The quickest way to identify WSUS client settings is to create a simple script file that queries the registry keys you are interested in and pipes them to the console for quick review. This can be used for troubleshooting or for random audits of your WSUS clients, to make sure that you are not having GPO inheritance, blocking, or conflict problems.
To remotely query your WSUS computer's registry, you need the reg.exe command-line utility, which is part of the Windows Server 2003 and Windows XP source code. It is also part of the Windows 2000 Resource Kit Supplement 1 for Windows 2000 machines. The version included in Windows Server 2003 and XP can be used on Windows 2000 machines.
The following code quickly enumerates the values of the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate registry key and its AU subkey and values. From a command prompt window, type the following (note that WSUSClient is the Network Basic Input/Output System (NetBIOS) name of your WSUS client host).
The /s switch at the end of the command signifies that you want to retrieve all of the subkeys. The results of this query are as follows:
C:\>reg query \\WSUSClient\
! REG.EXE VERSION 3.0
ElevateNonAdmins REG_DWORD 0x0
UseWUServer REG_DWORD 0x1
NoAutoRebootWithLoggedOnUsers REG_DWORD 0x1
AutoInstallMinorUpdates REG_DWORD 0x1
DetectionFrequencyEnabled REG_DWORD 0x1
DetectionFrequency REG_DWORD 0x6
RescheduleWaitTimeEnabled REG_DWORD 0x1
RescheduleWaitTime REG_DWORD 0xf
NoAutoUpdate REG_DWORD 0x0
AUOptions REG_DWORD 0x4
ScheduledInstallDay REG_DWORD 0x6
ScheduledInstallTime REG_DWORD 0x3
To simplify the command, program the keys that you want to randomly query as permanent environment variables on your workstation, so you do not have to retype them every time. For example, from the command line type the following:
Reg.exe query \\WSUSClient\%WU% /s
Use reg.exe with the /v switch followed by the value name if you just want to query a particular value. For example, if you want to query for the DetectionFrequency of a particular client, type the following:
Reg.exe query \\WSUSClient\%WU%\AU /v DetectionFrequency
Determining the client WSUS settings is easy once you are familiar with each of the value codes. You must be an administrator of the machines you are querying. If you are running these scripts from an Active Directory workstation against machines in a DMZ, make sure you authenticate with those machines first. You can use the net use command to authenticate to \\machinename\ipc$; replacing the password with * makes net use prompt for it instead of leaving it on the command line:
Net use \\machinename\ipc$ /user:username password
If you want to audit all of your machines, use the following script to pipe everything to a text file. All you need to do is populate the machines.txt file with a list of the clients you want to audit and use the internal Windows FOR command.
If exist c:\wsusaudit.log del c:\wsusaudit.log
for /F %I in (c:\machines.txt) do @echo WSUS Results for %I >> c:\wsusaudit.log & reg.exe query \\%I\%WU%\AU /s >> c:\wsusaudit.log & @echo. >> c:\wsusaudit.log
View the wsusaudit.log on the c:\ root for the results. These examples give you the basis for quick and easy registry query information for your WSUS clients. In addition, for any machines that you need to configure using the registry, consider using the reg.exe command with the ADD or DELETE parameters to add, modify, or delete WSUS client registry keys in single or bulk fashion.
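The following Python script is an added example, not part of the original text: it parses wsusaudit.log as written by the FOR loop above and reports clients whose AU values differ from a baseline, including clients for which no values were logged. The baseline (copied from the sample query output earlier on this page), the machine names and the sample log are assumptions constructed for illustration.

```python
import re

# Assumed baseline, copied from the sample query output on this page.
BASELINE = {"UseWUServer": 0x1, "AUOptions": 0x4, "DetectionFrequency": 0x6}

HEADER = re.compile(r"^WSUS Results for (\S+)\s*$")
VALUE = re.compile(r"^\s*(\S+)\s+REG_DWORD\s+(0x[0-9A-Fa-f]+)\s*$")

def parse_audit_log(text):
    """Return {machine: {value_name: int}} parsed from wsusaudit.log text."""
    results, current = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = results.setdefault(header.group(1), {})
            continue
        value = VALUE.match(line)
        if value and current is not None:
            current[value.group(1)] = int(value.group(2), 16)
    return results

def find_drift(results, baseline=BASELINE):
    """Return {machine: [findings]} for clients that deviate from the baseline."""
    drift = {}
    for machine, values in results.items():
        if not values:
            # A failed query leaves no value lines under the machine's header.
            drift[machine] = ["no values logged (unreachable, access denied or key absent)"]
            continue
        findings = []
        for name, expected in baseline.items():
            if name not in values:
                findings.append(f"{name} missing (expected {expected:#x})")
            elif values[name] != expected:
                findings.append(f"{name} is {values[name]:#x} (expected {expected:#x})")
        if findings:
            drift[machine] = findings
    return drift

# Constructed sample log; the machine names are made up for this example.
SAMPLE_LOG = r"""WSUS Results for CLIENT01
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU
    UseWUServer REG_DWORD 0x1
    AUOptions REG_DWORD 0x4
    DetectionFrequency REG_DWORD 0x6
WSUS Results for CLIENT02
    UseWUServer REG_DWORD 0x0
    AUOptions REG_DWORD 0x4
WSUS Results for CLIENT03
"""
```

Calling find_drift(parse_audit_log(open(r"c:\wsusaudit.log").read())) runs the same comparison against a real audit log.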
The registry seems like a very complex set of codes; however, once you learn its structure, maneuvering about and searching for keys and values becomes second nature. It cannot be stressed enough that the registry must be taken seriously. Misconfigurations and possible key and value deletions can quickly result in a non-working system.
Some Independent Advice
Remember, using the registry to configure WSUS clients is primarily for non-Active Directory machines. The power of Group Policy from both a management and a security perspective is far superior to using the local registry to make global settings.