Remotely Install Windows Updates – A How To Guide
Trying to remotely install Windows updates can prove to be a real challenge.
WSUS is a great tool for deploying MS updates throughout your environment, but the default GPO settings for WSUS only permit downloading the updates to the device; they will not install. The user is relied upon to initiate an install. Windows finds updates that apply to your computer and downloads these updates in the background (the user is not notified or interrupted during this process). When the download is complete, the icon appears in the status area, with notification that the updates are ready to be installed. Clicking the icon or message provides the option to select which updates to install.
There are typically two methods the user can use to accomplish the install:
- The user interacts with the pending updates tray icon and initiates an express or custom install
- The user selects the Install Updates and Shutdown option from the shutdown menu
Of course, the user will likely not do either of these, and you’re left in a predicament where many devices have available updates that are forever waiting to be installed.
This situation can be changed for future WSUS deployments by altering the WSUS updates policy: go to your GPO, right-click the “WSUS updates policy”, click Edit, and browse to “Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update”, where you can change the settings.
While this will change the method in which future updates are handled, you still need a way to resolve the hundreds of pending updates that are currently residing on devices in your environment. You could of course visit each PC individually and initiate the install through a manual process. If you have a small environment, that might be feasible. For those of us in an enterprise environment though, a remote solution is not only preferred, but often required.
Why is it challenging to remotely install Windows updates?
There is no set command you can send to your devices that specifically instructs them to begin installing pending updates.
Additionally, (and in my opinion – a huge oversight by Microsoft) there is no way to trigger the Install Updates and Shutdown function remotely either.
You’ve probably Googled around already and likely stumbled upon complex scripts like this:
Force installation of WSUS or Windows Updates
I experimented around with several of these, and while I was able to get some to work, they are cumbersome to use and often difficult to customize.
So, how can you remotely install Windows updates?
With a third-party utility called WuInstall. WuInstall is a command-line tool that makes it possible to install Windows Updates on demand.
I know what you’re thinking… you don’t really want a third party solution.
The fact of the matter is, WuInstall just works. It’s simple, effective, and highly customizable. If you are aware of an even simpler solution to force pending updates to install, please post it in the comments; I’d love to know about it.
WuInstall has a lot of excellent documentation on their website, so I’m not going to get into the details of how it operates, or the hundreds of customization options.
Instead, I’d like to provide you with a working example of how you would use this tool in your environment to resolve the pending updates issue.
You will require the use of the psexec utility to deploy WuInstall. psexec is part of the PSTools Suite.
If you aren’t already utilizing PSTools in your environment, I highly encourage you to start. It is an invaluable set of tools for all administrators.
Four items are required to remotely install Windows updates using WuInstall:
- A batch file containing all the necessary commands and switches for the deployment (WUInstall.bat)
- A text file containing the names of the PCs that you’d like to remotely install updates on (PCList.txt)
All of these items should be placed inside a folder on a network share accessible by all the devices you will be forcing update installations on.
Here is the entirety of the code you will need in the batch file:
\\share\share_path\psexec.exe @\\share\share_path\PCNames_List.txt -u domain\user -p P@ssw0rd -c -s -d \\share\share_path\wuInstall.exe /install /autoaccepteula /silent /reboot_if_needed /rebootcycle 3
pause
The first part of the code gives the full path to the psexec executable.
The second part of the code provides the path to the list of PCs. This list should contain the names of the PCs you’d like to remotely install updates on.
The third section of code contains psexec switches that provide:
- Domain credentials that have admin privileges on the devices in your PC list
- -c (copies wuInstall.exe to the local device to run)
- -s (runs wuInstall.exe as System)
- -d (psexec won’t wait for each PC to complete; you should definitely utilize this switch, otherwise psexec will wait for updates to complete on EACH PC before proceeding to the next one)
-u domain\user -p P@ssw0rd -c -s -d
The fourth section of code provides the path to the wuInstall.exe
The remaining code consists of custom switches applied to wuInstall that instruct it how to interact with the device.
- /install – instructs the PC to check with WSUS for additional updates and download any that are missing. Once complete, install of all pending updates begins
- /autoaccepteula – Some updates require user interaction to accept agreements; this switch takes care of that
- /reboot_if_needed – not all updates require a reboot. This switch ensures the PC only reboots if it needs to
- /rebootcycle 3 – Sometimes updates can’t be installed all at once. This switch permits the PC to reboot after the first round of updates, and then wuInstall will start back up again, and continue installing the next round of updates. You can control how many times this is permitted to happen. In this example, the PC is permitted to reboot a maximum of 3 times.
/install /autoaccepteula /silent /reboot_if_needed /rebootcycle 3
In short, running the batch file in this example would tell all the devices in the PCNames_List to begin installing all pending updates in the background. The user could continue to work while updates are applied. When completed, if a reboot is required, the user receives a brief warning and the PC will reboot to complete the install. This process will continue until all updates are applied, or until the reboot limit of three is reached.
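As an added example (not the author's code and not part of WuInstall or PsExec), the PowerShell loop below starts the same deployment without keeping a password in a batch file on a share that every device can read. It assumes it is run from a session logged on as an account that is already a local administrator on the target PCs, so PsExec's -u and -p are omitted; the share path is the article's placeholder and the CSV log location is an assumption.

```powershell
# Added example: same deployment as the batch file, with no stored password.
# Assumption: this session runs as an account that is local administrator on
# the target PCs, so PsExec authenticates with that logon (no -u / -p).
$share     = '\\share\share_path'            # placeholder path from the article
$psexec    = Join-Path $share 'psexec.exe'
$wuInstall = Join-Path $share 'wuInstall.exe'
$pcList    = Join-Path $share 'PCNames_List.txt'

# Fail early if any required file is missing
foreach ($path in $psexec, $wuInstall, $pcList) {
    if (-not (Test-Path -LiteralPath $path)) { throw "Missing file: $path" }
}

# Read the PC names, dropping blank lines and stray whitespace
$pcs = Get-Content -LiteralPath $pcList |
    ForEach-Object { $_.Trim() } | Where-Object { $_ }

# wuInstall switches exactly as used in the article
$wuArgs = '/install', '/autoaccepteula', '/silent', '/reboot_if_needed', '/rebootcycle', '3'

$results = foreach ($pc in $pcs) {
    # -c copy wuInstall.exe to the target, -s run as System, -d do not wait
    $output = & $psexec "\\$pc" -accepteula -c -s -d $wuInstall @wuArgs 2>&1
    [pscustomobject]@{
        Computer = $pc
        ExitCode = $LASTEXITCODE
        Output   = ($output | Out-String).Trim()
    }
}

# Keep a per-PC record so failures such as "Access is denied" are visible
$results | Export-Csv -Path (Join-Path $env:TEMP 'wuinstall-run.csv') -NoTypeInformation
$results | Format-Table Computer, ExitCode -AutoSize
```

Looping per PC instead of passing @file lets each PsExec result be logged against the machine it came from.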
wuInstall contains many more customization options that are not highlighted in this example. You should be able to configure it appropriately to suit the unique factors of your organization.
I hope this article helps you address the pending updates issue in your environment.
If you’d like to share another method you know of to remotely install Windows updates, feel free to post it in the comments.
FYI – There’s an app called BatchPatch, which is as easy or easier than WuInstall. It has a GUI instead of command line, and the free evaluation is fully functional and NOT time-limited. It only limits the number of hosts that can be handled simultaneously. Definitely worth taking a look at.
Thanks for sharing Jon. I’ll definitely be playing around with this next week.
I do not have internet connection on my list of servers. I need to download the updates on one server, copy the installers to all the servers and run them remotely. Can this be achieved?
The process outlined above does not require an internet connection on your end servers.
Your servers will require only a network connection to your WSUS server.
The WSUS will have the updates available and your servers will download them from WSUS.
Only the WSUS server in this scenario would require an active internet connection.
You may want to review the GPO settings. You really do not need to run a script. As long as you get all of your servers up to date the total updates needed per update cycle will be manageable with just one reboot. If you look at some of the settings, especially the one on the screenshot for Auto Update, you should select option 4 and it will pull and install the patches automatically. There is also an option for retries if it fails so you really do not have to do this manually. For servers, you really shouldn’t be touching it like the method above so much as they’re critical to business.
I agree with RSSD, you simply need to set the GPO settings correctly and the updates will be processed by the client machine at the designated time.
Hello there, script works fine, but as soon as I replace the \\computername with the computerlist run file it says “system cannot find the file specified”. Any ideas? Cheers, Marcus
You need to preface the computer list with an @ symbol.
So I’m getting a Could not start PSEXESVC service on “computer name”:
Access is denied.
Is there any fix for this? Thank you for all your help!
You need to be running with an account (-u domain\user -p P@ssw0rd -c -s -d) that has local admin privileges to the devices that you are interacting with.
I use Wsus Package Publisher. It is primarily a tool to package your own updates for non-Microsoft apps, but I only use it for the ability it has to send a command for Install pending updates (it also has detect now and report now). It doesn’t need anything applied to the remote PC and it works well.
It’s also free.