Active Directory/Documentation/WSUS Update Agent Script

From WolfTech

[I came across this at and wanted to share it with the rest of you... may be useful for forcing WSUS patches on the fly, or to require the first time a computer is joined to the domain. --Dan]

[3/20/09 -- most of this functionality has been placed into SpecOps GPUpdate; but we'll keep this information for technical information. (djgreen)]

This script (the core was pulled from Microsoft's website, and the Windows Update Agent install was borrowed from Torgeir Bakken - thank you!) tells the WU Automatic Update Client (wuauclt.exe) to 'detectnow', then downloads and installs the Windows updates that are missing compared to its update server. It works with both WSUS and the regular Windows Update site.

You can force a client to restart after the updates have been applied (if a reboot is pending, or if you plain just want to restart for the heck of it).

The script is highly configurable, and should fit most applications where users/admins need to force a download and installation of approved updates.

NOTE: If there are a LOT of downloads to pull, the status window (or log) will say "Downloading" for that entire time. I'm not sure how to get a download progress of each update...maybe someone can help me with that.

Note on command-line switches: If you don't specify a switch (for example, 'email:') the corresponding variable defined in the script will provide the needed information (command-line switches take precedence).

Why use this script?

Our desktop deployment technicians needed a script that would pull updates immediately and install.

We have some computers that are sometimes logged on or not (but they run services that must be running almost constantly), and are never rebooted.

The user ignores the 'you have new updates available' message, so updates are never installed. This script will let you install the updates, and then it tells the WUA to present the 'restart' message - which more users are apt to respond to.

If the client running the script doesn't have the 2.0 WUA installed, Torgeir's portion of the script will automatically install it (please contact me if this doesn't work - I modified his script slightly to plug into mine!).

After the script runs, it will email a recipient the resulting logfile that is produced.

You need to edit the following variables

  • sExePath - this is the location of the WindowsUpdateAgent20-x86.exe. Download it from
  • strMailFrom - arbitrary reply-to address
  • strMailto - email address you want the report to mail to (this is for manual mode - or if the command-line switch isn't specified).
  • strSMTPServer - the IP address of the email server you are sending the reports through.

Optional variables

  • Silent - 0 = verbose, 1 = silent (no windows or visible information)
  • Intdebug - 0 = off, 1 = on (see some variables that are being passed)
  • strAction - prompt|install|detect. Prompt gives users opportunity to install updates or not, install just installs them, detect updates the WU collection and downloads the updates (but does not install them) - useful if you want to have the computer refresh its stats to the stat server but not install the updates.
  • blnEmail - 0 = off|1 = on. If set to 0, the script will not email a log file. If you specify an email address in the command-line, this will force the script to switch blnEmail to '1'.
  • strRestart - 0 = Do nothing|1 = restart|2 = shutdown. Command-line switch 'restart:' supersedes this variable.

Command line switches

  • action: prompt|install|detect
  • mode: silent|verbose
  • email:
  • restart: 0 (do nothing)| 1 (restart) | 2 (shutdown)
  • force: 0 (do not enforce restart action - this is optional, by default it is set to 0) | 1 (enforce restart action)
  • emailsubject: - Text for custom subject enclosed in quotations (i.e. "This is a custom subject") - (v2.2 and newer)
  • fulldnsname: 0 (use non-qualified server name) | 1 (use fully qualified DNS name of the server that the script ran on) - (v2.2 and newer)
  • emailifallok: 0 (don't email a report if there are no problems with the update process) | 1 (email report whether there are errors or not) - (v2.2 and newer)
  • smtpserver: x.x.x.x or smtp mail hostname (define an alternate SMTP server) - (v2.2 and newer)
  • logfile:"x:\path\log.txt" - (v2.3 and newer)
  • authtype: cdoAnonymous|cdoNTLM|cdoBasic (SMTP authentication type)
  • authID: userid (SMTP authentication ID)
  • authPassword: password (SMTP authentication password) - (v2.6 and newer)

Finally, rename the file so that it has a .vbs extension.

Example of usage

Install updates silently, email you a logfile, then restart the computer -> updatehf.vbs action:install mode:silent restart:1

Detect missing updates, email you a logfile, then do nothing (no restart) -> updatehf.vbs action:detect mode:verbose restart:0

Prompt user to let them decide whether or not to install updates, email you a logfile, prompt user for restart -> updatehf.vbs action:prompt mode:verbose restart:1

Install updates silently, email you a logfile, then shut down the computer if a reboot is pending -> updatehf.vbs action:install mode:silent restart:2

Install updates silently, email you a logfile, then shut down the computer no matter if a reboot is pending or not -> updatehf.vbs action:install mode:silent restart:2 force:1

Detect missing updates or pending reboot silently, email you a logfile, then restart if there is a pending reboot -> updatehf.vbs action:detect mode:silent restart:1

Detect missing updates or pending reboot silently, email you a logfile, then restart no matter if there is a pending reboot -> updatehf.vbs action:detect mode:silent restart:1 force:1
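
The following added example (not code from the original updatehf.vbs) shows one way to apply the rules described on this page: name:value switches override the in-script defaults, values are checked against the documented choices, and restart/force is resolved the way the usage examples above describe. The default values and the helper names Require, OneOf and PowerAction are assumptions; only the action, mode, restart, force, email and authPassword switches are handled.

```vbscript
' Added example, not the original updatehf.vbs code. Defaults are placeholders.
Option Explicit
Dim cfg, arg, pos, key, k, rebootPending
Set cfg = CreateObject("Scripting.Dictionary")
' In-script defaults, standing in for the variables the page says to edit.
cfg("action") = "detect" : cfg("mode") = "verbose"
cfg("restart") = "0"     : cfg("force") = "0"
cfg("email") = ""        : cfg("authpassword") = ""

' Switches are name:value. Split on the FIRST colon only, so a value that
' itself contains a colon (a path, for example) is kept whole.
For Each arg In WScript.Arguments
    pos = InStr(arg, ":")
    key = ""
    If pos > 1 Then key = LCase(Left(arg, pos - 1))
    If cfg.Exists(key) Then
        cfg(key) = Mid(arg, pos + 1)       ' command line overrides the default
    Else
        WScript.Echo "Ignoring unrecognised switch: " & key
    End If
Next
Require "action", "prompt|install|detect"
Require "mode", "silent|verbose"
Require "restart", "0|1|2"
Require "force", "0|1"

' Windows Update Agent reports whether a reboot is pending.
rebootPending = CreateObject("Microsoft.Update.SystemInfo").RebootRequired
For Each k In cfg.Keys
    If k = "authpassword" And cfg(k) <> "" Then
        WScript.Echo k & " = ********"     ' keep the SMTP password out of logs
    Else
        WScript.Echo k & " = " & cfg(k)
    End If
Next
WScript.Echo "power action = " & PowerAction(cfg("restart"), cfg("force"), rebootPending)

Sub Require(name, allowed)                 ' stop on a value outside the documented set
    If Not OneOf(cfg(name), allowed) Then
        WScript.Echo "Invalid value for " & name & ": expected " & allowed
        WScript.Quit 2
    End If
End Sub
Function OneOf(value, allowed)
    Dim item
    OneOf = False
    For Each item In Split(allowed, "|")
        If StrComp(value, item, vbTextCompare) = 0 Then OneOf = True
    Next
End Function
Function PowerAction(restart, force, pending)
    PowerAction = "none"                   ' restart:0 never touches power state
    If restart = "0" Then Exit Function
    If force = "1" Or pending Then         ' force:1 acts even with no reboot pending
        If restart = "1" Then PowerAction = "restart" Else PowerAction = "shutdown"
    End If
End Function
```

Run it with cscript and the same switches as updatehf.vbs (for example action:install restart:2 force:1) to see the effective settings and the resulting power action; it only reports and changes nothing on the machine.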