Quick follow-up on WSUS on Windows Server 2012 Core from scratch

I’ve been using WSUS from the Powershell console since I published my post on WSUS on Windows Server 2012 Core from scratch in February 2013.

I’d like to mention two mistakes I did:

  • I don’t really need to decline updates when they have approved. They can be also “not approved” which is their original state.
  • My filter for Office 2010 was a little bit too restrictive.

Let’s see how I manage my updates for Windows 7 and do not reproduce the above mistakes

  • Start a synchronization
  • # Check the date of the last sync (it's configured to sync manually)            
    (Get-WsusServer).GetSubscription().GetLastSynchronizationInfo()            
                
    # Initiate a sync            
    (Get-WsusServer).GetSubscription().StartSynchronization()            
                
    # View its progress            
    (Get-WsusServer).GetSubscription().GetSynchronizationStatus()            
                
    # Check that the last sync date is today and a success            
    (Get-WsusServer).GetSubscription().GetLastSynchronizationInfo()
  • Handle Windows 7 security updates
  • # Find any update that has 'Windows 7' string mentioned            
    $allW7updates = (Get-WsusServer).SearchUpdates("Windows 7")            
                
    # Select my target group of computers            
    $targetgroup = (Get-WsusServer).GetComputerTargetGroups() |             
    Where Name -eq "Windows 7 x64"            
                
    # View all the x64 updates for Windows 7            
    $allW7updates | Where { (-not($_.IsSuperseded)) -and            
     ($_.Title -match "x64") -and             
     ($_.UpdateClassificationTitle -eq "Security Updates") -and            
     (-not($_.isApproved)) -and            
     (-not($_.isDeclined))             
    } |             
    ft Title,State,KnowledgebaseArticles,SecurityBulletins -AutoSize            
                
    # Mark these required updates as 'to be installed' by client computers            
    $allW7updates | Where { (-not($_.IsSuperseded)) -and            
     ($_.Title -match "x64") -and            
     ($_.UpdateClassificationTitle -eq "Security Updates") -and            
     (-not($_.isApproved)) -and            
     (-not($_.isDeclined))} |            
    Where {            
     $_.Title -notmatch ".NET Framework 4"            
    } | ForEach-Object -Process {            
     $_.Approve(            
      [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install,            
      $targetgroup            
     )            
    }            
                
    # View superseded updates that were previously approved            
    $allW7updates | Where {            
     ($_.IsSuperseded) -and            
     ($_.isApproved)            
    } | ft Title,SecurityBulletins            
                
    # Remove them by flagging them as 'not approved'            
    $allW7updates |             
     Where { ($_.IsSuperseded) -and ($_.isApproved) } |            
     ForEach-Object -Process {            
      $_.Approve(            
       [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::NotApproved,            
       $targetgroup            
      )            
     }
  • Handle Office 2010 updates
  • # View all Office 2010 (32bit) updates            
    (Get-WsusServer).SearchUpdates("2010") | Where {            
     (-not($_.IsSuperseded)) -and            
     ($_.Title -match "32-bit") -and            
     ($_.UpdateClassificationTitle -eq "Security Updates") -and            
     (-not($_.isApproved)) -and            
     (-not($_.isDeclined))             
    } | ft Title,SecurityBulletins,IsApproved,IsSuperseded -AutoSize            
                
    # Mark these required updates as 'to be installed' by client computers            
    (Get-WsusServer).SearchUpdates("2010") | Where {            
     (-not($_.IsSuperseded)) -and            
     ($_.Title -match "32-bit") -and            
     ($_.UpdateClassificationTitle -eq "Security Updates") -and            
     (-not($_.isApproved)) -and            
     (-not($_.isDeclined))             
    } | ForEach-Object -Process {            
     $_.Approve(            
      [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install,            
      $targetgroup            
     )            
    }            
                
    # View superseded updates that were previously approved            
    (Get-WsusServer).SearchUpdates("2010") | Where {            
     ($_.IsSuperseded) -and            
     ($_.isApproved)             
    } |             
    ft Title,SecurityBulletins,IsApproved,IsSuperseded -AutoSize            
                
    # Remove them by flagging them as 'not approved'            
    (Get-WsusServer).SearchUpdates("2010") | Where {            
     ($_.IsSuperseded) -and             
     ($_.isApproved) } |             
    ForEach-Object -Process {            
     $_.Approve(            
      [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::NotApproved,            
      $targetgroup            
     )            
    }
    Advertisements

    One thought on “Quick follow-up on WSUS on Windows Server 2012 Core from scratch

    Leave a Reply

    Fill in your details below or click an icon to log in:

    WordPress.com Logo

    You are commenting using your WordPress.com account. Log Out / Change )

    Twitter picture

    You are commenting using your Twitter account. Log Out / Change )

    Facebook photo

    You are commenting using your Facebook account. Log Out / Change )

    Google+ photo

    You are commenting using your Google+ account. Log Out / Change )

    Connecting to %s