A quick blog post tonight:
When setting up WSUS, it's common practice to trial updates internally prior to deployment across an entire environment…
For a recent WSUS setup I completed we decided to leave auto update approval on for all Windows Critical & Security updates so they could be tested after release every Patch Tuesday. After Microsoft’s recent spate of Out-Of-Band updates we were finding that machines were being updated halfway through a month due to the limited update controls you have with WSUS… We could opt to manually sync updates or select the longest time between syncs of “check once every 24 hours”.
Using some cool tips from the Hey Scripting Guy Blog I’ve slapped together this script that now runs as a scheduled task to download updates once a month on Patch Tuesday.
This is an impractical approach to updating: critical updates should be applied as soon as possible. However, forcing a manual WSUS update could come in handy for a select few:
    $ErrorActionPreference = "SilentlyContinue"

    # WSUS Connection Parameters:
    [String]$updateServer = "WSUS.resdevops.com"
    [Boolean]$useSecureConnection = $False
    [Int32]$portNumber = 80

    # Load .NET assembly
    [void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

    # Connect to WSUS Server
    $Wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer($updateServer,$useSecureConnection,$portNumber)

    # Perform Synchronization
    $Subscription = $Wsus.GetSubscription()
    $Subscription.StartSynchronization()

    Write-Host "WSUS Sync Started/Queued; Check WSUS console or Event log for any Errors."
How about adding the bits that show how to find the status of the synchronization, errors of last synchronization and such?
That would be pretty trivial to add – there's a couple of helpful methods we could use:
Would yield the current update count that failed to download from upstream.
Would also show some interesting metrics:
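As an added example (not part of the original post or the author's reply): one way to start the sync, wait for it to finish, and report the outcome through the WSUS administration API, with errors surfaced instead of silenced so the scheduled task records a failure. The server name and connection settings are the ones from the script above; the polling interval and timeout are assumptions.

```powershell
# Added example: start a WSUS sync, poll until it finishes, report the result.
$ErrorActionPreference = "Stop"   # fail loudly; a scheduled task should not hide errors

# WSUS connection parameters (values from the post's script)
[String]$updateServer = "WSUS.resdevops.com"
[Boolean]$useSecureConnection = $False   # set $True and the SSL port where WSUS uses SSL
[Int32]$portNumber = 80
[Int32]$pollSeconds = 10                 # assumption: polling interval
[Int32]$timeoutMinutes = 60              # assumption: give up after this long

try {
    [void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
    $Wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($updateServer, $useSecureConnection, $portNumber)
    $Subscription = $Wsus.GetSubscription()

    # Do not queue a second sync on top of one that is already running
    if ($Subscription.GetSynchronizationStatus() -eq "NotProcessing") {
        $Subscription.StartSynchronization()
    }

    # Poll until the server reports that it is idle again
    $deadline = (Get-Date).AddMinutes($timeoutMinutes)
    Start-Sleep -Seconds $pollSeconds
    while ($Subscription.GetSynchronizationStatus() -ne "NotProcessing") {
        if ((Get-Date) -gt $deadline) {
            throw "Synchronization still running after $timeoutMinutes minutes."
        }
        $progress = $Subscription.GetSynchronizationProgress()
        Write-Host ("{0}: {1}/{2} items" -f $progress.Phase, $progress.ProcessedItems, $progress.TotalItems)
        Start-Sleep -Seconds $pollSeconds
    }

    # Result of the sync that just completed
    $last = $Subscription.GetLastSynchronizationInfo()
    Write-Host ("Last sync {0} to {1}: {2}" -f $last.StartTime, $last.EndTime, $last.Result)
    if ($last.Result -ne "Succeeded") {
        throw ("Synchronization result {0}: {1} {2}" -f $last.Result, $last.Error, $last.ErrorText)
    }
}
catch {
    # A non-zero exit code shows up as the task's last run result
    Write-Host "WSUS sync failed: $($_.Exception.Message)"
    exit 1
}
```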