Wednesday, June 20, 2018

Introducing the Invoke-Wsus PowerShell function

A couple of weeks ago I wrote a blog post on WSUS management with PowerShell. The post came with a script that could be used to manage automatic approvals of WSUS patches and updates.

This time I have decided to transform that script in an advanced PowerShell function named Invoke-WSUS (you can find it on my Github).

This function is kind of jack-of-all-trade: depending on the used parameter set, it can do a series of actions, as shown in the description and in the help file.

    Invoke-Wsus is a function used to manage WSUS.
    Invoke-Wsus -ShowApprovalGroups -SettingFile string [commonparameters]
    Invoke-Wsus -SettingFile string -WsusName string -WsusPort int32 -WsusSSL -SyncDelay int32 -CleanupDay int32 -SendMail -SMTPServer string -From string -To string> [commonparameters]
    Invoke-Wsus -SettingFile string -WsusName string -WsusPort int32 -WsusSSL -SyncDelay int32 -CleanupDay int32 -ShowAll [commonparameters]
    Invoke-Wsus -SettingFile string -WsusName string -WsusPort int32 -WsusSSL -SyncDelay int32 -ShowApprovalSchedules [-RunApprovalSchedules] [commonparameters]
    Invoke-Wsus -ShowWsusTargetGroups -WsusName string -WsusPort int32 -WsusSSL [commonparameters]
    Invoke-Wsus -WsusName string -WsusPort int32 -WsusSSL -ShowLastWsusSync [commonparameters]
    Invoke-Wsus -WsusName string -WsusPort int32 -WsusSSL -SyncWsusNow [commonparameters]
    Invoke-Wsus -ShowNextPatchTuesday [commonparameters]
    Invoke-Wsus -ShowNextSyncTuesday -SyncDelay int32 [commonparameters]
    Invoke-Wsus -ShowNextClenaupDay -CleanupDay int32 [commonparameters]
    Invoke-Wsus is a function that is used to determine the next Patch Tuesday, to sync a
    WSUS server with Microsoft,     to approve patches based on target WSUS groups, and to
    show WSUS target groups configuration.


    To see the examples, type: "get-help Invoke-Wsus -examples".
    For more information, type: "get-help Invoke-Wsus -detailed".
    For technical information, type: "get-help Invoke-Wsus -full

Before you can use this function you have to use the Set-ApprovalDelay script to generate a JSON setting file. This file will contain the list of the approval schedules and, for each schedule, you will have associated WSUS target computer groups and the delay in days between the synchronization of your WSUS server and the actual approval of patches.

Let's take as an example the following JSON settings:

$DelaySettings += [pscustomobject]@{

    Name          = 'Immediate'

    WsusGroup   = 'Standard'

    ApprovalDelay = 1


$DelaySettings += [pscustomobject]@{

    Name          = 'OneWeek'

    WsusGroup   = 'Touchy','Critical'

    ApprovalDelay = 7

This settings will basically say to the Invoke-Wsus function that
  • computers belonging to a WSUS target computer group whose name matches the 'Standard' word will be patched 1 day after the synchroniezation of your WSUS server with Microsoft.
  • computers belonging to a WSUS target computer group whose name matches the 'Touchy' or 'Critical' word will be patched 7 days after the synchroniezation of your WSUS server with Microsoft.

You can simply adapt these settings to your environment and re-run the Set-ApprovalDelay script to generate a new setting file for your organization.

Now that you have understood what the configuratrion file is used for, here's a couple of useful examples that show what the Invoke-Wsus function is capable of.

Example 1: Showing the approval delay per target computer group from the setting file in a readable way

Invoke-Wsus -ShowApprovalGroups -SettingFile approvaldelaysettings.json' 

Today is 06/20/2018 11:28:05

Name      WsusGroup          ApprovalDelay
----      ---------          -------------
Immediate Standard                       1
OneWeek   {Touchy, Critical}             7
Example 2: Showing the list of target computer groups defined on the WSUS server

Invoke-Wsus -ShowWsusTargetGroups -WsusName 'wsusserver' -WsusPort 8530 -WsusSSL:$false

Today is 06/20/2018 13:26:45

Name                                     Total computers
----                                     ---------------
All Computers                                        381
Mission-Critical-M1                                   37
Mission-Critical-M2                                   35
Standard                                             210
User-Touchy-M1                                        50
User-Touchy-M2                                        49
Unassigned Computers                                   0
Having this information will simplify the work of chosing the words to use in the setting file to match target computer groups.

Example 3: Showing the next Patch Tuesday (optimistically renamed by Microsoft to Update Tuesday)

Invoke-Wsus -ShowNextPatchTuesday

Today is 06/20/2018 13:30:27
Next Patch Tuesday will be in 20 days on Tuesday, July 10, 2018
I let you take the time to find out what other actions this advanced function can perform. The only thing that is really important to understand is that this Invoke-Wsus function is meant to be scheduled daily on your WSUS Server just like in the example below:

Invoke-Wsus -ShowApprovalSchedules -SettingFile 'approvaldelaysettings.json' -SyncDelay 13 -RunApprovalSchedules -WsusName 'wsusserver' -WsusPort 8530 -WsusSSL:$false
This basically tell the function to execute the automatic approval of needed patches and updates for target computer groups based on a delay between Patch Tuesday, Synchronization day and the delay specified in the setting file.

You could also add a second scheduled task that will inform you by mail of the actions of the day by using the 'Send Mail' parameter set.

Let me know how it goes for you and if you have any question or improvement to suggest, feel free to get in touch with me.

No comments:

Post a Comment

Related Posts Plugin for WordPress, Blogger...