Each PowerShell module developer team, which includes the various feature teams inside the overall Windows Server product team, approach their problem domains slightly differently. Their product, their PowerShell module, has a certain usage style.
An important stylistic difference is the balance between cmdlets and object method calls. For some modules, you manage the service totally through cmdlets. The DNSServer and DHCPServer modules are examples of this.
The Windows Update module, on the other hand, makes use of method calls to perform the desired administrative task, such as approving or declining a specific update. Thus, many administrative functions are performed via method calls rather than cmdlets.
This recipe shows you how you can make use of the UpdateServer object and its rich collections of methods.
This recipe runs on WSUS1, a WSUS server that you set up in the previous recipes in this chapter. You can certainly adapt this recipe to use your own local WSUS server.
- On
WSUS1, open a session on theWSUS1host and check overall status:$WSUSServer = Get-WsusServer $WSUSServer.GetStatus()
- View the computer targets:
$WSUSServer.GetComputerTargets() | Sort-Object -Property FullDomainName | Format-Table -Property FullDomainName, IPAddress, Last* - Search the WSUS server for updates with titles containing Windows Server 2016 that are classified as security updates, then use
Get-Member, reviewing the properties and methods of theMicrosoft.UpdateServices.Internal.BaseApi.Updateobject:$ST = 'Windows Server 2016' $SU = 'Security Updates' $SecurityUpdates = $WSUSServer.SearchUpdates($ST) | Where-Object UpdateClassificationTitle -eq $SU | Sort-Object -Property CreationDate -Descending - View the first 10 security updates on
WSUS1:$SecurityUpdates | Sort-Object -Property Title | Select-Object -First 10 | Format-Table -Property Title, Description - Select one of the updates to approve based on the KB article ID:
$SelectedUpdate = $SecurityUpdates | Where-Object KnowledgebaseArticles -eq 3194798
- Define the computer target group where you approve this update:
$DCTargetGroup = $WSUSServer.GetComputerTargetGroups() | Where-Object -Property Name -eq 'Domain Controllers'
- Approve the update for installation in the target group:
$SelectedUpdate.Approve('Install',$DCTargetGroup) - Select one of the updates to decline based on a KB article ID:
$DeclinedUpdate = $SecurityUpdates | Where-Object -Property KnowledgebaseArticles -eq 4020821
- Decline the update:
$DeclinedUpdate.Decline($DCTargetGroup)
In step 1, you use the Get-WsusServer cmdlet to return an UpdateServer object. This object and its methods are at the core of automating WSUS. You then use the GetStatus() method to return the status of your WSUS server, which looks like this:
In step 2, you use the GetComputerTargets() method to get the host computers served by your WSUS server, which looks like this:
In step 3, you use the SearchUpdates() method to get the security updates for hosts running Windows Server 2016. This step produces no output.
In step 4, you review the first 10 security updates, which looks like this:
In step 5, which produces no output, you select a specific update, based on a KB article number. In step 6, you define a target group to which to apply the selected update. This step produces no output.
In step 7, you approve this selected patch for installation for all Domain Controllers computer target group. The output of this step looks like this:
In step 8, you select an update that you wish not to install. This step produces no output. In step 9, you decline the update for the Domain Controllers computer target group.
In step 3, you examined the security updates for Windows Server 2016. You could also have looked for any Updates or Critical Updates. You can also vary the value of the $ST parameter to search for different targets, such as Windows 10 or Office.
In step 5, you selected a specific update. If you are an IT Pro responsible for Windows Update Services inside your organization, you need to keep up to date on critical updates so you can deploy urgent patches as quickly as possible.
In step 9, you declined a specific update for one computer target group. As you administer WSUS, you are likely to discover certain updates that can be declined since they do not impact certain target groups. Keeping on top of which patches to approve or decline can be a lot of work, but is vital to ensure that your systems are updated promptly.