Home > GPO, PSExec, Windows2008R2, Windows2012, Windows2012R2, WSUS > HOWTO: Force WSUS Client to Update using PSEXEC

HOWTO: Force WSUS Client to Update using PSEXEC

WSUS is a great tool for automating and managing Windows Updates to various systems in a domain. However, it’s not really all that granular, which is a problem. While you could say “install all updates at 03:00 on Saturday”, you can’t say “and after rebooting, check again, because you’re still in the maintenance window”. You also can’t specify “do it RIGHT NOW, don’t wait for a random period” and there are some difficulties with “reboot when complete, don’t want 5-15 minutes, don’t wait 3 days, do it now”.

It turns out there some undocumented switches for the Windows Update Client (wuauclt.exe). Various lists can be found all over, I’ve found one at: http://kickthatcomputer.wordpress.com/2013/03/06/windows-update-command-line-options/

If you use these methods it might take you a bit of tweaking and fighting to make it work. Specifically if you’re having issues with Windows 2012/2012R2 systems, check: HOWTO: Dealing with Windows 2012 and 2012 R2 Windows Update Behavior and the 3 Day Delay.

This method can be pushed out to all systems via PSexec. Note though that there are some things to watch for:

· The GPO must be set to “4 – Download and Install Updates”. If it is set to “3 – Download and Notify” then all the “wuauclt /UpdateNow” in the world won’t make it do what it’s not allowed

· Except for maybe on Windows 2012/2012R2 systems, where it will think it’s in a maintenance window, and well, you said “UpdateNow”, so let’s do that.

· I’ve found it to be intermittent if the Day/Hour for the option to install in the GPO is not set near the time you’re pushing out. This doesn’t matter so much if you’re doing a scheduled restart such as “Sunday @ 03:00”. But if you have a manual maintenance window where you’re trying to brute force blast out and confirm all the updates that starts at Friday @ 20:00 – you should probably ensure that the GPO is set to the same, especially given that this batch file will refresh the GPupdate.

· As time goes on through that maintenance window, update the GPO time as well. They must go hand in hand.

clip_image002

What you’ll see is that it will schedule the installation for the next day. In the above example, C:\WINDOWS\WINDOWSUPDATE.LOG is showing that on 2014-03-20 at 2:20AM it says it is scheduling the installation to occur at March 21 2014 at 12:00AM. This is because the first line indicates the GPO setting is “Every day” @ “00:00”. So if anything, you’d like that to be “the next hour, of the same or following day”. Watch things like running Friday at 11:45PM and not changing your “Install Day” from Friday to Saturday to accommodate the 00:00 or 01:00 next time.

· There doesn’t seem to be any harm in pushing out the batch file to a system that’s already updating, other than it will restart the Windows Update service. Where possible though, you want to push it to systems that are not otherwise installing. I don’t yet have a method for knowing if a current update process is occurring. Perhaps if you took the “ping” process that is the timer, and made it a “start /wait” with a title, then looked to see if a process was running with that title, don’t run…. But this is as far as I’ve gotten for now.

· Periodically check the WSUS console for “Last Updated” and “Last Reported” to get an idea for what systems need checking. Also look at the % complete column to know which systems are done.

With all that said, the batch file itself:

===== WSUS_FORCE.BAT =====

@echo off

SET WSUSSERVER=FSRVCLOWSUS1

SET WSUSSHARE=WSUSLOGS

SET WSUSLOG=WSUS_FORCED.LOG

REM

REM PSEXEC Usage

REM psexec @SERVER.LST -u svcautomation -H -f -c -D \\FSRVCLOWSUS1\E$\WSUS\bin\WSUS_FORCE.bat

REM

REM

REM Run a GPUPDATE

REM

gpupdate /force

REM

REM Restart services and refresh Windows Update

REM

net stop wuauserv

REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /f

REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v DetectionStartTime /f

REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f

net start wuauserv

wuauclt /scannow

wuauclt /resetauthorization /detectnow

echo %COMPUTERNAME% Checking for WSUS Update at %DATE% %TIME% >>\\%WSUSSERVER%\%WSUSSHARE%\%WSUSLOG%

wuauclt /r /ReportNow

echo %COMPUTERNAME% Installing WSUS Update at %DATE% %TIME% >>\\%WSUSSERVER%\%WSUSSHARE%\%WSUSLOG%

wuauclt /UpdateNow

:CHECK_REBOOT_REQUIRED

REM

REM This registry key only exists if WSUS indicates a reboot is required. Thus, keep checking for it to appear, and then reboot

REM

ping 127.0.0.1 -n 61 > nul

reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired" >nul

if %ERRORLEVEL%==1 goto CHECK_REBOOT_REQUIRED

if %ERRORLEVEL%==0 goto REBOOT

GOTO CHECK_REBOOT_REQUIRED

GOTO END

:REBOOT

echo %COMPUTERNAME% Rebooting after WSUS Update at %DATE% %TIME% >>\\%WSUSSERVER%\%WSUSSHARE%\%WSUSLOG%

shutdown -r -t 0

GOTO END

:END

===== WSUS_FORCE.BAT =====

Advertisements
  1. Barry Scripting
    March 15, 2016 at 2:14 AM

    If the update does not require an rboot then this script would go into an endlees loop and wait forever for the key to appear.
    Better implement a counter to wait maybe 100 cycles and then go on….

    • March 15, 2016 at 6:59 AM

      True. I’m almost always running this in a vSphere environment, so at the end, doing VMware Tools and Hardware update which typically force the reboot. But you’re very correct.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: