Home / server / Questions / 99374
Accepted
Zypher
Asked: 2010-01-05 13:49:54 +0800 CST

Remotely Trigger WSUS Downloaded update Installation

  • 772

This has been bugging me for a while. We have our Servers set to download only windows updates to stage them to be installed during one of our bi-monthly patch windows. I have looked high and low for a way to trigger the installation remotely on the servers during this time so that I don't have to log into a hundred or more servers and click on the "Install Updates Now" balloon.

Anyone know of a way to trigger the update installations remotely?

windows-server-2003

4 Answers

  1. Best Answer

    I finally figured it out. There is a (barely) documented windows update API that you can use to trigger these types of things. I used a modified form of the script found here which is about as close to documentation as you can get.

    I modified it as below, taking out the downloading pieces - because i control the download with GPO and WSUS, as well as all of the prompts. Then I inserted some code to reboot the box if needed by the updates.

    Set updateSession = CreateObject("Microsoft.Update.Session")
Set updateSearcher = updateSession.CreateupdateSearcher()
WScript.Echo "Searching for updates..." & vbCRLF

Set searchResult = updateSearcher.Search("IsInstalled=0 and Type='Software'")


WScript.Echo "List of applicable items on the machine:"

For I = 0 To searchResult.Updates.Count-1
    Set update = searchResult.Updates.Item(I)
    WScript.Echo I + 1 & "> " & update.Title
Next

If searchResult.Updates.Count = 0 Then
    WScript.Echo "There are no applicable updates."
    WScript.Quit
End If


Set updatesToInstall = CreateObject("Microsoft.Update.UpdateColl")

WScript.Echo  vbCRLF & _
"Creating collection of downloaded updates to install:" 

For I = 0 To searchResult.Updates.Count-1
    set update = searchResult.Updates.Item(I)
    If update.IsDownloaded = true Then
       WScript.Echo I + 1 & "> adding:  " & update.Title 
       updatesToInstall.Add(update) 
    End If
Next

'WScript.Echo  vbCRLF & "Would you like to install updates now? (Y/N)"
'strInput = WScript.StdIn.Readline
'WScript.Echo 

'If (strInput = "N" or strInput = "n") Then 
'   WScript.Quit
'ElseIf (strInput = "Y" or strInput = "y") Then
    WScript.Echo "Installing updates..."
    Set installer = updateSession.CreateUpdateInstaller()
    installer.Updates = updatesToInstall
    Set installationResult = installer.Install()

    'Output results of install
    WScript.Echo "Installation Result: " & _
    installationResult.ResultCode 
    If (installationResult.RebootRequired = True) Then
        Set RebootShell = WScript.CreateObject("Wscript.Shell")
        RebootShell.Run "shutdown.exe -r -t 0"
    End If

    WScript.Echo "Reboot Required: " & _ 
    installationResult.RebootRequired & vbCRLF 
    WScript.Echo "Listing of updates installed " & _
     "and individual installation results:" 

    For I = 0 to updatesToInstall.Count - 1
        WScript.Echo I + 1 & "> " & _
        updatesToInstall.Item(i).Title & _
        ": " & installationResult.GetUpdateResult(i).ResultCode         
    Next
'End If

    The next step was to glue this together with psExec - which doesn't like running VBScripts remotely. I put together the following batch file to copy the script locally to the server, then kick off the install with psExec running as a System user: 

    for /f %%i in (%1) do copy installUpdates.vbs \\%%i\c$
psexec @%1 -s cscript C:\installUpdates.vbs

    All you need at this point is to pass the batch script a text file with the names of your computers in it - one per line, and you are good to go. No more logging into every server to kick off windows update installs!

    The one issue that is a little annoying, is that this is very much a serial execution, so if you have alot of updates it could take a while. I couldn't find a good way around this, besides breaking up your list of machines and running multiple copies of the batch file. Not the end of the world.

    Little bit of an update. I found out that there are some installations that you just need to be interactively logged on with the proper permissions to install. basically if wsus says it failed to install you gotta get on the box. Although this is a nice step up from having to log into EVERY box.

    • 6

  2. Use a GPO to set them to all install automatically at a timeframe that's in your window, and then just don't approve any updates until a few hours before your bi-monthly windows roll around?

    You could still approve them for your test-bench machines to see if they're going to cause the world to implode, this ensures that they all get downloaded prior to the window, and approving them for all servers before you leave the office for the day during your update window (I assume it's at some ungodly hour of the morning you don't want to be up for), they should all be done by the time you come in the next day.

    • 3

  3. If you want to run non-sequentially, just add -d to the PSEXEC command line. It will then run the installupdates.vbs non-interactively.

    • 0

  4. There's also WuInstall. The free version seems no better than the WUA API script you've put together but the pro version has an option to automatically accept the eula, which I would imagine is what causes most of the interactive updates necessary.

    • 0