Trying to remotely install Windows updates can prove to be a real challenge.
WSUS is a great tool for deploying MS updates throughout your environment, but the default GPO settings for WSUS only permit downloading the updates to the device; they will not install. The user is relied upon to initiate the install. Windows finds updates that apply to your computer and downloads these updates in the background (the user is not notified or interrupted during this process). When the download is complete, the icon appears in the status area, with notification that the updates are ready to be installed. Clicking the icon or message provides the option to select which updates to install.
There are typically two methods the user can use to accomplish the install:
- The user interacts with the pending updates tray icon and initiates an express or custom install
- The user selects the Install Updates and Shutdown option from the shutdown menu
Of course, the user will likely not do either of these, and you’re left in a predicament where many devices have available updates that are forever waiting to be installed.
This situation can be changed for future WSUS deployments by altering the WSUS updates policy: go to your GPO, right-click the “WSUS updates policy” policy, click Edit, and browse to “Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update”, then change the settings there.
While this will change the method in which future updates are handled, you still need a way to resolve the hundreds of pending updates that are currently residing on devices in your environment. You could of course visit each PC individually and initiate the install through a manual process. If you have a small environment, that might be feasible. For those of us in an enterprise environment though, a remote solution is not only preferred, but often required.
Why is it challenging to remotely install Windows updates?
There is no set command you can send to your devices that specifically instructs them to begin installing pending updates.
Additionally, (and in my opinion – a huge oversight by Microsoft) there is no way to trigger the Install Updates and Shutdown function remotely either.
You’ve probably Googled around already and likely stumbled upon complex scripts like this:
Force installation of WSUS or Windows Updates
I experimented around with several of these, and while I was able to get some to work, they are cumbersome to use and often difficult to customize.
So, how can you remotely install Windows updates?
A third party utility called WuInstall – WuInstall is a command line tool that makes it possible to install Windows Updates on demand.
I know what you’re thinking… you don’t really want a third party solution.
The fact of the matter is, WuInstall just works. It’s simple, effective, and highly customizable. If you are aware of an even simpler solution to force pending updates to install, please post it in the comments; I’d love to know about it.
Instead, I’d like to provide you with a working example of how you would use this tool in your environment to resolve the pending updates issue.
You will require the use of the psexec utility to deploy WuInstall. psexec is part of the PSTools Suite.
If you aren’t already utilizing PSTools in your environment, I highly encourage that you begin to do so. It is an invaluable set of tools for all administrators.
Four items are required to remotely install Windows updates using WuInstall:
- A batch file containing all the necessary commands and switches for the deployment (WUInstall.bat)
- A text file containing the names of the PCs that you’d like to remotely install updates on (PCList.txt)
- The psexec executable (psexec.exe)
- The WuInstall executable (wuInstall.exe)
All of these items should be placed inside a folder on a network share accessible by all the devices you will be forcing update installations on.
Here is the entirety of the code you will need in the batch file:
\\share\share_path\psexec.exe @\\share\share_path\PCNames_List.txt -u domain\user -p P@ssw0rd -c -s -d \\share\share_path\wuInstall.exe /install /autoaccepteula /silent /reboot_if_needed /rebootcycle 3
pause
The first part of the code gives the full path to the psexec executable.
The second part of the code provides the path to the list of PCs. This list should contain the names of the PCs you’d like to remotely install updates on.
The third section of code contains psexec switches that provide:
- Domain credentials that have admin privileges on the devices in your PC list. The password sits in plain text in the batch file, so anyone who can read the share can read it; if you leave out -p, psexec prompts for the password instead
- -c (copies wuInstall.exe to the local device to run)
- -s (runs wuInstall.exe as System)
- -d (psexec won’t wait for each PC to complete – you should definitely utilize this switch, otherwise psexec will wait for updates to complete on EACH PC before proceeding to the next one)
-u domain\user -p P@ssw0rd -c -s -d
The fourth section of code provides the path to wuInstall.exe.
The remaining code consists of switches applied to wuInstall that instruct it how to interact with the device.
- /install – instructs the PC to check with WSUS for additional updates and download any that are missing. Once complete, install of all pending updates begins
- /autoaccepteula – Some updates require user interaction to accept agreements; this switch takes care of that
- /reboot_if_needed – not all updates require a reboot. This switch ensures the PC only reboots if it needs to
- /rebootcycle 3 – Sometimes updates can’t be installed all at once. This switch permits the PC to reboot after the first round of updates, and then wuInstall will start back up again, and continue installing the next round of updates. You can control how many times this is permitted to happen. In this example, the PC is permitted to reboot a maximum of 3 times.
/install /autoaccepteula /silent /reboot_if_needed /rebootcycle 3
In short, running the batch file in this example would tell all the devices in the PCNames_List to begin installing all pending updates in the background. The user could continue to work while updates are applied. When completed, if a reboot is required, the user receives a brief warning and the PC will reboot to complete the install. This process will continue until all updates are applied, or until the reboot limit of three is reached.
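To see which PCs in the list still have pending updates, and which Automatic Updates policy each one is under, a check like the following can be run before and after the batch file. This is an added example, not part of the original article or of WuInstall; it assumes PowerShell remoting (WinRM) is enabled on the targets and reuses the placeholder share path from the batch file.

```powershell
# Added example: per-PC report of Automatic Updates policy and pending updates.
# Assumes WinRM/PowerShell remoting is enabled on the target PCs.
$listPath  = '\\share\share_path\PCNames_List.txt'   # same placeholder path as the batch file
$computers = Get-Content -Path $listPath | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$audit = {
    # Value written by the "Configure Automatic Updates" policy setting
    $auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $au    = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    $modes = @{
        2 = 'Notify for download and install'
        3 = 'Auto download, notify for install'
        4 = 'Auto download, scheduled install'
        5 = 'Local admin chooses'
    }
    $opt  = if ($au) { $au.AUOptions } else { $null }
    $mode = if ($opt -ne $null -and $modes.ContainsKey([int]$opt)) { $modes[[int]$opt] } else { 'Not set by policy' }

    # Ask the local Windows Update Agent which applicable updates are not installed
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates

    [pscustomobject]@{
        AUPolicy = $mode
        Pending  = $pending.Count
        Titles   = @($pending | ForEach-Object { $_.Title }) -join '; '
    }
}

$results = Invoke-Command -ComputerName $computers -ScriptBlock $audit -ErrorAction SilentlyContinue
$results | Sort-Object Pending -Descending | Format-Table PSComputerName, AUPolicy, Pending, Titles -Wrap

# PCs that returned nothing (offline, WinRM disabled, access denied) need a manual look
$computers | Where-Object { $_ -notin $results.PSComputerName }
```

A PC that reports "Auto download, notify for install" with a non-zero pending count is in exactly the state described at the top of this article: updates downloaded and waiting for a user to start the install.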
wuInstall contains many more customization options that are not highlighted in this example. You should be able to configure it appropriately to suit the unique factors of your organization.
I hope this article helps you address the pending updates issue in your environment.
If you’d like to share another method you know of to remotely install Windows updates, feel free to post it in the comments.