A few things come to mind. First, why do it at all for machines that are experiencing no problems? If it ain't broke... Besides, you're just making much needless work for yourself. How many machines mess up in any given month? Out of the 100 or so I look after, I get one or two I have to get brutal on. The rest just work.
I do pretty much exactly what you are doing, but only if a machine has available patches approved for installation in a group to which the computer belongs, but not downloaded for over 24 hours, yet the server is seeing detections. If that happens, I first delete the machine from WSUS. I then do all that you do, and the following besides: before I mess w/ the registry or the SoftwareDistribution folder, I stop the wuauserv service on the target computer. You cannot delete SoftwareDistribution or rename the WindowsUpdate log unless you do. I also delete the "NextDetectionTime" value from HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\windowsupdate\auto update. I then rename c:\windows\windowsupdate.log so when the service restarts it is easier to find the new stuff. Following all that, I restart the wuauserv service. So far the above has worked very, very well.

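The client-side steps from the post above as a PowerShell script (an added example, not code from the poster). It assumes it is run elevated on the target machine after the computer has already been removed from the WSUS console, and that the client is a legacy one whose log lives at %SystemRoot%\WindowsUpdate.log; the `wuauclt /detectnow` call at the end is a legacy client command the post does not mention.

```powershell
# Added example: reset a stuck WSUS client in the order the post describes.
# Assumes elevation; the server-side delete from the WSUS console is done by hand first.
$ErrorActionPreference = 'Stop'
$auKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$sdDir = Join-Path $env:SystemRoot 'SoftwareDistribution'
$wuLog = Join-Path $env:SystemRoot 'WindowsUpdate.log'
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Stop wuauserv first: SoftwareDistribution and the log are locked while it runs.
Stop-Service -Name wuauserv -Force
(Get-Service -Name wuauserv).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# 2. Delete the SoftwareDistribution cache; the service recreates it on restart.
if (Test-Path $sdDir) { Remove-Item -Path $sdDir -Recurse -Force }

# 3. Remove the cached NextDetectionTime so the client does not wait for the old schedule.
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
if ($au -and $au.PSObject.Properties['NextDetectionTime']) {
    Remove-ItemProperty -Path $auKey -Name NextDetectionTime
}

# 4. Rename the old log so the entries written after the restart are easy to find.
if (Test-Path $wuLog) { Rename-Item -Path $wuLog -NewName "WindowsUpdate.$stamp.log" }

# 5. Restart the service and ask for an immediate detection cycle (legacy client command).
Start-Service -Name wuauserv
& "$env:SystemRoot\System32\wuauclt.exe" /detectnow
```

After a few minutes the new WindowsUpdate.log should show the client contacting the WSUS server again; if it does not, the log is now short enough to read top to bottom.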