A quick blog post tonight:
When setting up WSUS, its common practice to trial updates internally prior to deployment across an entire environment…
For a recent WSUS setup I completed we decided to leave auto update approval on for all Windows Critical & Security updates so they could be tested after release every Patch Tuesday. After Microsoft’s recent spate of Out-Of-Band updates we were finding that machines were being updated half way through a month due the limited update controls you have with WSUS… We could opt to manually sync updates or select the longest time between syncs of “check once every 24 hours”.
Using some cool tips from the Hey Scripting Guy Blog I’ve slapped together this script that now runs as a scheduled task to download updates once a month on Patch Tuesday.
This is an impractical approach to updating, critical updates should be applied as soon as possible, however forcing a manual WSUS update could come in handy for a select few:
$ErrorActionPreference = "SilentlyContinue" # WSUS Connection Parameters: [String]$updateServer = "WSUS.resdevops.com" [Boolean]$useSecureConnection = $False [Int32]$portNumber = 80 # Load .NET assembly [void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") # Connect to WSUS Server $Wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer($updateServer,$useSecureConnection,$portNumber) # Perform Synchronization $Subscription = $Wsus.GetSubscription() $Subscription.StartSynchronization()
Write-host “WSUS Sync Started/Queued; Check WSUS console or Event log for any Errors.”;