Saturday, February 13, 2016

Windows Update Agent Utility (WUAUclt.exe)

Just some sysadmin notes…nothing to see here.

  • Windows Update Agent Utility (wuauclt.exe) - pauby.com
  • wuauclt - Windows Update - Windows CMD | SS64.com
  • Appendix H: The wuauclt Utility – Windows Server TechNet page
  • wuauclt commands to force reporting of status? – Windows Server TechNet page
    • The /reportnow function is a very tricky beast, and it somewhat requires an understanding of the natural behaviors of the WUAgent.

      When the WUAgent performs activities, it queues up all of those completed activities as 'events'. When the WUAgent quits working, an idle timer is engaged, and when the WUAgent has been idle for ~20 minutes, it invokes a call to the ReportingWebService. You can see these calls in the WindowsUpdate.log and compare their timestamps with the entries just previous.

      If the /reportnow action is invoked after the WUAgent becomes idle and before the regular call to the ReportingWebService, an immediate call to the ReportingWebService will be invoked. You can also see this in the WindowsUpdate.log.

      However, the call to the ReportingWebService is not the end of the line. Those events reported in that call are loaded into a buffer, and the WSUS server then processes those events asynchronously. If the WSUS server is also busy doing other things or other clients are also reporting at the same time, there will be an additional delay until the results are visible in the WSUS console.

      The real thing to remember is that, at best, the /reportnow task isn't going to save you much more than 20-30 minutes, so usually just waiting is the more efficient approach to the whole thing.

      as commented by Lawrence Garvin

  • wuauclt and other questions about WSUS – Windows Server TechNet page
  • When run from the command prompt on a client in the form of "wuauclt.exe /resetauthorization /detectnow", this command will kick off a manual check in with the configured WSUS server (or WindowsUpdate website, if you're using that instead of WSUS).  You can verify this occurs by opening the windowsupdate.log file located in the Windows directory.

    If you manually run wuauclt.exe with the above listed switches, it will check in with WSUS, and then behave based on your update configuration, either configured locally on each client, or through Group Policy.  So, if you have your clients configured to download any available updates, it will do so.  Or, if you have your clients configured to just check in and inform you there are updates without downloading, it will do that also.

    The windowsupdate.log file, located on the individual clients, will have all the information pertaining to how wuauclt runs on their individual systems.

    as commented by John

    and…

    To expand on John's answer...

    There are three functional uses for the WUAUCLT.EXE command.

    1. wuauclt /detectnow  -- initiates a detection event to the assigned update services resource (AU or WSUS).

    2. wuauclt /resetauthorization /detectnow -- this is actually a special case version of the previous command. The /resetauthorization parameter forces the targeting cookie to be immediately expired. Normally the cookie has an ~60 minute expiration. Typically this form of the command is used when server-side targeting is being used, and a client system has just been reassigned to new group(s) via the WSUS console. Use of this command forces the WUAgent to discard any previously known group memberships and to requery the WSUS server for the current memberships. This command should also be used when the SusClientID has been deleted and a detection was performed within the previous hour to ensure the WUAgent does not use the SusClientID that is cached in the targeting cookie. Also note that the order of these parameters is critical -- the /resetauthorization flag must be the first of these flags on the command line.

    3. wuauclt /reportnow -- IF a recent event has completed and there are PENDING EVENTS to be reported to the WSUS server, this command will force the immediate flushing of that reporting event queue. If there are no pending events to be reported, this command does nothing.

    No other parameters are supported or documented -- although many are defined in the source code and have been extracted via reflection. Some of them have experimental functionality, but should not be used in a production environment.

    as commented by Lawrence Garvin

And the commands for copy-paste.

  • wuauclt /ResetAuthorization /DetectNow
    • wuauclt /a /d
  • wuauclt /ReportNow
    • wuauclt /r

moving on…

--Claus Valca

No comments: