
How to work with the WSUS PowerShell module

The PoshWSUS module automates the process to synchronize and approve Windows updates. You can also use it to perform essential maintenance on the WSUS server.

In many enterprises, you use Windows Server Update Services (WSUS) to centralize and distribute Windows patches to end-user devices and servers.

WSUS is a free service that installs on Windows Server and syncs Windows updates locally. Clients connect to the server and download patches from it. Historically, WSUS has been managed through a GUI, but with PowerShell and the PoshWSUS community module, you can automate your WSUS work and make it more efficient. This article covers how to use some of the common cmdlets in the WSUS PowerShell module, found at this link.

Connecting to a WSUS server

The first task to do with PoshWSUS is to connect to an existing WSUS server so you can run cmdlets against it. This is done with the Connect-PSWSUSServer cmdlet. The cmdlet provides the option to make a secure connection, which is normally on port 8531 for SSL.

Connect-PSWSUSServer -WsusServer wsus -Port 8531 -SecureConnection
Name                 Version              PortNumber           ServerProtocolVersion
----                 -------              ----------           ---------------------
wsus             10.0.14393.2969      8530                 1.20

View the WSUS clients

There are various cmdlets for viewing WSUS client information. The most obvious is Get-PSWSUSClient, which shows client details such as hostname, group membership, hardware model and operating system type. The example below gets information on a specific machine named Test-1.

Get-PSWSUSClient Test-1 | Select-Object *
ComputerGroup             : {Windows 10, All Computers}
UpdateServer              : Microsoft.UpdateServices.Internal.BaseApi.UpdateServer
Id                        : 94a2fc62-ea2e-45b4-97d5-10f5a04d3010
FullDomainName            : Test-1
IPAddress                 : 172.16.48.153
Make                      : HP
Model                     : HP EliteDesk 800 G2 SFF
BiosInfo                  : Microsoft.UpdateServices.Administration.BiosInfo
OSInfo                    : Microsoft.UpdateServices.Administration.OSInfo
OSArchitecture            : AMD64
ClientVersion             : 10.0.18362.267
OSFamily                  : Windows
OSDescription             : Windows 10 Enterprise
ComputerRole              : Workstation
LastSyncTime              : 9/9/2019 12:06:59 PM
LastSyncResult            : Succeeded
LastReportedStatusTime    : 9/9/2019 12:18:50 PM
LastReportedInventoryTime : 1/1/0001 12:00:00 AM
RequestedTargetGroupName  : Windows 10
RequestedTargetGroupNames : {Windows 10}
ComputerTargetGroupIds    : {59277231-1773-401f-bf44-2fe09ac02b30, a0a08746-4dbe-4a37-9adf-9e7652c0b421}
ParentServerId            : 00000000-0000-0000-0000-000000000000
SyncsFromDownstreamServer : False

WSUS usually organizes machines into groups, such as all Windows 10 machines, to apply update policies. The command below counts the machines in a particular group called Windows 10 with the Get-PSWSUSClientsInGroup cmdlet:

Get-PSWSUSClientsInGroup -Name 'Windows 10' | Measure-Object | Select-Object -Property Count
Count
-----
   86
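The client properties above are most useful when you turn them into a report. The script below is an added example (not code from the article or the PoshWSUS project) that lists every client in a target group whose last sync failed or is older than a threshold; a machine that has stopped checking in is a machine that is no longer receiving patches. The server name, the group name, the 14-day threshold and the CSV path are assumptions, as is the assumption that Get-PSWSUSClientsInGroup returns the same client objects (with LastSyncTime and LastSyncResult) that Get-PSWSUSClient shows.

```powershell
# Added example, not code from the article or the PoshWSUS project.
# Reports clients in a target group whose last sync failed or is older than a
# threshold. Assumptions: server 'wsus', group 'Windows 10', a 14-day threshold,
# and that Get-PSWSUSClientsInGroup returns the same client objects as
# Get-PSWSUSClient.
Import-Module PoshWSUS

$WsusServer = 'wsus'
$GroupName  = 'Windows 10'
$StaleAfter = 14   # days without a successful sync before a client is flagged

Connect-PSWSUSServer -WsusServer $WsusServer -Port 8531 -SecureConnection | Out-Null

$cutoff  = (Get-Date).AddDays(-$StaleAfter)
$clients = @(Get-PSWSUSClientsInGroup -Name $GroupName)

$stale = $clients |
    Where-Object {
        # A client that has never synced reports 1/1/0001, which is also older than the cutoff.
        $_.LastSyncTime -lt $cutoff -or $_.LastSyncResult -ne 'Succeeded'
    } |
    ForEach-Object {
        [PSCustomObject]@{
            Computer       = $_.FullDomainName
            IPAddress      = $_.IPAddress
            OS             = $_.OSDescription
            LastSyncTime   = $_.LastSyncTime
            LastSyncResult = $_.LastSyncResult
            DaysSinceSync  = [int]((Get-Date) - $_.LastSyncTime).TotalDays
        }
    } |
    Sort-Object -Property DaysSinceSync -Descending

$stale | Format-Table -AutoSize

# Keep a copy for the patch-compliance review (path assumed).
$stale | Export-Csv -Path "$env:TEMP\wsus-stale-clients.csv" -NoTypeInformation

"$(@($stale).Count) of $($clients.Count) clients in '$GroupName' are stale or failing."
```

Run it from a machine with the PoshWSUS module and rights on the WSUS server; the last line gives a quick ratio for a dashboard, and the CSV carries the per-machine detail.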

How to manage Windows updates

With the WSUS PowerShell module, you can view, approve and decline updates on the WSUS server, a very valuable and powerful feature. The command below finds all the Windows 10 feature updates with the title "Feature update to Windows 10 (business editions)." The output shows various updates on my server for version 1903 in different languages:

Get-PSWSUSUpdate -Update "Feature update to Windows 10 (business editions)"  | Select Title
Title
-----
Feature update to Windows 10 (business editions), version 1903, en-gb x86
Feature update to Windows 10 (business editions), version 1903, en-us arm64
Feature update to Windows 10 (business editions), version 1903, en-gb arm64
Feature update to Windows 10 (business editions), version 1903, en-us x86
Feature update to Windows 10 (business editions), version 1903, en-gb x64
Feature update to Windows 10 (business editions), version 1903, en-us x64

Another useful feature of this cmdlet is that it can show updates that arrived after a particular date. The following command returns the first five updates that arrived on the server in the last day:

Get-PSWSUSUpdate -FromArrivalDate (Get-Date).AddDays(-1) | Select-Object -First 5
Title                          KnowledgebaseArticles  UpdateType CreationDate            UpdateID
-----                          ---------------------  ---------- ------------            --------
Security Update for Microso... {4475607}              Software   9/10/2019 10:00:00 AM   4fa99b46-765c-4224-a037-7ab...
Security Update for Microso... {4475574}              Software   9/10/2019 10:00:00 AM   1e489891-3372-43d8-b262-8c8...
Security Update for Microso... {4475599}              Software   9/10/2019 10:00:00 AM   76187d58-e8a6-441f-9275-702...
Security Update for Microso... {4461631}              Software   9/10/2019 10:00:00 AM   86bdbd3b-7461-4214-a2ba-244...
Security Update for Microso... {4475574}              Software   9/10/2019 10:00:00 AM   a56d629d-8f09-498f-91e9-572...

The approval and rejection of updates is an important part of managing Windows updates in the enterprise. The WSUS PowerShell module makes this easy to do. A few years ago, Microsoft began releasing preview updates for testing purposes. I typically want to decline these updates to avoid their installation on production machines. The following command finds every update with the string "Preview of" in the title that has not already been declined and declines it with the Deny-PSWSUSUpdate cmdlet. IsDeclined is a boolean property, so the filter tests it directly rather than comparing it with a string.

Get-PSWSUSUpdate -Update "Preview of" | Where-Object { -not $_.IsDeclined } | Deny-PSWSUSUpdate
Patch                                                                                                                                                             IsDeclined
-----                                                                                                                                                             ----------
2019-08 Preview of Quality Rollup for .NET Framework 3.5.1 on Windows Server 2008 R2 for Itanium-based Systems (KB4512193)                                              True
2019-08 Preview of Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 7 (KB4512193)                                  True
2019-08 Preview of Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 7 and Server 2008 R2 for x64 (KB4512193)       True
2019-07 Preview of Quality Rollup for .NET Framework 2.0 on Windows Server 2008 SP2 for Itanium-based Systems (KB4512196)                                               True
2019-08 Preview of Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows Server 2012 for x64 (KB4512194)                  True
2019-07 Preview of Quality Rollup for .NET Framework 2.0, 3.0, 4.5.2, 4.6 on Windows Server 2008 SP2 (KB4512196)                                                        True
2019-08 Preview of Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 8.1 and Server 2012 R2 for x64 (KB4512195)       True
2019-07 Preview of Quality Rollup for .NET Framework 2.0, 3.0, 4.5.2, 4.6 on Windows Server 2008 SP2 for x64 (KB4512196)                                                True
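Declining updates in bulk is irreversible enough that it is worth a dry run and a record of what was changed. The script below is an added example (not code from the article or the PoshWSUS project) that wraps the decline in a dry-run switch and appends what it declined, by whom and when, to a CSV audit log. The server name and the log path are assumptions, and it assumes the update objects carry the Title, KnowledgebaseArticles, UpdateID and IsDeclined properties that appear in the article's output.

```powershell
# Added example, not code from the article or the PoshWSUS project.
# Declines every preview update that is not yet declined, with a dry-run switch
# and an append-only CSV audit record. Assumptions: server 'wsus', the audit log
# path, and the Title/KnowledgebaseArticles/UpdateID/IsDeclined properties.
Import-Module PoshWSUS

$DryRun   = $true                                          # set to $false to actually decline
$AuditLog = "$env:ProgramData\WSUS\declined-previews.csv"

Connect-PSWSUSServer -WsusServer 'wsus' -Port 8531 -SecureConnection | Out-Null

# IsDeclined is a boolean. Test it directly: comparing it with the string 'False'
# is wrong, because a non-empty string converts to $true on the right-hand side
# and the filter would select the already-declined updates instead.
$candidates = @(Get-PSWSUSUpdate -Update 'Preview of' | Where-Object { -not $_.IsDeclined })

if ($candidates.Count -eq 0) {
    'No undeclined preview updates found.'
    return
}

$action = if ($DryRun) { 'WouldDecline' } else { 'Declined' }
$stamp  = (Get-Date).ToString('s')

$record = foreach ($u in $candidates) {
    [PSCustomObject]@{
        Timestamp = $stamp
        Title     = $u.Title
        KB        = ($u.KnowledgebaseArticles -join ';')
        UpdateID  = $u.UpdateID
        Action    = $action
        Operator  = "$env:USERDOMAIN\$env:USERNAME"
    }
}

$record | Format-Table -Property Title, KB, Action -AutoSize

if (-not $DryRun) {
    $candidates | Deny-PSWSUSUpdate
}

New-Item -ItemType Directory -Path (Split-Path -Parent $AuditLog) -Force | Out-Null
$record | Export-Csv -Path $AuditLog -NoTypeInformation -Append
```

Run it once with $DryRun left at $true to review the list, then flip the switch. The same pattern works for any title filter you want to decline routinely, such as a language or architecture your estate does not use.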

Syncing WSUS with Microsoft's servers

In the WSUS GUI, users can set up a daily synchronization between their WSUS server and the Microsoft update servers to download new updates. I like to synchronize more than once a day, especially on Patch Tuesday when you may get several updates in one day. For this reason, you can create a scheduled task that runs a WSUS sync hourly for a few hours per day. The script can be as simple as this command below:

Start-PSWSUSSync
Synchronization has been started on wsus.
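The scheduled task itself can be created from PowerShell as well. The script below is an added example (not code from the article or the PoshWSUS project) that writes the one-line sync script to disk and registers a task that runs it every hour between 06:00 and 14:00 under a group managed service account, so no password is stored with the task. The script path, the account name and the time window are assumptions; the account must be a member of the WSUS Administrators group.

```powershell
# Added example, not code from the article or the PoshWSUS project.
# Registers a scheduled task that runs a WSUS sync every hour between 06:00 and
# 14:00 under a group managed service account (no stored password). The script
# path, the account name and the time window are assumptions.
$ScriptPath = 'C:\Scripts\Invoke-WsusSync.ps1'
$Account    = 'CORP\gmsa-wsus$'     # assumed gMSA in the WSUS Administrators group

# The script the task runs: connect, then start the sync.
$syncScript = @'
Import-Module PoshWSUS
Connect-PSWSUSServer -WsusServer 'wsus' -Port 8531 -SecureConnection | Out-Null
Start-PSWSUSSync
'@
New-Item -ItemType Directory -Path (Split-Path -Parent $ScriptPath) -Force | Out-Null
Set-Content -Path $ScriptPath -Value $syncScript
# The task runs this file with WSUS admin rights, so restrict write access on the
# directory to administrators and, ideally, sign the script and run it under AllSigned.

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File `"$ScriptPath`""

# Fire daily at 06:00, then repeat every hour for 8 hours. The daily trigger
# borrows its repetition settings from a one-off trigger, a common way to combine
# a daily schedule with a repetition window.
$trigger = New-ScheduledTaskTrigger -Daily -At '06:00'
$trigger.Repetition = (New-ScheduledTaskTrigger -Once -At '06:00' `
    -RepetitionInterval (New-TimeSpan -Hours 1) `
    -RepetitionDuration (New-TimeSpan -Hours 8)).Repetition

# LogonType Password with a gMSA lets Task Scheduler retrieve the managed password itself.
$principal = New-ScheduledTaskPrincipal -UserId $Account -LogonType Password

Register-ScheduledTask -TaskName 'WSUS Hourly Sync' -Action $action `
    -Trigger $trigger -Principal $principal `
    -Description 'Hourly WSUS synchronization during the working day' | Out-Null
```

Widen the repetition duration on Patch Tuesday if you want to catch late re-releases, and keep the window bounded so the server is not syncing during the evening maintenance jobs.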

Performing cleanups

A WSUS server can be fickle. I have had to rebuild WSUS servers several times, and it is a pretty lengthy process because you have to download all the updates to the new server. You can avoid this process by running a regular cleanup on the WSUS server. The Start-PSWSUSCleanup cmdlet performs many of these important actions, such as declining superseded updates, removing obsolete updates and removing obsolete computers:

Start-PSWSUSCleanup -DeclineSupersededUpdates -DeclineExpiredUpdates -CleanupObsoleteUpdates -CompressUpdates -CleanupObsoleteComputers -CleanupUnneededContentFiles
Beginning cleanup, this may take some time...
SupersededUpdatesDeclined : 223
ExpiredUpdatesDeclined    : 0
ObsoleteUpdatesDeleted    : 0
UpdatesCompressed         : 4
ObsoleteComputersDeleted  : 6
DiskSpaceFreed            : 57848478722
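On a large catalogue the combined cleanup can run for a long time, and the raw byte count is hard to read in a log. The script below is an added example (not code from the article or the PoshWSUS project) that runs the cleanup one stage at a time, times each stage, converts DiskSpaceFreed to gigabytes and appends the counts to a CSV, so a stage that suddenly takes much longer or frees nothing stands out. It assumes the server name and log path, and it assumes each Start-PSWSUSCleanup switch can be passed on its own and returns the counter named for it in the article's output.

```powershell
# Added example, not code from the article or the PoshWSUS project.
# Runs the cleanup one stage at a time and records duration and counts.
# Assumptions: server 'wsus', the log path, and that each switch can be used
# alone and returns the matching counter shown in the article's output.
Import-Module PoshWSUS

$LogPath = 'C:\Logs\wsus-cleanup.csv'

Connect-PSWSUSServer -WsusServer 'wsus' -Port 8531 -SecureConnection | Out-Null

# Switch name -> property in the cleanup result. Decline first, then delete,
# then reclaim content, so later stages see the work of earlier ones.
$stages = [ordered]@{
    DeclineSupersededUpdates    = 'SupersededUpdatesDeclined'
    DeclineExpiredUpdates       = 'ExpiredUpdatesDeclined'
    CleanupObsoleteUpdates      = 'ObsoleteUpdatesDeleted'
    CompressUpdates             = 'UpdatesCompressed'
    CleanupObsoleteComputers    = 'ObsoleteComputersDeleted'
    CleanupUnneededContentFiles = 'DiskSpaceFreed'
}

$results = foreach ($name in $stages.Keys) {
    $timer = [System.Diagnostics.Stopwatch]::StartNew()
    $splat = @{ $name = $true }        # enables exactly one switch per call
    $out   = Start-PSWSUSCleanup @splat
    $timer.Stop()

    $value = $out.($stages[$name])
    if ($name -eq 'CleanupUnneededContentFiles') {
        $value = '{0:N2} GB' -f ($value / 1GB)   # DiskSpaceFreed is reported in bytes
    }

    [PSCustomObject]@{
        Timestamp = (Get-Date).ToString('s')
        Stage     = $name
        Result    = $value
        Seconds   = [int]$timer.Elapsed.TotalSeconds
    }
}

$results | Format-Table -AutoSize

New-Item -ItemType Directory -Path (Split-Path -Parent $LogPath) -Force | Out-Null
$results | Export-Csv -Path $LogPath -NoTypeInformation -Append
```

Schedule this weekly rather than hourly; the decline stages are cheap, but the content cleanup competes for disk I/O with client downloads.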
