I had an example of this recently with the GUI tool for WSUS 3.0. Essentially I was kicking off a project where we were going to target a particular group of machines for patching and the first step was to run a report for specific machines and then approve the updates to what WSUS calls a ComputerTargetGroup.
The problem with this is that although WSUS can provide you with a report which shows which updates are required for a specific machine, there is no way in the GUI that you can approve all of those updates in one go. Since it takes 5 clicks per approval, you only have to get into the 10's of updates before this goes beyond tedious.
I knew there were some sample scripts for WSUS and Powershell on the Script Center so I headed over there and checked out some of the scripts. (This initial investigation led to the creation of the PowerGUI Powerpack for WSUS - fairly basic, but it was great way to learn what sort of things would be available)
So I then spent some time working on a script to approve multiple updates for a specific computer which is shown below. I'd love to say that I put this all togther myself, but really it is another illustration of how helpful people within the Powershell community are. Shay Levi was incredibly helpful putting the initial work of this script together, we got most of the way there, but it got left at the point where I could retrieve as objects the list of updates required for the computer, but couldn't figure out how to approve them for a particular computer group.
Fortunately at Teched I went to a couple of sessions on WSUS 3.0 run by Program Manager Marc Shepard who contributes to the WSUS team blog. I went to see Marc at the 'Ask The Experts' stand inbetween the two sessions he was running. He seemed genuinely pleased to find someone with a particular request for the product (I guess it's free so hey that must be a tricky product to be a Program Manager for ;-) ), took on my unfinished Powershell script and started coding away.
By the time I got to the next session Marc had a working script for me - there is no better recommendation for going to Teched than this!
The script is below. Before running the ApproveMultipleUpdates script you need to establish three things:
- WSUS Server Name
- Full DNS name of the computer you wish to query
- The Computer Group Target ID for the group you wish to make the approval to. You can find this either by using the PowerGUI Powerback or the code below:
[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$updateServer = "WSUSServername"
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer($updateServer,$false)
$wsus.GetComputerTargetGroups()
ApproveMultipleUpdates.ps1
[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$updateServer = "WSUSServername"
$machineName = Read-Host "Please enter the full DNS name of the computer you wish to approve updates for"
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer($updateServer,$false)
$updateScope = new-object Microsoft.UpdateServices.Administration.UpdateScope
$updateScope.includedInstallationStates = "NotInstalled"
$com = $wsus.GetComputerTargetByName($machineName)
$groupid= Read-Host "Please enter the Computer Group Target ID"
$group = $wsus.GetComputerTargetGroup($groupid)
$action = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
$updates = $com.GetUpdateInstallationInfoPerUpdate($updateScope)
$updates | foreach-object {$uid = $_.UpdateId; $u = $wsus.GetUpdate($uid); $u.Title; $u.Approve($action,$group);}
This is going to save us hours of work - big thanks to the guys who helped me out!
(I think a version of this script should be making its way onto the MS Script Center at some point too)
7 comments:
Very cool. By the way, here's a quick tip: PowerGUI Script Editor lets you get nice syntax highlight in the PowerShell code in your posts:
1. In PowerGUI Script Editor, select the code.
2. In the menu, select Edit / Copy As / HTML.
3. Paste the html code into your posts (you might want to also enclose it into the pre tags)
I think sitting with the GURU's at TechEd must have rubbed off on you :)
Sweet - thanks for the tip Dmitry!
Let's hope so Al! If I can't pick up stuff from those guys I may as well give up.
Jonathan, This is a bit off track from this post, but I have a question about PowerShell and WSUS that you or somebody you know can hopefully answer for me.
I have written a complex PowerShell script for WSUS 3.0 to output specific information for our security metrics report. The script works well but is slow on servers that manage 1000's of computers and 1000's of updates.
I am using the "computertargetscope" class to filter my computer query, and the "updatescope" class to narrow down my update query.
I am trying to set "updatescope.classifications" to select only Security Updates and Critical Updates. However, when I use any variation of $updatescope.classifications = "Security updates", I receive an error: "'Classifications' is a Readonly property". When I refer to MSDN documentation, it says "Gets or sets the list of update classifications to search".
http://msdn.microsoft.com/en-us/library/microsoft.updateservices.administration.updatescope_members(VS.85).aspx
What am I doing wrong? I can find barely any documentation on this subject.
InfoSec-Man: I've passed your question on to my contact on the WSUS product team. If you can send me a contact address to get [dash] scripting [at] hotmail [dot] co [dot] uk then I'll forward on to you anything he comes back with.
Thanks for the interest.
Use -eq instead of =. Apparently when using Classifications = is an assignment operator instead of comparison.
$updateScope.Classifications -eq "Security Updates"
Thanks so much Jonathan. Saved me so much time :-)
Post a Comment