Ramblings From The Litter Tray of Life

Posts Tagged ‘WSUS’

Wuauclt Switches

Posted by graycat on 27 August 2008

Now if you’ve been reading any of my recent posts you’ll have noticed I’ve been hitting the Windows Update Service quite a bit. Well there’s a darn good reason for this – I’ve needed to find a solid solution to some of my minor issues at my professional job (no, not street walking!).

Right, let’s start with the easy one: “what the heck is wuauclt and what’s it got to do with me?”

Well, my young friend, it is the process that manages automatic updates for Microsoft Windows; it continuously checks for the latest updates and uses the Internet to do so. If you hit up the task manager you will most likely see it kicking about on your process list. Don’t be afraid, it’s a good thing. Honest. Look, if you’ve got Windows you’ll need to keep it up to date so just get on the update train, ok??! 🙂 lol

Now if you’re in the situation where you want to manually kick off the registration with a WSUS server then you may have already heard of /detectnow, which forces the machine to check if there are any updates available for it. This is useful because waiting for detection to start can be a time-consuming process and a pain in the butt.

Another good one is /resetauthorization. WSUS uses a cookie on the client computers to store various types of information, including computer group membership when client-side targeting is used, and this can cause a hiccup here and there. By default this cookie expires an hour after WSUS creates it but you never know.

You can actually combine the pair of these to not only reset the stored info but check if there’s anything new to apply and have the WSUS server update computer group membership.

What isn’t as widely known are the other switches that are hiding. One of the reasons for this is that “wuauclt.exe /?” does sweet bugger all and is really annoying. However, I recently found a great post outlining the mystery options here.

The highlights of which IMO are:

  • /downloadnow – kicks off the download processes regardless of the time schedule
  • /TestWSUSServer – test the connection to the server

There’s a fantastic list of these switches over here which is well worth a look. In fact, have a wander round the whole site as it’s a gold mine for WSUS knowledge.


WSUS in the Workgroup

Posted by graycat on 27 August 2008

Sometimes you might be needing an update server in a small company or network where there is no domain or, like me in this case, you’re building a new machine and need to update it without joining it to the domain. Now even if you install the OS using the latest repository from the manufacturer you are going to have to update it further. This updating can take ages when pulled over the inter-web from MS so accessing a WSUS server would be ideal.

Well with a little work, you can get a workgroup machine to use your domain WSUS server ….. and here’s how.

Two main options really (as laid out here by Microsoft) – policy based and registry based. I’m not going to go into the policy based stuff as that’s really well covered in the MS page and very straightforward. The method I’ve just used though is adding to the registry.

After a little searching I ran across a few reg keys that’ll point the machine towards the right WSUS, set download / install options and even drop it into the right WSUS group. In the end I went with these reg settings:

Windows Registry Editor Version 5.00

; Which WSUS server to pull updates from and report status to
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://192.168.0.100"
"WUStatusServer"="http://192.168.0.100"

; Automatic Updates behaviour: download, install and reboot options
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AUOptions"=dword:00000002
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
"NoAutoUpdate"=dword:00000000
"RescheduleWaitTime"=dword:00000005
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000000
"UseWUServer"=dword:00000001

The first few keys are pretty self-evident as specifying your WSUS server. I’ve seen people suggesting that the server name, FQDN and IP address all work but I could only get the IP address to work and think this is a better solution anyway. In these keys you will also need to specify the port number to use if it is not the default port 80. This is done thus: “http://192.168.0.100:8530”.

The AU section is where it gets interesting and allows you to set all the options such as downloading, installing and reboots. The AUOptions dword options go like this:

  • 1 – Keep my computer up to date has been disabled in Automatic Updates.
  • 2 – Notify of download and installation.
  • 3 – Automatically download and notify of installation.
  • 4 – Automatically download and scheduled installation.

Personally I’m an option 3 kinda guy when it comes to servers, ie: download it but I’ll give final approval to install it or not manually. Yes, this takes more time but it’ll save a lot more time if something goes wrong IMO.

The other keys are pretty easy to follow so I won’t rewrite the MS article but here’s an overview.

ScheduledInstallDay – which days to install on. 0 = every day

ScheduledInstallTime – what time you want the install to run using 0 – 23 time format (for the hours if you’re not hip with the military speak)

NoAutoUpdate – enables or disables autoupdate.

NoAutoRebootWithLoggedOnUsers – true or false situation. If set to 1, will not automatically restart a computer while users are logged on.
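
A read-only check of the settings above, as an added example that is not part of the original post. It assumes the .reg file has been imported on the machine being checked and that PowerShell is run locally; the finding messages are illustrative wording.

```powershell
# Added example: read-only audit of the WSUS client policy values set by the .reg file.
$wuKey = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path (Join-Path $wuKey 'AU') -ErrorAction SilentlyContinue

# AUOptions meanings as listed in the post.
$auOptions = @{
    1 = 'Automatic Updates disabled'
    2 = 'Notify of download and installation'
    3 = 'Automatically download and notify of installation'
    4 = 'Automatically download and scheduled installation'
}
$findings = @()
$mode = $null

if (-not $wu -or -not $au) {
    $findings += 'Policy keys not found: the .reg file has not been imported.'
} else {
    $mode = $auOptions[[int]$au.AUOptions]
    if (-not $mode) { $findings += "AUOptions '$($au.AUOptions)' is not one of 1-4." }
    if ($au.UseWUServer -ne 1) { $findings += 'UseWUServer is not 1, so WUServer is ignored.' }
    if ($au.NoAutoUpdate -eq 1) { $findings += 'NoAutoUpdate is 1, so Automatic Updates is off.' }
    if ($wu.WUServer -ne $wu.WUStatusServer) {
        $findings += 'WUServer and WUStatusServer differ; they are meant to match.'
    }

    # The URL must carry a scheme, plus the port when the server is not on port 80.
    $uri = $null
    if (-not [System.Uri]::TryCreate([string]$wu.WUServer, [System.UriKind]::Absolute, [ref]$uri)) {
        $findings += "WUServer '$($wu.WUServer)' is not a full URL."
    } else {
        if ($uri.Scheme -eq 'http') {
            $findings += 'WUServer uses http, so traffic to the update server is unencrypted.'
        }
        # Plain TCP connect to the configured host and port; nothing is sent.
        $tcp = New-Object System.Net.Sockets.TcpClient
        try { $tcp.Connect($uri.Host, $uri.Port) }
        catch { $findings += "Cannot connect to $($uri.Host) on TCP port $($uri.Port)." }
        finally { $tcp.Close() }
    }
}

if ($mode) { "Update mode: $mode" }
if ($findings) { $findings | ForEach-Object { "FINDING: $_" } } else { 'No findings.' }
```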


The Trouble With WSUS

Posted by graycat on 18 June 2008

Now I love WSUS 3.0 and think it’s a great service to add to even a small business. In fact, once I’d got a test version going, I couldn’t believe how good it was and quickly rolled it out across the company.

But there is a flaw. The one single issue I have with it ….. is it’s a complete bugger to troubleshoot when it doesn’t work properly! This is especially annoying as it is so easy to install, configure and get running usually. It’s just when it dies then it’s a nightmare.

Ok, well maybe that’s not entirely true. There is a pretty robust logging side to it so you can see what’s going on and hopefully where it’s failing. However, when you get beyond this then you’re in for an interesting time. And I don’t mean involving 4 rolls of cling film, two midget strippers and a waffle iron!

My most recent run in with a wayward WSUS system was when I was called in to consult on a small business who were having some networking issues as well as WSUS seemed to be playing up. As I knew these systems pretty well already, I wasn’t overly concerned and set about my usual recon to see the lay of the land. Unfortunately I had an internet connection that made Amy Winehouse look stable and well balanced so this took some time. After a while I tracked down a few DNS, DHCP and AD replication issues if not their causes. The WSUS issue was a great one though – for all intents and purposes the whole damn thing had disappeared!

After much searching it was kind of located and I set about trying to connect to it through the console as per usual but no dice. With some more time searching I decided it was time to reinstall the application (but leave the database and files) and see if I could breathe some life into it.

My messiah-like skills failed me and the server did not rise like JC on Easter Day.

The situation was now that the application would install but just as the configuration wizard was about to kick off it would die with a nice message saying “the console can’t connect to the server” and basically asking to make sure it was even there. Not all that much use but at least I could say the application was installed.

Google proved to highlight that this was not an uncommon situation and that there are numerous causes and solutions to match. After running through the first few and discarding those that don’t apply to this install I was left waving the finger of blame towards .NET runtime 2 causing some issues with file permissions. A quick reinstall of .NET 2 and resetting the local file permissions and I was feeling good.

Until the console would still not connect!

A palm to the forehead and I realised I’d have to restart the services at the very least. So a few clickety clicks later and the services were reset and the console was firing up….. all the way into a successful connection to the WSUS server.

Simple in hindsight but all the possibilities meant that everything had to be crawled through one step at a time. In the future, just remember that with anything to do with websites (that’s how the updates are served I believe) there’s going to be .NET of some kind in there, as well as the networking service if it’s permissions based too.

Ok, not sure if any of that made sense but it’s heading towards 1am and I can definitely hear my bed calling me. The rest of it can wait until the morning.
