Many IT professionals use Windows Software Update Services (WSUS) to manage updates across all their Windows systems and other third-party software. When paired up with PowerShell, managing updates becomes even quicker and more efficient.
WSUS monitors for and installs updates while PowerShell makes syncing them from Microsoft easy. You can also use PowerShell to make checking the status of the computers you’re managing more straightforward and adaptable.
WSUS isn’t just for Windows. It can also manage updates for some third-party software as well as Office products, SQL Server and Exchange Server.
Below, find out how to sync your WSUS server with Microsoft update, how to query all the computers your WSUS server is managing, and how to use PowerShell commands in WSUS.
One way to remotely connect to a WSUS server is to use PowerShell remoting, so make sure that your WSUS server has this enabled. PowerShell remoting is a feature that allows you to run commands on a remote computer as if you were logged in locally. This is useful for managing WSUS servers from anywhere without having to use Remote Desktop or other tools.
To enable PowerShell remoting on a WSUS server, run a command on the server that configures it to receive remote commands. You might also need to modify firewall settings so the computers can talk to each other. Open ports 5985 and 5986 to do so.
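One way to carry out these two steps, added here as an example rather than taken from the original article: enable remoting with the built-in Enable-PSRemoting cmdlet, then limit the WinRM firewall rules to the network your admin workstations use instead of leaving the ports open to every address. The subnet value is a constructed placeholder.

```powershell
# Run in an elevated PowerShell session on the WSUS server.
Enable-PSRemoting -Force   # starts WinRM, creates the listener and the firewall exception

# Constructed example value: the subnet your admin workstations connect from.
$managementSubnet = '10.0.50.0/24'

# Find the enabled inbound rules that cover the WinRM ports
# (5985 = WinRM over HTTP, 5986 = WinRM over HTTPS).
$winrmRules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '5985' -or $_.LocalPort -contains '5986' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }

# Accept remoting connections only from the management subnet.
$winrmRules | Set-NetFirewallRule -RemoteAddress $managementSubnet

# Review which remote addresses each rule now accepts.
$winrmRules | Get-NetFirewallAddressFilter | Select-Object InstanceID, RemoteAddress

# From an admin workstation inside that subnet, confirm WinRM answers:
#   Test-WSMan -ComputerName WSUSSERVER
```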
Keep your WSUS server consistently synchronized with Microsoft Update to help maintain a secure, up-to-date and reliable Windows infrastructure.
Now that you have enabled PowerShell remoting, connect to your WSUS server using the PowerShell cmdlet Enter-PSSession.
PS> Enter-PSSession -ComputerName WSUSSERVER
[WSUSSERVER]: PS>
Keep in mind that you’re entering an interactive remoting session to demonstrate some commands. You may also use the Invoke-Command command to automate many of these commands in a larger script.
First, determine how to query all updates currently on your WSUS server. To do that, use the Get-WsusUpdate command. When this command is run on a new WSUS server, you’ll see that nothing is returned. This is because no updates have been synchronized yet. Initiate a sync from PowerShell using the Get-WsusServer cmdlet.
(Get-WsusServer).GetSubscription().StartSynchronization()
Once complete, all updates that were configured to sync should be downloaded locally. Once you’ve ensured all patches are synced with Microsoft Update, look at all of the clients this server is currently managing updates on.
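StartSynchronization() returns immediately, so a script has to wait for the sync and check how it ended before relying on the update list. The following is an added example, not code from the original article; it uses the WSUS subscription object's status methods, and the two-hour timeout is an assumed value.

```powershell
# Run on the WSUS server, or inside the remoting session shown earlier.
$subscription = (Get-WsusServer).GetSubscription()
$subscription.StartSynchronization()

# Assumed upper bound for one sync; adjust to the size of your catalog.
$deadline = (Get-Date).AddHours(2)

# Poll until the server reports that it is idle again.
do {
    Start-Sleep -Seconds 15
    $progress = $subscription.GetSynchronizationProgress()
    Write-Host ("{0}: {1}/{2} items" -f $progress.Phase, $progress.ProcessedItems, $progress.TotalItems)
    if ((Get-Date) -gt $deadline) {
        throw 'WSUS synchronization did not finish before the timeout.'
    }
} while ($subscription.GetSynchronizationStatus() -ne 'NotProcessing')

# A finished sync is not necessarily a successful one: check the recorded result.
$last = $subscription.GetLastSynchronizationInfo()
if ($last.Result -ne 'Succeeded') {
    throw "WSUS synchronization ended with result '$($last.Result)': $($last.ErrorText)"
}

# Updates that clients need but nobody has approved yet.
$pending = @(Get-WsusUpdate -Approval Unapproved -Status Needed)
"Sync finished at $($last.EndTime) UTC; $($pending.Count) needed updates are waiting for approval."
```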
Use the Get-WsusComputer command to get an overview of all the computers your WSUS server is managing.
[WSUSSERVER]: PS C:\> Get-WsusComputer
Computer | IP address | Operating system | Last status report |
---|---|---|---|
client1.mylab.local | 2607:fcc8:acc1:ed00:cd0:baa4:eea2:80a | Windows 8.1 | 1/1/0001 12:00:00 AM |
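A last status report of 1/1/0001, as in the output above, means the client has never reported to the server, so its patch state is unknown. The report below is an added example, not part of the original article; it lists clients that have never reported or have gone quiet, and the 30-day threshold is an assumed value.

```powershell
# Run on the WSUS server, or inside the remoting session shown earlier.
$staleAfterDays = 30    # assumed threshold; pick one that matches your patch cycle

# WSUS stores report times in UTC, so build the cutoff in UTC as well.
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$staleAfterDays)

$staleClients = Get-WsusComputer -All |
    # Skip anything that is not a computer object (for example an informational message).
    Where-Object { $_.FullDomainName -and $_.LastReportedStatusTime -lt $cutoff } |
    ForEach-Object {
        $neverReported = $_.LastReportedStatusTime -eq [datetime]::MinValue
        [pscustomobject]@{
            Computer        = $_.FullDomainName
            OperatingSystem = $_.OSDescription
            LastReportUtc   = if ($neverReported) { 'never' } else { $_.LastReportedStatusTime }
            LastSyncUtc     = if ($_.LastSyncTime -eq [datetime]::MinValue) { 'never' } else { $_.LastSyncTime }
        }
    } |
    Sort-Object Computer

if ($staleClients) {
    $staleClients | Format-Table -AutoSize
    Write-Warning ("{0} client(s) have not reported in {1} days or have never reported." -f @($staleClients).Count, $staleAfterDays)
} else {
    "Every client has reported within the last $staleAfterDays days."
}
```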
To get a full listing of all of the commands available to you, use the Get-Command command. You then can view a list of all of the WSUS commands inside of the WSUS module.
[WSUSSERVER]: PS C:\> Get-Command -Module UpdateServices
Command type | Name | Version | Source |
---|---|---|---|
Cmdlet | Add-WsusComputer | 2.0.0.0 | UpdateServices |
Cmdlet | Approve-WsusUpdate | 2.0.0.0 | UpdateServices |
Cmdlet | Deny-WsusUpdate | 2.0.0.0 | UpdateServices |
Cmdlet | Get-WsusClassification | 2.0.0.0 | UpdateServices |
Cmdlet | Get-WsusComputer | 2.0.0.0 | UpdateServices |
Cmdlet | Get-WsusProduct | 2.0.0.0 | UpdateServices |
Cmdlet | Get-WsusServer | 2.0.0.0 | UpdateServices |
Cmdlet | Get-WsusUpdate | 2.0.0.0 | UpdateServices |
Cmdlet | Invoke-WsusServerCleanup | 2.0.0.0 | UpdateServices |
Cmdlet | Set-WsusClassification | 2.0.0.0 | UpdateServices |
Cmdlet | Set-WsusProduct | 2.0.0.0 | UpdateServices |
Cmdlet | Set-WsusServerSynchronization | 2.0.0.0 | UpdateServices |
Periodically export your WSUS settings as part of your disaster recovery and business continuity plans. Ready access to these settings can improve recovery time significantly in case of a server failure or other issues.
Once you have your WSUS server configured the way you’d like, you can also manage the WSUS clients. Although Microsoft doesn’t give you a good option to do this via PowerShell, you can rely on the community and download a module from GitHub called WindowsUpdate. Once installed, this module allows you to query remote computers for installed updates, install required updates, and more. Here’s how to download and install it:
mkdir 'C:\Program Files\WindowsPowerShell\Modules\WindowsUpdate'
Invoke-WebRequest -Uri https://raw.githubusercontent.com/adbertram/Random-PowerShell-Work/master/Software%20Updates/WindowsUpdate.psm1 -OutFile 'C:\Program Files\WindowsPowerShell\Modules\WindowsUpdate\WindowsUpdate.psm1'
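The command above installs whatever the master branch contains at download time into a machine-wide module path. The variant below is an added example, not part of the original article or the module's project: it pins the download to a commit you have reviewed and checks the file hash before installing. The commit ID and hash are placeholders you must fill in yourself.

```powershell
# Placeholders: replace both after reviewing the file at a specific commit.
$reviewedCommit = '<commit-sha-you-reviewed>'
$expectedSha256 = '<sha256-of-the-file-you-reviewed>'

$uri       = "https://raw.githubusercontent.com/adbertram/Random-PowerShell-Work/$reviewedCommit/Software%20Updates/WindowsUpdate.psm1"
$moduleDir = 'C:\Program Files\WindowsPowerShell\Modules\WindowsUpdate'
$staging   = Join-Path $env:TEMP 'WindowsUpdate.psm1'

# Windows PowerShell 5.1 may not offer TLS 1.2 by default.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Download to a staging location first, not into the module path.
Invoke-WebRequest -Uri $uri -OutFile $staging -UseBasicParsing

# Compare the downloaded file against the hash of the reviewed copy.
$actualSha256 = (Get-FileHash -Path $staging -Algorithm SHA256).Hash
if ($actualSha256 -ne $expectedSha256) {
    Remove-Item -Path $staging -Force
    throw "WindowsUpdate.psm1 hash mismatch: expected $expectedSha256, got $actualSha256. Nothing was installed."
}

# Only a verified file reaches the module directory.
New-Item -ItemType Directory -Path $moduleDir -Force | Out-Null
Move-Item -Path $staging -Destination (Join-Path $moduleDir 'WindowsUpdate.psm1') -Force
"Installed WindowsUpdate.psm1 (commit $reviewedCommit, SHA256 $actualSha256)."
```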
Once the module is installed, you’ll have multiple commands available to you.
PS C:\> gcm -Module windowsupdate
Command type | Name | Version | Source |
---|---|---|---|
Function | Get-WindowsUpdate | 0.0 | windowsupdate |
Function | GetWindowsUpdateInstallResult | 0.0 | windowsupdate |
Function | Install-WindowsUpdate | 0.0 | windowsupdate |
Function | NewUpdateCriteriaQuery | 0.0 | windowsupdate |
Function | NewWindowsUpdateScheduledTask | 0.0 | windowsupdate |
Function | Remove-ScheduledTask | 0.0 | windowsupdate |
Function | SearchWindowsUpdate | 0.0 | windowsupdate |
Function | TestWindowsUpdateScheduledTask | 0.0 | windowsupdate |
Function | Wait-ScheduledTask | 0.0 | windowsupdate |
Function | Wait-WindowsUpdate | 0.0 | windowsupdate |
Let’s say you’d like to see what updates are installed on that computer you referenced earlier on the server. To do that, use the Get-WindowsUpdate command:
PS> Get-WindowsUpdate -ComputerName client1
This command lists all of the updates that are available but are not installed. To install those updates, use the Install-WindowsUpdate command and even account for a reboot if necessary.
PS> Install-WindowsUpdate -ComputerName client1 -ForceReboot
One of the great things about managing WSUS with PowerShell is that you can extend the functionality in any way you’d like. So, for example, you could stitch these commands together and perhaps take a list of computers from a text file, add them to a WSUS target group, and invoke an update install all in one script.
$computers = Get-Content -Path C:\Computers.txt
foreach ($computer in $computers) {
    # Add-WsusComputer expects a WSUS computer object, so look the client up on the server first
    Invoke-Command -ComputerName WSUSSERVER -ScriptBlock {
        Get-WsusComputer -NameIncludes $using:computer | Add-WsusComputer -TargetGroupName 'Group Here'
    }
    Install-WindowsUpdate -ComputerName $computer
}
By using the PowerShell commands that Microsoft provides as well as a community resource module, you open up many possibilities. If you haven’t used PowerShell to manage WSUS yet, give it a try. You’ll see how much time you can save by automating manual processes.
Leveraging PowerShell to manage WSUS can save you considerable time and effort. It also gives you the flexibility to extend functionality according to your needs.
PowerShell is worth learning. It’s not as hard to absorb as many coding languages, and mastering it can help simplify and automate a lot of the necessary-but-unproductive IT jobs in your business.
Mark Fairlie contributed to this article.