You're most likely here because you are an IT administrator and you have a network that deploys Windows Updates via Windows Server Update Services or WSUS. Perhaps you're relatively new to WSUS or you're a veteran that has been using the product since its inception. In either case, you are mostly frustrated because even in the latest release of WSUS that there is no reliable way to force clients to check in and report their status. You know about wuauclt /reportnow and /detectnow. You may even be aware of the .NET method (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow().
But despite having tried everything, you're at at a loss. All you want is for your clients to report their current status into WSUS on demand. Is that really too much to ask? Actually, it might be. If you google "force wsus client to check in to wsus server", you'll see almost 300,000 results. And I swear I've read every single one of them and tried every single suggestion.
I finally decided to take matters into my own hands. I built a lab environment consisting of a domain controller, a WSUS server and a client machine. I then proceeded to deep dive with process monitor and packet analyzers to try and find a way to "trick" the WSUS client into thinking it's time to report in. After many hours at this, I was just about to give up when I accidentally stumbled upon the magic command I was looking for.
Ladies and gentlemen, without further adieu, I present to you, THE command to run on your Windows clients to force them to check in on demand:
$updateSession = new-object -com "Microsoft.Update.Session"; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates
Running this command will "prime" the Windows Update engine to submit its most recent status on the next poll. To trigger that next poll, use:
wuauclt /reportnow
Yes, I know. you've done that a million times and it's never worked. But if you run the command above first, then it works. I've had a nearly 100% rate with this now over probably hundreds of machines.
To use it, open an administrative PowerShell prompt on the client machine and paste that in. It won't return anything but a few moments later you should see the WSUS last contact and last detect time update and more importantly, if all the updates were installed successfully, the computer will instantly change to green in the WSUS console. I've tested it on both Windows 7 and Windows 10 clients successfully.
If you want to run centrally from your WSUS server, I found that you can't use PowerShell remoting because of some kind of permissions thing. There may be a way around that but for now I found that psexec works fine. So below is a function you can add to your profile.ps1 file on your WSUS server to allow you to automatically update any client machines on demand:
This has been a life changer in terms of improving my frustration level with managing WSUS. I hope you find it useful.
Function Force-WSUSCheckin($Computer)
{
Invoke-Command -computername $Computer -scriptblock { Start-Service wuauserv -Verbose }
# Have to use psexec with the -s parameter as otherwise we receive an "Access denied" message loading the comobject
$Cmd = '$updateSession = new-object -com "Microsoft.Update.Session";$updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates'
& c:\bin\psexec.exe -s \\$Computer powershell.exe -command $Cmd
Write-host "Waiting 10 seconds for SyncUpdates webservice to complete to add to the wuauserv queue so that it can be reported on"
Start-sleep -seconds 10
Invoke-Command -computername $Computer -scriptblock
{
# Now that the system is told it CAN report in, run every permutation of commands to actually trigger the report in operation
wuauclt /detectnow
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
wuauclt /reportnow
c:\windows\system32\UsoClient.exe startscan
}
}
138 comments
Leave a Comment > Cancel >
Kyle
says on February 22, 2019
Worked for me! Thanks! I’ve been looking everywhere for answers
Mats
says on February 7, 2020
I was just about to give up.
Thanks a lot!
Laurenz Duerbeck
says on March 1, 2019
Hi Robbie.
That’s the most promising approach I’ve found on the web. And just like you I tried a lot of Things. #-(
It sometimes works for me but not always. I’m trying to figure out what causes the problem….
I always have to run “Usoclient RefreshSettings” first, since my Win 10 1803 does not reflect all settings although group policies are already applied. Seems to me that this is a problem with Windows’ servicing stack.
One more question: Does your script also work if no one is actually logged on interactively?
Robbie
says on March 7, 2019
I realize I forgot a step in my instructions.
The command above “tricks” WSUS into being able to report its status. But once it’s run you still have to tell it to actually report its status.
Follow up the command above with a wuauclt /reportnow and you should be golden.
Yes, the script works regardless if a user is logged in or not as you are logging in yourself via psexec.
Renzo F.
says on March 18, 2019
Thanks for this, I’ve searching a solution to the report problem for a long time.
Just a note: there’s a typo in the post: it says “wuault /reportnow” annd it shuld be “wuauclt /reportnow”.
The script is correct, but it may cause confusion.
Rudy
says on April 8, 2019
Is there a way to do this for 200 machines without having to log in to each one?
Robbie
says on April 8, 2019
Hi Rudy,
Yes there is. You’ll need some basic PowerShell scripting experience to do so and you’re environment would need to be configured to allow administrative remoting via psexec.
Here is the pseudo code to do that:
$Computers = (Get-ADComputers -Filter *).name
ForEach $Computer in $Computers)
{
Force-WSUSCheckin($Computer)
}
You’d want to add in some error handling and ping tests to speed it up and you’ll need to specify the path where your psexec.exe lives.
But otherwise that’s about it. I’ve refreshed my entire environment lots of times using this technique.
Bill
says on June 3, 2024
Had to change the following lines to correct a typo. Changed to below and now it works.
$Computers = (Get-ADComputer -Filter *).name
ForEach ($Computer in $Computers)
Jonathan B
says on April 30, 2019
How long does it take you to run that command.. For me, it seems to be timing out..
I get a COM Error once it decides it’s enough..
My WSUS assets are not reporting back to wsus, and I get a time out. I opened all firewalls on the windows client/server for testing purpose, I can reach the webpage, but in the error message it says it failed to get a HTTP reply..
I’ve set my IIS to the best practices except that I followed the instruction saying I should leave it at 4GB Ram..
Man .. no idea what to do from here.
Jonathan B
says on April 30, 2019
Exception from HRESULT: 0x80240440
At line:1 char:1
+ $updates=$updateSession.CreateupdateSearcher().Search($criteria).Upda …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException
Robbie
says on April 30, 2019
Hi Jonathan,
The command runs instantly in terms of it’s command line execution as it doesn’t return anything. Your issue sounds more fundamental to your WSUS installation. The two big things to check are:
1) Open a command prompt and type “Telnet [IP of your WSUS server] 8530”. If it returns a blank screen that means the port is open and responding and that’s good. If it doesn’t then that’s your issue and your WSUS server is not configured properly
2) Verify your GPO is applying properly and is pointing to the correct server by running this command on one of your clients
reg query “HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate”
3) Copy and paste whatever name is returned there into your telnet command to make sure DNS is resolving properly.
Hope that points you in the right direction.
Lord Glacius
says on July 10, 2019
Thank you for the suggestions. I have tried the command from powershell and get the same error:
Exception from HRESULT: 0x80244022
At line:1 char:62
+ … e.Session”; $updates=$updateSession.CreateupdateSearcher().Search($cr …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException
I have run through your steps above and they are all indicating correct connection with the WSUS server.
Do you have any suggestions further to help?
Many thanks in advance
Robbie
says on July 10, 2019
I seem to recall getting the 0x80244022 when the account I ran it under either didn’t have admin permissions to the machine or the PowerShell session was not run as an administrator. That’d be the first thing to confirm. If you are running as an admin, I’m not sure what else to suggest beyond trying from a different machine to see if the issue is limited to a specific system.
x86txt
says on August 26, 2019
This PowerShell error is due to the inability to communicate with the WSUS server. In my case, a system proxy was set and the proxy was blocking the communication. Once I allowed the IP of the WSUS server in the proxy server, the PS command executed without the error Lord Glacius notes.
Roman
says on May 2, 2019
One little problem: the scalar variable $criteria is not defined. That could cause some people problems, for example if they are using set-strictmode. So, presumably one can leave that out of the code. This web site seems to explain the Search method and what goes into the criteria area, though I didn’t really understand it or look that hard.
https://docs.microsoft.com/en-us/windows/desktop/api/wuapi/nf-wuapi-iupdatesearcher-search
Jason
says on May 14, 2020
I ran into this issue. I was getting an error calling search with 0 arguments (because $criteria was null). It worked after I set $criteria = ( IsInstalled = 0 and IsHidden = 0 ).
Roman
says on May 3, 2019
Awesome, that works! Thanks!
I didn’t have the problem with getting an error when creating the COM object. Here’s a minimal version assuming that that will work (and only using /reportnow):
Function Force-WSUSCheckin($Computer)
{
invoke-command -computername $Computer -scriptblock {
Start-Service wuauserv -Verbose
$updateSession = new-object -com “Microsoft.Update.Session”;
# More info about the Search method: https://docs.microsoft.com/en-us/windows/desktop/api/wuapi/nf-wuapi-iupdatesearcher-search
$criteria = $null
$updateSession.CreateupdateSearcher().Search($criteria) | out-null
Write-host “Waiting 10 seconds for SyncUpdates webservice to complete to add to the wuauserv queue so that it can be reported on”
Start-sleep -seconds 10
Write-host “running wuauclt /reportnow …”
wuauclt /reportnow
}
}
And yes, you do need the null value in the Search($criteria) method.
Ruhel
says on June 27, 2019
typo – missing the c wuault….
dane
says on July 1, 2019
Getting errors from psexec
psexec.exe : Exception from HRESULT: 0x8024401C
At C:\Temp\force-WSUSCheckin-from-list.ps1:9 char:4
+ & c:\temp\psexec.exe -s \\$Computer powershell.exe -ExecutionPolic …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (Exception from HRESULT: 0x8024401C:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
At line:1 char:59
+ … ate.Session;$updates=$updateSession.CreateupdateSearcher().Search($cr …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException
Connecting to MEWROYD01…Starting PSEXESVC service on MEWROYD01…Connecting with PsExec service on MEWROYD01…Starting
powershell.exe on MEWROYD01…
powershell.exe exited on MEWROYD01 with error code 1.
IdolR
says on July 4, 2019
Finally! A lot of people out there plastering them selves as WSUS “experts” none of their advice worked! This works! Thanks for sharing 🙂
Guy Lincoln
says on August 14, 2019
You are a good man Robbie….. Worked a treat.
Neil
says on August 16, 2019
Thanks you for the fix Robbie.
However your command in your comments at the top is missing a ‘c’
wuault /reportnow
should read
wuauclt /reportnow
Dave
says on September 12, 2019
This worked great! Thank you. Have been looking for this fix for many months.
Punithraj
says on September 25, 2019
HI Robbie,
this command in individual works fine . thank you so much for this.. now i want know how can i run this command from server targeting on all computers which not detected or detected old dates ?
JOE-B
says on September 27, 2019
This works for some but i wrote this batch file a couple years ago that works great too.
@echo on
net stop wuauserv
REG DELETE “HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update” /v LastWaitTimeout /f
REG DELETE “HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update” /v DetectionStartTime /f
Reg Delete “HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update” /v NextDetectionTime /f
net start wuauserv
wuauclt /detectnow
Hope this helps
Alexei
says on October 15, 2019
I second that, Chapeau Robbie!
Got a couple of those COM exceptions but after a reboot they were all gone.
Franc
says on November 12, 2019
HelIo,
I try to launch in admin on some Windows 10 the command $updateSession = new-object -com “Microsoft.Update.Session”; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates but most of the time there is no result no error and it doesnt back to the prompt. Any idea?
Thank you in advance
Edwin
says on December 11, 2023
I see the same behavior on my test server, but after about 60-120 seconds, it finally completes.
Shuey
says on November 22, 2019
Thanks so much Robbie! This freakin’ rocks! I always love when one guy out of thousands finds a way to make something work where no one else before him was able to! 😀
Tim
says on November 26, 2019
You’re a life-saver! Works like a charm! Solved a 2 year old mystery and now my WSUS looks like it’s freaking working again!
Daniel
says on December 17, 2019
Thank you!! it worked for me, now i don’t have to wait for clients to report.
PhilipM
says on January 7, 2020
Great work, thank you for researching and posting!
Dinusha
says on January 14, 2020
Hi Robbie and Others,
Could you please give some advice or more information to edits profile.ps1 ?
Tom
says on January 16, 2020
hours of messing with WSUS and nothing. I run the command you suggested and it was all happy in 30 seconds. I wish i knew about this command earlier.
Andy
says on January 24, 2020
Nice guide, but in the second wuauclt /detecnow you are missing the letter C!
Robbie
says on January 24, 2020
Thanks Andy. I’ve corrected the typo. I threw this HOWTO together pretty quickly once I realized the dang process actually worked. At some point I should go back and revisit it and add some additional detail for what I’ve determined about WHY it works. But it seems to be working for people so that’s all that matters!
Ondrej
says on January 30, 2020
I just love this!!! Finally something which works!
#WSUSisPain
David
says on February 12, 2020
Very good solution, thank you so much!
cirdec
says on February 17, 2020
Hello,
Very good solution but, for me, works only if last report is not older than 8 days.
If the last report is older than 8 days Nothing happens….even if i use a GPO startup script
An idea ?
Thanks
marcus
says on February 17, 2020
!!! Great job Man!!! Thanks
Mike
says on February 17, 2020
This looks great, but I’m having a syntx error in the script. Exactly what is going on with the “&” at the start of line 4?
Mike
says on February 17, 2020
I’m guessing the website is doing some HTML translatinon. My complaint is about “&-a-m-p-;” at the 1st of line 4.
rgd
says on February 19, 2020
Just what a chap needed to fix the final frustration with WSUS
Ian Martin
says on March 12, 2020
All i want to say is:
Thank You Very Very Much 🙂
message ends….
Ha
says on April 15, 2020
Thank a lot!
Mat
says on April 22, 2020
slight amendment, so I didnt have to use psexec.
$creds = Get-Credential
Function Force-WSUSCheckin($Computer)
{
Invoke-Command -computername $Computer -scriptblock { Start-Service wuauserv -Verbose }
$Cmd = ‘$updateSession = new-object -com “Microsoft.Update.Session”;$updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates’
Start-Process -Credential $creds powershell -ArgumentList “-Command & $Cmd”
Write-host “Waiting 10 seconds for SyncUpdates webservice to complete to add to the wuauserv queue so that it can be reported on”
Start-sleep -seconds 10
Invoke-Command -computername $Computer -scriptblock {
# Now that the system is told it CAN report in, run every permutation of commands to actually trigger the report in operation
wuauclt /detectnow
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
wuauclt /reportnow
}
}
Bhuvanjeet
says on June 3, 2020
Thanks a lot ! I was struggling for months over this. !
Gangaatharan
says on June 5, 2020
Hi Robbie,
We have replacing our server, so I have configured the wsus in new server, and changed the GPO as accordingly.
But my client machine are not reporting to my new wsus server. I have done the telnet from client machines and it’s fine.ports are open. As I checked group policy also got updated to client machines.
Can you please help me on this ?
Note : Now client machines are not reporting to old wsus server also.
Homer
says on July 7, 2020
Anyone know what $criteria is referencing?
$updateSession = new-object -com “Microsoft.Update.Session”;
$updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates
…Search($criteria)…..
do you need that there if we do not assign $criteria anywhere in the function?
Alex B
says on July 9, 2020
Sir, If i could find you in the world I’d probably marry you for this advice.
I have to update 7000 systems across the UK using WSUS, and its a total d*ck. I cannot believe how bad the Microsoft patching system is in terms of reporting and troubleshooting. Especially now on windows ten where it is even more horrific. This has helped massively!
Just in case anyone doesn’t know there are Powershell commands for doing window updates, that allows you to script, target kbs and other things. (though as yet i have still not been able to install a feature pack using them, it goes through the motions but does not actually upgrade the windows build.
look for PSWindowsUpdate module. Really can help if you are managing big networks.
Ubba
says on September 23, 2020
Use batchpatch.exe for updating machines with wsus it is a cheap program that does the job
https://batchpatch.com/
For approval use poshwsus
https://devblogs.microsoft.com/scripting/use-the-free-poshwsus-powershell-module-for-wsus-administrative-work/
For reporting use the scripts described in this article
https://4sysops.com/archives/wsus-reporting-with-powershell/
Panita
says on July 18, 2020
OMG! It works really really good. I have more than 7 years working with IT stuff, and the WSUS always has been a peace of #$%&. HAHAHA.
I’m working now in a new enterprise and I decided to install WSUS because it is eating my whole internet bandwith.
But now, I just reached this page and I have tried and it has been BEATIFULL.
Really my freinds, thanks you so much for share your knowlegde. You deserve a $100k bonus only for this solutions. My thanks from Venezuela. Bye!
Jazz
says on July 22, 2020
I’ve been chasing down a new way to do this since MS altered the UsoClient switches earlier this year.
A rainbow should shoot out the top of this web page every time you open it !!!!!!!!
I made 2 batches I copy into an elevated command prompt (since you have to wait a minute or two between the PS command and the wuauclt command)
Batch 1 consists of
WMIC /node:”workstation” process call create “PowerShell.exe $updateSession = new-object -com “Microsoft.Update.Session”; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates”
when it’s done – i wait a few seconds and do the same with Batch 2
WMIC /node:”workstation” process call create “cmd.exe /c wuauclt.exe /reportnow”
This is a faster process than PSexec (for me) but it may not work in other environments.
Thank you so much!!!!
girafe
says on August 17, 2020
Heya fantastic website! Does running a blog similar to this require a lot of work?
I have absolutely no understanding of computer programming however I was hoping to start my own blog soon. Anyway, should you have
any ideas or tips for new blog owners please share. I understand this is off subject nevertheless I simply needed to ask.
Cheers!
Rob
says on August 27, 2020
Ok, Im new to wsus and PS so please forgive my ignorance but how does one use the PS function/script above?
Policy WSUS: “Automatically download updates and install them on the schedule specified below” don’t work…!!!?! – Wapnet Blog
says on August 28, 2020
[…] To force a client (source): […]
Lyle
says on September 1, 2020
Hi Robbie
I’m having the same issue with my DC not reporting to WSUS. I’ve run the command above in powershell but nothing happens, its like powershell is hanging, i cant even add the 2nd command.
Any advice?
Steve Mason
says on September 3, 2020
This has been frustrating me for a while. I just finished reading umpteen threads with “wuauclt doesn’t work anymore on Windows 10” I was skeptical of that, as sometimes it does seem to force a report but not reliably.
Decided to try this. WOW! Thanks!
Fouss
says on November 5, 2020
I’ve only test the command, work perfectly, huge tanks !!!
Russ
says on November 17, 2020
Unfortunately, this joins the other 300,000 results in not working. Possibly a change in the WU client since it was written?
Justin Blocksom
says on November 20, 2020
OH…MY…GOSH!! Finally! I have been looking for this since Microsoft released Windows Server 2016.
Works exactly as advertised. I so wish I could buy you lunch…. this is EXACTLY what I needed. Thank you!!!
Colin Coulter
says on November 23, 2020
doesn’t work for me;
& : The term ‘amp’ is not recognized as the name of a cmdlet, function, script file, or operable program
Glenn Pelais
says on November 25, 2020
Thanks, this worked for me on a Windows 2012R2 server. But will the server checkin to WSUS going forward? What is the reason why the server will not checkin on a regular basis?
Breno Carvalho
says on November 26, 2020
Great job man!!!!
JEFF ARRIS
says on December 11, 2020
Is there a similar set of commands to run on suborn servers that won’t check in to WSUS?
The powershell command “$updateSession = new-object -com “Microsoft.Update.Session”; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates” gives an error!
Exception from HRESULT: 0x80244022
At line:1 char:62
+ … e.Session”; $updates=$updateSession.CreateupdateSearcher().Search($cr …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException
sergio
says on December 24, 2020
hello Robbie,
J’ai une erreur 0x80244017 🙁
Est-ce que tu as eu le même erreur ?
Exception from HRESULT: 0x80244017
At line:1 char:61
+ … te.Session”;$updates=$updateSession.CreateupdateSearcher().Search($cr …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException
Cdt,
S
Glenn Pelais
says on December 29, 2020
Thanks the commands work, however they must be manually run each time I want the server to check in to the WSUS server.
The real reason is in the reg key “HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update” /v NextDetectionTime /f
My key had an old date in the there.
Delete the key.
Jan
says on January 18, 2021
Wow! Works like Charm. Thank you Robbie for the help!
lio
says on January 22, 2021
don’t know why but nothing is ok for me.
applied this script on multiple computers and the date don’t change on the wsus server.
Who can help me?
thanks
Timbo
says on February 3, 2021
First of all Robbie you are the MAN!
When I grow up I wanna be like you.
For anyone still running into the issue where the script only works ‘sometimes’; and other times you get “Exception from HRESULT: 0x80244022” the following sequence of actions seems to work for me:
(Other variables are that ahead of time I would attempt the script is attempting to run it multiple times followed by the wuauclt.exe /detectnow and /reportnow
1) Refresh the group containing your target client system from the WSUS config console
2) Cycle the IIS Admin service on the WSUS server
3) Refresh and recycle (or in my case ‘start’) the WUS application pool in IIS Manager
4( Reload the WSUS config console
5) On your target machine, run the golden script followed by the wuauclt.exe /detectnow and /reportnow commands (usually at this point the script runs with no red text.
One alternative theory is to ensure that your WSUS console isn’t displaying the group containing the client system. (At this point this might be superstition though).
If someone is able to see a pattern or make sense of how this sequence of actions works; it might help someone else out.
Thanks again Robbie!
HOWTO: Force (really) WSUS Clients to Check in on Demand | Tim's Blog
says on February 5, 2021
[…] Source: http://pleasework.robbievance.net/howto-force-really-wsus-clients-to-check-in-on-demand […]
Francois Vorster
says on February 21, 2021
Thanks a lot, this worked wonders for me 🙂
Kiki
says on March 20, 2021
Thanks, this worked!
Kiki Biancatti http://www.ssw.com.au
Big Bob
says on March 26, 2021
&
Not familiar with why this doesn’t work in Powershell for your remote method, but the simple command using Enter-PSsession works for my clients that have winrm service running.
Damjan Košuta
says on April 9, 2021
Great. Many thx and br. Damjan
Jay
says on April 20, 2021
I am looking for something similar, but not using WSUS. We have a mix of Win10 1709/1809/20H2 machines. These machines are registered in SCCM which then get co-managed through Intune. My group policies force a machine to go to internet for Windows Updates rather than to a WSUS server (this was our old method)
Win10 1709 are particularly troublesome. I can get a user to go Settings -> Updates & Security -> Windows Updates -> Check for Updates but this is a manual process, and our machines are geographically spread. I want a reliable scripted process which i can run remotely to force a Scan/Download/Install – USOClient.exe doesn’t work.
Anas
says on April 30, 2021
I think that did the trick
When I ran the PS and CMD commands.
I was able to trace the WSUS client logs on the Windows 10 machine and I see it reporting to WSUS
In the logs you find:
{E00904E3-3A07-49D4-B9F7-CAFE7611ADCD} 2021-04-30 19:19:59:432-0400 1 147 [AGENT_DETECTION_FINISHED] 101 {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} 0 0 <>: PowerShell_ISE.exe Success Software Synchronization Windows Update Client successfully detected 0 updates. illjIIXwaUiGRlMx.1.0.0.3.0
{1EC82DEE-DF73-48F7-8A46-8053CF85FEB1} 2021-04-30 19:19:59:432-0400 1 156 [AGENT_STATUS_30] 101 {00000000-0000-0000-0000-000000000000} 0 0 <>: PowerShell_ISE.exe Success Pre-Deployment Check Reporting client status.
Location:
C:\Windows\SoftwareDistribution\ReportingEvents.log
Rauno Mägi
says on June 3, 2021
Big thanks once again. It worked like a charm 🙂
Dominika
says on July 16, 2021
Thanks!!
Aaron
says on July 22, 2021
OMG thank you so much!
Anthony LaSorsa
says on August 25, 2021
Many thanks to all involved. This looks to be exactly what I need. That said, maybe I’ve been staring at this article too long and can’t connect all the dots.
Putting that function in your PS profile on the central WSUS server – what does that do by putting that function in there? How is $computer defined? I’d like to try and run this against multiple computer accounts on the domain or in a particular OU. I just don’t know the best way to let this run from: A GPO, the WSUS server, or my personal administrative workstation. I certainly don’t want to log into each workstation and run these two commands.
Wonder if I can have the script reference psexec.exe sitting on a GPO policy script startup folder.
Tim Buck
says on December 11, 2023
Here’s how I’m using it:
I put the function in my Powershell profile on my desktop machine (the one I do all my work from). That way I can always run it against any machine on the domain by simply typing “Force-WSUSCheckin hostname” from a Powershell prompt.
If I want to run it against an entire OU, I export the OU listing from Active Directory (removing the extra columns, of course, so I have only a list of hostnames) – let’s call this file “OULIST.txt”. Then I put a little wrapper script around the function like so:
Force-WSUSCheckin-List.ps1:
Start-Transcript -Path “.\checkin-output.txt” # logging for troubleshooting hosts that fail to check in
foreach ($host in (Get-Content “OULIST.txt”)) {
try {
Write-Host “Trying $host…”
Force-WSUSCheckin $host
} catch {
Write-Host “unable to contact $host”
}
}
Stop-Transcript
Cybertooth
says on August 26, 2021
You’ll get an error with:
$updateSession = new-object -com “Microsoft.Update.Session”; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates
if the server (in my case) has access to the Internet.
Once I disabled access to t’internet in Internet Options, then the above Powershell command ran without issue and when I ran:
wuauclt /reportnow
then it reported in to our WSUS server immediately and is now happily downloading and installing updates as I type this to you.
Cybertooth
says on August 26, 2021
Also, make sure you disable IPv6
illy
says on December 10, 2021
You NEVER remove IPV6 in Windows Server 2008 and above…
Cybertooth
says on August 26, 2021
If you use AD WSUS groups to segregate your servers into update groups, then you may also need to run gpupdate /force a good 4 or 5 times followed by a reboot.
To quote a sys admin I know who has a couple of decades-worth more experience than me: “GPO’s were never intended to be prompt, or, hard and fast rules, so there is always some leeway on their implementation and distribution. Adding too many GPO’s to an object will also have a detrimental effect on their processing”
chad
says on September 23, 2021
works! it really, really works!
thanks so much!!
Todd Goodsite
says on October 20, 2021
You are amazing!
Patrick
says on November 2, 2021
Worked like a charm. Thanks so much!
Mark
says on November 9, 2021
Hi,
How do I add to your profile.ps1 file on your WSUS server to allow you to automatically update any client machines
Thanks
Wookie
says on November 23, 2021
Great article, saved me nicely today with a server which hadnt spoken to the server for a few months, now its all happy – ~THANK YOU!
Ben
says on December 9, 2021
Hey !
Thanks for the work but I don’t understand why the script isn’t working for me. I get the same error as :
“””Colin Coulter on November 23, 2020 at 8:54 am #
doesn’t work for me;
& : The term ‘amp’ is not recognized as the name of a cmdlet, function, script file, or operable program”””
I looked online for the AMP command without any luck.
Tried to install the module amp but it doesn’t find it (do I need another repository ?)
Even installed amps but it obviously did nothing :'(
Any chance someone can help or explain the thing I’m messing up ?
Thx
NonyaBusiness
says on August 9, 2022
Because when you copy/paste the command into Notepad or whatever else, the formatting messes up. Save these as .PS1 files, when you open them in PowerShell ISE you’ll see the errors in the lines. Just replace your copy/paste with the correct lines and you’ll be alright!
david
says on December 22, 2021
Did you figure this out? I think the & is used as a call operator. I am not a power shell expert, I wish I was. I believe the & should just be & used as a call operator: (excerpt from an article: The call operator (&), also known as the “invocation operator”, lets you run commands that are stored in variables and represented by strings or script blocks. The call operator executes in a child scope.
Although running it with just the amp still causes errors.
Jeff
says on January 21, 2022
Genius! Thanks so much
Siegfried
says on February 9, 2022
‘I finally decided to take matters into my own hands.’ –> Big Brain Time!
Seriously though, wuauclt /reportnow not really working has been bothering me for over a decade. Now it is solved. Thanks!
Bostjan Cvelbar
says on February 15, 2022
Hi.
Great article.
I was optimistically launching the first powershell command but I get an error:
Exception from HRESULT: 0x8024401C
At line:1 char:62
+ … e.Session”; $updates=$updateSession.CreateupdateSearcher().Search($cr …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException
Windows 10 machine. Any ideas why?
Hiro
says on February 16, 2022
Great invention for IT admins!!
Thanks so much!!!
ARIGATO!!
Corey Carmickle
says on March 17, 2022
This IS GOLD!!
Franklin
says on March 22, 2022
Can someone enlighten me how to use this script and add it to your wsus server?
Franck
says on April 5, 2022
Hello,
I’ve been using your magic commands for several months (thank you very much) but since a few days got a nice message:
Exception de HRESULT : 0x80244017
Au caractère Ligne:1 : 62
+ … e.Session”; $updates=$updateSession.CreateupdateSearcher().Search($cr …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException
If you have any idea, probably a bad update that broke it :'(
Kel
says on August 26, 2022
Just tried this for the first time and got this same error. Was on a Server 2019 machine.
Exception from HRESULT: 0x80244007
At line:1 char:62
+ … e.Session”; $updates=$updateSession.CreateupdateSearcher().Search($cr …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException
naresh c
says on April 26, 2022
this worked like a charmed!!!
MrJames
says on May 10, 2022
THIS WORKS!!!!!!!!!! THANK YOU SO MUCH!!!!!!!!!
boldfaceal
says on May 15, 2022
If my machines have not yet previously registered, should this cause the machines to register with the WSUS immediately or is there still a delay? I have 5 servers I’ve run this on and only 2 have registered. The others have not. Firewalls are turned off. Group policies are in place on all machines.
Mike
says on June 8, 2022
I have a simple powershell invoke script I use to tell my server clients to check into WSUS. I use it in conjunction with a GPO that has a precise install time and a restart time. It creates a session and reads a CSV file to invoke servers in the file to check in. Here is an excerpt with no error checking, etc:
$serverNames = Get-Content $filepath
$s = $ServerNames | New-PSSession -Credential xxxxxxx
#if the fileame contains mention of Server 2012R2
if($filename -Match “2012R2”){
Write-Host “Talking to Servers 2012 R2.”
Invoke-Command -Session $s -Scriptblock{(wuauclt /detectnow), (wuauclt /reportnow)}
}else{ #Newer servers understand a different WSUS detect command.
Write-Host “Talking to Servers 2016 and Newer.”
Invoke-Command -Session $s -Scriptblock{((New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()), (wuauclt /reportnow)}
}
EXIT
This works perfectly on everything except Servers 2019. I can not figure out why. I tend to run the scripts before the install time of the GPO. Maybe 2019 is sensitive to that. I will work with your research here and see if it helps me come up with a different result.
Thanks
Georgi
says on August 10, 2022
Awesome! Thanks for your help! It works perfect for WSUS clients server editions.
Justin
says on August 31, 2022
Thanks for that command! Can’t believe I’ve been missing this all this time. Forced machines to actually check in immediately!
Going through all these comments though, wow! One of them has a person invoking a command while invoking a command. Yeah, no. Also, no need for PsExec, just format your creds properly:
Run directly on the client
$updateSession = new-object -com “Microsoft.Update.Session”; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates
Start-sleep -seconds 10
wuauclt /detectnow
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
wuauclt /reportnow
UsoClient.exe startscan
Once off for a single remote machine:
$computer = ‘COMPUTERNAME’
$username = ‘USERNAME’
$password = ‘PASSWORD’
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList @($username,(ConvertTo-SecureString -String $password -AsPlainText -Force))
Invoke-Command -ComputerName $computer -Credential $cred -Authentication Negotiate -ScriptBlock {
$updateSession = new-object -com “Microsoft.Update.Session”; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates
Start-sleep -seconds 10
wuauclt /detectnow
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
wuauclt /reportnow
UsoClient.exe startscan
}
Rip through your entire AD. You’ll have to figure out your own domain security. For me, I use local admin accounts and change that password (another script) every 90 days (K.I.S.S.):
Get-ADComputer | select-object -expandproperty name | foreach {
$username = ‘USERNAME’
$password = ‘PASSWORD’
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList @($username,(ConvertTo-SecureString -String $password -AsPlainText -Force))
Invoke-Command -ComputerName $_ -Credential $cred -Authentication Negotiate -ScriptBlock {
Write-host “Run the UpdateSession”
$updateSession = new-object -com “Microsoft.Update.Session”; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates
Write-host “Sleep for 10 Seconds”
Start-sleep -seconds 10
Write-host “Run all the Detect Commands”
wuauclt /detectnow
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
wuauclt /reportnow
UsoClient.exe startscan
}}
In addition to this you’ll need any normal remoting services properly running. If you get any errors just work through those errors until you can remote properly. For example I think WinRM is needed for this, not sure so…
Get-ADComputer | Foreach-Object {
Set-Service -ComputerName $_.name WinRM -StartupType Auto
Start-Service -InputObject $(Get-Service -Computer $_.name -Name WinRM)
}
Justin
says on August 31, 2022
You can remove the “Write-host” commands. Not needed.
Mark
says on September 22, 2022
Absolute Legend! Thanks!
Meph
says on September 26, 2022
Been looking for something like this a loooooong time! Finally something that works!
Ikith
says on September 27, 2022
Aye holy heck, I’ve been looking for this miracle since my previous job!!! Around 6 years now and someone figured it out!
BTW You can force this in to a scheduled task easily, no permissions, no user logged in, by doing:
Program/Script: powershell.exe
Add arguments (optional): -command $updateSession = new-object -com “Microsoft.Update.Session”; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates
Then make another action that does:
Program/Script: powershell.exe
Add arguments (optional): -command wuauclt /reportnow
And boom you have a fully running force checkin script on whatever schedule you want!
Tom
says on November 3, 2022
Hi,
I ran your commands, didn’t get any error messages, but unfortunately it didn’t help, the “last status report” time remained as it was.
I tried it on 4 windows 2012 servers..
too bad…
Narz
says on November 10, 2022
Works very well for me, good job here
I used this to make it run locally, and push it through pdq inventory
Start-Service wuauserv -Verbose
$updateSession = new-object -com “Microsoft.Update.Session”;$updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates
Write-host “Waiting 10 seconds for SyncUpdates webservice to complete to add to the wuauserv queue so that it can be reported on”
Start-sleep -seconds 10
# Now that the system is told it CAN report in, run every permutation of commands to actually trigger the report in operation
wuauclt /detectnow
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
wuauclt /reportnow
c:\windows\system32\UsoClient.exe startscan
Yorick
says on November 25, 2022
YEARS LATER and YOU are my hero! THANK YOU THANK YOU THANK YOU.
Afdhal
says on January 5, 2023
Hi Robbie
Regarding to centralize on WSUS Server, ” So below is a function you can add to your profile.ps1 file on your WSUS server to allow you to automatically update any client machines on demand:”
My I know where you configure the profile.ps1 on WSUS Server, kindly advice on it.
Thanks
Paul
says on April 17, 2023
You’re an ANGEL!!!
Mark By8
says on June 7, 2023
I have improved the original script (thanks to the Author’s hard work about the most difficult part, and to other contributors in the comments ;-))
In my version you could now iterate a loop over all the devices that belong to an AD OU, everything from your domain controller server.
Tested on Win server 2019 as server and Win 10 pro as clients.
here’s the script, along with comments:
# script purpose is to force clients inside specific ad ou to report their updats status to the wsus server
# be sure to copy and paste ou path with right syntax from ad properties of the ou on the domain controller – properties – attribute editor
# if you can’t see attribute edit be sure to go to view menu on ad users and computers and select view – advanced features
# be sure to launch the script from the domain controller server with domain admins credentials so that you could open a remote powershell session on target devices without any password prompt
# to avoid misunderstanding the script should be saved on the domain controller and not executed from a network path, to avoid non-signed scripts blocking error
function Force-WSUSCheckin($Computer) {
Invoke-Command -ComputerName $Computer -ScriptBlock {
Start-Service -Name wuauserv -Verbose
$updateSession = New-Object -ComObject “Microsoft.Update.Session”
$updates = $updateSession.CreateUpdateSearcher().Search($criteria).Updates
Write-Host “Waiting 10 seconds for SyncUpdates webservice to complete to add to the wuauserv queue so that it can be reported on”
Start-Sleep -Seconds 10
# Now that the system is told it CAN report in, run every permutation of commands to actually trigger the report in operation
wuauclt /detectnow
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
wuauclt /reportnow
c:\windows\system32\UsoClient.exe startscan
}
}
# Import Powershell AD module
Import-Module ActiveDirectory
# Prompt for the Active Directory OU search base
$searchBase = Read-Host “Enter the Active Directory OU search base in the format ‘OU=pc_dominio_firewall_disable,OU=Utenti e pc,DC=raco,DC=local’:”
# Retrieve the computers from the specified OU
$computers = Get-ADComputer -Filter * -SearchBase $searchBase | Select-Object -ExpandProperty Name
# Check if any computers were found
if ($computers.Count -eq 0) {
Write-Host “No computers found in the specified OU.”
} else {
# Iterate over the computers and call the function
foreach ($computer in $computers) {
Write-Host “Running WSUS check-in for computer: $computer”
Force-WSUSCheckin $computer
}
}
Nick
says on July 10, 2023
What’s the trick?
GUI shows continiously show me 0x8024401c, and your secret command shows the same error, but in PowerShell.
Still have been fighting this problem for weeks already, tried everything
illy
says on August 8, 2023
You have an invalid hostname in your GPO controlling the intranet server location or the host name is not resolvable from the client. In my case, the hostname was correct but the FQDN was wrong, the actual domain. There was no record in DNS for it.
Ahmad
says on July 16, 2023
Man .. I can’t thank you enough for this !! I’ve passed through the same experience , It was so frustrating not finding proper solutions in tens of online forums . THANKS A MILLION!!!!!! MY WSUS IS WORKING PERFECTLY NOW!!
John Philipson
says on October 12, 2023
Ditto above comment – makes the whole WSUS process way more usable
Josh Ulmer
says on November 28, 2023
Still works. Instantly cleaned up my WSUS reports for patching compliance.
THANK YOU!
KLampl
says on January 9, 2024
unning WSUS check-in for computer: WIN10-KARL
VERBOSE: Performing the operation “Start-Service” on target “Windows Update (wuauserv)”.
Exception from HRESULT: 0x8024401F
+ CategoryInfo : OperationStopped: (:) [], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException
+ PSComputerName : WIN10-*****
when I run this all I get is the above
SOLVED: 7 Windows Update & WSUS Troubleshooting Commands You Need To Know – Up & Running Technologies, Tech How To's
says on February 21, 2024
[…] https://pleasework.robbievance.net/howto-force-really-wsus-clients-to-check-in-on-demand/ […]
BHornet
says on September 20, 2024
You are a life saver – thank you. I am able to get my updates cleaned up. I wish I had found this sooner!!!
Madina Gotova
says on October 27, 2024
Thank you worked as charm!
Jim
says on November 7, 2024
Couple things:
1) Your open brace has to go on the same line as Invoke-Command -Scriptblock { Yeah, it annoys me too.
2) I’d rather have getting the list of computers outside of the function itself, so I make the parameter of the function a string array and put the loop inside the function to save lines in other scripts where I may import the function.
This is what I ended up with:
Function Invoke-WSUSCheckin
{
[CmdletBinding()]
param (
[string[]] $ComputerName
)
ForEach ($Computer in $ComputerName)
{
Invoke-Command -ComputerName $Computer -ScriptBlock { Start-Service wuauserv -Verbose }
# Have to use psexec with the -s parameter as otherwise we receive an “Access denied” message loading the comobject
$Cmd = ‘$updateSession = new-object -com “Microsoft.Update.Session”;$updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates’
& psexec.exe -s \\$Computer powershell.exe -command $Cmd
Write-Host ‘Waiting 10 seconds for SyncUpdates webservice to complete to add to the wuauserv queue so that it can be reported on’
Start-Sleep -Seconds 10
Invoke-Command -ComputerName $Computer -ScriptBlock {
# Now that the system is told it CAN report in, run every permutation of commands to actually trigger the report in operation
wuauclt /detectnow
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
wuauclt /reportnow
c:\windows\system32\UsoClient.exe startscan
}
}
}
$ComputerList = (Get-ADComputer -Filter “Enabled -eq ‘True'”).Name
#or
$ComputerList = Import-Csv -Path ‘Path:\To\ComputerList.csv’
Invoke-WSUSCheckin -ComputerName $ComputerList
Joe
says on November 27, 2024
Robbie,
it was an absolutely fantastic moment to see your little script snippet in action in my specific use case. A game-changing experience. Thank you very much!
Now it is the end of 2024 and Windows Server 2025 is available. As far as I can see now, the reporting mechanism unfortunately no longer works with the November 2024 patch level on Server 2025…
Any clue?
Martin Slepicka
says on December 5, 2024
Hello,
two commands are exellent but unfortunately Microsoft can break everything 🙁
We have to find new magic trick for Windows server 2025 because there is no sucess with these commands.
Best regards.
Martin
Tom A
says on February 5, 2025
Have you tried this on 2025?
powershell -noprofile $updateSession = new-object -com “Microsoft.Update.Session”; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates
usoclient.exe StartScan
wuauclt /reportnow
Joe
says on March 13, 2025
Tried it on patched Windows Server 2025! Sadly, it is not working!
Still searching for a Command on patched Server 2025 that: “Force (really) WSUS Clients to Check in on Demand”
jimmy two servers
says on March 18, 2025
i love you bro. great work
AZee
says on April 9, 2025
When I run this on the client machine, unfortunately I get this error:
Exception from HRESULT: 0x80244007
At line:1 char:62
+ … e.Session”; $updates=$updateSession.CreateupdateSearcher().Search($cr …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException
Rama
says on April 14, 2025
Robbie,
You are a star! this helped me to get many PC on the network that weren’t reporting to get live on the WSUS within minutes.
You have saved me a lot of trouble through your research and Wisdom.
Thank you,
Al
says on April 29, 2025
You genius!!!
Karlos
says on May 26, 2025
Working as a charm! thanks a lot!
Andy
says on June 25, 2025
Works perfectly with Windows 10, but I can’t get it to work at all with Windows 11 clients.