WSUS will not provide HOT FIXES

Many-a-times WSUS Admins, wonder if they can automatically deploy hot fixes which are not supported by WSUS or which are not available on The simple answer is NO and you have to use SMS or some script to install them.

Alternately, If the computers are in an Active Directory Domain, then you might want to take a look at this excellent script posted by Torgeir Bakken (MVP).

Notes from Torgeir Bakken (MVP):

  • You should do it in a computer startup script (with a GPO that is applied to you computers) instead of a logon script. A computer startup script runs as part of the boot up process (before the user logs in). It runs under the system context and has local admin rights.
  • As you need to access a file over the network from the computer startup script, you need to put the file on a network share and grant read access for the AD group “Domain Computers” to the share.
  • Note that the script creates a registry marker when the update is installed, so the next time the script is run, it sees this marker, and skips the installation of the update (to avoid repeating installations).
  • You will need to change the path to the exe file (I have used a dummy path in the script), and maybe the command line switches for the update.
  • I have added the command line switches /u /q /z to the command line in the script, it should work on all MS updates that uses update.exe to install (most do). 

    • /u: Unattended mode.
    • /q: Quiet mode (no user interaction).
    • /z: Do not restart when installation is complete.

  • If you want the computer to automatically reboot after the install (if the update needs it), remove the /z switch.

Below is a VBScript you can put in a computer startup script that will install a MS update.

Script code:


sExePath = “\\server\share\folder\something.exe”
sSwitches = “/u /q /z”

Set oShell = CreateObject(“WScript.Shell”)

sRegKey = “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate”

‘ suppress error in case values does not exist
On Error Resume Next

‘ check for marker
sRegMarkerValue = “”  ‘ init value
sRegMarkerValue = oShell.RegRead( sRegKey & “\Hotfix1Installed”)
On Error Goto 0

‘ to be sure update is installed only once, test on marker
If sRegMarkerValue <> “yes” Then

   oShell.Run Chr(34) & sExePath & Chr(34) & ” ” & sSwitches, 1, True

   ‘ create marker
   oShell.RegWrite sRegKey & “\Hotfix1Installed”, “yes”
End If


WSH 5.6 documentation (local help file) can be downloaded from here if you haven’t got it already:

UPDATE (5/7/2006):

Access to drivers and hotfixes via the Microsoft Update (MU) Catalog site is tightly integrated with WSUS 3.0 to enable easy drivers and hotfix access.

One thought on “WSUS will not provide HOT FIXES

Leave a Reply

Your email address will not be published. Required fields are marked *