Wsus force clients to search, download and install updates
Posted by Robobob1996@reddit | sysadmin | 10 comments
Hello there,
Currently I am working on integrating WSUS in my company for my 6th semester project. Our current solution will be end of life, and WSUS is just a transitional solution for the next system we're going to buy.
The actual way WSUS clients search for updates is just so random. I can't really get behind how the updateorchestrator tasks paired with GPO settings are satisfactory.
I am fairly good with PowerShell and am trying to work on forcing client-side search, download and install for updates. I use the Windows.Update.Session namespace and classes like CreateUpdateSearcher, CreateUpdateDownloader and CreateUpdateInstall.
Is there anyone here using these who can share some experience? Is there anything I have to worry about going this way? WSUS is probably not designed to work this way. But I want to try, and this is what my colleagues want.
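The search/download/install sequence the post describes, as an added example (not the OP's script): it uses the Windows Update Agent COM API (ProgID Microsoft.Update.Session, with CreateUpdateSearcher, CreateUpdateDownloader and CreateUpdateInstaller), scans only against the WSUS server already set by GPO, never reboots on its own, and reports per-update results plus the reboot flag so the run can be logged centrally. The ClientApplicationID label is an assumed name.

```powershell
# Added example, not from the original post. Run elevated on a WSUS-managed client.
$session = New-Object -ComObject 'Microsoft.Update.Session'
$session.ClientApplicationID = 'WSUS-force-scan'   # assumed label; appears in WindowsUpdate.log

$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = 1      # ssManagedServer: use the WSUS server from policy, never Microsoft Update
$searcher.Online = $true           # real detection pass, not the cached result

# Applicable, not-yet-installed, not hidden software updates that WSUS has approved
$result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
if ($result.Updates.Count -eq 0) { Write-Output 'No applicable approved updates.'; return }

$toDownload = New-Object -ComObject 'Microsoft.Update.UpdateColl'
foreach ($u in $result.Updates) {
    if (-not $u.EulaAccepted) { $u.AcceptEula() }   # downloads silently fail for unaccepted EULAs
    [void]$toDownload.Add($u)
    Write-Output ("Pending: {0}" -f $u.Title)
}

$downloader = $session.CreateUpdateDownloader()
$downloader.Updates = $toDownload
$dl = $downloader.Download()
# OperationResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed
if ($dl.ResultCode -notin 2, 3) {
    throw ("Download failed, HRESULT 0x{0:X8}" -f $dl.HResult)
}

# Install only what actually landed on disk
$toInstall = New-Object -ComObject 'Microsoft.Update.UpdateColl'
foreach ($u in $toDownload) { if ($u.IsDownloaded) { [void]$toInstall.Add($u) } }
if ($toInstall.Count -eq 0) { Write-Output 'Nothing downloaded, nothing to install.'; return }

$installer = $session.CreateUpdateInstaller()
$installer.Updates = $toInstall
$inst = $installer.Install()

# Per-update result codes, in the same order as the collection
for ($i = 0; $i -lt $toInstall.Count; $i++) {
    Write-Output ("{0}: result {1}" -f $toInstall.Item($i).Title, $inst.GetUpdateResult($i).ResultCode)
}
Write-Output ("Overall result {0}, reboot required: {1}" -f $inst.ResultCode, $inst.RebootRequired)
```

Leaving the reboot decision to a separate maintenance-window step keeps a forced scan from turning into an unplanned restart on 15k endpoints.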
MrYiff@reddit
Any reason you wouldn't use something like PSWindowsUpdate cmdlets for this?
https://www.powershellgallery.com/packages/pswindowsupdate
Pretty sure this can work with whatever you have configured so it can scan against WSUS or MS Update as needed.
Curious201@reddit
If this is for 15k clients, I would be very cautious about building your own force-install logic around Windows Update components unless the project specifically requires proving that path. WSUS is mostly there to approve and stage updates, not to give you a beautiful modern orchestration layer. You can trigger detection/reporting with wuauclt or usoclient depending on the OS, and you can watch the WindowsUpdate and ReportingEvents logs, but pushing this too hard often turns into brittle scripting that breaks differently across builds. If the current tool is going away and you only need a temporary bridge, I would focus on reliable reporting, sane GPO settings, maintenance windows, and clear reboot handling. For actual enforcement at that scale, WUfB/Intune/SCCM-style management is usually a better fit than trying to make WSUS behave like a full patch management product.
fdeyso@reddit
Wuauclt -detectnow -reportnow
Then wait for 10-15 minutes and you should see in wsus that the client reported in.
It's also worth checking the client logs in C:\Windows\SoftwareDistribution\ReportingEvents.log.
Robobob1996@reddit (OP)
I figured out that wuauclt /resetauthorization /reportnow paired with UpdateSearcher does report almost instantly.
shiranugahotoke@reddit
For all clients, or servers also? You can probably get WUfB set up for Windows 11 clients a lot more quickly.
Robobob1996@reddit (OP)
Only for clients (roughly 15.000). WUfB should be a no-go in my company for security reasons, and also it is way too costly, since we have to select the best solution in terms of pricing.
IndoorsWithoutGeoff@reddit
How is WUfB more costly than WSUS? It's built into the OS and you don't need any additional licensing to utilise it. In its most basic form it is cheaper than WSUS, as you do not require a server, a Server OS licence and CALs.
I would love to know the 'security reasons' your devices can't receive Windows updates directly from Microsoft servers but can receive the same updates from Microsoft via your WSUS server. I get wanting to have more control over updates, but I can't think of any security reason for WSUS over WUfB.
Robobob1996@reddit (OP)
We don't use Intune, so WUfB could not work as intended. Our clients must not report on their own to Microsoft services. They don't have that kind of internet access. We have policies to strictly work on premise as far as possible.
And answering your second paragraph: at the moment we use 2 WSUS servers, one upstream connected to MS servers and one downstream connected to the upstream. But I don't want to debate what's easiest and best; I asked for experience with what I mentioned above.
MuffinThin9542@reddit
This is a school project, yet they gave it to you for 15K endpoints?
Are you even working there, or is this an internship?
Robobob1996@reddit (OP)
I have been working there for over 10 years now and have a decent amount of experience working with a professional patch management tool which, as mentioned, is end of life, and we need a temporary solution until we get a new one.