WSUS – Remotely Trigger Downloaded Update Installation

updatewindows-server-2003wsus

This has been bugging me for a while. We have our Servers set to download only windows updates to stage them to be installed during one of our bi-monthly patch windows. I have looked high and low for a way to trigger the installation remotely on the servers during this time so that I don't have to log into a hundred or more servers and click on the "Install Updates Now" balloon.

Anyone know of a way to trigger the update installations remotely?

Best Answer

I finally figured it out. There is a (barely) documented windows update API that you can use to trigger these types of things. I used a modified form of the script found here which is about as close to documentation as you can get.

I modified it as below, taking out the downloading pieces - because i control the download with GPO and WSUS, as well as all of the prompts. Then I inserted some code to reboot the box if needed by the updates.

Set updateSession = CreateObject("Microsoft.Update.Session")
Set updateSearcher = updateSession.CreateupdateSearcher()
WScript.Echo "Searching for updates..." & vbCRLF

Set searchResult = updateSearcher.Search("IsInstalled=0 and Type='Software'")


WScript.Echo "List of applicable items on the machine:"

For I = 0 To searchResult.Updates.Count-1
    Set update = searchResult.Updates.Item(I)
    WScript.Echo I + 1 & "> " & update.Title
Next

If searchResult.Updates.Count = 0 Then
    WScript.Echo "There are no applicable updates."
    WScript.Quit
End If


Set updatesToInstall = CreateObject("Microsoft.Update.UpdateColl")

WScript.Echo  vbCRLF & _
"Creating collection of downloaded updates to install:" 

For I = 0 To searchResult.Updates.Count-1
    set update = searchResult.Updates.Item(I)
    If update.IsDownloaded = true Then
       WScript.Echo I + 1 & "> adding:  " & update.Title 
       updatesToInstall.Add(update) 
    End If
Next

'WScript.Echo  vbCRLF & "Would you like to install updates now? (Y/N)"
'strInput = WScript.StdIn.Readline
'WScript.Echo 

'If (strInput = "N" or strInput = "n") Then 
'   WScript.Quit
'ElseIf (strInput = "Y" or strInput = "y") Then
    WScript.Echo "Installing updates..."
    Set installer = updateSession.CreateUpdateInstaller()
    installer.Updates = updatesToInstall
    Set installationResult = installer.Install()

    'Output results of install
    WScript.Echo "Installation Result: " & _
    installationResult.ResultCode 
    If (installationResult.RebootRequired = True) Then
        Set RebootShell = WScript.CreateObject("Wscript.Shell")
        RebootShell.Run "shutdown.exe -r -t 0"
    End If

    WScript.Echo "Reboot Required: " & _ 
    installationResult.RebootRequired & vbCRLF 
    WScript.Echo "Listing of updates installed " & _
     "and individual installation results:" 

    For I = 0 to updatesToInstall.Count - 1
        WScript.Echo I + 1 & "> " & _
        updatesToInstall.Item(i).Title & _
        ": " & installationResult.GetUpdateResult(i).ResultCode         
    Next
'End If

The next step was to glue this together with psExec - which doesn't like running VBScripts remotely. I put together the following batch file to copy the script locally to the server, then kick off the install with psExec running as a System user: 

for /f %%i in (%1) do copy installUpdates.vbs \\%%i\c$
psexec @%1 -s cscript C:\installUpdates.vbs

All you need at this point is to pass the batch script a text file with the names of your computers in it - one per line, and you are good to go. No more logging into every server to kick off windows update installs!

The one issue that is a little annoying, is that this is very much a serial execution, so if you have alot of updates it could take a while. I couldn't find a good way around this, besides breaking up your list of machines and running multiple copies of the batch file. Not the end of the world.

Little bit of an update. I found out that there are some installations that you just need to be interactively logged on with the proper permissions to install. basically if wsus says it failed to install you gotta get on the box. Although this is a nice step up from having to log into EVERY box.

Related Topic