For Windows, a Knowledge Base article number.

DownloadOnly (boolean): Whether the patch was to be just staged (false) or also installed (true), i.e. the supplied or implicit DownloadOnly parameter.

NeededDownload (boolean): Whether the patch actually needed to be downloaded.

DownloadResult (integer): The COM success (0) or error (not 0) codes related to downloading.

DownloadError (string): The human readable form of the DownloadedResult column if a download error occurred.

NeededInstallation (boolean): Whether the patch actually needed to be installed (true) or it was already installed (false).

InstallResult (integer): The COM success (0) or error (not 0) codes related to installation.

InstallError (string): The human readable form of InstallResult if an installation error occurred.

RebootRequired (bool): If true then a reboot is required after the patch was installed, if false then a reboot is not required.

Patch.DeployPatch(Source:"SCCM", PatchSpec:"2267602");
  • Windows

Updates will be performed only if they do not require user input

Reboot might be required before any patches can be installed, so the method will abort and return an error when this is true.