In my opinion the absolute best alternative to windows native WUAUCLT commands
wuauclt.exe /resetauthorization /detectnow
would be the WuInstall (Freeware) Tool. below is a download link and Basic how to on the usage of the Windows Update Install Tool. it gives you more control over your updates.
1. Basic functions
There are three basic switches. Exactly one of them must be specified in order for wuInstall to do something. It makes no sense to specify more than one of those switches (e.g. wuInstall /search /install), because download automatically includes a search and install automatically includes search and download.
1.1. Searching for updates
The simplest command in WuInstall is just searching for updates:
It lists all update which are available. It either searches on the Windows Update Server in the Internet, or, if configured, on your WSUS. It has no impact on your system at all, it just does a search ans lists what was found.
1.2. Downloading updates
You can download updates with WuInstall with
It does the same search as WuInstall /search and then downloads the updates which were found. WuInstall itself does not download anything, but it triggers the Microsoft Windwos Update Engine, which downloads the updates.
1.2.1. Downloading updates to a certain directory
The download option can be extended, in order to also copy the installation packages included in the download to a certain directory (e.g. for manual installation and distribution)
WuInstall /download_to "c:updates_download"
Does exactly the same as WuInstall /download, but afterwards it copies the contents of the downloaded updates (usually .exe or .msi-files) for example to c:updates_download, from where they can be installed manually or copied and used for patching other machines
1.3. Installing updates
To install the updates, you use:
It again searches the updates, downloads them (if they have not already been downloaded by a previous wuInstall /download command) and then installs them.
2. Selecting updates
With various switches, you can narrow the results of the search for updates and therefore also the updates which are downloaded and installed. You can use criteria queries, search updates which match certain names, severities, products or classifications.
Tip: In subsequent examples, we only use the /search option to illustrate how to select updates. This option is ideal to test certain switches, because it just lists the updates and has no further impact on the system. Of course, also the /download or /install switch can be used with all follwing the examples.
2.1. Specifying criterias
With /criteria you can specifiy a query string, in order to change the search. The default criteria (when no /criteria is specified) is “IsInstalled=0 and Type=’Software'”.
Tip: For how the query string can be built see MSDN
You can, for example search for updates which are already installed:
wuInstall /search /criteria "IsInstalled=1"
(here, obviously, a /download or /install makes no sense)
Furthermore you can also just select Drivers:
wuInstall /search /criteria "IsInstalled=0 and Type='Driver'"
or Drivers and Software:
wuInstall /search /criteria "IsInstalled=0 and Type='Driver'
2.2. Matching specific search strings
With the /match option, you can get updates of which the title matches a specific search string.
Tip: You can test the /match option for example with /criteria “IsInstalled=1”, because then you (usually) have a very long list of updates in your search.
For example, you can search for a specific update:
wuInstall /search /match "KB956844"
only lists the “Security Update for Windows XP (KB956844)” In the WuInstall Pro Version /match also supports regular expressions, for example find all updates which have the terms “Language” OR “KB93” OR “Live” in their title:
WuInstall /search /match "(Language|KB93|Live)"
2.3. Not Matching specific search strings
In the WuInstall Pro Version, there is, corresponding to the /match-switch also a /nomatch-switch For example, search all Updates which do NOT match “SQL” OR “Windows” OR “KB”
WuInstall /search /nomatch "(SQL|Windows|KB)"
/match and /nomatch can, of course, also be used in combination, for example search all Updates which match “SQL” OR “Office” but do not Match “KB” or “Microsoft”
WuInstall /search /match "(SQL|Office)" /nomatch "(KB|Microsoft)"
2.4. Search string in files
It is also possible to put search strings in a file. For example, you create a file match.txt with the following search string (seperated by a newline): c:Datamatch.txt
KB93 KB94 KB95 Office Internet Explorer 8
If you execute
wuInstall /search /matchfile c:Datamatch.txt
Your will get all updates matching KB93, KB94, KB95, Office or Internet Explorer 8. There is also a /nomatchfile switch which does the opposite, which excludes updates matching one of the search terms in the file.
wuInstall /search /nomatchfile c:Datamatch.txt
Regular expressions are also possible as search expressions in the files.
Each security update has a certain severity. There are five possible severities:
- Critical (C): A security issue whose exploitation could allow the propagation of an Internet worm without user action
- Important (I): A security issue whose exploitation could result in compromise of the confidentiality, integrity, or availability of users’ data, or of the integrity or availability of processing resources.
- Moderate (M): Exploitation is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.
- Low (L): A security issue whose exploitation is extremely difficult, or whose impact is minimal.
- Unknown (U): No information about the severity is available
In letter the brackets is the code for the /severity – option. Just put the letters together to select multiple severities. For example, all critical and important updates:
WuInstall /search /severity CI
Tip: The severity is only filled for security updats, so it is not really suitable for finding high priority updates as security updates usually ARE high prioritoy updates. Classification is better for that purpose.
Each update belongs to one of those classifications:
- Critical Updates (C)
- Security Updates (S)
- Updates (U)
- Update Rollups (R)
- Services Packs (E)
- Feature Packs (F)
- Definition Updates (D)
Just put the letters in the bracket together to select multiple severities. For example, select all security updates, critical updates and Updates:
WuInstall /search /classification SCU
Tip: High priority updates can best be found with the classification CRS (Critical, Security and Update Rollups), however sometimes also U (Updates) can be high priority. Generally speaking, selecting which updates are high priority and which are not is up to the administrator, there is no general rule how to automatically match the high priority catgorization on the microsuft update website
Each update belongs to a Microsoft product, for example Office 2003, Windows XP, Visual Studio 2008, Silverlight, … The /product switch enables to search by one product. For example, find all Updates for Visual Studio 2008:
Tip: The product name has to match exactly, so just specifying “Visual Studio” here would produce no results.
WuInstall /search /product "Visual Studio 2008"
Tip: All update selection options (/match /nomatch /matchfile /nomatchfile /severity /classification /product) can be used in combination with each other!
3. Additional options
There are some additional options with which you can control the behavior WuInstall and the installation of updates. For example rebooting the system, bypassing the wsus or accepting EULAs without user interaction.
The reboot-option just reboots the system n seconds after WuInstall has finished. It can be used together with seach, download or install and it can also be used standalone. For example, reboot in 30 seconds:
WuInstall /reboot 30
If no time interval is specified, 10 seconds is the default delay. Reboot 10 seconds after the updates have been installed:
WuInstall /install /reboot
Tip: The /reboot option reboots the system after executing WuInstall unconditionally after the specified number of seconds. The result of WuInstall has no influence whether if there is a reboot or not.
3.2. Bypassing the WSUS
If you have a WSUS, but want to go for the Windows Update Site instead of WSUS for some reason, you can use the option /bypass_wsus to bypass the WSUS server for the time WuInstall is executed. For example, bypass wsus and install update KB956844 from the Windows Update Site:
WuInstall /install /bypass_wsus /match "KB956844"
After execution of WuInstall, WSUS is re-activated for your system. This option automatically executes the Sc stop wuauserv and Sc start wuauserv commands in order for the bypass to take effect.
Tip: If WuInstall fails for some reason or is aborted before it finishes, the registry key HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsWindowsUpdateAU, Value UseWuServer is still set to 0. You have to set it to 1 manually, in order to tell your system to use WSUS again.
3.2. Selecting another WSUS
Quite the opposite of the bypass_wsus option is the /use_wsus option. If you want to choose another WSUS or if you have no WSUS configured at the machine and want to get updates from a certain WSUS, the use_wsus option can force WuInstall to use a certain WSUS For example, install your updates from the server wsus2 instead of wsus1:
WuInstall /install /use_wsus http://wsus2
WuInstall writes something like this:
You are using WSUS Server http://wsus1 use_wsus specified .... WUServer and WUStatusServer successfully set to http://wsus2
After execution of WuInstall, the initial state is restored (e.g. wsus1 is re-activated or WSUS is switched off again if it was off)
use_wsus specified, reactivating WUServer http://wsus1, WUStatusServer http://wsus1 ... successful!
Tip: If WuInstall fails for some reason or is aborted before it finishes, the registry keys HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsWindowsUpdateAUUseWuServer, HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsWindowsUpdateWUServer, HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsWindowsUpdateWUStatusServer have to be reset manually to the initial state
3.3. Accepting EULAs
Some updates require the user to accept an EULA in order to install. To automate this, the /autoaccepteula option automatically accepts all EULAs for updates which require this, without any user interaction or interruption. Example:
WuInstall /install /autoaccepteula