Tip

Install WSUS updates immediately with Windows PowerShell

There’s a point in every Windows administrator’s career where the power in command-line automation becomes completely apparent.

Before it hits you, tools like PowerShell and VBScript might appear quaint. You might see their value in performing little tasks, but the effort spent in creating the automation is often far greater than the time saved.

Then, one day, you figure out how one little script can change your life for the better. That script for me was a tiny but powerful WSUS hack back in 2007. Tired of late nights and long evenings each month waiting for WSUS’ scheduler to get started patching servers, I went heads down to script up a “You Patch Now” VBScript.

It took more than a few days and a lot of web searching, but my efforts concluded with a workable solution I called my WSUS Big Red Button (which I wrote about here). Double-click that VBScript and any Windows computer would immediately scan for updates, download those it needed, install them and reboot if necessary.

Even better, the script (or, more specifically, the Windows Update Agent) respected WSUS configurations applied either manually or via Group Policy. As a result, any computer already part of a WSUS infrastructure would install only updates marked Approved. Conversely, any computer not managed by a WSUS server would still install anything Microsoft Update suggested. Instantly, my monthly patching efforts diminished from hours to mere minutes.

Red Button Mark II, PowerShell Edition

Times change, as do scripting languages. Today, VBScript is an artifact of a time long past, replaced by the far more powerful PowerShell. As a result, it seems time to update my “Install WSUS Updates Immediately” Big Red Button with a replacement for the PowerShell generation.

Here’s the code. Far shorter than its VBScript genesis, this Big Red Button scans a Windows system, downloads whatever updates are necessary, installs them and reboots the computer should any installed patches require it:

    # Define update criteria.
    $Criteria = "IsInstalled=0 and Type='Software'"

    # Search for relevant updates.
    $Searcher = New-Object -ComObject Microsoft.Update.Searcher
    $SearchResult = $Searcher.Search($Criteria).Updates

    # Download updates.
    $Session = New-Object -ComObject Microsoft.Update.Session
    $Downloader = $Session.CreateUpdateDownloader()
    $Downloader.Updates = $SearchResult
    $Downloader.Download()

    # Install updates.
    $Installer = New-Object -ComObject Microsoft.Update.Installer
    $Installer.Updates = $SearchResult
    $Result = $Installer.Install()

    # Reboot if required by updates.
    If ($Result.rebootRequired) { shutdown.exe /t 0 /r }

A little explanation is in order for this “starter” script, as it is a distillation of the one I use in production today. This script is as minimal as it gets. As the comments suggest, execute it on a Windows computer and that machine will search for any relevant updates, download them (from either a configured WSUS server or Microsoft’s servers online), install them, and reboot if any updates request one.

I deliver this script in its most minimal form specifically to give you an opportunity to expand it for your own uses. While my original published VBScript was one of the first ever released to solve this specific problem, today a web search for “install WSUS updates with PowerShell” results in a vast range of options. Many of those go too far with notifications, journaling, emailing results files and all the other niceties that make scripts like these useful. They obscure what’s really being done.

This script’s first block provides a place to identify the criteria for those updates you want installed. I’ve listed a sample few for $Criteria, but you can add your own with the help of the documentation found on MSDN.

The second block instructs the onboard Windows Update Agent to search the local computer for missing updates. The third block uses those results, stored in the variable $SearchResult, to kick off an update download. Those updates are then installed in the fourth block. The fifth and final block queries that installation process to verify and force a reboot if requested.

Since the native Windows Update Agent will respect configurations handed to it manually or via Group Policies, running this will download only those updates you’ve approved for installation in your WSUS console. Start there first, before kicking off this script against individual machines. If a machine doesn’t have a local WSUS configuration, the Windows Update Agent will query against Microsoft’s Internet servers for the patches Microsoft deems appropriate (and constrained by the criteria you’ve added).
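
Because the update source decides whether your WSUS approvals apply at all, it is worth checking before the button is pushed. The following pre-flight check is an added example, not part of the original script; it reads the Windows Update policy values (WUServer and UseWUServer) that Group Policy writes to the registry, and the function name Get-UpdateSource is hypothetical.

```powershell
# Added example: report where the Windows Update Agent will get its updates.
function Get-UpdateSource {
    $wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $policy = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au     = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

    # WSUS is in effect only when a server is named AND UseWUServer is 1.
    $server   = if ($policy) { $policy.WUServer } else { $null }
    $usesWsus = [bool]$server -and ($au -and $au.UseWUServer -eq 1)

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        UsesWsus = [bool]$usesWsus
        WUServer = $server
    }
}

$source = Get-UpdateSource

# No WSUS policy: the agent would go to Microsoft's servers, so approvals
# made in the WSUS console would not constrain what gets installed.
if (-not $source.UsesWsus) {
    Write-Warning "$($source.Computer) has no WSUS policy; stopping before any unapproved update is installed."
    return
}

# A plain-HTTP WSUS URL means update metadata travels without TLS.
if ($source.WUServer -notmatch '^https://') {
    Write-Warning "WSUS URL $($source.WUServer) is not HTTPS."
}

Write-Output "$($source.Computer) will patch from $($source.WUServer)"
```

Run it ahead of the install script; on a machine without a WSUS policy it stops with a warning instead of letting the agent fall back to Microsoft's servers.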

There’s plenty more you can add to this starter PowerShell script, like data gathering and reporting, emailing of reports, and all manner of if/then statements and verifications that tie everything together.
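
One way to add the verification and reporting mentioned above is shown here as an added example, not the author's production script. It keeps the same five steps, stops early when nothing applies, records a per-update result, and only then decides on the reboot; the $LogPath location is a hypothetical choice, and the script assumes an elevated PowerShell session.

```powershell
# Added example: the article's five steps plus result verification and a CSV log.
# $LogPath is a hypothetical location chosen for this example.
$LogPath = "$env:TEMP\wsus-install-$(Get-Date -Format yyyyMMdd-HHmmss).csv"

$Session  = New-Object -ComObject Microsoft.Update.Session
$Searcher = $Session.CreateUpdateSearcher()
$Updates  = $Searcher.Search("IsInstalled=0 and Type='Software'").Updates

# Stop early instead of handing an empty collection to the downloader.
if ($Updates.Count -eq 0) { Write-Output 'No applicable updates.'; return }

$Downloader = $Session.CreateUpdateDownloader()
$Downloader.Updates = $Updates
[void]$Downloader.Download()

$Installer = $Session.CreateUpdateInstaller()
$Installer.Updates = $Updates
$Result = $Installer.Install()

# OperationResultCode values from the Windows Update Agent API.
$Codes = @{ 0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'
            3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }

# Result index $i corresponds to update index $i in the installer's collection.
$Report = for ($i = 0; $i -lt $Updates.Count; $i++) {
    $r = $Result.GetUpdateResult($i)
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Title    = $Updates.Item($i).Title
        Result   = $Codes[[int]$r.ResultCode]
        HResult  = '0x{0:X8}' -f $r.HResult
        Reboot   = $r.RebootRequired
    }
}

$Report | Export-Csv -Path $LogPath -NoTypeInformation
$Report | Format-Table Title, Result, HResult -AutoSize

# Surface anything that did not install cleanly before the machine restarts.
$Failed = @($Report | Where-Object { $_.Result -ne 'Succeeded' })
if ($Failed.Count -gt 0) {
    Write-Warning "$($Failed.Count) update(s) did not install cleanly; see $LogPath"
}

if ($Result.RebootRequired) { shutdown.exe /t 0 /r }
```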

Even if you’ve never scripted before, little automations like this one present an opportunity to earn back precious hours of your life. Hopefully with it you can eliminate yet another piece of IT’s mundane scut work, freeing you to become a more efficient Windows administrator.

About the author:
Greg Shields is a Partner and Principal Technologist with Concentrated Technology, an IT analysis and strategic consulting firm. Contact him at http://www.ConcentratedTech.com.

This was first published in June 2012
