Patch Tuesday rolls around again, and I get asked – how can I make my server check for updates from WSUS right NOW? Or perhaps you have just set up a new environment and want to manually configure a server to report in to one particular WSUS server to check for updates.

I wrote a small batch file that will manually configure a server or any other Windows computer to check in with Windows Server Update Services installed within your network, and then immediately download updates for you to manually apply.

Preparing to check in to WSUS server

First, to ensure that your problems with a server are not related to other issues, check the following:

  • Normally, you would configure a GPO to apply settings to Windows machines so they get the WSUS settings:
    • Check that the machine is a member of the domain
    • Check that the machine is in the correct OU to have the GPO applied to it
  • Check basic network connectivity to your WSUS server
    • Ping your WSUS server name
    • Check that the DNS name of the WSUS server can be resolved from the machine you want to get the updates
  • Ensure that the domain certificate is trusted by the machine – try to visit https://WSUSservername:8531 and see if you get a certificate error first, before you get a 403 Forbidden error
  • Have you run out of disk space on the C drive?
  • Look in the error log at c:\Windows\WindowsUpdate.log – read the bottom of the file to try and find an error.

Reconfiguring to use WSUS manually

Once you have ruled out problems with the Windows Update Service on a computer, you can run this batch file to reconfigure – it makes registry changes so you will need to run it as Administrator. I will explain each section; you just need to copy and paste each section into a single text file and save it with a .bat extension.

net stop wuauserv
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /F
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /F
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v BalloonType /F
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v BalloonTime /F
REG DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate /va /f

The first step is to stop the Windows Update service. Then we delete the registry values that relate to past checks. These entries will be recreated when the service starts up again, and as they are blank, it will make updates start immediately.

REG ADD HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer /d "http://yourWSUSserver:8530" /f
REG ADD HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUStatusServer /d "http://yourWSUSserver:8530" /f
REG ADD HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer /t REG_DWORD /d 1 /f

You need to edit this to reflect the name of your WSUS server (it can be an IP address), and the port number – this could be port 80 or 8530. These commands will configure the Windows machine to use the WSUS server you are specifying. The /f switch forces the change to be made even if the value already exists.

REG ADD HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v TargetGroup /d "Servers" /f
REG ADD HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v TargetGroupEnabled /t REG_DWORD /d 1 /f

The above two lines are optional. If you have specified target grouping on your WSUS server, then you should specify the group name and that the function is enabled. If you don’t know what to do here, leave these two lines out (or REM them out).

REG ADD HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /t REG_DWORD /d 3 /f
REG ADD HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /t REG_DWORD /d 0 /f
REG ADD HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v ScheduledInstallDay /t REG_DWORD /d 0 /f
REG ADD HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v ScheduledInstallTime /t REG_DWORD /d 03 /f
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUState /t REG_DWORD /d 2 /f
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions /t REG_DWORD /d 3 /f

This section changes settings to not automatically install updates, to instead notify with a balloon. It prevents the embarrassing issue where the default settings for WSUS are to automatically install updates and reboot at 3am – not what you want for a server…

net start wuauserv
%windir%\system32\wuauclt.exe /detectnow
%windir%\system32\wuapp.exe

This last section above will restart services, and then force an update check, and then open the Windows Update dialog.


I’ve been using the above script for many years, and it really helps on those late night patching chores!
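To confirm the batch file took effect, the values it writes can be read back and compared. The PowerShell below is an added example, not part of the original script; the function names are hypothetical, and the HTTPS check is an assumption based on the checklist testing port 8531 while the sample commands use http on 8530.

```powershell
# Added example: read back the values the batch file writes and list mismatches.
# Key paths and value names are the ones used in the REG ADD commands above.
$wu = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-WsusClientConfig {
    $problems = @()
    $server = Get-RegValue $wu 'WUServer'
    $status = Get-RegValue $wu 'WUStatusServer'

    if (-not $server) {
        $problems += 'WUServer is not set'
    } else {
        $uri = [uri]$server
        if (-not $uri.IsAbsoluteUri) {
            $problems += "WUServer is not a full URL: $server"
        } elseif ($uri.Scheme -ne 'https') {
            # The checklist tests the HTTPS port; an http URL is sent without TLS.
            $problems += "WUServer uses $($uri.Scheme), so traffic is not protected by TLS: $server"
        }
    }
    if ($status -ne $server) {
        $problems += "WUStatusServer '$status' differs from WUServer '$server'"
    }
    # Expected DWORD values, taken from the batch file.
    $expected = @{ UseWUServer = 1; NoAutoUpdate = 0; AUOptions = 3 }
    foreach ($name in $expected.Keys) {
        $actual = Get-RegValue $au $name
        if ($actual -ne $expected[$name]) {
            $problems += "$name is '$actual', expected $($expected[$name])"
        }
    }
    # Target grouping is optional, but enabled without a group name is a misconfiguration.
    if ((Get-RegValue $wu 'TargetGroupEnabled') -eq 1 -and -not (Get-RegValue $wu 'TargetGroup')) {
        $problems += 'TargetGroupEnabled is 1 but TargetGroup is empty'
    }
    return $problems
}

$result = Test-WsusClientConfig
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'WSUS client settings match the batch file.' }
```

Run it from an elevated PowerShell prompt on the machine you reconfigured; each warning names the value that differs.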
