WSUS 3.0: Approving Multiple Updates for a Specific Computer with Powershell
One of the best uses I have found for Powershell is for plugging gaps in holes left by GUI admin tools which don’t do everything that you want. Prior to Powershell you would typically have had to wait for the next service pack / full release / possibly ever before you had the functionality that you wanted.
I had an example of this recently with the GUI tool for WSUS 3.0. Essentially I was kicking off a project where we were going to target a particular group of machines for patching and the first step was to run a report for specific machines and then approve the updates to what WSUS calls a ComputerTargetGroup.
The problem with this is that although WSUS can provide you with a report which shows which updates are required for a specific machine, there is no way in the GUI that you can approve all of those updates in one go. Since it takes 5 clicks per approval, you only have to get into the 10’s of updates before this goes beyond tedious.
I knew there were some sample scripts for WSUS and Powershell on the Script Center so I headed over there and checked out some of the scripts. (This initial investigation led to the creation of the PowerGUI Powerpack for WSUS - fairly basic, but it was great way to learn what sort of things would be available)
So I then spent some time working on a script to approve multiple updates for a specific computer which is shown below. I’d love to say that I put this all togther myself, but really it is another illustration of how helpful people within the Powershell community are. Shay Levi was incredibly helpful putting the initial work of this script together, we got most of the way there, but it got left at the point where I could retrieve as objects the list of updates required for the computer, but couldn’t figure out how to approve them for a particular computer group.
Fortunately at Teched I went to a couple of sessions on WSUS 3.0 run by Program Manager Marc Shepard who contributes to the WSUS team blog. I went to see Marc at the ‘Ask The Experts’ stand inbetween the two sessions he was running. He seemed genuinely pleased to find someone with a particular request for the product (I guess it’s free so hey that must be a tricky product to be a Program Manager for ;-) ), took on my unfinished Powershell script and started coding away.
By the time I got to the next session Marc had a working script for me - there is no better recommendation for going to Teched than this!
The script is below. Before running the ApproveMultipleUpdates script you need to establish three things:
- WSUS Server Name
- Full DNS name of the computer you wish to query
- The Computer Group Target ID for the group you wish to make the approval to. You can find this either by using the PowerGUI Powerback or the code below:
Get-ComputerTargetGroups.ps1
[void][reflection.assembly]::LoadWithPartialName(“Microsoft.UpdateServices.Administration”) $updateServer = “WSUSServername” $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer($updateServer,$false)
$wsus.GetComputerTargetGroups()
ApproveMultipleUpdates.ps1
[void][reflection.assembly]::LoadWithPartialName(“Microsoft.UpdateServices.Administration”)
$updateServer = “WSUSServername” $machineName = Read-Host “Please enter the full DNS name of the computer you wish to approve updates for”
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer($updateServer,$false)
$updateScope = new-object Microsoft.UpdateServices.Administration.UpdateScope
$updateScope.includedInstallationStates = “NotInstalled”
$com = $wsus.GetComputerTargetByName($machineName) $groupid= Read-Host “Please enter the Computer Group Target ID”
$group = $wsus.GetComputerTargetGroup($groupid) $action = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
$updates = $com.GetUpdateInstallationInfoPerUpdate($updateScope) $updates | foreach-object {$uid = $_.UpdateId; $u = $wsus.GetUpdate($uid); $u.Title; $u.Approve($action,$group);}
This is going to save us hours of work - big thanks to the guys who helped me out!
(I think a version of this script should be making its way onto the MS Script Center at some point too)