Using an Alternate WSUS Server for BatchPatch Windows Update Actions – Part 2

I recently wrote about how to use an alternate WSUS server with BatchPatch. That posting is long and contains a lot of information about the process. I recommend that you read through it to learn about how everything fits together with BatchPatch, WSUS, and Group Policy. However, today I’d like to just get straight into a tutorial so that you can see step by step what to do without sorting through so much information.

Quick explanation of how a target computer knows which WSUS to use:

The WSUS server that any computer uses is controlled by Group Policy. Group Policy settings are generally applied to a computer in the form of registry entries. In the case of WSUS, a Group Policy applied to a group of computers sets registry values on those computers, and those values tell the computers the address of the WSUS server. You can modify these registry entries directly, but note that when Group Policy refreshes, your direct edits to any registry values that are controlled by Group Policy will revert to the Group Policy settings. If you want a target computer to look for updates on a different WSUS server than the one your Group Policy currently specifies, you can modify the registry of the target computer, check for updates, and then modify the registry again to put back the original settings (or just leave it until Group Policy refreshes on its own and resets the values automatically). Below I’ll show you how you can do that in BatchPatch.

How to use BatchPatch on target computers, specifying an alternate WSUS server:

  1. Create a remote command to check which WSUS server address is currently in use by target computers: In BatchPatch, create a ‘Remote command (logged output)’ with ‘Actions > Execute remote process/command > Create/modify remote commands (logged output)’. Create a command with the following syntax:
    REG QUERY "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"

    You can execute that command in BatchPatch by highlighting the desired rows/computers in the grid and then selecting ‘Actions > Execute remote process/command > Execute saved remote commands (logged output)’.

    In the result, take note of the WUServer and WUStatusServer values. If these values are not present, then the computer is not configured to get updates from a WSUS server. In this example, my test computer is configured to get updates from a server called MYWSUS with URL http://mywsus:8530

  2. Create remote commands for changing the WUServer and WUStatusServer registry values on target computers to point to your alternate WSUS server:

    WUServer:

    REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v WUServer /t REG_SZ /d http://myalternatewsus:8530 /f

    WUStatusServer:

    REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v WUStatusServer /t REG_SZ /d http://myalternatewsus:8530 /f

  3. Create remote commands for changing the appropriate registry values on target computers to point back to your original WSUS server:

    WUServer:

    REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v WUServer /t REG_SZ /d http://mywsus:8530 /f

    WUStatusServer:

    REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v WUStatusServer /t REG_SZ /d http://mywsus:8530 /f

  4. Finally, put it all together for use. We’ll create a job queue that updates the WUServer and WUStatusServer registry values, and then performs a download/install/reboot operation. In this case it’s not necessary to reset the WUServer and WUStatusServer back to their original values because upon reboot, Windows will automatically refresh the Group Policy settings for us. However, depending on what you are doing, you may want to execute the remote commands to reset those values if you are concerned that Group Policy refresh won’t occur soon enough for your needs. Note, Microsoft says “Group Policy is automatically refreshed when you restart the domain member computer, or when a user logs on to a domain member computer. In addition, Group Policy is periodically refreshed. By default, this periodic refresh is performed every 90 minutes with a randomized offset of up to 30 minutes.”

    Use ‘Actions > Job Queue > Create/modify job queue’, and set the job queue to contain the following steps:

    1. Execute remote command to update WUServer
    2. Execute remote command to update WUStatusServer
    3. Execute ‘Download and install updates + reboot always’

    You can optionally save the above job queue for future execution by adding a title to the ‘Title’ field, and then clicking the double-right-arrow button. Then it’s ready any time you want to download/install Windows Updates from a different WSUS server. To execute a saved job queue, select the desired rows in the grid, and then click ‘Actions > Job Queue > Execute saved job queues’.
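
The check, switch and restore commands from steps 1 to 3, combined into one PowerShell script that saves the original values before changing them. This is an added example, not part of the original post or of BatchPatch. The backup key `HKLM:\SOFTWARE\WsusSwitchBackup` and the parameter names are hypothetical, and the default URL is the post's sample value.

```powershell
# Added example, not from the original post. Run elevated on the target computer.
param(
    [ValidateSet('Show', 'Switch', 'Restore')] [string]$Action = 'Show',
    [string]$AlternateUrl = 'http://myalternatewsus:8530'   # sample URL from the post
)
$Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$Backup = 'HKLM:\SOFTWARE\WsusSwitchBackup'   # hypothetical key; admin-writable only by default
$Names  = 'WUServer', 'WUStatusServer'

function Get-WsusValues([string]$Path) {
    # Read both values from a key; a value that is not present comes back as $null.
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $out = [ordered]@{}
    foreach ($n in $Names) {
        $out[$n] = if ($props -and $props.PSObject.Properties[$n]) { $props.$n } else { $null }
    }
    $out
}

function Set-WsusValues([string]$Path, $Values) {
    # Same effect as the post's REG ADD ... /t REG_SZ ... /f commands.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($n in $Names) {
        New-ItemProperty -Path $Path -Name $n -Value $Values[$n] -PropertyType String -Force | Out-Null
    }
}

$current = Get-WsusValues $Policy
switch ($Action) {
    'Switch' {
        # Per the post, missing values mean the computer is not configured for WSUS.
        if ($current.Values -contains $null) { throw 'WUServer/WUStatusServer not set; not switching.' }
        # Save the originals, unless a previous Switch already put the alternate in place.
        if ($current['WUServer'] -ne $AlternateUrl) { Set-WsusValues $Backup $current }
        Set-WsusValues $Policy @{ WUServer = $AlternateUrl; WUStatusServer = $AlternateUrl }
    }
    'Restore' {
        $saved = Get-WsusValues $Backup
        if ($saved.Values -contains $null) { throw 'No saved values; wait for Group Policy refresh.' }
        Set-WsusValues $Policy $saved
        Remove-Item -Path $Backup
    }
}
Get-WsusValues $Policy   # output for the log: the values now in effect
```

Run it with `-Action Switch` before the update step, and with `-Action Restore` afterwards if you do not want to wait for Group Policy refresh.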
