We’re using WSUS 3.0 to update our environment with the latest Windows Updates. Overall usage is fairly simple… however…
I found that sometimes when a lot of updates had to be installed on a server, not all approved updates were downloaded to the server. The majority was downloaded, and after rebooting the server once these updates were installed, Windows Update failed to detect and download the rest of the required updates within a reasonable amount of time. Restarting the Windows Update service didn’t help, and neither did the command ‘wuauclt /detectnow’.
When using WSUS there are a few things you need to take into account. Consider the process:
- A computer reports its status to the WSUS server
- WSUS checks this status against the updates available since the last synchronization (once a day)
- Required updates are marked as ‘needed‘ in the WSUS console
- Needed updates are approved and downloaded(*) to the WSUS server
- The computer checks for updates and downloads them as needed
- Updates are installed
WSUS uses SSL to communicate with the services, to check in, to request updates, to control the session. But once it gets a response that an update is needed and available to download, it downloads the update through HTTP. The utility will automatically check for Microsoft software updates, hotfixes, and patches and then distribute them to all the computers on the network. Although the WSUS server is a free automatic update service, it is a little rudimentary as a patch management solution. The system produces logs, but these can be difficult to comb through. Forgive the pun, couldn't resist. I haven't found any good way of actually forcing a client to update from a WSUS server. That is short of changing and re-changing the update settings to a 'near.
- I have client-side targeting set up to handle some remote workstations on our network. They VPN in from time to time - so they can hit the internal WSUS server when they are connected. I essentially want to set their Windows Update configuration via GPO to use internal WSUS, but to download the updates from the internet (Microsoft).
There is a difference between ‘reporting status‘ and ‘detection‘ of new updates.
In the first step the computer reports its status to the WSUS server. By default this is done every 22 hours unless you change the setting in group policy. After reporting status to the WSUS server the computer stores the information in a cookie and will not report its status again until these 22 hours have passed. This means that if your server has reported status and detected 13 updates that it can install in a first run, while you have approved 22 updates for this server in WSUS, the server will download and install these first 13 updates and probably ask you to reboot afterward.
When you check the log file (C:\Windows\WindowsUpdate.log) after the reboot you will find that the other 9 updates are not detected after the reboot. Furthermore, when you open a command prompt and execute the command ‘wuauclt /detectnow’ you will probably find the log to state ‘0 updates detected’. The reason for this is that the server has not reported status back to the WSUS server (as mentioned in step 1 above) between detection and installation of the first 13 updates (step 6) and the last detection after the reboot. Because of this, the WSUS server will think these 13 updates have not been installed yet and will not offer the last 9 updates. The server will not report status until 22 hours later unless the cached cookie is deleted and the server is forced to report status to the WSUS server…
Very, very annoying…
So can we do this?… Yes we can…
Open up a command prompt and execute the following command:
- wuauclt /detectnow /resetauthorization
The command-line option /resetauthorization tells Windows Update to get rid of the cached cookie. The log will still tell you ‘0 updates detected’ because this command does not tell Windows Update to report status.
After running this command, open services.msc and restart the Windows Update service.
After restarting the service, open C:\Windows\WindowsUpdate.log and wait until you see something like this in the log:
2009-10-28 11:05:50:358 820 13b8 Report Uploading 2 events using cached cookie, reporting URL = http://wsus.server.fqdn/ReportingWebService/ReportingWebService.asmx
2009-10-28 11:05:50:358 820 13b8 Report Reporter successfully uploaded 2 events.
This means the server has contacted WSUS and reported its status back. It can take up to 10-15 minutes for the server to report these entries in the log, and unfortunately it does not always succeed. If after 10-15 minutes these entries are not logged, repeat these steps one more time.
It is not unusual to get the occasional moody WSUS-managed device that will not report and/or update using a correctly configured WSUS server. The link below is the one I like to use to test the connection from the WSUS-managed device to the WSUS web site.
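The steps above as a PowerShell script, added here as an example and not part of the original post: it resets the cookie, restarts the service, then polls the log for the upload lines and retries once. It assumes PowerShell 3.0 or later, an elevated session, and the plain-text log path used in this post; the parameter and function names are illustrative.

```powershell
param(
    [string]$LogPath        = 'C:\Windows\WindowsUpdate.log',
    [int]   $TimeoutMinutes = 15,  # the post allows 10-15 minutes
    [int]   $MaxAttempts    = 2    # the post: repeat the steps one more time
)

# Polls the log tail until a "Reporter successfully uploaded" line newer than
# $Since appears. Returns an object carrying the reporting URL, or $null on timeout.
function Wait-WsusReport {
    param([string]$Path, [datetime]$Since, [int]$Minutes)
    $stamp    = '^(\d{4}-\d\d-\d\d)\s+(\d\d:\d\d:\d\d):\d+\s'
    $deadline = (Get-Date).AddMinutes($Minutes)
    while ((Get-Date) -lt $deadline) {
        $url = $null
        foreach ($line in Get-Content -Path $Path -Tail 500) {
            if ($line -notmatch $stamp) { continue }
            $when = [datetime]::ParseExact("$($Matches[1]) $($Matches[2])",
                        'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
            if ($when -lt $Since) { continue }   # ignore reports from before this run
            if ($line -match 'reporting URL = (\S+)') { $url = $Matches[1] }
            if ($line -match 'Reporter successfully uploaded \d+ events') {
                return [pscustomobject]@{ Time = $when; Url = $url }
            }
        }
        Start-Sleep -Seconds 30
    }
    return $null
}

for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
    $since = (Get-Date).AddSeconds(-1)   # log timestamps are compared at 1 s precision
    # Same order as the post: drop the cached cookie, then restart the service.
    & "$env:SystemRoot\System32\wuauclt.exe" /detectnow /resetauthorization
    Restart-Service -Name wuauserv
    $report = Wait-WsusReport -Path $LogPath -Since $since -Minutes $TimeoutMinutes
    if ($report) {
        Write-Output "Attempt ${attempt}: status reported at $($report.Time) to $($report.Url)"
        if ($report.Url -like 'http://*') {
            Write-Warning 'Reporting URL is plain HTTP; status events are sent unencrypted.'
        }
        return
    }
    Write-Warning "Attempt ${attempt}: no report logged within $TimeoutMinutes minutes."
}
throw "Client did not report status after $MaxAttempts attempts."
```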
Note: The test URL below uses my-wsus-box as the server name and 8530 as the configured port for the WSUS web site – change as appropriate.
Note: If the connection to the WSUS web site is good then a prompt to download wuident.cab should be presented.