Microsoft Intune - AutoPatch: Using Notify Download with Installation Trigger
UsoClient Deep Dive: Undocumented Commands and Enterprise Applications
This technical deep dive presents an analysis and reverse engineering of UsoClient.exe and its supporting libraries (notably UsoClientImpl.dll), uncovering both documented and undocumented command-line switches used internally by the Windows Update orchestration engine. The objective is to better understand hidden update behaviors and how they may be invoked in enterprise environments such as Intune, ConfigMgr, or scripts running under SYSTEM context.
This started as an exploration into using notify download in Intune without a deadline and then triggering the installation of updates and reboot. From "Windows Update settings you can manage with Intune Update Ring policies for Windows 10/11 devices" (Microsoft Learn):
Notify download - Notify the user before downloading the update. Users choose to download and install updates.
Important
If the user takes no action, the update will not install until the deadline you have configured is reached.
Why UsoClient Matters
Windows 10 and 11 rely on UsoClient to orchestrate update tasks like scanning, downloading, installing, reporting, and reboots. Though Microsoft does not publicly document its usage, the operating system frequently invokes it through scheduled tasks with specific switches. Most switches are either undocumented or only referenced within DLLs.
Discovery Methodology
This research builds on previous internal testing and analysis sessions, where a combination of binary introspection tools and static analysis techniques was used to understand UsoClient's behavior.
Tools Used:
- Ghidra: Reverse engineering UsoClientImpl.dll helped reveal switch references and control flow logic behind update orchestration behavior. Some functions were deeply buried in the Undocked Update Stack implementation. Ghidra was essential to unpack the layers of abstraction Microsoft added in later Windows builds.
- strings: Running strings UsoClientImpl.dll | find /I "start" revealed hidden command switches not exposed in Microsoft documentation or public Task Scheduler tasks. This command surfaced a list of strings like:
StartScan
StartBypassOobeScan
StartBypassScan
StartModelUpdates
StartWork
StartMaintenanceWork
StartOobeScan
StartOobeAppsScanAfterUpdate
StartOobeAppsScan
Universal Orchestrator Start
RestartUsoSvc
StartStoreUpdates
StartStoreBizCritUpdates
StartLXPBizCritUpdates
StartMedic
StartUWork
StartUWorkIdle
StartInteractiveScan
UpdateAndRestartDevice
Only StartInteractiveScan and StartBypassScan were empirically tested, and only on Windows 11. These tests confirmed their silent execution behavior and reliability when run in SYSTEM context via script or Intune remediation.
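The strings pass described above can be repeated without extra tooling. The following is an added example, not code from the original article: the function name Get-EmbeddedString is hypothetical, and the System32 location of UsoClientImpl.dll is an assumption. It only reads the file and lists both single-byte and UTF-16 strings that contain the filter text.

```powershell
# Added example: list strings embedded in a binary that contain a filter word.
# Read-only; nothing is executed.
function Get-EmbeddedString {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Filter = 'start',
        [int] $MinLength = 5
    )
    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $bytes = [System.IO.File]::ReadAllBytes($full)
    $n     = $bytes.Length

    # Run of printable ASCII characters, at least $MinLength long.
    $pattern = "[\x20-\x7E]{$MinLength,}"

    # Latin-1 maps each byte to one char, so single-byte strings survive decoding.
    # UTF-16LE decoding exposes wide strings; both byte alignments are tried.
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)
    $utf16  = [System.Text.Encoding]::Unicode
    $views  = @(
        $latin1.GetString($bytes),
        $utf16.GetString($bytes, 0, $n - ($n % 2)),
        $utf16.GetString($bytes, 1, ($n - 1) - (($n - 1) % 2))
    )

    $found = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($text in $views) {
        foreach ($m in [regex]::Matches($text, $pattern)) {
            # -match is case-insensitive, like find /I
            if ($m.Value -match [regex]::Escape($Filter)) { [void]$found.Add($m.Value) }
        }
    }
    $found | Sort-Object
}

# Assumed location of the DLL; adjust if it lives elsewhere on your build.
$dll = Join-Path ([Environment]::SystemDirectory) 'UsoClientImpl.dll'
if (Test-Path -LiteralPath $dll) { Get-EmbeddedString -Path $dll }
```

Comparing the output across Windows builds shows which switch names were added or removed since the list above was captured.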
Confirmed Command Switches
Commonly Used Commands
- StartScan: Performs a basic update scan. Often fails when used from a SYSTEM context on modern Windows.
- StartDownload: Begins downloading available updates.
- StartInstall: Triggers installation of downloaded updates.
- ScanInstallWait: One-liner for scan → download → (deferred) install. No longer reliable past 1909.
- RefreshSettings: Forces immediate refresh of WU settings (e.g., WSUS URL changes).
- ResumeUpdate: Resumes paused update installations (rarely needed).
- RestartDevice: Was used to restart after updates but deprecated in Win10 1803+.
- EvaluateUpdate: Forces re-evaluation of update applicability—handy for patch supersedence checks.
Powerful and Undocumented Commands
- StartInteractiveScan: Most reliable in scripts. Despite the name, it runs silently and works well from SYSTEM context. Preferred for Intune Remediations.
- StartBypassScan: Bypasses active hours, deferrals, metered connections. Likely used internally for expedited patching.
- StartMaintenanceWork: Tied to scheduled update work during automatic maintenance windows (e.g., 2 AM idle tasks).
- StartWork: Executes update tasks due now—often related to policy enforcement, e.g., past deadline.
- StartOobeScan: Invoked during Out-of-Box Experience (OOBE) to force initial patch scans.
- StartOobeAppsScan: Updates Store apps provisioned during OOBE. Sometimes re-installs removed inbox apps like Teams.
- StartOobeAppsScanAfterUpdate: Post-feature update variant of the above.
- StartModelUpdates: Likely fetches or applies update stack metadata/ML models.
- ReportPolicies: Forces immediate policy/status reporting (e.g., WSUS check-in).
Less Understood / Speculative
- RestartUsoSvc: Restarts the Update Session Orchestrator Service.
- StartStoreUpdates, StartStoreBizCritUpdates: Trigger Store-related update checks.
- StartLXPBizCritUpdates: Triggers Language Experience Pack updates.
- StartMedic: Triggers WU Medic Service to heal update components.
- StartUWork, StartUWorkIdle: Possibly related to enforcing update work when idle.
- UpdateAndRestartDevice: Likely performs install + auto-reboot if allowed.
- Universal Orchestrator Start / Idle Start: Suggest orchestration framework triggers.
- StartServiceW: May invoke or resume specific WU-related services.
Special Cases and Contextual Behavior
- StartOobeScanIgnoredSinceEulaWillBeShown: Indicates EULA blocks scan.
- Start Oobe Expedite Work: Expedites update steps post-OOBE (new in 11+).
Task Scheduler Mappings
The following scheduled tasks confirm real-world use of these commands:
- Schedule Scan → usoclient.exe StartScan
- Schedule Maintenance Work → StartMaintenanceWork
- Schedule Work / Wake to Work → StartWork
- Start OOBE Expedite Work → StartWork
- UpdateModelTask → StartModelUpdates
- Report Policies → ReportPolicies
- StartOobeAppsScanAfterUpdate → StartOobeAppsScan
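The table above can be checked against a given device, since task names and switches vary between builds. This is an added example, not code from the original article: the function name Get-UsoClientTaskMapping and the VsTable column are hypothetical, and the task names in $PageMapping are copied from the list above. It is read-only and also surfaces any task outside the table that launches UsoClient.exe.

```powershell
# Added example: compare the scheduled tasks on this device with the
# article's Task Scheduler table. Read-only; starts nothing.
$PageMapping = @{                      # task name -> switch, as listed above
    'Schedule Scan'                = 'StartScan'
    'Schedule Maintenance Work'    = 'StartMaintenanceWork'
    'Schedule Work'                = 'StartWork'
    'Wake to Work'                 = 'StartWork'
    'Start OOBE Expedite Work'     = 'StartWork'
    'UpdateModelTask'              = 'StartModelUpdates'
    'Report Policies'              = 'ReportPolicies'
    'StartOobeAppsScanAfterUpdate' = 'StartOobeAppsScan'
}

function Get-UsoClientTaskMapping {
    foreach ($task in (Get-ScheduledTask)) {
        foreach ($action in $task.Actions) {
            # Exec actions expose Execute/Arguments; COM-handler actions do not.
            if ("$($action.Execute)" -notmatch 'usoclient(\.exe)?"?\s*$') { continue }
            $arg = "$($action.Arguments)".Trim()

            $status = 'NotInTable'
            if ($PageMapping.ContainsKey($task.TaskName)) {
                $status = if ($PageMapping[$task.TaskName] -eq $arg) { 'Match' } else { 'Differs' }
            }
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                State    = $task.State
                Switch   = $arg
                VsTable  = $status
            }
        }
    }
}

Get-UsoClientTaskMapping | Sort-Object TaskPath, TaskName | Format-Table -AutoSize
```

Rows marked NotInTable or Differs are the ones to review before relying on a switch in a script for that build.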
Intune Remediation Script Example
# Trigger silent update scan suitable for SYSTEM context
Start-Process -FilePath "$env:SystemRoot\System32\UsoClient.exe" -ArgumentList "StartInteractiveScan" -NoNewWindow -Wait
# Optionally bypass deferrals and throttles
Start-Process -FilePath "$env:SystemRoot\System32\UsoClient.exe" -ArgumentList "StartBypassScan" -NoNewWindow
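A guarded variant of the remediation above, as an added example that is not from the original article: the function name Invoke-UsoClientCommand and the allowlist variable are hypothetical. It limits the launcher to the two switches the article tested, resolves the 64-bit binary even from a 32-bit PowerShell host, checks the Authenticode signature before starting it, and returns an exit code the remediation run can report on.

```powershell
# Added example: guarded launcher for a remediation script.
$TestedCommands = @('StartInteractiveScan', 'StartBypassScan')  # the two the article tested

function Invoke-UsoClientCommand {
    param([Parameter(Mandatory)] [string] $Command)

    if ($TestedCommands -notcontains $Command) {
        throw "'$Command' is not in the tested allowlist."
    }
    # A 32-bit host on 64-bit Windows is redirected from System32 to SysWOW64;
    # Sysnative reaches the real 64-bit directory.
    $dir = if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        Join-Path $env:SystemRoot 'Sysnative'
    } else {
        [Environment]::SystemDirectory
    }
    $exe = Join-Path $dir 'UsoClient.exe'   # full path, never resolved through PATH
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { throw "Not found: $exe" }

    # Refuse to start a binary whose signature does not validate.
    $sig = Get-AuthenticodeSignature -LiteralPath $exe
    if ($sig.Status -ne 'Valid') { throw "Signature status of $exe is $($sig.Status)" }

    $proc = Start-Process -FilePath $exe -ArgumentList $Command -NoNewWindow -Wait -PassThru
    [pscustomobject]@{
        Command  = $Command
        ExitCode = $proc.ExitCode
        Signer   = $sig.SignerCertificate.Subject
    }
}

try {
    $r = Invoke-UsoClientCommand -Command 'StartInteractiveScan'
    Write-Output ("UsoClient {0}: exit code {1}, signer {2}" -f $r.Command, $r.ExitCode, $r.Signer)
    exit 0
} catch {
    Write-Output "UsoClient launch refused or failed: $_"
    exit 1
}
```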
Recommendations
- Prefer StartInteractiveScan over StartScan for reliable remote/script execution.
- Use StartBypassScan when you need to override WUfB deferrals.
- Avoid using RestartDevice in modern builds—it's ignored.
- Avoid depending on ScanInstallWait unless targeting legacy OS (pre-1909).
Final Thoughts
These switches provide valuable insight into the internal workings of Windows Update. While Microsoft continues to deprecate direct control via command line, these commands offer targeted ways to kick off update processes in emergencies, non-compliance scenarios, or during troubleshooting. They should supplement—not replace—your broader update policy strategy (Autopatch (WUfB), ConfigMgr, WSUS, etc.).
This investigation is the result of sustained, hands-on analysis using both Ghidra and strings-based inspection. StartInteractiveScan and StartBypassScan were verified through testing on Windows 11 in SYSTEM context scenarios, while the remainder are presented based on static analysis and behavior inference.
Always validate on a test device before deploying these in production scripts.
This research was conducted through static analysis and limited empirical testing, and is intended for educational and enterprise administrative use only.