Remotely Trigger WSUS Downloaded update Installation

update windows-server-2003 wsus

I finally figured it out. There is a (barely) documented windows update API that you can use to trigger these types of things. I used a modified form of the script found here which is about as close to documentation as you can get.

I modified it as below, taking out the downloading pieces - because i control the download with GPO and WSUS, as well as all of the prompts. Then I inserted some code to reboot the box if needed by the updates.

Set updateSession = CreateObject("Microsoft.Update.Session")
Set updateSearcher = updateSession.CreateupdateSearcher()
WScript.Echo "Searching for updates..." & vbCRLF

Set searchResult = updateSearcher.Search("IsInstalled=0 and Type='Software'")


WScript.Echo "List of applicable items on the machine:"

For I = 0 To searchResult.Updates.Count-1
    Set update = searchResult.Updates.Item(I)
    WScript.Echo I + 1 & "> " & update.Title
Next

If searchResult.Updates.Count = 0 Then
    WScript.Echo "There are no applicable updates."
    WScript.Quit
End If


Set updatesToInstall = CreateObject("Microsoft.Update.UpdateColl")

WScript.Echo  vbCRLF & _
"Creating collection of downloaded updates to install:" 

For I = 0 To searchResult.Updates.Count-1
    set update = searchResult.Updates.Item(I)
    If update.IsDownloaded = true Then
       WScript.Echo I + 1 & "> adding:  " & update.Title 
       updatesToInstall.Add(update) 
    End If
Next

'WScript.Echo  vbCRLF & "Would you like to install updates now? (Y/N)"
'strInput = WScript.StdIn.Readline
'WScript.Echo 

'If (strInput = "N" or strInput = "n") Then 
'   WScript.Quit
'ElseIf (strInput = "Y" or strInput = "y") Then
    WScript.Echo "Installing updates..."
    Set installer = updateSession.CreateUpdateInstaller()
    installer.Updates = updatesToInstall
    Set installationResult = installer.Install()

    'Output results of install
    WScript.Echo "Installation Result: " & _
    installationResult.ResultCode 
    If (installationResult.RebootRequired = True) Then
        Set RebootShell = WScript.CreateObject("Wscript.Shell")
        RebootShell.Run "shutdown.exe -r -t 0"
    End If

    WScript.Echo "Reboot Required: " & _ 
    installationResult.RebootRequired & vbCRLF 
    WScript.Echo "Listing of updates installed " & _
     "and individual installation results:" 

    For I = 0 to updatesToInstall.Count - 1
        WScript.Echo I + 1 & "> " & _
        updatesToInstall.Item(i).Title & _
        ": " & installationResult.GetUpdateResult(i).ResultCode         
    Next
'End If

The next step was to glue this together with psExec - which doesn't like running VBScripts remotely. I put together the following batch file to copy the script locally to the server, then kick off the install with psExec running as a System user: 

for /f %%i in (%1) do copy installUpdates.vbs \\%%i\c$
psexec @%1 -s cscript C:\installUpdates.vbs

All you need at this point is to pass the batch script a text file with the names of your computers in it - one per line, and you are good to go. No more logging into every server to kick off windows update installs!

The one issue that is a little annoying, is that this is very much a serial execution, so if you have alot of updates it could take a while. I couldn't find a good way around this, besides breaking up your list of machines and running multiple copies of the batch file. Not the end of the world.

Little bit of an update. I found out that there are some installations that you just need to be interactively logged on with the proper permissions to install. basically if wsus says it failed to install you gotta get on the box. Although this is a nice step up from having to log into EVERY box.


Use a GPO to set them to all install automatically at a timeframe that's in your window, and then just don't approve any updates until a few hours before your bi-monthly windows roll around?

You could still approve them for your test-bench machines to see if they're going to cause the world to implode, this ensures that they all get downloaded prior to the window, and approving them for all servers before you leave the office for the day during your update window (I assume it's at some ungodly hour of the morning you don't want to be up for), they should all be done by the time you come in the next day.

Related

How to set i/o priority for nfs client processes?
How do I fix the metainformation on the first commit in git?
SSH apparently not reading keys inside ~/.ssh
Poor load balancer performance on rackspace and centos
Apache ProxyPass Missing Images
Mapping printers using Group Policy Preferences; works on Windows XP, not on Windows 7 x64
Reject incoming emails that use your own domain as sender
How to exit Assembler back to Applesoft Basic on Apple II GS
How to selectively enable autocorrect based on language?
Download Xcode from developer site vs install from app store
Can I remove or hide the VIP Folder in Mail on iOS 6?
Utility to warn when process takes 100% CPU for x minutes?