Many of you probably use Windows Server Update Services (WSUS) for patch management in your domains. WSUS, along with Group Policy, gives you the ability to:
- Download Windows Updates to a central repository on your LAN
- Selectively approve or reject updates
- Schedule deployment to your server and workstation nodes
The WSUS approach, whether deployed on its own or orchestrated through System Center Configuration Manager, is a tried-and-true formula that suffers from one fatal flaw: a lack of agility.
Think of the recent WannaCry ransomware attack, for example. Microsoft released a fix for the underlying Windows operating system vulnerability in March for current Windows Server and client versions, and even released a special out-of-band update for legacy Windows versions.
In a case like this, you need the ability to download and patch systems as quickly as possible. This agility is one feature you get with HS2N WuInstall, a command-line client that gives Windows systems administrators lightning-fast control over the Windows Update cycle.
Basic operation
Go ahead and download a 30-day free trial at the WuInstall web site. Don't be shocked when you open the ZIP archive and see only executables. There is no installation because this is simply a monolithic command-line tool! There are three binaries:
- exe: 32-bit digitally signed executable
- exe: 32-bit, no digital signature
- exe: 64-bit digitally signed executable
For convenience, I suggest that you:
- Rename exe to wuinstall.exe.
- Modify your administrative workstation's PATH environment variable to include the path to the exe binary. This way you can call wuinstall from anywhere in the file system at a command prompt; I show this in the next screenshot.
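Because the archive also contains an unsigned build and the folder is about to go on an administrator's PATH, it is worth checking both the binary and the folder first. The following is an added example, not part of the original article or WuInstall's documentation; the path and signer name are placeholders you supply.

```powershell
# Added example. $ExePath and $ExpectedSigner are placeholders, not vendor-supplied values.
function Test-WuInstallBinary {
    param(
        [Parameter(Mandatory)][string]$ExePath,
        [Parameter(Mandatory)][string]$ExpectedSigner   # part of the certificate subject
    )
    $findings = @()

    # 1. The Authenticode signature must validate and name the signer you expect.
    $sig = Get-AuthenticodeSignature -FilePath $ExePath
    if ($sig.Status -ne 'Valid') {
        $findings += "Signature status: $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
        $findings += "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    # 2. The folder that goes on PATH should be writable only by
    #    Administrators, SYSTEM and TrustedInstaller (compared as SIDs).
    $trusted = 'S-1-5-32-544', 'S-1-5-18',
               'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    $mask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $dir   = Split-Path -Parent (Resolve-Path -LiteralPath $ExePath).Path
    $rules = (Get-Acl -LiteralPath $dir).GetAccessRules(
                 $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        # Inherit-only entries apply to children, not to this folder itself.
        if ($r.PropagationFlags -match 'InheritOnly') { continue }
        $writable = ([int]$r.FileSystemRights -band [int]$mask) -ne 0
        if ($r.AccessControlType -eq 'Allow' -and $writable -and
            $r.IdentityReference.Value -notin $trusted) {
            $findings += "Folder $dir is writable by $($r.IdentityReference.Value)"
        }
    }
    [pscustomobject]@{
        Path     = $ExePath
        Trusted  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Test-WuInstallBinary -ExePath 'C:\Tools\wuinstall.exe' -ExpectedSigner '<vendor signer name>'
```

A folder that ordinary users can write to lets anyone on the workstation replace the binary that an elevated console later runs by name.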
Now open an administrative PowerShell console and type wuinstall. As shown in the following screenshot, you'll see the WUInstall splash screen. Now press Usage and take note: that's the command's full syntax. Of course, you can always hit the documentation.
Run the following command to dump the help contents to a text file for easier study:
wuinstall --help > .\wuinstallhelp.txt
Finding and installing updates
Before we go any further, let me be clear: WuInstall works either with or without WSUS. You'll want to make sure you have clearance in your IT department before you use WuInstall to override WSUS, however.
Okay, that said, let's run a search for available Windows updates:
The above command will query the local host's configured WSUS server. If it detects no WSUS server, the output will say "You have no WSUS Server configured" and will query Microsoft Update.
If you want to bypass WSUS, run this command:
wuinstall --search --bypass_wsus
Note that the bypass remains in effect only for the duration of the current command.
Here is partial output from when I ran a search on a Windows Server 2016 domain member server:
Searching for updates ... Criteria: IsInstalled=0 and Type='Software'
Result Code: Succeeded
1 Update found in total, filtering ...
1. Microsoft .NET Framework 4.7 for Windows 10 Version 1607 and Windows Server 2016 for x64 (KB3186568)
UpdateClassification - Feature Packs
Product - Windows Server 2016
Size (MB): 67.05
Eula Accepted: true
only /search was specified, stopping here!
That final output line is significant; the --search switch only queries the update source but does not download anything.
Check the documentation, because you can add criteria for closer matches. For example, the following command searches WSUS or Microsoft Update for driver updates not already installed:
wuinstall /search /criteria "Type='Driver' and IsInstalled=0"
NOTE: You'll notice in the documentation that WUInstall parameters can use either a Linux-style double-dash (--) or the Windows-style slash (/).
Or we can target a specific Microsoft Knowledge Base (KB) number:
wuinstall /search /match "KB3186568"
We can download updates to a local or network share directory by invoking the /download_to parameter:
wuinstall.exe /search /match "KB3186568" /download_to "C:\temp"
And then we can install one or more updates; if you don't specify a download location, WUInstall simply downloads the file and runs it.
wuinstall.exe /search /match "KB3186568" /install
Think of how useful WUInstall would be to deploy KB fixes quickly to address terrible malware outbreaks like WannaCry!
Centralized cache
WUInstall works fundamentally differently from WSUS and Group Policy because WSUS and Group Policy use a client pull model. By contrast, you can script WUInstall to push Windows Updates to clients whenever you need to do so.
The WUInstall central cache feature gives non-WSUS businesses some of the bandwidth-saving goodness of WSUS by storing Windows Updates in a central location.
Here I define my E:\updates (shared as \\dc1\updates) as a central cache and download/populate any updates within it:
wuinstall /download_cache \\dc1\updates
If you want another client to install its updates from the cache, run the following command:
wuinstall /install_cache \\dc1\updates
By the way, if this second client needs updates that the initial station did not, then the second node will populate the shared cache with those new updates. Very cool!
Control over reboot cycle
One of the major annoyances that both end users and systems administrators share is Windows' tendency to restart automatically after applying certain Windows Updates. WUInstall gives you control over the update/restart cycle.
For example, if you know in advance that a restart is required, you can force a restart after installation; the default delay is 10 seconds. Of course, the value is customizable:
wuinstall /install /reboot 30
You can also specify that the system restart only if necessary and set a limit as to how many restarts can happen in sequence. For instance:
wuinstall /install /logfile_append c:\loginst.txt /reboot_if_needed /rebootcycle 2
I hope you're thinking to yourself, "Wow! I can leverage administrative scripting and PowerShell remoting to take full control over Windows Updates!" Yes…yes you can. WUInstall is pretty darned cool.
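As an added example of the remoting idea (not code from the original article or from WuInstall's documentation), the script below uses only the read-only /search /match step to report which hosts are still offered a given KB. It assumes wuinstall.exe is on each target's PATH and that the output has the format shown in the sample earlier; the host names are hypothetical.

```powershell
# Added example: host names and wuinstall.exe being on each target's PATH are assumptions.
function ConvertFrom-WuInstallSearch {
    param([string[]]$Lines)
    # Result entries look like "1. <title> (KB3186568)" in the article's sample output.
    $updates = foreach ($line in $Lines) {
        if ($line -match '^\s*\d+\.\s+(?<title>.+?)\s*\(KB(?<kb>\d+)\)\s*$') {
            [pscustomobject]@{ KB = "KB$($Matches.kb)"; Title = $Matches.title }
        }
    }
    [pscustomobject]@{
        Succeeded = [bool]($Lines -match '^\s*Result Code:\s*Succeeded')
        Updates   = @($updates)
    }
}

function Get-MissingUpdate {
    param([string[]]$ComputerName, [string]$KB)
    # /search only queries the update source; nothing is downloaded or installed.
    $results = Invoke-Command -ComputerName $ComputerName -ArgumentList $KB -ScriptBlock {
        param($kb)
        $text = & wuinstall.exe /search /match $kb 2>&1 | Out-String
        [pscustomobject]@{ Output = $text; ExitCode = $LASTEXITCODE }
    } -ErrorAction SilentlyContinue -ErrorVariable failed
    foreach ($r in $results) {
        $parsed = ConvertFrom-WuInstallSearch -Lines ($r.Output -split "`r?`n")
        [pscustomobject]@{
            Computer = $r.PSComputerName
            QueryOk  = $parsed.Succeeded      # False: treat the host as unknown, not patched
            Missing  = [bool]($parsed.Updates.KB -contains $KB)
            ExitCode = $r.ExitCode            # reported as-is, not interpreted
        }
    }
    foreach ($f in $failed) { Write-Warning "Remoting failed: $f" }
}

# Constructed sample: the search output quoted in the article, parsed offline.
$sample = @'
Searching for updates ... Criteria: IsInstalled=0 and Type='Software'
Result Code: Succeeded
1 Update found in total, filtering ...
1. Microsoft .NET Framework 4.7 for Windows 10 Version 1607 and Windows Server 2016 for x64 (KB3186568)
only /search was specified, stopping here!
'@ -split "`r?`n"
(ConvertFrom-WuInstallSearch -Lines $sample).Updates | Format-List

# Get-MissingUpdate -ComputerName 'srv01','srv02' -KB 'KB3186568'   # hypothetical hosts
```

An empty result means only that the configured update source did not offer the KB. On a WSUS client, an update that has not been approved is not offered, so a host reported as not missing the KB is not proven to be patched.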
Read the WUInstall v2.x license agreement for details on pricing. The software has several license editions based on the number of computers you want to manage.