Handy Windows Server Update Services Commands (WUAUCLT, PowerShell and USOClient)

Working with WSUS is not an easy task. To make troubleshooting and fixing update errors easier, it helps to know a handful of useful commands for WUAUCLT, PowerShell and USOClient.

WUAUCLT refers to the Windows Update Automatic Update Client. This command has been replaced in the most recent versions of Windows OS with USOClient. Note: The WUAUCLT tool still works very well to date on Windows 2016. I tested and they worked great.

Below is a list of commands that can be used with WUAUCLT, together with their explanations. The first three (3) are probably the most used WUAUCLT commands.

WUAUCLT /DetectNow : Detect and download updates that are available
WUAUCLT /ReportNow : Tell the client to report its status back to the WSUS server
WUAUCLT /UpdateNow : Install updates now
WUAUCLT /ShowSettingsDialog : Show the Windows Update settings dialog
WUAUCLT /ShowWindowsUpdate : Show the Windows Update dialog box or web page
WUAUCLT /ResetAuthorization : When an update check occurs, a cookie is stored that prevents a new update or check for 1 hour. Use this to delete that cookie
WUAUCLT /ResetEulas : Reset the accepted EULAs
WUAUCLT /SelfUpdateManaged : Scan for Windows updates using WSUS
WUAUCLT /SelfUpdateUnmanaged : Trigger a Windows Update scan using the Windows Update website
WUAUCLT /ShowOptions : Open the Windows Update settings window
WUAUCLT /ShowFeaturedOptInDialog : Show the opt-in dialog for featured updates
WUAUCLT /DemoUI : Show the icons for Windows Update
WUAUCLT /ShowFeaturedUpdates : Open the Windows Update dialog and show the featured updates

Administering Windows Update Via PowerShell

PowerShell will give you the most flexibility in installing Windows updates. The other methods are fine for simply downloading and installing all updates. However, with the PowerShell cmdlets you can do things like get a list of updates, search for updates with a specific word in them, and then install only those updates. https://gallery.technet.microsoft.com/scriptcenter/2d191bcd-3308-4edd-9de2-88dff796b0bc

Step 1: Install the module from the gallery by running

Install-Module PSWindowsUpdate

Step 2: Import the windows update module

Import-Module PSWindowsUpdate

Step 3: Install the Microsoft Update service.
– Note: this can also be done via the command

Add-WUServiceManager -ServiceID 7971f918-a847-4430-9279-4a52d1efe18d

Step 4: Get a list of the available cmdlets in the PSWindowsUpdate module with the following command:

Get-Command -Module PSWindowsUpdate

Examples on how to use this tool

1: Download and install updates from Microsoft Update, then reboot:

Get-WUInstall -MicrosoftUpdate -AcceptAll -AutoReboot

2: Check if a reboot is required

Get-WURebootStatus

3: To view available updates from the Microsoft catalog

Get-WUInstall -MicrosoftUpdate -ListOnly
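
The selective workflow described above (list, search, install only the matches), as an added example that is not part of the original post. It assumes an elevated session and the same PSWindowsUpdate release whose Get-WUInstall accepts -ListOnly, as in the commands above; the KB and Title properties on the returned objects and the title pattern are assumptions, and KB4534273 is the update referenced later on this page.

```powershell
# Added example (not from the original post): install only selected updates.
Import-Module PSWindowsUpdate

$wantedKb    = 'KB4534273'   # update referenced later on this page
$titleFilter = 'Security'    # constructed sample pattern, adjust as needed

# 1. List what is available; -ListOnly neither downloads nor installs.
$available = @(Get-WUInstall -MicrosoftUpdate -ListOnly)

# 2. Keep the updates matching the wanted KB or the title pattern.
#    (KB and Title are assumed property names on the returned objects.)
$selected = @($available | Where-Object {
    $_.KB -eq $wantedKb -or $_.Title -match $titleFilter
})

if ($selected.Count -eq 0) {
    Write-Output 'No matching updates are available.'
    return
}

# Show exactly what is about to be installed so it can be reviewed or logged.
$selected | Format-Table KB, Size, Title -AutoSize

# 3. Install only those KBs. -IgnoreReboot leaves the restart to the
#    maintenance window instead of rebooting as soon as the install ends.
$kbs = @($selected | ForEach-Object { $_.KB } | Where-Object { $_ } | Sort-Object -Unique)
if ($kbs.Count -gt 0) {
    Get-WUInstall -MicrosoftUpdate -KBArticleID $kbs -AcceptAll -IgnoreReboot
}

# 4. Report whether a restart is still pending (-Silent returns True/False).
if (Get-WURebootStatus -Silent) {
    Write-Warning 'Updates installed; a reboot is pending.'
}
```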

Administering Windows Update Via USOClient

USO stands for Update Session Orchestrator. The usoclient.exe file, or the Windows 10 Update Orchestrator, is located in the System32 folder. This tool was introduced in Windows 10 and Server 2016 and it replaces the deprecated WUAUCLT tool.

Make sure to run these commands with Admin rights (elevated command prompt)

usoclient.exe StartScan
usoclient.exe StartDownload
usoclient.exe StartInstall
usoclient.exe RefreshSettings
usoclient.exe ResumeUpdate
usoclient.exe ScanInstallWait
usoclient.exe StartInteractiveScan
usoclient.exe RestartDevice

For my other documentation on WSUS, where some of these commands have been used previously, take a look at the following links.
– WSUS clients appear then disappear in console https://techdirectarchive.com/2018/05/17/wsus-clients-appear-then-disappear-in-console/
– How to Start, Stop and Restart Windows Server Update Services (WSUS) via PowerShell and CMD https://techdirectarchive.com/2020/02/04/how-to-start-stop-and-restart-windows-server-update-services-wsus-via-powershell-and-cmd/
– Windows 2016 Servers does not show up on WSUS console https://techdirectarchive.com/2018/12/13/windows-2016-servers-does-not-show-up-on-wsus-console/
– Applying Updates Deployed by WSUS to Workstations using AWS RunCommand https://techdirectarchive.com/2018/05/17/applying-updates-deployed-by-wsus-to-workstations-using-runcommand/
– Important Areas to Master on WSUS https://techdirectarchive.com/2018/05/17/important-areas-to-master-on-wsus/
– Configuring WSUS Email Notification to Work With Office365 https://techdirectarchive.com/2018/03/10/configuring-wsus-emails-notification-to-work-with-office365/
– Configuring WSUS Email Notification to Work With Office365 – IIS SMTP Relay Server https://techdirectarchive.com/2018/03/10/configuring-wsus-emails-notification-to-work-with-office365-2/
– Configuring SSL between WSUS servers (Upstream and Downstream Servers) https://techdirectarchive.com/2018/03/10/configuring-ssl-between-wsus-servers-upstream-and-downstream-servers/

Scheduling and running update via Windows Admin Center

Let’s shed more light on the Windows Admin Center installation types in order to have a smooth installation.

  • On Windows 10, it uses port 6516 by default, but it is possible to use a different port. You can have a shortcut created and let Windows Admin Center manage your Trusted Hosts.
  • On Windows Server, Windows Admin Center is installed as a network service. You must specify the port that the service listens on, and it requires a certificate for HTTPS. Here I am using the default HTTPS port (443).

See links for more info on how to install Windows Admin Center (WAC).
– Windows Admin Center (WAC) Deployment https://techdirectarchive.com/2020/01/05/windows-admin-center-wac-deployment-setup/
– Certificate Error: Unable to access Windows Admin Center (WAC) from the Web https://techdirectarchive.com/2020/01/05/certificate-error-unable-to-access-windows-admin-center-wac-from-the-web/
– How to Test Network Connection to the Windows Admin Center (WAC) Gateway https://techdirectarchive.com/2019/12/18/how-to-test-network-connection-to-the-windows-admin-center-wac-gateway/
– How to install Windows Admin Center (WAC) in an unattended mode using a self-signed certificate https://techdirectarchive.com/2020/01/09/how-to-install-windows-admin-center-unattended-using-self-signed-certificate/

To use the update functionality, access WAC via the URL or locally,
– Click on the server and, under Tools,
– Select Updates

Here you have two (2) restart options which are

  • Restart immediately and
  • Schedule Restart.

Testing the capabilities of schedule restart
– You can search the update catalog for more info on the update you are trying to install http://www.catalog.update.microsoft.com/Search.aspx?q=KB4534273

Click on Install updates to continue. After a successful restart, notifications will pop up showing the updates were successfully installed. This will start the search for updates and, when they are found, it will install them.
From the Admin Center, you can see the progress bar.

Note: On the desktop where the updates are being installed, you will get a push notification displayed on the screen showing updates are being installed.

Also, from the Settings window, this change can be viewed as shown below.

This update will also be shown via the settings window after completion on the Server as shown below. Here you can see the updates have been installed and pending restart based on the time I have scheduled.

When this completes, it will prompt you with the notification that *You are up to date*.

From the WAC console, you can also see the notification displayed.

Note: If you have updates applied already from WSUS or pulled directly from Microsoft, one way you can test this install update function is to uninstall updates and re-install them. For known issues, see https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/support/known-issues

Why is Group Policy (GP) not the best solution for managing updates?

There are a lot of enterprise management packages that manage Windows updates very well. Configuration and management tools can handle this as well. An example of such a solution is Microsoft System Center Systems (SCCM).

Without solutions like SCCM, it is difficult to centrally manage updates for server and client operating systems in Active Directory correctly. Group Policy can provide a limited way of achieving this functionality, but not enough, as it can often lead to other organizational problems. Here is how it is configured with Group Policy, which most times is not sufficient for your organization’s needs.

Launch the Group Policy Editor by searching for gpedit.msc
- Navigate through Computer Configuration
- Administrative Templates
- Windows Components
- Windows Update
Locate the Configure Automatic Updates setting. Here you will see that the date is missing and, because of this, GPO is not regarded as an optimal solution for installing Windows Updates.

Group Policy Drawbacks
– Because GPO does not offer a scheduled installation date, only days of the week and the monthly categorization as shown above, it is not very effective for managing Windows Updates.
– If you are not using WSUS but pulling updates directly from the Microsoft Update Catalog https://www.catalog.update.microsoft.com/Home.aspx, the biggest challenge is that you cannot explicitly withhold or push out updates immediately.
– The other strategy for system updates is to stick to maintenance times, and the best way to do that is to assign this setting at the Organisational Unit (OU) level. In this configuration, an OU would be created for a category of like servers. These OUs would all undergo their Windows Updates at the time that is configured in the GPO for that OU.

If you do not have SCCM or any 3rd party application capable of performing this, the good news is that Windows Admin Center (WAC) is capable of performing this task.

See the following link for the steps on how this is performed https://techdirectarchive.com/2020/02/05/scheduling-and-running-update-via-windows-admin-center/

Setup System Insights on Windows Admin Center (WAC)

System Insights is a new feature available in Windows Server 2019 and it brings local predictive analytics capabilities natively to Windows Server. These predictive capabilities are backed by a machine-learning model which locally analyses Windows Server system data, such as performance counters and events, providing high-accuracy predictions.

This helps reduce the operational expenses associated with reactively managing your Windows Server instances. Because each of these capabilities runs locally, all your data is collected, stored, and analyzed directly on your Windows Server instance, allowing you to use predictive analytics capabilities without any cloud connectivity.

In Windows Server 2019, System Insights introduces a set of capabilities focused on capacity forecasting, predicting future usage for computing, networking, and storage. To work with System Insights, you currently need Windows Server 2019. When the OS is installed, you can enable System Insights in two different ways:

  • Through PowerShell
  • With Windows Admin Center

I will be demonstrating how this is done effortlessly via Windows Admin Center below. When the Windows Admin Center is successfully installed, you will see System Insights added to the Tools section of the server that has it installed.

It comes predefined with 4 settings it will check up on:
– CPU capacity forecasting
– Network capacity forecasting
– Total storage consumption forecasting
– Volume consumption forecasting

You can simply select one and click on Invoke to actually generate the data required for the forecast. Unfortunately, if you run this on a fairly new machine (less than 2 hours old), there’s a big chance you’ll run into this notification.

Under Tools
select System Insights

This will launch the System Insights window, where the tool that provides the forecasting capabilities can be installed.

Click on install and this will begin the install process as shown below.

When successfully installed, it shows the various capabilities available

Click on any of the capability names as shown below

Example: Let’s click on the Network Capacity Forecasting

Click on Invoke on the top left under System Insights

Now under the status description, there will be an entry, as against the first image above.

To view the result, click on the Network Capacity Forecasting; here you should see the metrics if available.

Note: You can create a schedule for when it will run, without you having to invoke it

When you are done, click on Close. See the image below for the result after successful mining of information (this usually takes a while to populate, as shown in the Status description).

Click on the capability name to view more details (output). Let’s take a look at the Network capacity/reporting: clicking on it displays the overview of the Network capacity forecast (result). With these results, you can support and maintain your devices better.

How to set the PowerShell Execution Policy via the registry settings

PowerShell is configured to prevent the execution of PowerShell scripts on Windows systems by default. In order to run scripts, one of the following values must be taken into consideration. See how this is done via PowerShell https://techdirectarchive.com/2020/02/04/how-to-set-execution-policy/

To do this, open the Registry Editor.
– To change the execution policy for the current user, go to

HKEY_CURRENT_USER\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell

Set the string value ExecutionPolicy to one of the following values:

  • Restricted
  • AllSigned
  • RemoteSigned
  • Unrestricted
  • Undefined

To change the execution policy for the LocalMachine scope, navigate to the path as shown below.

Currently, no value is set and none is available. To set the string value ExecutionPolicy, create a new string and enter the ExecutionPolicy value you desire from the following: Restricted, AllSigned, RemoteSigned, Unrestricted, Undefined.

Create a new string and name it ExecutionPolicy

Now enter the desired value.

Press okay afterwards and that is all 😉

How to Set Execution Policy via PowerShell

PowerShell is configured to prevent the execution of PowerShell scripts on Windows systems by default. The PowerShell execution policy is a safety feature that controls the conditions under which PowerShell loads configuration files and runs scripts. This feature helps prevent the execution of malicious scripts. In order to run and execute scripts, one of the following values must be taken into consideration. To see how this is done via the registry, see https://techdirectarchive.com/2020/02/04/how-to-set-the-powershell-execution-policy-via-the-registry-settings/

Below are the various policy values that exist.

  • AllSigned: This runs only scripts that are signed by a trusted publisher.
  • Bypass: Configured to permit a certain script to run
  • Default: By default, the Execution Policy is set to Restricted for Windows devices and, for servers, it is RemoteSigned.
  • RemoteSigned: Scripts must be signed by a trusted publisher before they are permitted to run. Scripts that you run from the local computer don’t need to be signed. There are no prompts when you attempt to run a script.
  • Restricted: In this mode, no PowerShell script is allowed to run on the device.
  • Unrestricted: In this mode, scripts are run on the device regardless of where they were created or downloaded from.
  • Undefined (No execution policy): This value does not have the execution policy set. The effective execution policy is Restricted, which is the default execution policy.

Scope: This specifies the scope that the execution policy applies to. The execution policy can be set in various scopes as shown below. The effective execution policy is determined by the order of precedence as follows. See the screenshot below for more information.

  • MachinePolicy 
  • LocalMachine 
  • Process
  • UserPolicy
  • CurrentUser 

Open PowerShell (it is usually advisable to run this in Admin mode)

Type the following command and press the Enter key
- Get-ExecutionPolicy -List
To view the current policy
- use "Get-ExecutionPolicy"

The Set-ExecutionPolicy cmdlet changes PowerShell execution policies for Windows computers. Here is how to set the PowerShell Execution Policy.

Type the following command and press the Enter key
- Set-ExecutionPolicy Unrestricted

Note: At the prompt, you can select any of the following options: Yes, Yes to All or No. When you press Enter without choosing a value, the No option is selected automatically and the script will not run. Pay close attention to the script below, as the position was taken by default and this was set to unrestricted.

Note: Set-ExecutionPolicy doesn’t change the MachinePolicy and UserPolicy scopes because they are set by Group Policies. The Set-ExecutionPolicy doesn’t override a Group Policy, even if the user preference is more restrictive than the policy.

Here is an example of how to set the execution policy to Unrestricted, which will permit all scripts to be run on the device.

Another example, which is also a best-practice measure, is to allow only the script testwsus.ps1 to run, so that the global execution policy does not have to be set to Unrestricted, as shown below.

powershell.exe -ExecutionPolicy Bypass -File .\testwsus.ps1

If you don’t want to set this parameter for the entire system, you can start a PowerShell session in unrestricted mode.

powershell.exe -ExecutionPolicy Unrestricted -Command .\testwsus.ps1
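
A read-only check that covers both the registry method and the PowerShell method above, as an added example that is not part of the original post: it lists the policy per scope, reads the ExecutionPolicy string value from the registry, flags Unrestricted and Bypass, and inspects testwsus.ps1 before it is run with a relaxed policy. The function name and finding labels are hypothetical; the HKLM path assumes the same sub-key as the HKCU path shown earlier.

```powershell
# Added example (not from the original post): audit execution-policy settings.
function Get-ExecutionPolicyAudit {
    $weak   = 'Unrestricted', 'Bypass'
    $subKey = 'SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'

    # 1. What PowerShell reports for every scope.
    $rows = @(Get-ExecutionPolicy -List | ForEach-Object {
        [pscustomobject]@{
            Source = "Scope $($_.Scope)"
            Policy = [string]$_.ExecutionPolicy
        }
    })

    # 2. The raw ExecutionPolicy string value in the registry. HKCU is the key
    #    named in the post; HKLM with the same sub-key is assumed to hold the
    #    LocalMachine setting.
    foreach ($hive in 'HKCU', 'HKLM') {
        $path  = '{0}:\{1}' -f $hive, $subKey
        $entry = Get-ItemProperty -Path $path -Name ExecutionPolicy -ErrorAction SilentlyContinue
        $rows += [pscustomobject]@{
            Source = "Registry $path"
            Policy = if ($entry) { [string]$entry.ExecutionPolicy } else { 'Undefined' }
        }
    }

    # 3. Flag the values that let any script run.
    foreach ($row in $rows) {
        $finding = if ($weak -contains $row.Policy) { 'REVIEW: any script may run' } else { 'ok' }
        $row | Add-Member -NotePropertyName Finding -NotePropertyValue $finding -PassThru
    }
}

Get-ExecutionPolicyAudit | Format-Table -AutoSize
"Effective policy for this session: $(Get-ExecutionPolicy)"

# Before running a single script with a relaxed policy, look at its signature
# and at whether Windows marked it as downloaded from the internet.
$script = '.\testwsus.ps1'   # script name used in the post
if (Test-Path $script) {
    Get-AuthenticodeSignature $script |
        Select-Object Status, @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Subject } }

    # A Zone.Identifier stream is present on files saved from the internet.
    $zone = Get-Item $script -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($zone) { Write-Warning "$script carries a Zone.Identifier stream (downloaded file)." }
}
```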

How to create a contact in Active Directory

Active Directory contacts include information about a person or business, such as phone numbers, email addresses, and fax numbers. Creating and managing AD contacts is vital for organizations, as contacts can be listed in a Global Address List (GAL) or another address list, allowing users to access contact information and send messages.

Why would you want to create a contact in Active Directory (AD)?
– A contact is most often needed in AD when you have a member who is not a regular user in your organization, such as an external (3rd party) contractor. This ensures a user account is not created for that person.
– Contact accounts will also help maintain a high level of security in your organization.
– Lastly, it will help save the contact and help email software access the contact details.

Note: A contact only contains details about a person and does not contain the SID enabled on the user
Note: This is similar to contacts in O365

Create a contact in Active Directory
– Under Tools,
– Launch Active Directory Users and Computers

Right-click on the OU, where you want the contact to be created.
– Click on New
– Click on Contact

And follow the dialog box displayed to perform the tasks.

Once you have created it here, there is no need to create it again on an Exchange Server, as the Exchange Server will be able to access the details.

– To configure additional properties
– Right-click on the contact and select properties

Note: You can add the contact to a group etc., despite it not having a SID.
Because contacts do not have the SID enabled, they are not granted the access of the group they belong to; they only receive emails sent to that group.

Difference between contact and user object