Managing WSUS with PowerShell
Date Published: January 28, 2022
This guide provides essential PowerShell commands for managing Windows Server Update Services (WSUS). These commands help streamline update management, improve reporting, and enhance automation for administrators.
Force WSUS Clients to Check In
To trigger a WSUS client to check in and report its status:
Original Command:
$updateSession = New-Object -ComObject "Microsoft.Update.Session"
$updates = $updateSession.CreateUpdateSearcher().Search($criteria).Updates
wuauclt /reportnow
Explanation:
New-Object -ComObject: Initializes an update session to interact with the WSUS API.wuauclt /reportnow: Forces the client to send a status report to the WSUS server.
Update Microsoft Defender Signatures
To manage and update Defender signatures efficiently:
Original Command:
Set-MpPreference -SignatureUpdateInterval 1 -SignatureFallbackOrder {InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC}
Update-MpSignature
Explanation:
Set-MpPreference: Adjusts the frequency and fallback order for Defender signature updates.SignatureUpdateInterval: Specifies the interval in hours for updates.SignatureFallbackOrder: Defines the priority of sources for updates.
Update-MpSignature: Triggers a manual signature update.
Scan, Download, and Install Updates
To automate Windows updates with PowerShell:
Original Command:
$updates = Start-WUScan
Install-WUUpdates $updates
Get-WUIsPendingReboot
Explanation:
Start-WUScan: Initiates a scan for available updates.Install-WUUpdates: Installs updates retrieved from the scan.Get-WUIsPendingReboot: Checks if a system restart is required to complete the update process.
Enhancement:
Combine commands into a script to fully automate the process:
$updates = Start-WUScan
if ($updates.Count -gt 0) {
Install-WUUpdates $updates
if (Get-WUIsPendingReboot) {
Write-Host "Reboot required. Restarting system..."
Restart-Computer
} else {
Write-Host "Updates installed. No reboot required."
}
} else {
Write-Host "No updates available."
}
WSUS on Server Core
To manage WSUS in a Server Core environment, ensure SQLCMD is available:
Check SQLCMD Installation:
SQLCMD /?
If error code returned is 0 SQLCMD is present. If not, it is not installed. If SQLCMD is not installed, install it using your package manager or SQL Server tools.
Extract Update Descriptions from WSUS
To fetch update metadata, such as descriptions, directly from the WSUS database:
Original Command:
Get-WsusUpdate -UpdateId b8c3207f-4469-46b3-9a0f-b4057b54add3 | Select-Object *
$update = $wsus.SearchUpdates('KB890830')
Explanation:
Get-WsusUpdate: Retrieves updates from WSUS by their unique ID.SearchUpdates: Searches for specific updates using keywords like KB numbers.
Enhancement:
Export update details to a CSV for better reporting:
Get-WsusUpdate -UpdateId b8c3207f-4469-46b3-9a0f-b4057b54add3 | Select-Object * | Export-Csv -Path "C:\WSUS_UpdateDetails.csv" -NoTypeInformation
Best Practices
- Regular Maintenance:
- Reindex the WSUS database periodically to improve performance.
Invoke-WsusServerCleanup
- Reindex the WSUS database periodically to improve performance.
- Monitor Update Compliance:
- Use the WSUS dashboard or custom scripts to track update status.
- Automate Tasks:
- Schedule WSUS tasks (e.g., cleanup, synchronization) using Task Scheduler or PowerShell scripts.
References
General
http://pleasework.robbievance.net/howto-force-really-wsus-clients-to-check-in-on-demand/ https://docs.microsoft.com/en-us/powershell/module/defender/update-mpsignature?view=windowsserver2019-ps https://docs.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wsus https://microsoftgeek.com/?p=2247 https://www.stephenwagner.com/2019/05/15/guide-using-installing-wsus-windows-server-core-2019/
WSUS on Server Core
https://mcpmag.com/articles/2017/08/10/automate-wsus-using-the-powershell-updateservices.aspx https://docs.microsoft.com/en-us/troubleshoot/mem/configmgr/reindex-the-wsus-database
Linking Scheduled Tasks
http://woshub.com/schedule-task-to-start-when-another-task-finishes/
Extracting descriptions from WSUS DB
https://serverfault.com/questions/704553/can-i-change-the-update-descriptions-in-wsus