WSUS Updates with PowerShell and PDQ


As System Administrators we are all tasked with scheduled Windows patching maintenance, and if you’ve ever had to rely on Microsoft update manager or some other third-party applications you know the pain of ensuring that “ALL” updates get applied correctly, especially on the “FIRST” round! So I came up with a PowerShell solution that incorporates PDQ Deploy and PDQ Inventory to easily push to numerous systems in parallel. It can be run without PDQ; however, I simply use it as a great method of deploying to large numbers of systems in parallel.

So how many of you are PAYING annual licensing fees to use Wuinstall? This solution can be used to do everything that they are doing and charging you for! Why waste the money??

* Requires PowerShell 5 and PSWindowsUpdate module.

The Code:

# Install required modules
Install-PackageProvider -Name NuGet -Force
Install-Module PSWindowsUpdate -Force
Import-Module PSWindowsUpdate -Force
# End installing required modules
# SMTP Email Configuration Settings
$from = ""
$to = "", ""
$smtp = "your smtp servername"
$sub = "$($env:COMPUTERNAME): Windows Updates Installed and Rebooted"
$sub1 = "$($env:COMPUTERNAME): No Updates Needed"
$body = "Server Windows Update Report"
$body1 = "No new updates found."
# This is needed if the smtp server requires authentication.
# Note: the password is stored here in plain text, so anyone who can read this script
# (or the package that deploys it) can recover it.
$secpasswd = ConvertTo-SecureString "smtp password here" -AsPlainText -Force
# Define the email attachment report
$attachement = "c:\$(get-date -f yyyy-MM-dd)-WindowsUpdate.log"
$mycreds = New-Object System.Management.Automation.PSCredential ("smtp username", $secpasswd)
# Start WSUS updates
$updates = Get-WUList -Verbose
$updatenumber = ($updates.kb).count
if ($null -ne $updates) {
    # Updates are pending: install them and write the results to the log file
    Install-WindowsUpdate -AcceptAll -Install -AutoReboot | Out-File "c:\$(get-date -f yyyy-MM-dd)-WindowsUpdate.log" -force
    # Now let's send the email report
    Send-MailMessage -To $to -From $from -Subject $sub -Body $body -Attachments $attachement -Credential $mycreds -SmtpServer $smtp -DeliveryNotificationOption Never -BodyAsHtml -UseSsl
} else {
    # Nothing to install: send the "No Updates Needed" notice instead
    Send-MailMessage -To $to -From $from -Subject $sub1 -Body $body1 -Credential $mycreds -SmtpServer $smtp -DeliveryNotificationOption Never -BodyAsHtml -UseSsl
}

You can disable the reboot after install by changing -AutoReboot to -IgnoreReboot in this line:

Install-WindowsUpdate -AcceptAll -Install -AutoReboot | Out-File "c:\$(get-date -f yyyy-MM-dd)-WindowsUpdate.log" -force

I segregate my systems into a group in PDQ Inventory called “Install and Reboot”; this way, in my PDQ package I can specify two steps, one for “No Reboot” and a second step for “Auto Reboot”.

You can see in the step above that I first check if PowerShell 5 is installed; if not, it will be installed. Which of the next two steps runs depends on membership in the “Install and Reboot” group.
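
The script above builds $mycreds from a password written in plain text, and that script is copied to every system it is deployed to. The following is an added example, not part of the original post, that loads the credential from a DPAPI-protected file instead. The path C:\ProgramData\WSUSPatch\smtp.cred.xml and the function names Save-SmtpCredential and Get-SmtpCredential are assumptions made for illustration.

```powershell
# Added example: hypothetical helpers and path, not from the original post.
# On Windows, Export-Clixml protects the password with DPAPI, so the file can only
# be decrypted by the same user account on the same machine that created it.
$credPath = 'C:\ProgramData\WSUSPatch\smtp.cred.xml'   # assumed location

function Save-SmtpCredential {
    # Run once, interactively, as the account that will later run the patch script.
    param([string]$Path = $credPath)
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir)) {
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
    }
    # Prompts for the SMTP user name and password; nothing is written in clear text.
    Get-Credential | Export-Clixml -Path $Path -Force
}

function Get-SmtpCredential {
    param([string]$Path = $credPath)
    if (-not (Test-Path $Path)) {
        throw "No stored SMTP credential at $Path. Run Save-SmtpCredential as this account first."
    }
    try {
        $cred = Import-Clixml -Path $Path -ErrorAction Stop
    } catch {
        # Typical when the file was created by a different user or on another machine.
        throw "Cannot decrypt $Path as $env:USERNAME on $env:COMPUTERNAME: $($_.Exception.Message)"
    }
    if ($cred -isnot [System.Management.Automation.PSCredential]) {
        throw "$Path does not contain a PSCredential object."
    }
    return $cred
}

# In the patch script, this replaces the $secpasswd and $mycreds lines:
# $mycreds = Get-SmtpCredential
```

Because the file is bound to one user on one machine, Save-SmtpCredential has to be run on each target under the account that executes the deployment; a file copied from another system will fail to decrypt.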

