Important Notice: On February 29th, this community was put into read-only mode. All existing posts will remain but customers are unable to add new posts or comment on existing. Please feel to join our Community Discord for any questions and discussions.

Actions: Forcing windows update and installation

A while ago I came across a VB script from Rob Dunn. I am using it successfully for years now. With PDQ Deploy you can "upload" and run the script on all machines connected to your WSUS server and this way force them to download and install all the patches/fixes from WSUS server and send a final report to your e-mail address.

The script (version 2.6a), including documentation, can be found at

I highly recommend it.





Date Votes
  • Thanks for posting this, Servis. I'll check this out in my environment. 

  • Can anyone please elaborate on this procedure? I cannot figure out how the original poster was able to "upload" and run the script. I am in a similar situation trying to run the WSUS script on numerous computers in my domain.

    Thank you,


  • First of all you have to configure the script. Everything is documented within the file.

    'Install updates silently, email you a logfile, then restart the computer ->
    'updatehf.vbs action:install mode:silent restart:1


    'You need to edit the following variables:
    'sExePath - this is the location of the WindowsUpdateAgent20-x86.exe. Download
    ' it from
    'strMailFrom - arbitrary reply-to address
    'strMailto - email address you want the report to mail to (this is for manual
    ' mode
    ' - or if the command-line switch isn't specified).
    'strSMTPServer - the IP address of the email server you are sending the reports
    ' through.
    'Optional variables:
    'Silent - 0 = verbose, 1 = silent (no windows or visible information)
    'Intdebug - 0 = off, 1 = 1 (see some variables that are being passed)
    'strAction - prompt|install|detect. Prompt gives users opportunity to install
    ' updates or not, install just installs them, detect updates the WU collection
    ' and downloads the updates (but does not install them) - useful if you want to
    ' have the computer refresh its stats to the stat server but not install the
    ' updates.
    'blnEmail - 0 = off|1 = on. If set to 0, the script will not email a log file.
    ' If you specify an email address in the command-line, this will force the
    ' script to switch blnEmail to '1'.
    'strRestart - 0 = Do nothing|1 = restart|2 = shutdown. Command-switch 'restart:'
    ' supercedes this variable.
    'Command line switches:
    'action: prompt|install|detect
    'mode: silent|verbose
    'restart: 0 (do nothing)| 1 (restart) | 2 (shutdown)
    'force: 0 (do not enforce restart action - this is optional, by default it is
    ' set to 0) | 1 (enforce restart action).
    'SMTPServer: x.x.x.x or hostname; overrides strSMTPServer above.
    'emailsubject: "this is a subject" Overrides default subject. Server name is appended to this text. Use quotes if spaces exist.
    'emailifallok: 0|1, where 0 = dont send email if server up to date and no
    ' reboot pending, and 1 = always send email
    'fulldnsname: 0|1, where 0 = use server name only in subject, and 1 = use full
    ' dns name in email subject
    'Finally, rename the file with .vbs

    Don't forget to set the strSMTPServer variable.

    Deployment is easy. Create a new Installer.

    Set name,
    Set installer file (choose wuforce.vbs or UpdateHF.vbs one which you are using),
    Set aditional parameters I.E.: action:install mode:silent restart:0

    (final line should look like: cscript.exe //b "wuforce.vbs" action:install mode:silent restart:0)

    Click OK and deploy.

    Remember the file MUST BE accessible over the network and WSUS MUST BE Already configured.

  • Hi SelfMan

    Thanks for posting!! I guess I've found myself in a situation of counting my chickens before there even hatched. I am having the "usual" problems of getting all my machines checked into WSUS in the first place. I've been using the following script for that...


    net stop bits

    net stop wuauserv

    regsvr32 /u wuaueng.dll /s
    del /f /s /q %windir%\SoftwareDistribution\*.*
    del /f /s /q %windir%\windowsupdate.log
    regsvr32 wuaueng.dll /s
    regsvr32.exe %windir%\system32\wups2.dll /s
    regsvr32.exe %windir%\system32\wuaueng1.dll /s
    regsvr32.exe %windir%\system32\wuaueng.dll /s
    regsvr32.exe %windir%\system32\wuapi.dll /s
    %windir%\system32\regsvr32.exe /s %windir%\system32\atl.dll
    %windir%\system32\regsvr32.exe /s %windir%\system32\jscript.dll
    %windir%\system32\regsvr32.exe /s %windir%\system32\msxml3.dll
    %windir%\system32\regsvr32.exe /s %windir%\system32\softpub.dll
    %windir%\system32\regsvr32.exe /s %windir%\system32\wuapi.dll
    %windir%\system32\regsvr32.exe /s %windir%\system32\wuaueng.dll
    %windir%\system32\regsvr32.exe /s %windir%\system32\wuaueng1.dll
    %windir%\system32\regsvr32.exe /s %windir%\system32\wucltui.dll
    %windir%\system32\regsvr32.exe /s %windir%\system32\wups.dll
    %windir%\system32\regsvr32.exe /s %windir%\system32\wuweb.dll

    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /f
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f

    net start bits




    ...I suppose once I get my machines all in the WSUS console, I can move onto using the above script.

    Thanks again,


  • Right, I have all that in place. It's just that I am not getting 100% compliance with all of my workstations checking into WSUS. Once the machines get into WSUS, I'm golden.

    Thanks again!


  • It takes time before all the computers connect to the server properly.  You can allways use gpupdate /force + reboot. Then wuforce.vbs and you are done.

  • Yup, that too. Sometimes they just refuse to check in. This script has usually worked best for me...



  • Yeah, I know about the WSUS ID reset. That is usually necessary after you deploy computers using harddrive image.

    I am using a batch (found on net) for this purpose:

    rem Fixes problem with client machines not showing up on the server due to imaging method

    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /f
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f
    @echo Triggering detection after resetting WSUS client identity
    net stop "Automatic Updates"
    net start "Automatic Updates"
    wuauclt /resetauthorization /detectnow
    gpupdate /force /boot

  • You might find this tool to be very usefull:

    I quote:

    Download this tool, which has been designed to aid the WSUS administrator in troubleshooting client machines that are failing to report back to the WSUS Server. The tool will conduct preliminary checks and test the communication between the WSUS Server and the client machine. Once the tool has completed the tests it will display the results in the console window. The Windows Server Update Services Client Diagnostic tool is provided AS IS. No product support is available for this tool

    For more information check the readme file

  • There is also a free program called WUInstall that can perform WSUS updates with more flexibility than the current MS updates commands. The program works well with PDQ Deploy too.

  • WSUS is not very friendly and you can run some scripts to force check-in but what about the problem with the shutdown command?

    All my machines get updated but they NEVER get updated, why? Because a user has to select "Install Updates and Shutdown" and NO, there is no option to do RESTART and NO, there is no option to GPO this option and NO, there is no script to do this other than forcing a check-in with WSUS and manually doing this check-in through some script magic. 

    AA probably never heard of them but I will post the link here so you can all see what CAN be done:


    Once again, AA has the interface and the ability, so now it is just about building the WSUS functionality to do things like "Install Updates and Shutdown" and look at the screenshots. BatchPatch even has a scheduler and "reboot if required" option, so they probably incorporate all these other "hack and slash" options that SelfMan describes because I would rather have a Swiss Army Tool like AA versus paying for 10-20 programs or fiddling with my own scripts.


  • @Don Chino

    it is not necessary to cross post the same info in multiple threads, thanks.

  • I have similar issues with WSUS. Workstations get updates, but they get applied late as the computers are frequently left on ( I work in a High School) Forced reboots for updates from a policy seldom work at better than 80%. I'd loved to be able to shutdown remotely in a way that "Installs Updates and Shutdown" or better yet check for updates from WSUS then do the prior. 

  • working for me!

    Run as Logged on User

    check attached jpg.


  • I have a WSUS server.  My updates are already downloaded to my clients.  How do I kick off the install on machines that are not logged in?

    Is there a script or command to tell Windows 7 clients to install whether a user is logged in or not?


  • EDIT -

    I have a WSUS server.  My updates are already downloaded to my clients and scheduled to install on a specific day every week.  I would like the option to kick off updates on demand.

    How do I kick off the install on machines that are not logged in?

    Is there a script or command to tell Windows 7 clients to install whether a user is logged in or not?

  • Hi Joe,

    Please try WUInstall and ABC Deploy creator has a similar app (I forgot the name). Both have free versions that can perform your tasks remotely or via scripts.

  • It's called ABC Update.

  • Thanks for the info. I tried ABC Update, but it only works half the time. Pretty sure I finally got the script right. I've spent the last 6 hours trying to get one of my locations updated...and it's still not 100%. LoL I am getting a weird error in the abc log on some of the machines. WUInstall isn't free anymore. :(
  • Unfortunately, I no longer work in a company where I do the Windows' updates anymore and cannot test either program. Have you also tried BatchPatch? I have one of the last free versions of WUinstall if you would like to try that (setup a Dropbox-or some other public access) and I will send it to you. The AA guys did help me perfect the WUInstall package.

  • That would be great.  I have looked at batch patch and used the trial.  It's awesome, but I am having a a difficult time getting support for purchasing another deployment software. 

  • What, you are having a difficult time as well purchasing software that an admin should never be without to perform his or her duties efficiently? Do not even get me started down that road. I tried to purchase the PDQ Suites at my new company along with WUinstall and was resoundingly rejected. Heck, I tried to implement a free tool (WDS) and they had a conniption about that!

    I do not want to post any free tools here. Create a bogus email (one you do not need to use again) or temporary Dropbox (or similar) online storage of your choosing and I will email or upload it.

  • Hi Terrence,

    I found the free version 1.1 of WuInstall.  I think we had actually downloaded it years ago.  I have solved my Windows Update problem.  I convinced my organization to purchase another third party solution.

    Thanks for the help!

  • Glad you got them all patched. I have some later versions of WUinstall if you would like them. They are free too.

    What was the other third party solution you convinced your company to purchase?

  • Same here, I've got over 30 machines running automated tests and I need to update them "bulk mode".

    Downloaded WuInstall 1.1 and I'm doing tests with it now, would be great if Admin Arsenal added such functionality to PDQ Deploy so we wouldn't have to use 3rd party software for that...

  • We went with BatchPatch.  The real time monitoring of downloads and installs was the kicker.  I can see everything.

  • FYI, WuInstall 1.1 works with Windows 7 well I deploy it as "Install" step with "/install" parameter, success codes "0,1,2,3,10,11", second step "CMD" with simple "shutdown /r /t 0"

  • I'd like to throw in here for adding Windows Update functions to PDQ! BatchPatch looks like it does all of what I'd like to do with Windows Updates on remote computers, but I feel like PDQ should include functions like this too. 

  • I Second Bryant. I would also love to have some WSUS functions in PDQ.
    I love PDQ more and more everyday, but Windows updates are still a pain.

    So ability to run WSUS/WU functions from PDQ are top of my list.
    Could be to force WU runs ad hoc. Run WU and boot now
    Could be to scan for missing patches and force deploy of those.

    But mostly some kind on reporting or inventory collection in PDQ inventory.  if I could overview what is patched properly and whats missing. WSUS suck on this.

    Shawn mentioned some considerations was done in the thread linked below, I wonder if there are any progress? Please, pretty please :-)


    Reason for my comment is that I'm in the market for a patch now to patch 100servers/400clients based on WSUS and GPOs, and looks like batch patch is the best way for us to go unless AA bring something to the table.