HOWTO: Force (really) WSUS Clients to Check in on Demand

You're most likely here because you are an IT administrator and you have a network that deploys Windows Updates via Windows Server Update Services or WSUS.  Perhaps you're relatively new to WSUS or you're a veteran that has been using the product since its inception.  In either case, you are mostly frustrated because even in the latest release of WSUS that there is no reliable way to force clients to check in and report their status.  You know about wuauclt /reportnow and /detectnow.  You may even be aware of the .NET method  (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow().

But despite having tried everything, you're at at a loss.  All you want is for your clients to report their current status into WSUS on demand.  Is that really too much to ask?  Actually, it might be.  If you google "force wsus client to check in to wsus server", you'll see almost 300,000 results.  And I swear I've read every single one of them and tried every single suggestion.  

I finally decided to take matters into my own hands. I built a lab environment consisting of a domain controller, a WSUS server and a client machine.  I then proceeded to deep dive with process monitor and packet analyzers to try and find a way to "trick" the WSUS client into thinking it's time to report in.  After many hours at this, I was just about to give up when I accidentally stumbled upon the magic command I was looking for.

Ladies and gentlemen, without further adieu, I present to you, THE command to run on your Windows clients to force them to check in on demand:

$updateSession = new-object -com "Microsoft.Update.Session"; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates

Running this command will "prime" the Windows Update engine to submit its most recent status on the next poll.  To trigger that next poll, use:

wuauclt /reportnow

Yes, I know.  you've done that a million times and it's never worked.  But if you run the command above first, then it works.  I've had a nearly 100% rate with this now over probably hundreds of machines.

To use it, open an administrative PowerShell prompt on the client machine and paste that in.  It won't return anything but a few moments later you should see the WSUS last contact and last detect time update and more importantly, if all the updates were installed successfully, the computer will instantly change to green in the WSUS console.  I've tested it on both Windows 7 and Windows 10 clients successfully.

If you want to run centrally from your WSUS server, I found that you can't use PowerShell remoting because of some kind of permissions thing.  There may be a way around that but for now I found that psexec works fine.  So below is a function you can add to your profile.ps1 file on your WSUS server to allow you to automatically update any client machines on demand:

This has been a life changer in terms of improving my frustration level with managing WSUS.  I hope you find it useful.

Function Force-WSUSCheckin($Computer)
{
   Invoke-Command -computername $Computer -scriptblock { Start-Service wuauserv -Verbose }
   # Have to use psexec with the -s parameter as otherwise we receive an "Access denied" message loading the comobject
   $Cmd = '$updateSession = new-object -com "Microsoft.Update.Session";$updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates'
   & c:\bin\psexec.exe -s \\$Computer powershell.exe -command $Cmd
   Write-host "Waiting 10 seconds for SyncUpdates webservice to complete to add to the wuauserv queue so that it can be reported on"
   Start-sleep -seconds 10
   Invoke-Command -computername $Computer -scriptblock
   {
      # Now that the system is told it CAN report in, run every permutation of commands to actually trigger the report in operation
      wuauclt /detectnow
      (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
      wuauclt /reportnow
      c:\windows\system32\UsoClient.exe startscan
   }
}

54 comments

1 ping

Skip to comment form

    • Kyle on February 22, 2019 at 3:05 pm
    • Reply

    Worked for me! Thanks! I’ve been looking everywhere for answers

      • Mats on February 7, 2020 at 3:44 pm
      • Reply

      I was just about to give up.
      Thanks a lot!

    • Laurenz Duerbeck on March 1, 2019 at 8:19 am
    • Reply

    Hi Robbie.
    That’s the most promising approach I’ve found on the web. And just like you I tried a lot of Things. #-(
    It sometimes works for me but not always. I’m trying to figure out what causes the problem….
    I always have to run “Usoclient RefreshSettings” first, since my Win 10 1803 does not reflect all settings although group policies are already applied. Seems to me that this is a problem with Windows’ servicing stack.
    One more question: Does your script also work if no one is actually logged on interactively?

  1. I realize I forgot a step in my instructions.

    The command above “tricks” WSUS into being able to report its status. But once it’s run you still have to tell it to actually report its status.

    Follow up the command above with a wuauclt /reportnow and you should be golden.

    Yes, the script works regardless if a user is logged in or not as you are logging in yourself via psexec.

    • Renzo F. on March 18, 2019 at 8:01 pm
    • Reply

    Thanks for this, I’ve searching a solution to the report problem for a long time.
    Just a note: there’s a typo in the post: it says “wuault /reportnow” annd it shuld be “wuauclt /reportnow”.

    The script is correct, but it may cause confusion.

    • Rudy on April 8, 2019 at 3:04 pm
    • Reply

    Is there a way to do this for 200 machines without having to log in to each one?

    1. Hi Rudy,

      Yes there is. You’ll need some basic PowerShell scripting experience to do so and you’re environment would need to be configured to allow administrative remoting via psexec.

      Here is the pseudo code to do that:

      $Computers = (Get-ADComputers -Filter *).name

      ForEach $Computer in $Computers)
      {
      Force-WSUSCheckin($Computer)
      }

      You’d want to add in some error handling and ping tests to speed it up and you’ll need to specify the path where your psexec.exe lives.

      But otherwise that’s about it. I’ve refreshed my entire environment lots of times using this technique.

    • Jonathan B on April 30, 2019 at 5:28 pm
    • Reply

    How long does it take you to run that command.. For me, it seems to be timing out..

    I get a COM Error once it decides it’s enough..

    My WSUS assets are not reporting back to wsus, and I get a time out. I opened all firewalls on the windows client/server for testing purpose, I can reach the webpage, but in the error message it says it failed to get a HTTP reply..
    I’ve set my IIS to the best practices except that I followed the instruction saying I should leave it at 4GB Ram..

    Man .. no idea what to do from here.

      • Jonathan B on April 30, 2019 at 5:33 pm
      • Reply

      Exception from HRESULT: 0x80240440
      At line:1 char:1
      + $updates=$updateSession.CreateupdateSearcher().Search($criteria).Upda …
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : OperationStopped: (:) [], COMException
      + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException

      1. Hi Jonathan,

        The command runs instantly in terms of it’s command line execution as it doesn’t return anything. Your issue sounds more fundamental to your WSUS installation. The two big things to check are:

        1) Open a command prompt and type “Telnet [IP of your WSUS server] 8530”. If it returns a blank screen that means the port is open and responding and that’s good. If it doesn’t then that’s your issue and your WSUS server is not configured properly

        2) Verify your GPO is applying properly and is pointing to the correct server by running this command on one of your clients
        reg query “HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate”

        3) Copy and paste whatever name is returned there into your telnet command to make sure DNS is resolving properly.

        Hope that points you in the right direction.

          • Lord Glacius on July 10, 2019 at 7:58 am
          • Reply

          Thank you for the suggestions. I have tried the command from powershell and get the same error:

          Exception from HRESULT: 0x80244022
          At line:1 char:62
          + … e.Session”; $updates=$updateSession.CreateupdateSearcher().Search($cr …
          + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo : OperationStopped: (:) [], COMException
          + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException

          I have run through your steps above and they are all indicating correct connection with the WSUS server.

          Do you have any suggestions further to help?

          Many thanks in advance

            • Robbie on July 10, 2019 at 9:42 am
              Author

            I seem to recall getting the 0x80244022 when the account I ran it under either didn’t have admin permissions to the machine or the PowerShell session was not run as an administrator. That’d be the first thing to confirm. If you are running as an admin, I’m not sure what else to suggest beyond trying from a different machine to see if the issue is limited to a specific system.

            • x86txt on August 26, 2019 at 3:52 pm

            This PowerShell error is due to the inability to communicate with the WSUS server. In my case, a system proxy was set and the proxy was blocking the communication. Once I allowed the IP of the WSUS server in the proxy server, the PS command executed without the error Lord Glacius notes.

    • Roman on May 2, 2019 at 10:50 pm
    • Reply

    One little problem: the scalar variable $criteria is not defined. That could cause some people problems, for example if they are using set-strictmode. So, presumably one can leave that out of the code. This web site seems to explain the Search method and what goes into the criteria area, though I didn’t really understand it or look that hard.
    https://docs.microsoft.com/en-us/windows/desktop/api/wuapi/nf-wuapi-iupdatesearcher-search

      • Jason on May 14, 2020 at 7:32 pm
      • Reply

      I ran into this issue. I was getting an error calling search with 0 arguments (because $criteria was null). It worked after I set $criteria = ( IsInstalled = 0 and IsHidden = 0 ).

    • Roman on May 3, 2019 at 1:17 am
    • Reply

    Awesome, that works! Thanks!
    I didn’t have the problem with getting an error when creating the COM object. Here’s a minimal version assuming that that will work (and only using /reportnow):
    Function Force-WSUSCheckin($Computer)
    {
    invoke-command -computername $Computer -scriptblock {
    Start-Service wuauserv -Verbose
    $updateSession = new-object -com “Microsoft.Update.Session”;
    # More info about the Search method: https://docs.microsoft.com/en-us/windows/desktop/api/wuapi/nf-wuapi-iupdatesearcher-search
    $criteria = $null
    $updateSession.CreateupdateSearcher().Search($criteria) | out-null
    Write-host “Waiting 10 seconds for SyncUpdates webservice to complete to add to the wuauserv queue so that it can be reported on”
    Start-sleep -seconds 10
    Write-host “running wuauclt /reportnow …”
    wuauclt /reportnow
    }
    }
    And yes, you do need the null value in the Search($criteria) method.

    • Ruhel on June 27, 2019 at 8:38 am
    • Reply

    typo – missing the c wuault….

    • dane on July 1, 2019 at 5:22 pm
    • Reply

    Getting errors from psexec

    psexec.exe : Exception from HRESULT: 0x8024401C
    At C:\Temp\force-WSUSCheckin-from-list.ps1:9 char:4
    + & c:\temp\psexec.exe -s \\$Computer powershell.exe -ExecutionPolic …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (Exception from HRESULT: 0x8024401C:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

    At line:1 char:59
    + … ate.Session;$updates=$updateSession.CreateupdateSearcher().Search($cr …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (:) [], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException

    Connecting to MEWROYD01…Starting PSEXESVC service on MEWROYD01…Connecting with PsExec service on MEWROYD01…Starting
    powershell.exe on MEWROYD01…
    powershell.exe exited on MEWROYD01 with error code 1.

    • IdolR on July 4, 2019 at 12:16 pm
    • Reply

    Finally! A lot of people out there plastering them selves as WSUS “experts” none of their advice worked! This works! Thanks for sharing 🙂

    • Guy Lincoln on August 14, 2019 at 11:45 pm
    • Reply

    You are a good man Robbie….. Worked a treat.

    • Neil on August 16, 2019 at 5:00 pm
    • Reply

    Thanks you for the fix Robbie.

    However your command in your comments at the top is missing a ‘c’

    wuault /reportnow

    should read

    wuauclt /reportnow

    • Dave on September 12, 2019 at 7:08 pm
    • Reply

    This worked great! Thank you. Have been looking for this fix for many months.

    • Punithraj on September 25, 2019 at 10:19 am
    • Reply

    HI Robbie,

    this command in individual works fine . thank you so much for this.. now i want know how can i run this command from server targeting on all computers which not detected or detected old dates ?

    • JOE-B on September 27, 2019 at 9:23 pm
    • Reply

    This works for some but i wrote this batch file a couple years ago that works great too.

    @echo on
    net stop wuauserv
    REG DELETE “HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update” /v LastWaitTimeout /f
    REG DELETE “HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update” /v DetectionStartTime /f
    Reg Delete “HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update” /v NextDetectionTime /f
    net start wuauserv
    wuauclt /detectnow

    Hope this helps

    • Alexei on October 15, 2019 at 9:48 pm
    • Reply

    I second that, Chapeau Robbie!
    Got a couple of those COM exceptions but after a reboot they were all gone.

    • Franc on November 12, 2019 at 3:18 pm
    • Reply

    HelIo,
    I try to launch in admin on some Windows 10 the command $updateSession = new-object -com “Microsoft.Update.Session”; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates but most of the time there is no result no error and it doesnt back to the prompt. Any idea?
    Thank you in advance

  2. Thanks so much Robbie! This freakin’ rocks! I always love when one guy out of thousands finds a way to make something work where no one else before him was able to! 😀

    • Tim on November 26, 2019 at 12:13 am
    • Reply

    You’re a life-saver! Works like a charm! Solved a 2 year old mystery and now my WSUS looks like it’s freaking working again!

    • Daniel on December 17, 2019 at 8:06 pm
    • Reply

    Thank you!! it worked for me, now i don’t have to wait for clients to report.

    • PhilipM on January 7, 2020 at 8:48 pm
    • Reply

    Great work, thank you for researching and posting!

    • Dinusha on January 14, 2020 at 11:44 pm
    • Reply

    Hi Robbie and Others,

    Could you please give some advice or more information to edits profile.ps1 ?

    • Tom on January 16, 2020 at 3:16 am
    • Reply

    hours of messing with WSUS and nothing. I run the command you suggested and it was all happy in 30 seconds. I wish i knew about this command earlier.

    • Andy on January 24, 2020 at 12:51 pm
    • Reply

    Nice guide, but in the second wuauclt /detecnow you are missing the letter C!

    1. Thanks Andy. I’ve corrected the typo. I threw this HOWTO together pretty quickly once I realized the dang process actually worked. At some point I should go back and revisit it and add some additional detail for what I’ve determined about WHY it works. But it seems to be working for people so that’s all that matters!

    • Ondrej on January 30, 2020 at 2:33 pm
    • Reply

    I just love this!!! Finally something which works!
    #WSUSisPain

    • David on February 12, 2020 at 5:41 pm
    • Reply

    Very good solution, thank you so much!

    • cirdec on February 17, 2020 at 11:34 am
    • Reply

    Hello,

    Very good solution but, for me, works only if last report is not older than 8 days.
    If the last report is older than 8 days Nothing happens….even if i use a GPO startup script

    An idea ?
    Thanks

    • marcus on February 17, 2020 at 2:11 pm
    • Reply

    !!! Great job Man!!! Thanks

    • Mike on February 17, 2020 at 3:51 pm
    • Reply

    This looks great, but I’m having a syntx error in the script. Exactly what is going on with the “&” at the start of line 4?

      • Mike on February 17, 2020 at 3:52 pm
      • Reply

      I’m guessing the website is doing some HTML translatinon. My complaint is about “&-a-m-p-;” at the 1st of line 4.

    • rgd on February 19, 2020 at 1:49 pm
    • Reply

    Just what a chap needed to fix the final frustration with WSUS

    • Ian Martin on March 12, 2020 at 10:03 am
    • Reply

    All i want to say is:

    Thank You Very Very Much 🙂

    message ends….

    • Ha on April 15, 2020 at 3:27 am
    • Reply

    Thank a lot!

    • Mat on April 22, 2020 at 6:20 pm
    • Reply

    slight amendment, so I didnt have to use psexec.

    $creds = Get-Credential

    Function Force-WSUSCheckin($Computer)
    {
    Invoke-Command -computername $Computer -scriptblock { Start-Service wuauserv -Verbose }

    $Cmd = ‘$updateSession = new-object -com “Microsoft.Update.Session”;$updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates’

    Start-Process -Credential $creds powershell -ArgumentList “-Command & $Cmd”

    Write-host “Waiting 10 seconds for SyncUpdates webservice to complete to add to the wuauserv queue so that it can be reported on”
    Start-sleep -seconds 10
    Invoke-Command -computername $Computer -scriptblock {
    # Now that the system is told it CAN report in, run every permutation of commands to actually trigger the report in operation
    wuauclt /detectnow
    (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
    wuauclt /reportnow
    }
    }

    • Bhuvanjeet on June 3, 2020 at 11:52 am
    • Reply

    Thanks a lot ! I was struggling for months over this. !

    • Gangaatharan on June 5, 2020 at 6:34 am
    • Reply

    Hi Robbie,

    We have replacing our server, so I have configured the wsus in new server, and changed the GPO as accordingly.
    But my client machine are not reporting to my new wsus server. I have done the telnet from client machines and it’s fine.ports are open. As I checked group policy also got updated to client machines.
    Can you please help me on this ?
    Note : Now client machines are not reporting to old wsus server also.

    • Homer on July 7, 2020 at 9:00 pm
    • Reply

    Anyone know what $criteria is referencing?

    $updateSession = new-object -com “Microsoft.Update.Session”;
    $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates

    …Search($criteria)…..
    do you need that there if we do not assign $criteria anywhere in the function?

    • Alex B on July 9, 2020 at 12:38 pm
    • Reply

    Sir, If i could find you in the world I’d probably marry you for this advice.

    I have to update 7000 systems across the UK using WSUS, and its a total d*ck. I cannot believe how bad the Microsoft patching system is in terms of reporting and troubleshooting. Especially now on windows ten where it is even more horrific. This has helped massively!

    Just in case anyone doesn’t know there are Powershell commands for doing window updates, that allows you to script, target kbs and other things. (though as yet i have still not been able to install a feature pack using them, it goes through the motions but does not actually upgrade the windows build.

    look for PSWindowsUpdate module. Really can help if you are managing big networks.

    • Panita on July 18, 2020 at 12:01 am
    • Reply

    OMG! It works really really good. I have more than 7 years working with IT stuff, and the WSUS always has been a peace of #$%&. HAHAHA.

    I’m working now in a new enterprise and I decided to install WSUS because it is eating my whole internet bandwith.

    But now, I just reached this page and I have tried and it has been BEATIFULL.

    Really my freinds, thanks you so much for share your knowlegde. You deserve a $100k bonus only for this solutions. My thanks from Venezuela. Bye!

    • Jazz on July 22, 2020 at 4:10 pm
    • Reply

    I’ve been chasing down a new way to do this since MS altered the UsoClient switches earlier this year.
    A rainbow should shoot out the top of this web page every time you open it !!!!!!!!

    I made 2 batches I copy into an elevated command prompt (since you have to wait a minute or two between the PS command and the wuauclt command)

    Batch 1 consists of
    WMIC /node:”workstation” process call create “PowerShell.exe $updateSession = new-object -com “Microsoft.Update.Session”; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates”

    when it’s done – i wait a few seconds and do the same with Batch 2
    WMIC /node:”workstation” process call create “cmd.exe /c wuauclt.exe /reportnow”

    This is a faster process than PSexec (for me) but it may not work in other environments.

    Thank you so much!!!!

  3. Heya fantastic website! Does running a blog similar to this require a lot of work?
    I have absolutely no understanding of computer programming however I was hoping to start my own blog soon. Anyway, should you have
    any ideas or tips for new blog owners please share. I understand this is off subject nevertheless I simply needed to ask.
    Cheers!

    • Rob on August 27, 2020 at 11:36 am
    • Reply

    Ok, Im new to wsus and PS so please forgive my ignorance but how does one use the PS function/script above?

    • Lyle on September 1, 2020 at 1:45 pm
    • Reply

    Hi Robbie

    I’m having the same issue with my DC not reporting to WSUS. I’ve run the command above in powershell but nothing happens, its like powershell is hanging, i cant even add the 2nd command.
    Any advice?

    • Steve Mason on September 3, 2020 at 3:46 pm
    • Reply

    This has been frustrating me for a while. I just finished reading umpteen threads with “wuauclt doesn’t work anymore on Windows 10” I was skeptical of that, as sometimes it does seem to force a report but not reliably.
    Decided to try this. WOW! Thanks!

Leave a Reply to Bhuvanjeet Cancel reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.