Sometimes there just isn’t enough time or patience to wait for Group Policy to push updates. Luckily we have small commands that nudge things along. Here are a few things that get WSUS (Windows Server Update Services) moving in the right direction so you aren’t sitting around waiting for Group Policy to update. I’ll give you some examples and how to check to make sure forcing worked.
Forcing Group Policy
We should all be familiar with forcing group policy. Run this command in an elevated command line:
Testing with RSoP
How can you check to make sure your group policy has updated after the force? Odds are you are changing group policy for something specific and you’ll notice a difference, but the best tool for the job is Resultant Set of Policies. RSoP is an executable that will run and show you exactly what policies are being used by your server.
Go to Start > Run and type “rsop.msc”
A small script with a UI will run, which will compile a display of all of the current policies in place on the server. A screenshot below shows the RSoP running. Notice the “Windows Vista…” remarks in the paragraph at the top. This was run from a Windows 2008 R2 Server!
When the snap-in runs and completes you’ll be able to see what policies are applied.
WSUS works closely with the Windows Update Agent on your server or client. For instance, reporting to your WSUS server is done via the update agent. Sometimes the client reaching out to the WSUS Server takes time. It first needs to detect the server, then connect to the WSUS Server, and finally report to it. Rather than waiting, you can force all of this using WUAUCLT Commands.
Here’s an example of how to connect, detect, and report to the WSUS from a client:
Head to your client and confirm the server policy is correct. Go to gpedit.msc > Computer Configuration > Windows Components > Windows Update > Specify intranet Microsoft update service location. This should be enabled and your address should point to your WSUS Server (example: http://wsus01).
From an elevated command prompt and run the following:
This will let the client find the server. If you head back to your WSUS Server you’ll see that the client will be listed under Update Services > [Server Name] > Computers > All Computers. If you catch it fast enough you’ll notice the server may have a status of “Not yet reported” (example picture below).
We can fix that by running the following comand:
The above command will force the client to report to the WSUS Server appropriately. Refresh your list in WSUS and you’ll be all set. The client will be ready to accept updates at whatever time you scheduled them.
Let me know if I left anything out, and let me know how things go.