locked
Wuauclt through opalis RRS feed

  • Question

  • I am trying to run the "wuauclt /updatenow" command through the "run program" object.

    After I run this policy, nothing happens.
    In the windowsupdate.log I find these events:

     

    2011-10-19	11:43:25:810	 780	368	AU	#############
    2011-10-19	11:43:25:810	 780	368	AU	## START ##  AU: Search for updates
    2011-10-19	11:43:25:810	 780	368	AU	#########
    2011-10-19	11:43:25:810	 780	368	AU	<<## SUBMITTED ## AU: Search for updates [CallId = {29B4B9D4-0BFC-4646-B464-C651EE46312C}]
    2011-10-19	11:43:25:810	 780	bb4	Agent	*************
    2011-10-19	11:43:25:810	 780	bb4	Agent	** START **  Agent: Finding updates [CallerId = AutomaticUpdates]
    2011-10-19	11:43:25:810	 780	bb4	Agent	*********
    2011-10-19	11:43:25:810	 780	bb4	Agent	  * Online = No; Ignore download priority = No
    2011-10-19	11:43:25:810	 780	bb4	Agent	  * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
    2011-10-19	11:43:25:810	 780	bb4	Agent	  * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
    2011-10-19	11:43:25:810	 780	bb4	Agent	  * Search Scope = {Machine}
    2011-10-19	11:43:26:795	 780	bb4	Agent	Update {3F7E6622-0F75-442A-88F7-FE5BE8C91715}.104 is pruned out due to potential supersedence
    2011-10-19	11:43:26:795	 780	bb4	Agent	  * Added update {57AFC029-ED53-42AC-AE9C-0B19AD5DF3AB}.102 to search result
    2011-10-19	11:43:26:795	 780	bb4	Agent	Update {979BBDEF-4083-4803-9292-85E5DA9B0632}.102 is pruned out due to potential supersedence
    2011-10-19	11:43:26:795	 780	bb4	Agent	  * Added update {5B92CCF0-3865-4FF9-828F-FF8CF1A4D985}.101 to search result
    2011-10-19	11:43:26:795	 780	bb4	Agent	  * Added update {6882E4AF-446C-4B61-A2CF-EB664DBE01B8}.100 to search result
    2011-10-19	11:43:26:795	 780	bb4	Agent	  * Found 3 updates and 54 categories in search; evaluated appl. rules of 265 out of 670 deployed entities
    2011-10-19	11:43:26:795	 780	bb4	Agent	*********
    2011-10-19	11:43:26:795	 780	bb4	Agent	**  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
    2011-10-19	11:43:26:795	 780	bb4	Agent	*************
    2011-10-19	11:43:26:795	 780	e10	AU	>>##  RESUMED  ## AU: Search for updates [CallId = {29B4B9D4-0BFC-4646-B464-C651EE46312C}]
    2011-10-19	11:43:26:795	 780	e10	AU	  # 3 updates detected
    2011-10-19	11:43:26:795	 780	e10	AU	#########
    2011-10-19	11:43:26:795	 780	e10	AU	##  END  ##  AU: Search for updates [CallId = {29B4B9D4-0BFC-4646-B464-C651EE46312C}]
    2011-10-19	11:43:26:795	 780	e10	AU	#############
    2011-10-19	11:43:26:795	 780	e10	AU	Featured notifications is disabled.
    2011-10-19	11:43:26:795	 780	e10	AU	Successfully wrote event for AU health state:0
    2011-10-19	11:43:26:810	 780	e10	AU	Successfully wrote event for AU health state:0
    2011-10-19	11:43:31:795	 780	bb4	Report	CWERReporter finishing event handling. (00000000)

     

    2011-10-19	11:51:42:767	 780	f78	Service	WARNING: GetUserTokenFromSessionId failed with error 800703f0 for session 0
    2011-10-19	11:51:42:767	 780	f78	AU	AU received approval from Ux for 3 updates
    2011-10-19	11:51:42:767	 780	f78	AU	WARNING: ProgressUx is not applicable for session 0
    2011-10-19	11:51:42:767	 780	f78	Service	WARNING: GetUserTokenFromSessionId failed with error 800703f0 for session 0
    2011-10-19	11:51:42:767	 780	f78	AU	UpdateDownloadProperties: 0 download(s) are still in progress.
    2011-10-19	11:51:42:767	 780	f78	AU	Triggering Offline detection (non-interactive)
    2011-10-19	11:51:42:767	 780	f78	Service	WARNING: GetUserTokenFromSessionId failed with error 800703f0 for session 0
    2011-10-19	11:51:42:767	 780	f78	AU	AU setting pending client directive to 'Install Complete Ux'
    2011-10-19	11:51:42:767	 780	f78	AU	WARNING: Pending directive, 'Install Complete Ux', is not applicable
    2011-10-19	11:51:42:767	 780	f78	AU	WARNING: ApproveUpdatesInternal failed with hr:8024000c
    2011-10-19	11:51:42:767	 780	f78	AU	WARNING: UpdateNow failed with hr:8024000c


    2011-10-13	16:56:33:317	 780	a54	AU	Successfully wrote event for AU health state:0
    2011-10-13	16:56:33:317	 780	a54	AU	Featured notifications is disabled.
    2011-10-13	16:56:33:317	 780	a54	AU	AU setting next detection timeout to 2011-10-13 18:41:58
    2011-10-13	16:56:33:317	 780	a54	AU	Successfully wrote event for AU health state:0
    2011-10-13	16:56:33:411	 780	a54	AU	Successfully wrote event for AU health state:0
    2011-10-13	16:56:33:457	 780	e20	Report	CWERReporter finishing event handling. (00000000)
    2011-10-13	16:56:38:317	 780	e20	Report	CWERReporter finishing event handling. (00000000)
    2011-10-13	16:56:46:411	 780	368	AU	Launched new AU client for directive 'Install Approval', session id = 0x2
    2011-10-13	16:56:46:411	1496	58c	Misc	===========  Logging initialized (build: 7.4.7600.226, tz: +0200)  ===========
    2011-10-13	16:56:46:411	1496	58c	Misc	  = Process: C:\Windows\system32\wuauclt.exe
    2011-10-13	16:56:46:411	1496	58c	AUClnt	Launched Client UI process
    2011-10-13	16:56:46:426	1496	58c	Misc	===========  Logging initialized (build: 7.4.7600.226, tz: +0200)  ===========
    2011-10-13	16:56:46:426	1496	58c	Misc	  = Process: C:\Windows\system32\wuauclt.exe
    2011-10-13	16:56:46:426	1496	58c	Misc	  = Module: C:\Windows\system32\wucltux.dll
    2011-10-13	16:56:46:426	1496	58c	CltUI	AU client got new directive = 'Install Approval', serviceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, return = 0
    2011-10-13	17:04:28:745	 780	e20	Report	Uploading 3 events using cached cookie, reporting URL = http://wsus.xxx.xxx:8530/ReportingWebService/ReportingWebService.asmx
    2011-10-13	17:04:28:745	 780	e20	Report	Reporter successfully uploaded 3 events.
    2011-10-13	17:05:04:339	 780	d30	AU	WARNING: UpdateNow failed with hr:80070005

    As you can read, there are 3 updates ready for deployment, so the connection to our wsus server seems to be working.

     

    Details:
    Opalis service account is local admin.
    Both opalis and the target server are w2k8 R2 x64. (clean installs previous month)
     I've tried de "Program execution" with the whole path (c:\windows...etc), instead of the "Command execution" mode, same problem.
    I've tried running a batch file on the target server from opalis, same problem.
    I've changed the "Advanced" and the Security credentials to my Admin account (also local admin), same problem.
    If I run the command (and batch) by hand on the target server, it works.  

    What am I doing wrong? And is this the best way to do it through opalis, or am I re-inventing the wheel? ;)
    We want to do it with Opalis, 'cause we want to be able to stop services, monitor if users are logged in, put scom in maintenance mode, create an event log...etc 

     

    Thanks!

    Wednesday, October 19, 2011 10:05 AM

Answers

  • Hello sbeko,

    I had the same issue trying to download and install updates on target servers using the "Run Program" Object of Opalis 6.3.
    I did use cscript and a vbs script similar to that at http://msdn.microsoft.com/en-us/library/aa387102(v=VS.85).aspx (initiated by "Run Program").

    But to use the interfaces for downloading and installing the updates
    one needs to have an interactive logon (logon type 2),
    which the "Run Program" object of Opalis 6.3 seems not to be able to create on the target system
    (in spite of the statement in the "Opalis Integration Server User Guide":
    "[...] Note: This user name only logs in to the computer where the Run Program object is executed, and uses the Interactive logon type. [...]"

    This led to the error message "0x80070005 (E_ACCESSDENIED)" when the download of the updates was about to be initiated.
    (in your log:
    2011-10-13 17:05:04:339  780 d30 AU WARNING: UpdateNow failed with hr:80070005)


    I'd suggest to have a look at System Center 2012 Orchestrator (if possible) which has an altered "Run Program" activity that introduces the option to use "Run as" credentials.
    As long as UAC is set to "never notify" on the target system (W2k8 R2) the patch script works and wuauclt might as well.

    • Marked as answer by Robert_Hearn Friday, June 1, 2012 10:04 PM
    Wednesday, January 4, 2012 3:51 PM

All replies

  • Hello,

    On any computer you specify in the details of the "Run Program" object a service named "Opalis Remote Execution Service" will be installed to run the activity. It runs with Local System per default.

    Try to switch to "Allow Service to interact with desktop" and run the "Run Program" object with wuauclt  again.

     

    Regards,

    Stefan

    Wednesday, October 19, 2011 3:29 PM
  • Hi Stefan,

    thanks for the fast reply.

    The switch was already on, so still not working.

     

    Salvador

    Monday, October 24, 2011 8:31 AM
  • getting error: UpdateNow failed with hr:8024000c
    Wednesday, October 26, 2011 1:42 PM
  • Is there a best practice for this? (wsus updates with opalis)

    I'm sure we are not the only one who want's to controllably bring servers down and up. :)

    Monday, November 7, 2011 1:44 PM
  • We are now using powershell with psexec to run a vbs dat is put locally.... as a "workaround".
    Tuesday, November 29, 2011 9:57 AM
  • Do you get any output from the object at all? 

    Tuesday, December 6, 2011 3:00 PM
  • yes, the object returned: "success" and something like this in the opalis log: Connecting with OpExec service on XXX... Starting cmd.exe on XXX... Executing cmd.exe on XXX... cmd.exe started on XXX with process ID 2104. Waiting for completion... Process completed. Obtaining the remote execution status... Disconnecting from XXX... Disconnected Return value: 0; Log status: 16 (Process exited on XXX with return code 0.)
    Wednesday, December 7, 2011 12:58 PM
  • I'm having exactly the same issue. any ideias? 
    Thursday, December 29, 2011 7:54 PM
  • Hello sbeko,

    I had the same issue trying to download and install updates on target servers using the "Run Program" Object of Opalis 6.3.
    I did use cscript and a vbs script similar to that at http://msdn.microsoft.com/en-us/library/aa387102(v=VS.85).aspx (initiated by "Run Program").

    But to use the interfaces for downloading and installing the updates
    one needs to have an interactive logon (logon type 2),
    which the "Run Program" object of Opalis 6.3 seems not to be able to create on the target system
    (in spite of the statement in the "Opalis Integration Server User Guide":
    "[...] Note: This user name only logs in to the computer where the Run Program object is executed, and uses the Interactive logon type. [...]"

    This led to the error message "0x80070005 (E_ACCESSDENIED)" when the download of the updates was about to be initiated.
    (in your log:
    2011-10-13 17:05:04:339  780 d30 AU WARNING: UpdateNow failed with hr:80070005)


    I'd suggest to have a look at System Center 2012 Orchestrator (if possible) which has an altered "Run Program" activity that introduces the option to use "Run as" credentials.
    As long as UAC is set to "never notify" on the target system (W2k8 R2) the patch script works and wuauclt might as well.

    • Marked as answer by Robert_Hearn Friday, June 1, 2012 10:04 PM
    Wednesday, January 4, 2012 3:51 PM
  • sbeko,

    am i reading this correctly, that if you open a command prompt and type

    wuauclt /updatenow

    your machine installs updates? i think the "/updatenow" switch is a myth. it may exist inside the wuauclt exe, but it doesn't do anything. i get the same "updatenow failed with hr" message in windowsupdate.log if i run that command manually.

    Saturday, August 25, 2012 9:31 PM
  • the wuauclt /updatenow works properly when you are on a local comand prompt.

    even when you use psexec  to establish a command prompt on a remote machine u get a "WARNING: UpdateNow failed with hr:80070005" error in the windowsupdate.log on the remote machine.

    Friday, September 28, 2012 1:06 PM
  • you can also use Powershell on you local computer ran as an admin to detect and install updates. I see a lot of forums stating you cant run updates remotely because it fails with access denied due to logon type. Here is how I got it to work (the "-i" and "-s") options are the key.

    leftshift and right click on powershell. Select run as different user. Run this as an account with admin privileges on the server you want to run updates on. You will also need to download PSexec if you do not already have it.

    command to remotely force a check for updates.
    .\PsExec.exe -i -s \\servername wuauclt.exe /resetauthorization /detectnow


    command to install found updates remotely
    .\PsExec.exe -i -s \\servername wuauclt.exe /updatenow


    command to remotely restart computer
    .\PsExec.exe \\servername shutdown -r -t 00 -f

    to issue the commands to a list of computers in a file

    .\PsExec.exe -i -s @c:\hostlist.txt wuauclt.exe /updatenow

    Hope this comes in handy for anyone else struggling to simplify patch night or trying to figure out why wuauclt.exe /update now works locally but not remotely. the -i runs the command interactively on the native console and the -s runs it in the system account. 

    Tuesday, November 5, 2013 3:58 PM
  • the wuauclt /updatenow works properly when you are on a local comand prompt.

    even when you use psexec  to establish a command prompt on a remote machine u get a "WARNING: UpdateNow failed with hr:80070005" error in the windowsupdate.log on the remote machine.

    psexec will work if you use -i and -s.  This is what I use and it does work

    command to remotely force a check for updates.
    .\PsExec.exe -i -s \\servername wuauclt.exe /resetauthorization /detectnow


    command to install found updates remotely
    .\PsExec.exe -i -s \\servername wuauclt.exe /updatenow


    command to remotely restart computer
    .\PsExec.exe \\servername shutdown -r -t 00 -f

    to issue the commands to a list of computers in a file

    .\PsExec.exe -i -s @c:\hostlist.txt wuauclt.exe /updatenow

     
    Tuesday, November 5, 2013 4:01 PM
  • I know this thread is old, but just in case someone stumble upon it like me.  I would like to make an update that is working for me.  Adding the -accepteula option to PSEXEC works PERFECTLY!!!!

    command to remotely force a check for updates.
    .\PsExec.exe -accepteula -i -s \\servername wuauclt.exe /resetauthorization /detectnow


    command to install found updates remotely
    .\PsExec.exe -accepteula -i -s \\servername wuauclt.exe /updatenow

    Tuesday, November 24, 2015 8:40 PM