Windows Software Update Services (WSUS) has been around for a long time and has provided IT professionals a free tool to manage Windows and some third party updates across all of their Windows systems.
It eases the task of inventoring, installing and maintaining patches across Windows.
WSUS relies on a server and a policy on each computer it's managing. Managing WSUS typically consists of working with two types of objects: the WSUS server(s) and the Windows clients. There's not a single tool out there that helps with each of these. This is where PowerShell can help out.
Because PowerShell can interact with each object, we can use PowerShell to do some different activities related to installing updates with WSUS. First of all, when first rolling out a new WSUS server, download all of the required updates from Microsoft Update. When WSUS is installed, it also installs various PowerShell cmdlets to manage it, so we can remotely do many WSUS server activities.
1. Sync your WSUS server with Microsoft Update
One way to remotely connect to a WSUS server is to use PowerShell remoting so be sure that your WSUS server has this enabled by following this guide. Once PowerShell remoting has been enabled, we can make a connection to our WSUS server by using the PowerShell cmdlet Enter-PSSession.
PS> Enter-PSSession -ComputerName WSUSSERVER
[WSUSSERVER]: PS>
Note: We're entering an interactive remoting session just to demonstrate some commands. You may also choose to use the Invoke-Command command to automate many of these commands in a larger script.
First, determine how to query all of the updates currently on our WSUS server. To do that, we can use the Get-WsusUpdate command. When ran on a new WSUS server, you'll see that nothing is returned. This is because no updates have been synchronized yet. We can initiate a sync from PowerShell using the Get-WsusServer cmdlet.
(Get-WsusServer).GetSubscription().StartSynchronization()
Once complete, all of the updates that were configured to sync should be downloaded locally. Once you've ensured all patches are synced with Microsoft Update, let's take a look at all of the clients this server is currently managing updates on.
Query all of the computers that this WSUS server is managing
[WSUSSERVER]: PS C:> Get-WsusComputer
| Computer | IP Address | Operating System | Last Status Report |
| client1.mylab.local | 2607:fcc8:acc1:ed00:cd0:baa4:eea2:80a | Windows 8.1 | 1/1/0001 12:00:00 AM |
To get a full listing of all of the commands available to you use the Get-Command command to view a list of all of the WSUS commands inside of the WSUS module.
[WSUSSERVER]: PS C:> Get-Command -Module UpdateServices
| CommandType | Name | Version | Source |
| Cmdlet | Add-WsusComputer | 2.0.0.0 | UpdateServices |
| Cmdlet | Approve-WsusUpdate | 2.0.0.0 | UpdateServices |
| Cmdlet | Deny-WsusUpdate | 2.0.0.0 | UpdateServices |
| Cmdlet | Get-WsusClassification | 2.0.0.0 | UpdateServices |
| Cmdlet | Get-WsusComputer | 2.0.0.0 | UpdateServices |
| Cmdlet | Get-WsusProduct | 2.0.0.0 | UpdateServices |
| Cmdlet | Get-WsusServer | 2.0.0.0 | UpdateServices |
| Cmdlet | Get-WsusUpdate | 2.0.0.0 | UpdateServices |
| Cmdlet | Invoke-WsusServerCleanup | 2.0.0.0 | UpdateServices |
| Cmdlet | Set-WsusClassification | 2.0.0.0 | UpdateServices |
| Cmdlet | Set-WsusProduct | 2.0.0.0 | UpdateServices |
| Cmdlet | Set-WsusServerSynchronization | 2.0.0.0 | UpdateServices |
Once you've got your WSUS server configured how you'd like, we can also manage the WSUS clients. Although Microsoft doesn't give us a good option to do this via PowerShell, we'll rely on the community here. Let's download a module from Github called WindowsUpdate. Once installed, this module allows you to query remote computers for installed updates, install required updates and more. Here's a way to get it downloaded and installed.
mkdir 'C:Program FilesWindowsPowerShellModulesWindowsUpdate'
Invoke-WebRequest -Uri https://raw.githubusercontent.com/adbertram/
Random-PowerShell-Work/master/Software%20Updates/WindowsUpdate.psm1 -
OutFile 'C:Program
FilesWindowsPowerShellModulesWindowsUpdateWindowsUpdate.psm1'
Once installed, you'll then have multiple commands available to you.
PS C:> gcm -Module windowsupdate
| CommandType | Name | Version | Source |
| Function | Get-WindowsUpdate | 0.0 | windowsupdate |
| Function | GetWindowsUpdateInstallResult | 0.0 | windowsupdate |
| Function | Install-WindowsUpdate | 0.0 | windowsupdate |
| Function | NewUpdateCriteriaQuery | 0.0 | windowsupdate |
| Function | NewWindowsUpdateScheduledTask | 0.0 | windowsupdate |
| Function | Remove-ScheduledTask | 0.0 | windowsupdate |
| Function | SearchWindowsUpdate | 0.0 | windowsupdate |
| Function | TestWindowsUpdateScheduledTask | 0.0 | windowsupdate |
| Function | Wait-ScheduledTask | 0.0 | windowsupdate |
| Function | Wait-WindowsUpdate | 0.0 | windowsupdate |
Let's say I'd like to see what updates are installed on that computer we referenced earlier on the server. To do that, I can use the Get-WindowsUpdate command like so:
PS> Get-WindowsUpdate -ComputerName client1
This task would list all of the updates that are available but are not installed. To take the next step and install those updates, you can then use the Install-WindowsUpdate command and even account for a reboot if necessary.
PS> Install-WindowsUpdate -ComputerName client1 -ForceReboot
One of the great things about managing WSUS with PowerShell is that you are capable of extending the functionality in any way you'd like. So, for example, I could stitch these commands together and perhaps take a list of computers from a text file, add them to a WSUS target group and then invoke an update install all in one script!
$computers = Get-Content -Path C:Computers.txt
foreach ($computer in $computers) {
Invoke-Command -ComputerName WSUSSERVER -ScriptBlock { Add-
WsusComputer -Computer $using:computer -TargetGroupName 'Group Here' }
Install-WindowsUpdate -ComputerName $computer
}
By using the PowerShell commands that Microsoft provides and a community resource module, you should by now see the possibilities. If you haven't used PowerShell to manage WSUS yet, I encourage you to give it a try and see just how much time you can save by automating a lot of those manual processes.