WuInstall: Windows Updates with a command

WuInstall: Windows Updates with a command

   

WuInstall

Contents of this article

The
best practice for updating anything—whether it’s a Windows system or a
line-of-business application—is to perform the update in a test or
pre-production environment first. After an evaluation period, in which
you should confirm everything works well, you can apply the update to a
production environment.

This
is especially important on servers. On clients, it is more common to
give a small group of users the updates first and raise a support
request if anything does not work as expected. The whole process can be
quite cumbersome and time consuming, especially in larger environments.
Many third-party products are available to deploy Windows updates, but
most of them usually require separate servers deployed and configured.

WuInstall
is a simple command-line tool you can use right away to deploy patches
in minutes. In this review, I will demonstrate how easy it is to work
with the tool.

Installing WuInstall ^

The only thing you need to do is to download WuInstall from their website and extract WuInstall.exe from the zip archive. Yes, it’s that simple.

WuInstall
is a command-line tool only. If you execute it without any parameters
or start it via double-click, you will get a simple UI with a few
buttons that lead to online sources. The Usage button opens up a graphical version of help with all parameters explained.

WUInstall GUI

WUInstall GUI

Note:
There is also a WuInstallAMD64.exe available, but WuInstall.exe worked
just fine on Windows Server 2019. Throughout this post, I will use
WuInstall.exe.

Working with WuInstall ^

The tool has several basic options and dozens of advanced parameters. Use WuInstall.exe /help
to get a list of parameters and brief descriptions. You can also refer
to the PDF document found in the downloaded zip archive for even more
detailed information.

WUInstall help

WUInstall help

To use WuInstall, you always need to specify a single basic option followed by optional advanced parameters. For example:

1 WuInstall.exe /download_to “D:WuInstall” /logfile “D:myLog.txt”

This
will scan the computer for missing updates, download them to the
Windows Update cache folder (C:WindowsSoftwareDistributionDownload by
default), copy them to D:WuInstall, and create an additional log file.
The log is a simple text transcript of messages with timestamps shown
from the command prompt.

Note: When using WuInstall interactively on a local computer, always run it from a command line with elevated permissions.

Windows Update vs. WSUS ^

WuInstall
is written in C++ and uses native Windows Update application
programming interfaces (APIs). Therefore, if the target system is
configured to download updates from a Windows Server Update Services
(WSUS) server, WuInstall will search and download from a WSUS server by
default. If there’s no WSUS server configured, it will use the standard
Windows Update server. You can change this behavior via the optional
parameter /UseUpdateService with the options MicrosoftUpdate, WindowsUpdate, WSUS, or Default. For example:

1 WuInstall.exe /download /UseUpdateService MicrosoftUpdate

This will search and download all patches available for the target system on the Microsoft Update services server.

Skipping the WSUS server and using Microsoft Update services

Skipping the WSUS server and using Microsoft Update services

Note:
Windows Update only offers updates for the Windows operating system
itself, while Microsoft Update also covers other products like Office.

Saving bandwidth usage with cache options ^

Another
cool WuInstall feature is the possibility to create an update cache
from any network share available. This might be especially handy for
branch offices with slower WAN connections where downloading updates
from multiple computers might take a long time or cause issues with
other services. You can create the cache and download updates without
applying them first via the following command:

1 WuInstall.exe /download_cache \sharecache

Or you can create the cache and install the patches right away:

1 WuInstall.exe /install_cache \sharecache /nocachedel /autoaccepteula /silent /reboot_if_needed /rebootcycle 3

Now
when you run the command on any other computer, it will first check
whether the patch is available in the cache folder before trying to
download it from the internet.

Installing updates ^

I was surprised how easy it is to search, download, and install updates with a single command:

1 WuInstall.exe /install /autoaccepteula /silent /reboot_if_needed /rebootcycle 3

The /reboot_if_needed
parameter is needed because by default, WuInstall will not restart the
computer. In some cases, one reboot is not enough to apply all patches.
You can solve this by adding the /rebootcycle parameter, which will start another round of updates after the reboot.

Updating remote computers ^

So
far, I have worked with WuInstall interactively. But its main benefit
is the ability to update remote computers. There are several options to
achieve this. The first is the built-in option /remote, which uses the PAExec tool (similar to PSExec). To update remote computers, use the following command:

1 WuInstall.exe /install /remote “\mgmt,dc -u labadministrator -p Passw0rd” /autoaccepteula /silent /reboot_if_needed /rebootcycle 3

Another option is to create a text file with one computer name per line and let the command read the file:

1 WuInstall.exe /install /remote “@computers.txt -u labadministrator -p Passw0rd” /autoaccepteula /silent /reboot_if_needed /rebootcycle 3

What will actually happen is that PAExec will copy WuInstall.exe to the remote computer ADMIN$ share and call it from there.

WUInstall remote functionality

WUInstall remote functionality

Another
possibility is to use PSExec from Sysinternals. For this, you should
have WuInstall.exe available on a network share accessible by the remote
computer. In this example, I will run the updates from a cache folder:

1 psexec.exe \mgmt -u labadministrator -p Passw0rd -c -s \sharewuInstall.exe /install_cache \sharecache /autoaccepteula /silent /reboot_if_needed /rebootcycle 3

If you run this command on multiple computers, add the -d parameter to PSExec.exe so it does not wait for each computer to finish.

However,
both methods require you to enter the password in some way; otherwise,
the command would fail. In the first case of PAExec (WuInstall.exe /remote),
it would fail right away with an access denied error. In the second
case with PSExec, this would fail on the access denied to the remote
share.

A simple way of applying updates to remote computers
without specifying the username and password is to copy WuInstall.exe to
the remote computers (in my case C:temp) in advance and then run the
following command:

1 psexec.exe \mgmt -s C:tempWuInstall.exe /install /autoaccepteula /silent /reboot_if_needed /rebootcycle 3

Unfortunately,
it is not possible to use the cache folder here because accessing a
remote share without credentials would fail with an access denied error.

As
you may correctly assume, you have to run this command (or script)
under a user account that has administrative privileges on the target
computers. Also remember that both options require Server Message Block
(SMB) ports 137 and 445 open on the target computers.

Conclusion ^

As
you have seen, using WuInstall to manage Windows updates is a fast,
straightforward process. It only takes a few minutes to get the tool and
start updating. There are many advanced options available that I was
unable to cover in this review. To get more information about specific
options and pricing, visit the WuInstall website.