WSUS - Force System to Check for Windows UpdatesWindows Service Update Service (WSUS) is groaned by many administrators. What should be a drop-dead-easy process is overly complicated and difficult to manage.
Everything should "just work." But it doesn't.
On 80% of the systems, the ones left on all the time, the success rate is high. The updates download and install on schedule as per the Group Policy (GPO).
On 20% of the systems, the laptops not left on all the time or away from the office, the success rate is mixed. Sometimes the downloads update, sometimes not. Sometimes the downloads install. Sometimes not.
Invariably, throughout the course of a deployment, a handful of laptops and tablets start to lag behind. They refuse to download and install the updates for whatever reason.
This necessitates the ability to force the client system to download and update.
WUAUCLT
To force them to update and install used to be:
wuauclt /detectnow
wuauclt /updatenow
Or you could use the switches together:
wuauclt /detectnow /updatenow
USOCLIENT
Now with Windows 10, wuauclt is no longer working. But the completely undocumented USOCLIENT can be used to do the same:
USOClient StartScan (Start checking for updates)
USOClient StartDownload (Start downloading updates)
USOClient StartInstall (Start installing downloaded updates)
USOclient Refreshsettings
USOclient StartInteractiveScan
USOClient RestartDevice (Restart Windows after updates are installed)
USOClient ScanInstallWait (Check for updates, download available updates and install them)
USOclient ResumeUpdate
I’ve used the following command to get remote systems to update with success:
USOclient StartScan
USOclient StartDownload
USOclient StartInstall
Few notes:
- there is no slash.
- there is no documentation on the command.
- there is no output or feedback from the command.
- this command replaces: wuauclt
PSWINDOWSUPDATE
Or you can use powershell. This is not built-in so a module will have to be installed.
(The minimum TLS version was raised on the provider lookup site - Powershell Gallery. The first line sets the machine to TLS1.2)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-Module PSWindowsUpdate
Get-ExecutionPolicy
Set-ExecutionPolicy RemoteSigned
Import-Module PSWindowsUpdate
Get-WindowsUpdate (or Get-WindowsUpdate -Verbose)
Install-WindowsUpdate
All Commands Available in PSWindowsUpdate
get-module
get-installedmodule
get-command -module pswindowsupdate
Repo
To see the source repository of the updates (ie local intranet WSUS server or public internet Microsoft server):
Get-WUServiceManager
To set the source of the update to the public internet Microsoft Server:
Get-WindowsUpdate -MicrosoftUpdate
Extra
To search for a specific update:
Get-WindowsUpdate -KBArticleID KB982861
Get-WindowsUpdate -KBArticleID "KB5002324", "KB5002325"
Get-WindowsUpdate -KBArticleID KB982861 -Verbose
To get the current Job:
Get-WUJob
To see the installer status:
Get-WUInstallerStatus
To see the reboot status:
Get-WURebootStatus
To see the needed update status:
Get-WUInstall -verbose
To install with verbose:
Get-WUInstall -verbose -install
To get the history:
Get-WUHistory | ?{$_.Description -like "*Update*"}