Connecting to WSUS with PowerShell -- Microsoft Certified Professional Magazine Online

Connecting to WSUS with PowerShell

Automate Microsoft patches with the aid of the Windows Server Update Services.

By Adam Bertram
01/20/2016

Windows Server Update Services (WSUS) is a common, free product from Microsoft that allows system administrators to apply the latest software patches from Microsoft on a mass scale. WSUS offers a graphical interface to manage downloading patches from Microsoft, creating target groups and approving and deploying patches. Sometimes you need to perform some automation around WSUS and this is where PowerShell comes in handy.

By using PowerShell to interact with WSUS via the command line allows you to add WSUS actions into bigger automation workflows. For example, in a previous position I needed to sync approved software updates from System Center Configuration Manager (SCCM) to a WSUS server. Since there's no built-in way to do this, I was forced to write a PowerShell script to do so. This allowed me to keep two disparate sources of updates consistently in sync with one another -- a not-so-common task but one that was necessary at the time.

What if you need to perform some kind of automation with WSUS and PowerShell? Where do you start? The first thing you must ensure is that you meet a couple minor prerequisites. First, I'm assuming that you don't want to connect to WSUS on the WSUS server itself. You're probably going to be interacting with WSUS remotely on a domain-joined computer. If so, you're going to need to download and install the WSUS Administration Console. This installs all of the .NET assemblies you will need to interact with WSUS via PowerShell.

Once you've got the administration console installed, you'll then open up a PowerShell console or input into a script the step to actually load the assembly into the current session. This allows you to instantiate a WSUS object which you can then use to interact with WSUS in a number of different ways.

To do this, you'll use the LoadwithPartialName static method and pass the appropriate object type to this method.

[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

Once this is done, you can now build a WSUS object that will serve as the basis for most of the calls you will be making to the WSUS server in your script.

To make a connection to the WSUS server, you will use the GetUpdateServer() method on the Microsoft.UpdateServices.Administration.AdminProxy object. This method supports three parameters; the WSUS server name, an option to use SSL or not and the port in which your WSUS server is listening on.

In the example below, I have a WSUS server called MYWSUS listening on the default port of 8530 which is the non-SSL port.

$script:Wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer(MYWSUS, $false, 8530)

If this command works, you have now established a connection to your WSUS server. At this point, you are open to perform any number of tasks on your WSUS server. To discover what's possible, I suggest looking into the various methods you can call on this object by using the Get-Member cmdlet.

$wsus | Get-Member

This will give you a list of all properties and objects available to you. For example, in my SCCM to WSUS sync script, I needed to enumerate all updates on my WSUS server. To do this, I used the GetUpdates() method which output every update that was currently available on the WSUS server.

$wsus.GetUpdates()

You'll see that this outputs each update which has properties unique to each object such as if it's approved or not, if it has a license agreement, etc. From these update objects, you are then able to perform actions on the update objects as well. For example, if I'd like to accept the license agreement on all updates on my WSUS server I'd simply need to enumerate all updates and call the AcceptLicenseAgreement() method on each one.

$updates = $wsus.GetUpdates()

  foreach ($update in $updates) {

  if  ($update.HasLicenseAgreement) {

  $update.AcceptLicenseAgreement()

  }

  }

You'll see that each update has a HasLicenseAgreement property as well. This allows me to only choose the updates that actually need to have their license agreement accepted.

There's so much more you can do with WSUS and PowerShell. Now that you're connected and given the tools to start you can now automate just about any task you need to in WSUS!

About the Author

Adam Bertram is a 20-year veteran of IT. He's an automation engineer, blogger, consultant, freelance writer, Pluralsight course author and content marketing advisor to multiple technology companies. Adam also founded the popular TechSnips e-learning platform. He mainly focuses on DevOps, system management and automation technologies, as well as various cloud platforms mostly in the Microsoft space. He is a Microsoft Cloud and Datacenter Management MVP who absorbs knowledge from the IT field and explains it in an easy-to-understand fashion. Catch up on Adam's articles at adamtheautomator.com, connect on LinkedIn or follow him on Twitter at @adbertram or the TechSnips Twitter account @techsnips_io.