WuInstall – Command-line control over Windows updates

• Author
• Recent Posts

Timothy Warner

Timothy Warner is a Microsoft Cloud and Datacenter Management Most Valuable Professional (MVP) who is based in Nashville, TN. Check out his Azure and Windows Server video training at Pluralsight, and feel free to reach out to Tim via Twitter.

Latest posts by Timothy Warner (see all)

• Azure PowerShell vs. Azure CLI - Wed, Mar 15 2023
• Use Azure Storage for backup - Thu, Feb 23 2023
• Azure Data Studio vs. SQL Server Management (SSMS) - Wed, Feb 8 2023

Many of you probably use Windows Server Update Services (WSUS) for patch management in your domains. WSUS, along with Group Policy, gives you the ability to:

• Download Windows Updates to a central repository on your LAN
• Selectively approve or reject updates
• Schedule deployment to your server and workstation nodes

The WSUS approach, whether deployed on its own or orchestrated through System Center Configuration Manager, is a tried-and-true formula that suffers from one fatal flaw: a lack of agility.

Think of the recent WannaCry ransomware attack, for example. Microsoft released a fix to the underlying Windows operating system vulnerability in March for current Windows Server and Client versions, and they even released an out-of-band special update for legacy Windows versions.

In a case like this, you need the ability to download and patch systems as quickly as possible. This agility is one feature you get with HS2N WuInstall, a command-line client that gives Windows systems administrators lightning-fast control over the Windows Update cycle.

Basic operation

Go ahead and download a 30-day free trial at the WuInstall web site. Don't be shocked when you open the ZIP archive and see only executables. There is no installation because this is simply a monolithic command-line tool! There are three binaries:

• exe: 32-bit digitally signed executable
• exe: 32-bit, no digital signature
• exe: 64-bit digitally signed executable

For convenience, I suggest that you:

• Rename exe to wuinstall.exe for convenience.
• Modify your administrative workstation's PATH environment variable to include the path to the exe binary. This way you can call wuinstall from anywhere in the file system at a command prompt; I show this in the next screenshot.

Add wuinstall.exe to your system PATH

Now open an administrative PowerShell console and type wuinstall. As shown in the following screenshot, you'll see the WUInstall splash screen. Now press Usage and take note: that's the command's full syntax. Of course, you can always hit the documentation.

Viewing WUInstall command syntax

Run the following command to dump the help contents to a text file for easier study:

wuinstall --help > .\wuinstallhelp.txt

Finding and installing updates

Before we go any further, let me be clear: WuInstall works either with or without WSUS. You'll want to make sure you have clearance in your IT department before you use WuInstall to override WSUS, however.

Okay, that said, let's run a search for available Windows updates:

wuinstall --search

The above command will query the local host's configured WSUS server. If it detects no WSUS server, the output will say "You have no WSUS Server configured" and will query Microsoft Update.

If you want to bypass WSUS, run this command:

wuinstall --search --bypass_wsus

Note that the bypass remains in effect only for the duration of the current command.

Searching Windows updates with WuInstall

Here is partial output from when I ran a search on a Windows Server 2016 domain member server:

Searching for updates ... Criteria: IsInstalled=0 and Type='Software'
Result Code: Succeeded
1 Update found in total, filtering ...
1. Microsoft .NET Framework 4.7 for Windows 10 Version 1607 and Windows Server 2016 for x64 (KB3186568)
 Severity: Unknown
 UpdateClassification - Feature Packs
 Product - Windows Server 2016
 ID: ac3ad46a-f129-4ee7-bd4d-360385e87a1a
 Releasedate: 2017-06-22
 Size (MB): 67.05
 Eula Accepted: true
only /search was specified, stopping here!

That final output line is significant; the --search switch only queries the update source but does not download anything.

Check the documentation, because you can add criteria for closer matches. For example, the following command searches WSUS or Microsoft Update for driver updates not already installed:

wuinstall /search /criteria "Type='Driver' and IsInstalled=0"

NOTE: You'll notice in the documentation that WUInstall parameters can use either a Linux-style double-dash (--) or the Windows-style slash (/).

Or we can target a specific Microsoft Knowledge Base (KB) number:

wuinstall /search /match "KB3186568"

We can download updates to a local or network share directory by invoking the /download_to parameter:

wuinstall.exe /search /match "KB3186568" /download_to "C:\temp"

And then we can install one or more updates; if you don't specify a download location, WUInstall simply downloads the file and runs it.

wuinstall.exe /search /match "KB3186568" /install

Think of how useful WUInstall would be to deploy KB fixes quickly to address terrible malware outbreaks like WannaCry!

Installing updates

Centralized cache

WUInstall works fundamentally differently from WSUS and Group Policy because the latter uses a client pull model. By contrast, you can script WUInstall to push Windows Updates to clients whenever you need to do so.

The WUInstall central cache feature gives non-WSUS businesses some of the bandwidth-saving goodness of WSUS by storing Windows Updates in a central location.

Here I define my E:\updates (shared as \\dc1\updates) as a central cache and download/populate any updates within it:

wuinstall /download_cache \\dc1\updates

If you want another client to install its updates from the cache, run the following command:

wuinstall /install_cache \\dc1\updates

By the way, if this second client needs updates that the initial station did not, then the second node will populate the shared cache with those new updates. Very cool!

Control over reboot cycle

One of the major annoyances that both end users and systems administrators share is Windows' tendency to restart automatically after applying certain Windows Updates. WUInstall gives you control over the update/restart cycle.

For example, if you know in advance that a restart is required, you can force the post-installation action with a 10-second default delay. Of course, the value is customizable:

wuinstall /install /reboot 30

You can also specify that the system restart only if necessary and set a limit as to how many restarts can happen in sequence. For instance:

wuinstall /install /logfile_append c:\loginst.txt /reboot_if_needed /rebootcycle 2

Wrap-up

I hope you're thinking to yourself, "Wow! I can leverage administrative scripting and PowerShell remoting to take full control over Windows Updates!" Yes…yes you can. WUInstall is pretty darned cool.

Read the WUInstall v2.x license agreement for details on pricing. The software has several license editions based on the number of computers you want to manage.