Force Update Install?

  • Question

  • Hi All

    Is there a way of forcing an immediate install (assuming download is complete) via command-line/PowerShell?

    We need WSUS to manage the download process in the background (BITS, WSUS selects updates required after approval etc), BUT, at a predetermined time by the user (through a Line of Business app) immediately execute the install process.  

    How can this be achieved?

    Scenario to avoid:

    Field user takes tablet to client's doorstep, WSUS decides to install patches, and reboot a million times!

    Requirement (Win 8.1)

    Download patches in background when tablet connected to internet.

    User informed when patches are ready for install.

    User can postpone requests for install.

    User instigates patch install at an exact time suitable for them (via LOB app)

    After predetermined time/deadline, force user to install


    Have tried wuauclt.exe /detectnow /reportnow but it just doesn't seem to be as assertive/responsive as we need.


    Many thanks for any guidance.

    Lea

    Thursday, April 12, 2018 2:27 PM

All replies

  • Hi,

    Personally, it's not easy to achieve your requirement with WSUS directly; I haven't seen anything similar shared.

    Maybe you could consider SCCM, of course it is a paid product.



    • Edited by Yuxiang Shi Friday, April 13, 2018 10:33 AM
    Friday, April 13, 2018 10:33 AM
  • Hi and thanks for your response. I wonder if Lawrence Garvin is still around here; he was an amazing font of ALL WSUS knowledge back in the day when I built our WSUS farms?

    We have SCCM however:

    • Not sure if BITS is enabled on ours (could check and probably enable if needed)
    • The efficiency of WSUS in how it works out and distributes only those patches required for the individual client cannot be matched.

      e.g. a manual approach would mean: interrogate the MS update catalogue and realise 50 patches may be required, but the client may only actually need 5! Unless some incredible maintenance and tracking system is used to correlate all software/hardware installed across field devices, wouldn't we need to distribute all 50 to all clients? This leads to greater bandwidth requirements and significantly prolongs the user's patching cycle, especially with users on slow broadband lines.

    I wish we could just tell WSUS to install NOW!


    • Edited by LeaUK Friday, April 13, 2018 11:14 AM
    • Proposed as answer by stelong Friday, April 13, 2018 2:38 PM
    • Unproposed as answer by stelong Friday, April 13, 2018 2:38 PM
    Friday, April 13, 2018 11:13 AM
  • Group Policy is your friend

    Put all of the problem devices into an OU and apply a GP.

    2016 GP includes setting restart exclusion windows, no restart with logged on users, and setting 3 (download but do not install) from older SUS, as well as the ability to set a duration before the restart will happen automatically. 

    Friday, April 13, 2018 2:41 PM
  • Hi

    Many thanks for your reply.  Yep they're already within their own OU as we know this bunch are 'fun' to work with ;-) 

    Having already reviewed the GPs the main problem is many of the newer ones are Win10 and above, and as mentioned we're currently 8.1.  

    Also none provide a controlling mechanism of immediate install, i.e. we need an app to trigger the install process, rather than WSUS, so a CMD line tool would have helped, but none exist.

    Guessing we're out of luck!

    Plan 2

    I wonder if we can keep an eye on the C:\Windows\SoftwareDistribution\Download folder for MSIs etc. and trigger our own install somehow?

     

    Tuesday, April 17, 2018 10:42 AM
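
An added example, not part of any post in this thread: the Windows Update Agent COM API (`Microsoft.Update.Session`) lets a script install, on demand, the updates the agent has already downloaded from its configured source (WSUS when set by policy). The function name `Install-DownloadedUpdates` and the `-ListOnly` switch are hypothetical; run it elevated in a local session.

```powershell
# Added example (not from the thread). Requires an elevated, local PowerShell session.
function Install-DownloadedUpdates {
    [CmdletBinding()]
    param(
        # Hypothetical switch: only report what is ready, so a calling app can prompt the user.
        [switch]$ListOnly
    )

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()

    # The search uses the agent's default source, so under WSUS only approved,
    # applicable updates come back. No catalogue correlation is needed client-side.
    $found = $searcher.Search("IsInstalled=0 and IsHidden=0").Updates

    # Keep only updates whose payload is already on disk (downloaded in the background).
    $ready = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $found) {
        if ($u.IsDownloaded) {
            # An update with an unaccepted EULA will not install.
            if (-not $u.EulaAccepted) { $u.AcceptEula() }
            [void]$ready.Add($u)
        }
    }

    if ($ListOnly) {
        return @(foreach ($u in $ready) { $u.Title })
    }
    if ($ready.Count -eq 0) {
        Write-Verbose "No downloaded updates are waiting to install."
        return
    }

    $installer         = $session.CreateUpdateInstaller()
    $installer.Updates = $ready
    $result            = $installer.Install()   # blocks until the install finishes

    # ResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed, 5 = aborted
    [pscustomobject]@{
        Installed      = $ready.Count
        ResultCode     = $result.ResultCode
        HResult        = '0x{0:X8}' -f $result.HResult
        RebootRequired = $result.RebootRequired
    }
}
```

The function never restarts the device itself; the caller reads `RebootRequired` and decides when to reboot.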