WSUS Updates with PowerShell and PDQ


As System Administrators we are all tasked with scheduled Windows patching maintenance, and if you’ve ever had to rely on Microsoft update manager or some other third party application you know the pain of ensuring that “ALL” updates get applied correctly, especially on the “FIRST” round! So I came up with a PowerShell solution that incorporates PDQ Deploy and PDQ Inventory to easily push updates to numerous systems in parallel. It can be run without PDQ; I simply use PDQ as a convenient way of deploying to large numbers of systems at once.

So how many of you are PAYING annual licensing fees to use Wuinstall? (https://www.wuinstall.com/) This solution can be used to do everything that they are doing and charging you for! Why waste the money??

* Requires PowerShell 5 and PSWindowsUpdate module.

The Code:

# Install required modules
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Install-Module PSWindowsUpdate -Force
Import-Module PSWindowsUpdate -Force
# End installing required modules

# SMTP Email Configuration Settings
$from  = "asm.alerts@asm-inc.com"
$to    = "you@email.com", "you2@email.com"
$smtp  = "your smtp servername"
$sub   = "$($env:COMPUTERNAME): Windows Updates Installed and Rebooted"
$sub1  = "$($env:COMPUTERNAME): No Updates Needed"
$body  = "Server Windows Update Report"
$body1 = "No new updates found."

# This is needed if the SMTP server requires authentication.
# Note: the password sits in clear text in this script, so restrict who can read the file.
$secpasswd = ConvertTo-SecureString "smtp password here" -AsPlainText -Force
$mycreds   = New-Object System.Management.Automation.PSCredential ("smtp username", $secpasswd)

# Define the email attachment report (one log file per day)
$attachment = "c:\$(Get-Date -f yyyy-MM-dd)-WindowsUpdate.log"

# Start WSUS updates
$updates      = Get-WUList -Verbose
$updatenumber = ($updates.KB).Count   # number of KBs found; not used below, but handy for the report

if ($null -ne $updates) {
    # Install everything, reboot automatically and log the result.
    # With -AutoReboot the machine may restart before Send-MailMessage below gets to run.
    Install-WindowsUpdate -AcceptAll -Install -AutoReboot | Out-File "c:\$(get-date -f yyyy-MM-dd)-WindowsUpdate.log" -force
    # Now let's send the email report
    Send-MailMessage -To $to -From $from -Subject $sub -Body $body -Attachments $attachment -Credential $mycreds -SmtpServer $smtp -DeliveryNotificationOption Never -BodyAsHtml -UseSsl
}
else {
    Send-MailMessage -To $to -From $from -Subject $sub1 -Body $body1 -Credential $mycreds -SmtpServer $smtp -DeliveryNotificationOption Never -BodyAsHtml -UseSsl
}

You can suppress the reboot after install by changing -AutoReboot to -IgnoreReboot in this line:

Install-WindowsUpdate -AcceptAll -Install -AutoReboot | Out-File "c:\$(get-date -f yyyy-MM-dd)-WindowsUpdate.log" -force

I segregate my systems into a group in PDQ Inventory called “Install and Reboot”; this way my PDQ package can have two steps, one for “No Reboot” and a second for “Auto Reboot”.

In the steps above I first check whether PowerShell 5 is installed and install it if not. Which of the next two steps runs depends on whether the target is a member of the “Install and Reboot” group.
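The same workflow, rearranged so the report is mailed before any reboot and the SMTP password is no longer stored in the script. This is an added example, not code from the original post; it assumes PSWindowsUpdate 2.x (for Get-WURebootStatus -Silent) and that the credential file was created once, as the account that runs the script, with `Get-Credential | Export-Clixml -Path 'C:\ProgramData\WU\smtp.cred.xml'` (the path is a placeholder; Export-Clixml protects the password with DPAPI so only that user on that host can decrypt it).

```powershell
# Added example (not the original post's script). The -AutoReboot switch is meant to be
# passed by the PDQ "Auto Reboot" step and left off by the "No Reboot" step.
param(
    [switch]$AutoReboot,
    [string]$CredPath   = 'C:\ProgramData\WU\smtp.cred.xml',   # placeholder path
    [string]$SmtpServer = 'your smtp servername',
    [string]$From       = 'asm.alerts@asm-inc.com',
    [string[]]$To       = @('you@email.com')
)
Import-Module PSWindowsUpdate -ErrorAction Stop

$log  = "C:\$(Get-Date -Format yyyy-MM-dd)-WindowsUpdate.log"
$cred = Import-Clixml -Path $CredPath     # DPAPI-protected credential, no clear-text password here

$updates = Get-WindowsUpdate              # Get-WUList is an alias for this cmdlet
if (-not $updates) {
    Send-MailMessage -To $To -From $From -SmtpServer $SmtpServer -Credential $cred -UseSsl `
        -Subject "$($env:COMPUTERNAME): No Updates Needed" -Body 'No new updates found.'
    return
}

# Install without rebooting so the report can always be sent first
Install-WindowsUpdate -AcceptAll -Install -IgnoreReboot | Out-File -FilePath $log -Force

# Ask Windows Update whether a restart is still pending (-Silent returns $true/$false)
$needsReboot = Get-WURebootStatus -Silent

$subject = "$($env:COMPUTERNAME): $(@($updates).Count) update(s) installed" +
           $(if ($needsReboot) { ', reboot pending' } else { '' })
Send-MailMessage -To $To -From $From -SmtpServer $SmtpServer -Credential $cred -UseSsl `
    -Subject $subject -Body 'Server Windows Update Report' -Attachments $log

# Only the "Auto Reboot" step restarts, and only when Windows actually asks for it
if ($AutoReboot -and $needsReboot) {
    Restart-Computer -Force
}
```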

Code Monkey 2018-12-01 03:24:36

Another thing I do is I have a step that creates a restore point before I apply updates, it's saved my butt a few times:

Enable-ComputerRestore -Drive "C:\"
Checkpoint-Computer -Description "Before Updates" -RestorePointType "MODIFY_SETTINGS"