You're reading from Windows Server 2016 Automation with PowerShell Cookbook - Second Edition
Windows administrators must manage Windows updates to ensure that the operating systems and software running on their computers are patched to resolve known bugs and are protected from known security vulnerabilities. Windows Server Update Services (WSUS) was a feature that was added in 2016 that enables system administrators to manage the download and distribution of updates to the organization's computers.

Windows Software Update Services could more accurately be called Microsoft Software Update Services: WSUS manages not only Windows operating system updates but also updates for most Microsoft software products.
This chapter covers the installation and configuration of the WSUS server, the configuration of WSUS client computers, the management, approval, and installation of updates, and how to report on the status of the update installation.
To use WSUS, you first install the Windows feature for update services and then perform the initial configuration. WSUS depends on the IIS web server and ASP.NET 4.6; these dependencies are installed automatically if they are not already present.

To follow this recipe, open a PowerShell session on server WSUS1. WSUS1 is a domain-joined server with internet access.
The steps for the recipe are as follows:

- Install the Windows Update feature and tools, with -Verbose for additional feedback:

```powershell
Install-WindowsFeature -Name 'UpdateServices' `
    -IncludeManagementTools -Verbose
```

- Review the features that are installed on your server, noting that not only has Windows Software Update Services been installed, but Web Server (IIS), ASP.NET 4.6, and Windows Internal Database have as well:

```powershell
Get-WindowsFeature |
    Where-Object -FilterScript { $PSItem.Installed }
```

- Create a folder for WSUS update content:

```powershell
$WSUSContentDir...
```
Once you have completed the installation of WSUS, you configure the update service by choosing the product updates your organization requires and the classifications of updates to download and make available to the computers on your network. Once these are defined, you can synchronize updates manually or on a schedule: your WSUS server downloads the updates for the selected product categories and update classifications from the Microsoft Update servers and makes them available to the computers on your network. The first synchronization can take hours, depending on your selections; subsequent synchronizations pull only the updates released since the last synchronization.
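Carrying that configuration through in code, as an added example rather than the book's own recipe: it enables one product and three classifications, sets a daily synchronization schedule, then starts the first synchronization and polls it until it finishes. The product title 'Windows Server 2016' and the schedule of three hours after midnight are assumptions.

```powershell
# Added example, not the book's code: choose what WSUS synchronizes and when.
$WSUSServer   = Get-WsusServer
$Subscription = $WSUSServer.GetSubscription()

# Products: assumption that this organization only runs Windows Server 2016
$Wanted = 'Windows Server 2016'
Get-WsusProduct | Where-Object { $_.Product.Title -eq $Wanted } | Set-WsusProduct
Get-WsusProduct | Where-Object { $_.Product.Title -ne $Wanted } | Set-WsusProduct -Disable

# Classifications: keep the catalog to the three that matter for patching
$Classes = 'Critical Updates', 'Security Updates', 'Definition Updates'
Get-WsusClassification |
    Where-Object { $_.Classification.Title -in $Classes } | Set-WsusClassification
Get-WsusClassification |
    Where-Object { $_.Classification.Title -notin $Classes } | Set-WsusClassification -Disable

# Schedule: one automatic synchronization per day, as a TimeSpan from midnight
$Subscription.SynchronizeAutomatically          = $true
$Subscription.SynchronizeAutomaticallyTimeOfDay = New-TimeSpan -Hours 3
$Subscription.NumberOfSynchronizationsPerDay    = 1
$Subscription.Save()

# Run the first (long) synchronization now and poll it until it finishes
$Subscription.StartSynchronization()
do {
    Start-Sleep -Seconds 60
    $Progress = $Subscription.GetSynchronizationProgress()
    '{0}: {1} of {2} items' -f $Subscription.GetSynchronizationStatus(),
        $Progress.ProcessedItems, $Progress.TotalItems
} while ($Subscription.GetSynchronizationStatus() -ne 'NotProcessing')

# Confirm the run succeeded before relying on the catalog
$Subscription.GetLastSynchronizationInfo() | Select-Object StartTime, EndTime, Result
```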
Windows computers download updates from Microsoft's servers by default. To override this behavior, you can either configure the Windows Update client through GPO settings or manually edit the registry of each client.

Run this recipe from WSUS1 with RSAT installed so that you can work with Group Policy Objects:

```powershell
$FeatureName = 'RSAT'
Install-WindowsFeature $FeatureName -IncludeAllSubFeature
```

The steps for the recipe are as follows:

- Define and view the WSUS server URL using the properties returned from Get-WsusServer:

```powershell
$WSUSServer = Get-WsusServer
# ('','s')[$true] selects 's', so the scheme becomes https when SSL is required
$WSUSServerURL = "http{2}://{0}:{1}" -f `
    $WSUSServer.Name,
    $WSUSServer.PortNumber,
    ('','s')[$WSUSServer.UseSecureConnection]
$WSUSServerURL
```

- Create a Group Policy Object (GPO) and link it to your domain:

```powershell
$PolicyName = "WSUS Client"
New-GPO -Name $PolicyName
New-GPLink -Name $PolicyName -Target "DC=RESKIT...
```
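The registry values the GPO must carry to redirect clients to WSUS1, as an added example that is not the book's code; it assumes the WSUS Client GPO has already been created and linked as above, and uses DC1 to confirm that the policy applied.

```powershell
# Added example, not the book's code: registry values that turn the WSUS Client
# GPO into a working Windows Update client policy.
$WSUSServer    = Get-WsusServer
$WSUSServerURL = "http{2}://{0}:{1}" -f $WSUSServer.Name,
                 $WSUSServer.PortNumber,
                 ('','s')[$WSUSServer.UseSecureConnection]
$PolicyName = 'WSUS Client'   # the GPO created and linked in the recipe above
$WUKey = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'
$AUKey = "$WUKey\AU"

# Intranet update server and the server that receives client status reports
foreach ($Name in 'WUServer', 'WUStatusServer') {
    Set-GPRegistryValue -Name $PolicyName -Key $WUKey -ValueName $Name `
        -Type String -Value $WSUSServerURL
}

# Automatic Updates: use the intranet server, download and schedule installs
$AUValues = @{
    UseWUServer          = 1   # 1 = get updates from WUServer, not Microsoft Update
    NoAutoUpdate         = 0   # 0 = Automatic Updates enabled
    AUOptions            = 4   # 4 = auto download and schedule the install
    ScheduledInstallDay  = 0   # 0 = every day
    ScheduledInstallTime = 3   # hour of day (03:00)
}
foreach ($Entry in $AUValues.GetEnumerator()) {
    Set-GPRegistryValue -Name $PolicyName -Key $AUKey -ValueName $Entry.Key `
        -Type DWord -Value $Entry.Value
}

# Review what the GPO now carries
Get-GPRegistryValue -Name $PolicyName -Key $WUKey
Get-GPRegistryValue -Name $PolicyName -Key $AUKey

# On a client (DC1 here), refresh policy and confirm the values landed
Invoke-Command -ComputerName DC1 -ScriptBlock {
    gpupdate /target:computer /force | Out-Null
    Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' |
        Select-Object WUServer, WUStatusServer
    Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU' |
        Select-Object UseWUServer, AUOptions
}
```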
Different types of computers in your organization require different approaches to software updating. Employee workstations run software that application servers do not. Some servers are mission critical and must only be updated after you have tested the updates thoroughly. Some critical updates must be applied immediately, while others are optional.

To manage the distribution of software updates, define computer target groups on your WSUS server and assign computers to those target groups. Each computer target group can be configured to apply updates differently. In this recipe you create a target group for the domain controllers.

To apply this recipe, WSUS must be installed and configured on the update server, and clients must be configured to use the WSUS server.
WSUS organizes Windows updates under different classifications, which you can list with the Get-WsusClassification cmdlet. Two particularly important classifications you should check regularly are Critical Updates and Definition Updates. The Critical Updates classification includes updates that address severe security flaws and zero-day vulnerabilities. The Definition Updates classification includes the definition files Windows Defender uses to identify and remove malware.

These two classifications are important enough to be approved automatically. Auto-approval ensures that WSUS installs these updates on client computers as soon as possible. In this recipe, you create an auto-approval rule for these updates.
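One way to put the target-group recipe and this auto-approval recipe together, as an added example that is not the book's code: it creates the Domain Controllers group, adds the domain controllers to it, and then builds an approval rule for Critical Updates and Definition Updates scoped to that group. The assumption that domain controllers are the computer targets whose names start with dc followed by a digit (DC1 and so on) is mine.

```powershell
# Added example, not the book's code: target group plus auto-approval rule.
$WSUSServer = Get-WsusServer

# Server-side targeting: group membership is decided on WSUS1, not by the client
$Config = $WSUSServer.GetConfiguration()
$Config.TargetingMode = 'Server'
$Config.Save()

# Create the group once; reuse it on later runs
$GroupName = 'Domain Controllers'
$Group = $WSUSServer.GetComputerTargetGroups() | Where-Object Name -eq $GroupName
if (-not $Group) { $Group = $WSUSServer.CreateComputerTargetGroup($GroupName) }

# Assumption: domain controllers are named DC1, DC2, ... (FullDomainName dc1.reskit...)
$WSUSServer.GetComputerTargets() |
    Where-Object FullDomainName -match '^dc\d+\.' |
    ForEach-Object { $Group.AddComputerTarget($_) }

# Auto-approval rule for the two classifications, limited to this group
$RuleName = 'Auto-approve Critical and Definition Updates'
$Rule = $WSUSServer.GetInstallApprovalRules() | Where-Object Name -eq $RuleName
if (-not $Rule) { $Rule = $WSUSServer.CreateInstallApprovalRule($RuleName) }

$Classifications = $Rule.GetUpdateClassifications()
$Classifications.Clear()
Get-WsusClassification |
    Where-Object { $_.Classification.Title -in 'Critical Updates', 'Definition Updates' } |
    ForEach-Object { $Classifications.Add($_.Classification) }
$Rule.SetUpdateClassifications($Classifications)

$Groups = $Rule.GetComputerTargetGroups()
$Groups.Clear()
$Groups.Add($Group)
$Rule.SetComputerTargetGroups($Groups)

$Rule.Enabled = $true
$Rule.Save()

# Apply the rule to updates already synchronized; future ones are handled on sync
$Rule.ApplyRule()
```

Scoping the rule to one group rather than All Computers keeps an automatic approval from reaching servers that need testing first.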
The WSUS administrator performs several tasks to manage update distribution. These begin with knowing which updates are available, approved, installed, or marked for installation for each computer target group. For the available updates, the administrator approves or declines them to control which updates are offered to clients. This recipe covers listing installed updates, listing available updates, approving updates, and declining updates.

You manage updates using PowerShell; open a PowerShell session on WSUS1 to perform this recipe.

The steps for the recipe are as follows:

- View the overall status of all Windows updates on WSUS1:

```powershell
$WSUSServer = Get-WsusServer
$WSUSServer.GetStatus()
```

- View the computer targets:

```powershell
$WSUSServer.GetComputerTargets()
```

- View the installed updates on DC1 using Get-Hotfix and Get-SilWindowsUpdate:

```powershell
Get-HotFix -ComputerName DC1
$CimSession = New-CimSession...
```
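The approve and decline steps of this recipe worked through with the Get-WsusUpdate, Approve-WsusUpdate and Deny-WsusUpdate cmdlets, as an added example that is not the book's code; it assumes the Domain Controllers target group from the earlier recipe exists and that DC1 reports to WSUS1.

```powershell
# Added example, not the book's code: list, approve and decline updates for one group.
$WSUSServer = Get-WsusServer
$GroupName  = 'Domain Controllers'

# Critical updates that computers still need but nobody has approved yet
$Pending = Get-WsusUpdate -UpdateServer $WSUSServer `
    -Classification Critical -Approval Unapproved -Status FailedOrNeeded
$Pending | Select-Object @{ n = 'Title'; e = { $_.Update.Title } },
                         @{ n = 'KB';    e = { $_.Update.KnowledgebaseArticles -join ',' } },
                         ComputersNeedingThisUpdate

# Approve them for install on that group only, not for All Computers
$Pending | Approve-WsusUpdate -Action Install -TargetGroupName $GroupName

# Decline superseded updates that no computer still needs, so they stop
# cluttering reports; superseded updates a computer still needs are left alone
Get-WsusUpdate -UpdateServer $WSUSServer -Approval AnyExceptDeclined -Status Any |
    Where-Object { $_.Update.IsSuperseded -and $_.ComputersNeedingThisUpdate -eq 0 } |
    Deny-WsusUpdate

# Per-computer view for DC1: how many updates are installed, failed or pending
$DC1 = $WSUSServer.GetComputerTargets() | Where-Object FullDomainName -like 'dc1.*'
$Scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$DC1.GetUpdateInstallationInfoPerUpdate($Scope) |
    Group-Object UpdateInstallationState |
    Select-Object Name, Count
```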