Force clients to update after connecting to WSUS

    Question

  • Hi!

     

    I've recently installed WSUS on a server. Now I wonder if there is a way to force the clients to install all available (and approved) updates, preferably by entering a line in the command prompt or changing the group policy settings.

     

    Regards

     

    /Robert Jacobsson

    Thursday, March 13, 2008 6:59 AM

Answers

  • Assuming you mean you want them installed straight away, you can use a script for this:

    <http://www.scms.waikato.ac.nz/~harry/wsusupdate.vbs>

    There are several other similar scripts on the web if this particular one doesn't suit.

      Harry.


    Thursday, March 13, 2008 4:52 PM
    Moderator
  • The below is taken from:
    http://technet2.microsoft.com/windowsserver/en/library/51c8a814-6665-4d50-a0d8-2ae27e69ca7c1033.mspx?mfr=true


    If you are using GPO:


    1.  In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
     
    2.  In the details pane, click Configure Automatic Updates.
     
    3.  Click Enabled and select the following option:

    Auto download and schedule the install. If Automatic Updates is configured to perform a scheduled installation, you must also set the day and time for the recurring scheduled installation.


    If you are not using GPO

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

    AUOptions

    4 = Automatic download and scheduled installation. (Only valid if values exist for ScheduledInstallDay and ScheduledInstallTime.)


    "At the scheduled day and time, Automatic Updates installs the update and restarts the computer (if necessary), even if there is no local administrator logged on. If a local administrator is logged on and the computer requires a restart, Automatic Updates displays a warning and a countdown for when the computer will restart. Otherwise, the installation occurs in the background."

    Tuesday, June 10, 2008 7:29 PM
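
    A read-only check of the values named in this answer, as an added example that is not part of the original post or the TechNet article. Besides AUOptions, ScheduledInstallDay and ScheduledInstallTime, it reads NoAutoUpdate, a documented value in the same key that this page does not mention; the function name Test-AUScheduledInstall is made up for the example.

```powershell
# Added example (read-only): checks the Automatic Updates policy values on a client.
function Test-AUScheduledInstall {
    param(
        [string]$Path = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'
    )
    if (-not (Test-Path -Path $Path)) {
        return @("No policy key at $Path; scheduled install is not enforced by policy.")
    }
    $au = Get-ItemProperty -Path $Path

    # Return a value's data, or $null when the value does not exist in the key.
    $read = {
        param($Name)
        $p = $au.PSObject.Properties[$Name]
        if ($p) { $p.Value }
    }
    $findings = @()

    # AUOptions must be 4 for "automatic download and scheduled installation".
    $options = & $read 'AUOptions'
    if ($options -ne 4) {
        $shown = if ($null -eq $options) { 'missing' } else { $options }
        $findings += "AUOptions is $shown; 4 is required for scheduled installation."
    }

    # AUOptions = 4 is only valid when both schedule values exist.
    $day = & $read 'ScheduledInstallDay'
    if ($null -eq $day -or $day -lt 0 -or $day -gt 7) {
        $findings += 'ScheduledInstallDay missing or out of range (0 = every day, 1-7 = Sunday-Saturday).'
    }
    $hour = & $read 'ScheduledInstallTime'
    if ($null -eq $hour -or $hour -lt 0 -or $hour -gt 23) {
        $findings += 'ScheduledInstallTime missing or out of range (0-23, hour of day).'
    }

    # NoAutoUpdate = 1 turns Automatic Updates off regardless of AUOptions.
    if ((& $read 'NoAutoUpdate') -eq 1) {
        $findings += 'NoAutoUpdate is 1; Automatic Updates is disabled, so AUOptions has no effect.'
    }

    if ($findings.Count -eq 0) {
        $findings += "OK: AUOptions=4, day=$day, hour=$hour."
    }
    return $findings
}

Test-AUScheduledInstall
```

    Group Policy writes the "Configure Automatic Updates" setting to this same key, so the check applies to GPO-managed and registry-configured clients alike.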

All replies

  • Easy... create a new GPO for the domain and set the policies.  See the TechNet article talking about each policy (link) and I am pretty sure that the computers contact the WSUS when they log in for any updates.  You can also set deadlines for approved updates.
    Thursday, March 13, 2008 4:41 PM
  • Once you have them set up in your GPO to point to the WSUS server, go to a command prompt and type gpupdate /force and then type WUAUCLT /DETECTNOW.

    Later on, if you still think there are updates that need to be applied, you can go to the machine and type wuauclt /detectnow to force it to connect.  Another way, if you like doing it remotely, is to use PSSHUTDOWN and do a remote.  When you do a reboot on a machine it runs GPUPDATE and WUAUCLT automatically during the boot process.

    Until you have this all working well, I would not use HTTPS for your WSUS update site - it just confuses things when you try to troubleshoot.

     

    v/r

     

    Tim

    Monday, April 07, 2008 3:05 AM
  • Note that wuauclt /detectnow causes a detection cycle but won't (usually) cause the updates to actually install.  The only exception would be if one or more of the newly detected updates has an expired deadline.

    Monday, April 07, 2008 4:04 AM
    Moderator
  • Can you please tell me how to invoke the script? Do I put it in a login script or something like that?

    Thank you.

     

     Harry Johnston wrote:
    Assuming you mean you want them installed straight away, you can use a script for this:

    <http://www.scms.waikato.ac.nz/~harry/wsusupdate.vbs>

    There are several other similar scripts on the web if this particular one doesn't suit.

      Harry.


    Thursday, May 01, 2008 4:50 PM
  • It is unlikely to be appropriate to run this as a login script.  What are you trying to achieve?

    Thursday, May 01, 2008 9:23 PM
    Moderator
  • I would like to have the updates installed without user intervention. I'm using a GPO as defined in the Set Up a Client Computer section of the WSUS30Help.chm

     

    Thursday, May 01, 2008 9:31 PM
  • WSUS has built-in support for installing updates without user intervention.  The group policy setting is "Configure Automatic Updates".  Refer to the operations guide for details.

    Monday, May 05, 2008 8:52 PM
    Moderator
  • Like Robert Jacobsson, I wish to automate the application of WSUS-approved updates without operator intervention.  What I have found is that ONLY updates that don't require a reboot and don't interfere with Windows services will update without intervention. 

    I have set my WSUS GPO as directed throughout this thread and still I am required to touch each desktop, either directly or remotely for updates requiring reboots.

    I have set Automatic Updates to schedule installation daily at 2:00 AM when users are not allowed to use their PCs.  Is there any Policy or Registry setting that will FORCE updates to install and reboot if necessary without user intervention?  My goal is to reduce Total Cost of Ownership by reducing support requirements.

    Thanks,

    Peter Melton
    • Edited by phmelton Tuesday, June 03, 2008 9:35 PM misspelled name
    Tuesday, June 03, 2008 3:37 PM
  • I have GPOs set to not force a restart, but recently after approving a Critical Update (MS09-002), some systems were restarting after giving the user 5 minutes to save their work.

    Systems are running Vista O/S, SP1.

    Any ideas why?
    Stuart Clark, Systems Analyst
    Thursday, February 19, 2009 6:05 PM
  • The possible reasons:

    1. The "No auto-restart with logged in user" is only applicable IF a user is actually logged on when a restart is ready to run.

    2. If the user logs off, the timer runs out and a restart occurs immediately.

    3. If a deadline is configured for the update, the "No auto-restart" policy is suspended/ignored, and the restart is forced upon the user.

    4. The "No auto-restart" policy only applies to scheduled installations. If the installation was initiated by the user using the WUA User Interface (or via a script), the policy is ignored, and the WUA will initiate a restart following completion of the installation.

    In any event, a Restart WILL HAPPEN after installing updates -- it's merely a question of WHEN, and the WHEN is determined by:
        a. configured policies
        b. logged-in user status, permissions, and actions
        c. the presence of deadlines on the affected updates
    Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    Thursday, February 19, 2009 6:35 PM
    Moderator