WSUS: brute force patching

Introduction

When a server has checked for patches at Microsoft (and found patches to install) instead of at the internal WSUS server, it is hard to make it forget about the patches it found in the “outside world”.

This is a brute force way of doing it. Timing is crucial, because some of these services restart on their own shortly after you stop them. Run the commands a few times, until renaming the two directories no longer returns an error.

In an elevated terminal window, started as Administrator:

net stop wuauserv
net stop cryptSvc
net stop bits
net stop msiserver
ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
ren C:\Windows\System32\catroot2 Catroot2.old

From a remote host, via Ansible (the win_shell module runs the command through PowerShell, so the semicolons separate the individual commands):

ansible -i inventory windows -m win_shell -a 'net stop wuauserv ; net stop cryptSvc ; net stop bits ; net stop msiserver ; net stop wuauserv ; net stop cryptSvc ; net stop bits ; net stop msiserver ; ren C:\Windows\SoftwareDistribution SoftwareDistribution.old ; ren C:\Windows\System32\catroot2 Catroot2.old' -l my-server-name

To start the services again:

ansible -i inventory windows -m win_shell -a 'net start wuauserv ; net start cryptSvc ; net start bits ; net start msiserver' -l my-server-name
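The same reset as a single PowerShell script, added here as an example (it is not from the original post and not an Ansible or Microsoft artifact). It wraps the service stops in a retry loop so the "run it a few times" step is automated, clears a leftover .old directory from an earlier run before renaming, brings the services back even if a rename fails, and finally reads the WSUS client policy from the registry, since a client without WUServer/UseWUServer set will keep going to Microsoft no matter how often the cache is reset. Service names and directory paths are the ones from the post; the retry count, wait time and the HKLM policy path are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not the post's own code): reset the Windows Update client cache
# with retries, then show which update server the client policy points at.
# Assumptions: 5 attempts with a 3 second wait, and the standard policy key
# HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.

$Services = 'wuauserv', 'cryptSvc', 'bits', 'msiserver'
$Renames  = @{
    "$env:SystemRoot\SoftwareDistribution" = 'SoftwareDistribution.old'
    "$env:SystemRoot\System32\catroot2"    = 'Catroot2.old'
}

function Stop-UpdateServices {
    param([int]$MaxAttempts = 5, [int]$WaitSeconds = 3)
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        foreach ($name in $Services) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
        }
        # Some of these services come back on their own; re-check instead of
        # assuming the first stop stuck.
        Start-Sleep -Seconds $WaitSeconds
        $running = Get-Service -Name $Services | Where-Object { $_.Status -ne 'Stopped' }
        if (-not $running) { return $true }
        Write-Host ("Attempt {0}: still running: {1}" -f $attempt, ($running.Name -join ', '))
    }
    return $false
}

function Rename-UpdateCache {
    foreach ($path in $Renames.Keys) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $target = Join-Path (Split-Path -Parent $path) $Renames[$path]
        # A leftover .old directory from an earlier run makes the rename fail.
        if (Test-Path -LiteralPath $target) {
            Remove-Item -LiteralPath $target -Recurse -Force
        }
        Rename-Item -LiteralPath $path -NewName $Renames[$path] -ErrorAction Stop
        Write-Host "Renamed $path -> $target"
    }
}

function Start-UpdateServices {
    foreach ($name in $Services) {
        Start-Service -Name $name -ErrorAction SilentlyContinue
    }
}

function Get-WsusClientPolicy {
    # Values written by the "Specify intranet Microsoft update service location"
    # policy. WUServer must name the WSUS server and UseWUServer must be 1,
    # otherwise the client checks for patches at Microsoft.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu   = Get-ItemProperty -Path $base      -ErrorAction SilentlyContinue
    $au   = Get-ItemProperty -Path "$base\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
    }
}

if (-not (Stop-UpdateServices)) {
    throw 'Could not get all update services to stay stopped; run the script again.'
}
try {
    Rename-UpdateCache
}
finally {
    # Bring the services back even if a rename failed halfway through.
    Start-UpdateServices
}
Get-WsusClientPolicy | Format-List
```

The script has the same effect as the net stop / ren / net start sequence above and can be pushed through the same Ansible inventory with the win_shell module; the policy listing at the end is the check worth doing before repeating the reset, because an empty WUServer explains the "outside world" patches better than a stale cache does.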