How To Work With The WSUS PowerShell Module - TechTarget

Maybe your like

Home
Microsoft messaging and collaboration

maxkabakov - Fotolia

Dan Franciscus

Published: 27 Sep 2019

In many enterprises, you use Windows Server Update Services to centralize and distribute Windows patches to end-user devices and servers.

WSUS is a free service that installs on Windows Server and syncs Windows updates locally. Clients connect to and download patches from the server. Historically, you manage WSUS with a GUI, but with PowerShell and the PoshWSUS community module, you can automate your work with WSUS for more efficiency. This article will cover how to use some of the common cmdlets in the WSUS PowerShell module, found at this link.

Connecting to a WSUS server

The first task to do with PoshWSUS is to connect to an existing WSUS server so you can run cmdlets against it. This is done with the Connect-PSWSUSServer cmdlet. The cmdlet provides the option to make a secure connection, which is normally on port 8531 for SSL.

Connect-PSWSUSServer -WsusServer wsus -Port 8531 -SecureConnection Name Version PortNumber ServerProtocolVersion ---- ------- ---------- --------------------- wsus 10.0.14393.2969 8530 1.20

View the WSUS clients

There are various cmdlets used to view WSUS client information. The most apparent is Get-PSWSUSClient, which shows client information such as hostname, group membership, hardware model and operating system type. The example below gets information on a specific machine named Test-1.

Get-PSWSUSClient Test-1 | Select-Object * ComputerGroup : {Windows 10, All Computers} UpdateServer : Microsoft.UpdateServices.Internal.BaseApi.UpdateServer Id : 94a2fc62-ea2e-45b4-97d5-10f5a04d3010 FullDomainName : Test-1 IPAddress : 172.16.48.153 Make : HP Model : HP EliteDesk 800 G2 SFF BiosInfo : Microsoft.UpdateServices.Administration.BiosInfo OSInfo : Microsoft.UpdateServices.Administration.OSInfo OSArchitecture : AMD64 ClientVersion : 10.0.18362.267 OSFamily : Windows OSDescription : Windows 10 Enterprise ComputerRole : Workstation LastSyncTime : 9/9/2019 12:06:59 PM LastSyncResult : Succeeded LastReportedStatusTime : 9/9/2019 12:18:50 PM LastReportedInventoryTime : 1/1/0001 12:00:00 AM RequestedTargetGroupName : Windows 10 RequestedTargetGroupNames : {Windows 10} ComputerTargetGroupIds : {59277231-1773-401f-bf44-2fe09ac02b30, a0a08746-4dbe-4a37-9adf-9e7652c0b421} ParentServerId : 00000000-0000-0000-0000-000000000000 SyncsFromDownstreamServer : False

WSUS usually organizes machines into groups, such as all Windows 10 machines, to apply update policies. The command below measures the number of machines in a particular group called Windows 10 with the cmdlet Get-PSWSUSClientsinGroup:

Get-PSWSUSClientsInGroup -Name 'Windows 10' | Measure-Object | Select-Object -Property Count Count ----- 86

How to manage Windows updates

With the WSUS PowerShell module, you can view, approve and decline updates on the WSUS server, a very valuable and powerful feature. The command below finds all the Windows 10 feature updates with the title "Feature update to Windows 10 (business editions)." The output shows various updates on my server for version 1903 in different languages:

Get-PSWSUSUpdate -Update "Feature update to Windows 10 (business editions)" | Select Title Title ----- Feature update to Windows 10 (business editions), version 1903, en-gb x86 Feature update to Windows 10 (business editions), version 1903, en-us arm64 Feature update to Windows 10 (business editions), version 1903, en-gb arm64 Feature update to Windows 10 (business editions), version 1903, en-us x86 Feature update to Windows 10 (business editions), version 1903, en-gb x64 Feature update to Windows 10 (business editions), version 1903, en-us x64

Another great feature of this cmdlet is it shows updates that arrived after a particular date. The following command gives the top-five updates that were downloaded in the last day:

Get-PSWSUSUpdate -FromArrivalDate (Get-Date).AddDays(-1) | Select-Object -First 5 Title KnowledgebaseArticles UpdateType CreationDate UpdateID ----- --------------------- ---------- ------------ -------- Security Update for Microso... {4475607} Software 9/10/2019 10:00:00 AM 4fa99b46-765c-4224-a037-7ab... Security Update for Microso... {4475574} Software 9/10/2019 10:00:00 AM 1e489891-3372-43d8-b262-8c8... Security Update for Microso... {4475599} Software 9/10/2019 10:00:00 AM 76187d58-e8a6-441f-9275-702... Security Update for Microso... {4461631} Software 9/10/2019 10:00:00 AM 86bdbd3b-7461-4214-a2ba-244... Security Update for Microso... {4475574} Software 9/10/2019 10:00:00 AM a56d629d-8f09-498f-91e9-572...

The approval and rejection of updates is an important part of managing Windows updates in the enterprise. The WSUS PowerShell module makes this easy to do. A few years ago, Microsoft began releasing preview updates for testing purposes. I typically want to decline these updates to avoid their installation on production machines. The following command finds every update with the string "Preview of" in the title and declines them with the Deny-PSWSUSUpdate cmdlet.

Get-PSWSUSUpdate -Update "Preview of" | Where-Object {$_.IsDeclined -eq 'False' } | Deny-PSWSUSUpdate Patch IsDeclined ----- ---------- 2019-08 Preview of Quality Rollup for .NET Framework 3.5.1 on Windows Server 2008 R2 for Itanium-based Systems (KB4512193) True 2019-08 Preview of Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 7 (KB4512193) True 2019-08 Preview of Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 7 and Server 2008 R2 for x64 (KB4512193) True 2019-07 Preview of Quality Rollup for .NET Framework 2.0 on Windows Server 2008 SP2 for Itanium-based Systems (KB4512196) True 2019-08 Preview of Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows Server 2012 for x64 (KB4512194) True 2019-07 Preview of Quality Rollup for .NET Framework 2.0, 3.0, 4.5.2, 4.6 on Windows Server 2008 SP2 (KB4512196) True 2019-08 Preview of Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 8.1 and Server 2012 R2 for x64 (KB4512195) True 2019-07 Preview of Quality Rollup for .NET Framework 2.0, 3.0, 4.5.2, 4.6 on Windows Server 2008 SP2 for x64 (KB4512196) True

Syncing WSUS with Microsoft's servers

In the WSUS GUI, users can set up a daily synchronization between their WSUS server and the Microsoft update servers to download new updates. I like to synchronize more than once a day, especially on Patch Tuesday when you may get several updates in one day. For this reason, you can create a scheduled task that runs a WSUS sync hourly for a few hours per day. The script can be as simple as this command below:

Start-PSWSUSSync Synchronization has been started on wsus.

Performing cleanups

A WSUS server can be fickle. I have had to rebuild WSUS servers several times, and it is a pretty lengthy process because you have to download all the updates to the new server. You can avoid this process by running a cleanup on the WSUS server. The Start-PSWSUSCleanup cmdlet performs many of these important actions, such as declining superseded updates, cleanup of obsolete updates and removing obsolete computers:

Start-PSWSUSCleanup -DeclineSupersededUpdates -DeclineExpiredUpdates -CleanupObsoleteUpdates -CompressUpdates -CleanupObsoleteComputers -CleanupUnneededContentFiles Beginning cleanup, this may take some time... SupersededUpdatesDeclined : 223 ExpiredUpdatesDeclined : 0 ObsoleteUpdatesDeleted : 0 UpdatesCompressed : 4 ObsoleteComputersDeleted : 6 DiskSpaceFreed : 57848478722

Dig Deeper on Microsoft messaging and collaboration

How to use Windows Update for Business with Group Policy
By: Damon Garn
The Microsoft patch management guide for admins
By: Adam Fowler
Windows Server Update Services (WSUS)
By: Kinza Yasar
Windows as a service
By: Eddie Lockhart

How To Work With The WSUS PowerShell Module - TechTarget

Connecting to a WSUS server

View the WSUS clients

How to manage Windows updates

Syncing WSUS with Microsoft's servers

Performing cleanups

Dig Deeper on Microsoft messaging and collaboration

How to use Windows Update for Business with Group Policy

The Microsoft patch management guide for admins

Windows Server Update Services (WSUS)

Windows as a service

Add-WsusComputer (UpdateServices) - Microsoft Docs

Add-WsusComputer - Windows-powershell-docs - GitHub

Add Computers To WSUS Group Using PowerShell

WSUS: Managing Groups With PowerShell | Achieve More

Scripts/Import-1 0.9.0 - PowerShell Gallery

Configuring WSUS Computer Groups

Distribute Computers Across Several Groups For WSUS Using ...

WSUS Script To Add List Of Computers To A Group In WSUS

[Server 2012][WSUS] Adding Computers From AD Security Group To ...

How To Get Computer Group Membership With Or Without PowerShell

Install And Configure WSUS On Windows Server 2019 - Prajwal Desai

Use PowerShell To Make WSUS Suck Less

Patch Manager Computer Groups - SolarWinds Documentation

Using PowerShell To Output WSUS Group Information - DailySysAdmin

Contact