Archive for the ‘WSUS’ Category

I am back here after long time  , and this time again I am up with one more interesting PowerShell script.

Script description :

  This Script will trigger installation of Microsoft WSUS patch updates on remote system. Script has multiple functions , each takes care of different tasks.

  The servers which needs to be patched remotely should be placed in servers.txt . Script will read the servers.txt and uses psexec.exe to initiate the patch installation.

 Update.vbs is a part of the script , and it has to be pushed to the remote computer where scripts triggers the installation of patches. PowerShell utlises this Update.vbs and installs the updates. Once updates are installed , this updates.vbs will be removed from the remote system.

Additionally , Script will prompt for restart option of remote system , ‘Y’ or ‘y’ will trigger the restart on remote machine , also it checks for server online (RDP Status) post reboot.

Below is the script 🙂


Set objSession = CreateObject(“Microsoft.Update.Session”)
Set AutoUpdate = CreateObject(“Microsoft.Update.AutoUpdate”)

WScript.Echo “Searching for updates…”

Set UpdateSearcher = objSession.CreateUpdateSearcher
Set SearchResult = UpdateSearcher.Search(” IsAssigned=1 and IsHidden=0 and IsInstalled=0 and Type=’Software'”)


If searchResult.Updates.Count = 0 Then
End If

Set updatesToDownload = CreateObject(“Microsoft.Update.UpdateColl”)
For i = 0 To SearchResult.Updates.Count-1
    Set update = SearchResult.Updates.Item(I)
    If Not update.EulaAccepted Then update.AcceptEula

WScript.Echo “Downloading the Updates”

Set downloader = objSession.CreateUpdateDownloader()
downloader.Updates = updatesToDownload

Set UpdatesToInstall = CreateObject(“Microsoft.Update.UpdateColl”)
For I = 0 To searchResult.Updates.Count-1
    set update = searchResult.Updates.Item(I)
    If update.IsDownloaded = true Then
    End If
WScript.Echo “Installating the Updates…..”
Set installer = objSession.CreateUpdateInstaller()
installer.Updates = updatesToInstall


PowerShell Script

# Name : Install-Patches on remote system
#Author : Prashant Girennavar.
#DateCreated : 4th Sept 2013.

# Function to create a Temp folder on remote machine if it does not exist
Function TempFolderCheck($Server)
 If(!(Test-Path \\$Server\c$\temp))
   New-Item -type directory -path \\$Server\c$\Temp

#Function to copy Update.vbs script on remote machine
Function BatchVBCopy($Server)
Write-host “VB Script is being copied on $Server”
Copy-Item -Path \\$SourceServer\C$\update.vbs -destination \\$Server\c$\Temp

#Function to trigger the patch installation on remote machine
Function InstallPatch($Server)
 .\psexec.exe -accepteula -s -i \\$Server cscript.exe C:\temp\update.vbs
 if($LASTEXITCODE -eq 0) #Check if PSEXEC executed successfully
 Write-Host “$Server” Patched Successfully
 Remove-Item \\$Server\C$\Temp\Update.vbs #Remove the update.vbs from remote system
 $Reboot =  Read-Host “Do you wish to Reboot the system now? say Y to reboot / N to decline”
 if(($Reboot -eq “Y”)-or($Reboot -eq “y”))
  Write-Host “Now Rebooting the $Server , Please wait ….”
  Restart-Computer -ComputerName $Server -Force #Restarting remote computer post patch installation
 Write-Host “$Server” Unable to patch the server please check
Write-Host “$Server” Encountered an exception

$Servers = Get-Content C:\Servers.txt # Get the server list which needs to be patched
Foreach($Server in $Servers)
TempFolderCheck($Server) #Call TempFolderCheck Function
BatchVBCopy($Server) #Call BatchVBCopy Function
InstallPatch($Server) #Call InstallPatch Function

Start-Sleep -Seconds 300 #Sleep for 5 mins

#Checking for server online status
Write-Host “Now Checking if all the servers are online post patch installation”
$Servers = Get-Content C:\Servers.txt
Foreach($Server in $Servers)
 $Connection = New-Object Net.Sockets.TcpClient # Add RDP Port .NET class
 $Connection.Connect($Server,’3389′) #Check for RDP Port 3389 status
 if ($Connection.Connected) #Check connection has been established
  Write-Host “$Server is online after patching” -ForegroundColor Green
 Write-Host ” $Server seems to have some problem , Please check it manually” -ForegroundColor Red

$SourceServer = > where Update.VBS is stored

I Hope this script will help



I work in a enviorment , where we patch our servers on Monthly basis . Post patching it is important for us to know about the server status , How many servers got patched , How many servers are still have the downloaded patches , How many serveers have failed to install the patches Etc.

I came up with an IDEA to write a PowerShell Script to get an overall Overview about this.

Below is the script which one can use to Accomplish the above task ,

Note – Before Running the script make sure you have created a C:\Names.txt file (List of servers goes here) against which you will query WSUS server to get the details.

$global:wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer(‘wsus ServerName Goes here’,$False,Port Number goes here of your WSUS)
$computerscope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope
$updatescope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$s = Get-Content C:\Names.txt
$a = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope
$b = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$c =  $wsus.getcomputertargets($a)
$id = @()
Foreach($Server in $s)
 $id += @($c | ? {$_.FulldomainName -like “$Server*”} | Select-Object -ExpandProperty ID)

$k = $wsus.GetSummariesPerComputerTarget($b,$a)
$k | Where-Object{$id -contains $_.ComputerTargetID} | ForEach {New-Object PSobject -Property @{
ComputerTarget = ($wsus.GetComputerTarget([guid]$_.ComputerTargetId)).FullDomainName
DownloadedCount = $_.DownloadedCount
FaliedCount = $_.FailedCount
}} | Export-Csv C:\PatchResult.csv -NoClobber -Force

Note –

$global:wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer(‘wsus ServerName Goes here’,$False,Port Number goes here of your WSUS)

You need to put WSUSServerName , If you are using SSL then Please put $TRUE , and If you are using any other port otherthan 80 , then put the appropriate port ,. If you are using Default port please let it blank

script will produce C:\PatchResult.csv which contains all the required information.

Hope this will help when it comes to patching 🙂

Happy Scripting.



Reference –

Hello All, Prashant here again,

Since from few days I am getting my hands dirty with Microsoft update services. I am working in an environment where patching play’s very important and vital role . So , I built my lab to understand the process in depth and found some useful stuff which I want to share here.

Today , I will describe ,

  1.  Why WSUS over Microsoft Update site (Manual stuff )?
  2. Known Issues with WSUS 3.0 SP2 3.2.7600.226
  3. Can I download the updates from microsoft even my client systems are pointing to the internal WSUS server?

Question 1 : Why WSUS over Microsoft Update site (Manual stuff )?

Answer –  We all know WSUS is the central database software which distribute the updates which an administrator approves for all the server/client machines . WSUS Knocks down manual task of installing updates on all the computers ( I can not imagine , if I have 300 systems , I can not go to the systems one by one and check for updates manually every month) . Hence WSUS .

If any one what to know about this in deeper , I would suggest them to go through the below links ( Which even I did to understand the concepts)

Above link has everything if you are looking to learn WSUS  ,Specially deployment guide and installation and operations guide.

Question 2.Known Issues with WSUS 3.0 SP2 3.2.7600.226?

One of the most encountered error with WSUS 3.2.7600.226 is 800B0001 . If you see this error code in your windowsupdate.log file then it is WUAgent Compatibility issue . The Reason behind this error code is WUAgent version , Basically If any one of your client (Where this error code is popping up) has this error then first you need to check its WUAgent Version ( How to check WUAgent Version is Here ) If the WUAgent version is 7.6.7600.256 (which is the latest ) then you need to download the agent to 7.4.76000.226.

WUAgent 7.6.7600.256 will not go well with the WSUS 3.0 SP2 3.2.7600.226 , This will cause the Agent to stop searching for updates from WSUS server . Below is the link which explains it better

Downgrade procedure of WUAgent from 7.6.7600.256 to 7.4.76000.226

  • Download the WUAgent 7.4.76000.226 from here and store in it C:\Temp folder
  • Open command prompt and go to C:\Temp directroy
  • Run WindowsUpdateAgent30-<platform>.exe /quiet /norestart /wuforce . This is open up a dialog box and force the installation of WUAgent 7.4.7600.226
  • Again go to command prompt and run C:\wuauclt.exe /resetauthorization /detectnow . This is detect/reports the client to WSUS

Question 3 – Can I download the updates from microsoft even my client systems are pointing to the internal WSUS server?

Answer – Yes . You can download the udpates directly from microsoft , even if your client systems are pointing to the WSUS (Check Regsitry key on client system to know whether it is pointing to WSUS Server , Registry : HKLM/Software/Policies/Microsoft/Windows/WindowsUpdate/AU Key UseWUServer set to 1 it is using WSUS , if set to 0 then not using the WSUS).

One Can go to control panel , Automatic updates and click on install updates from “Windows Update Web Site”

Note – when you click on this , client system directly contacts and the windows update web site and  it will list out the appropriate updates . One can select the update and discard updates depending one the OS and the needs.

When you are carrying out this procedures you might see some error messages in windowupdate.log file , you can ignore them. Basically these are generated due to your client registry setting are made to contact your internal WSUS server for updates.


Hope this helps . This is what I have learnt in a month of my research 🙂 .



Windows Update Agent Shortly know as WUA , is responsible for generating the WSUS Client ID (Which is Unique).

 Recently I had to do a testing on one of our Client , which was having problem with reporting to WSUS. I thought of checking the WUA version on the client.

One method is to check the windows update manager log file , which I hate the most.

So, I though I will try to dig if there are some other method available for this. I got one from the internet.

Basically the WUA will be stored in c:\windows\system32 with the name wuaueng.dll file. Just we need to go to that location and right click on the wuaueng.dll file and need to go to the details. You will find the File version.

Hope this helps.