HOWTO: Force (really) WSUS Clients to Check in on Demand

You're most likely here because you are an IT administrator and you have a network that deploys Windows Updates via Windows Server Update Services, or WSUS. Perhaps you're relatively new to WSUS, or you're a veteran who has been using the product since its inception. In either case, you are mostly frustrated because, even in the latest release of WSUS, there is no reliable way to force clients to check in and report their status. You know about wuauclt /reportnow and /detectnow. You may even be aware of the .NET method (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow().

But despite having tried everything, you're at a loss. All you want is for your clients to report their current status into WSUS on demand. Is that really too much to ask? Actually, it might be. If you google "force wsus client to check in to wsus server", you'll see almost 300,000 results. And I swear I've read every single one of them and tried every single suggestion.

I finally decided to take matters into my own hands. I built a lab environment consisting of a domain controller, a WSUS server and a client machine.  I then proceeded to deep dive with process monitor and packet analyzers to try and find a way to "trick" the WSUS client into thinking it's time to report in.  After many hours at this, I was just about to give up when I accidentally stumbled upon the magic command I was looking for.

Ladies and gentlemen, without further ado, I present to you THE command to run on your Windows clients to force them to check in on demand:

$updateSession = new-object -com "Microsoft.Update.Session"; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates

Running this command will "prime" the Windows Update engine to submit its most recent status on the next poll.  To trigger that next poll, use:

wuauclt /reportnow

Yes, I know. You've done that a million times and it's never worked. But if you run the command above first, then it works. I've had a nearly 100% rate with this now over probably hundreds of machines.

To use it, open an administrative PowerShell prompt on the client machine and paste that in.  It won't return anything but a few moments later you should see the WSUS last contact and last detect time update and more importantly, if all the updates were installed successfully, the computer will instantly change to green in the WSUS console.  I've tested it on both Windows 7 and Windows 10 clients successfully.

If you want to run it centrally from your WSUS server, I found that you can't use PowerShell remoting because of some kind of permissions thing. There may be a way around that, but for now I found that psexec works fine. So below is a function you can add to your profile.ps1 file on your WSUS server to allow you to automatically update any client machines on demand:

This has been a life changer in terms of improving my frustration level with managing WSUS.  I hope you find it useful.

Function Force-WSUSCheckin($Computer)
{
   # Make sure the Windows Update service is running on the client
   Invoke-Command -ComputerName $Computer -ScriptBlock { Start-Service wuauserv -Verbose }
   # Have to use psexec with the -s parameter as otherwise we receive an "Access denied" message loading the comobject
   # Single quotes stop the variables from being expanded here; they are evaluated on the client ($criteria is never assigned, so it is empty there)
   $Cmd = '$updateSession = new-object -com "Microsoft.Update.Session";$updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates'
   & c:\bin\psexec.exe -s \\$Computer powershell.exe -command $Cmd
   Write-Host "Waiting 10 seconds for SyncUpdates webservice to complete to add to the wuauserv queue so that it can be reported on"
   Start-Sleep -Seconds 10
   # The opening brace has to sit on the same line as -ScriptBlock, otherwise the parameter gets no argument and the block never runs remotely
   Invoke-Command -ComputerName $Computer -ScriptBlock {
      # Now that the system is told it CAN report in, run every permutation of commands to actually trigger the report in operation
      wuauclt /detectnow
      (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
      wuauclt /reportnow
      c:\windows\system32\UsoClient.exe startscan
   }
}
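
To confirm from the server side that a forced check-in actually landed, rather than watching the console, the following added example (not part of the original post) compares the client's last status report time in WSUS before and after calling Force-WSUSCheckin. It assumes it runs on the WSUS server with the UpdateServices module available; Get-WSUSClientTimes and Test-WSUSCheckin are hypothetical helper names.

```powershell
# Added example, not from the original post. Assumes it runs on the WSUS server
# with the UpdateServices module and the post's Force-WSUSCheckin function loaded.
# Get-WSUSClientTimes and Test-WSUSCheckin are hypothetical helper names.
function Get-WSUSClientTimes([string]$Computer) {
    # Get-WsusComputer may emit a message string instead of objects when nothing
    # matches, so keep only results that really carry a FullDomainName.
    $target = Get-WsusComputer -NameIncludes $Computer |
        Where-Object { $_.FullDomainName -like "$Computer*" } |
        Select-Object -First 1
    if (-not $target) { throw "No WSUS computer target matches '$Computer'" }
    $target
}

function Test-WSUSCheckin {
    param(
        [Parameter(Mandatory)][string]$Computer,
        [int]$TimeoutSeconds = 300,   # give up after this long
        [int]$PollSeconds = 15        # how often to re-query WSUS
    )
    # Baseline: the last status report WSUS has on record before forcing anything
    $before = (Get-WSUSClientTimes $Computer).LastReportedStatusTime

    # Send the function's console output to the host so it does not pollute
    # the object this function returns
    Force-WSUSCheckin $Computer | Out-Host

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds $PollSeconds
        $now = Get-WSUSClientTimes $Computer
        $checkedIn = $now.LastReportedStatusTime -gt $before
    } until ($checkedIn -or (Get-Date) -ge $deadline)

    # CheckedIn is $false when the timeout expired without a newer report
    [pscustomobject]@{
        Computer     = $now.FullDomainName
        LastContact  = $now.LastSyncTime
        StatusBefore = $before
        StatusAfter  = $now.LastReportedStatusTime
        CheckedIn    = $checkedIn
    }
}

# Usage (PC01 is a placeholder name): Test-WSUSCheckin -Computer PC01
```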
