Domain Wide, automated updates

Dear folks with bigger brains.

So I am pretty new to the PowerShell remote management world. But I must say I love it!

I work for a company with around 100-150 Servers as a System Admin in a three man team, and I have been tasked with investigating the feasibility of running updates on remote computers (streamline the process of what we are doing now) with PowerShell.

I know of the PSWindowsUpdate Module, but I am not sure how to use this across such a wide group.

WHAT I NEED HELP WITH - capitals for those not looking for a novel

-Various Windows Server 2008 R2 and 2012 Data Center Servers
-Some Require local credentials

Policy Constraints:
-Company will not allow Automatic updates and requires we be able to exclude updates our “security” team deems “unstable”

Desired Result:
-Run Windows updates in PSSessions on batches of servers, excluding occasional updates.
-Be prompted for Server Restarts.

Any help would be great on this! I appreciate your time!

WSUS or SCCM.

There are plenty of Windows Update scripts out there. The caveat would be getting around the remote security restrictions. Some use scheduled tasks run as the SYSTEM account, some use PsExec.

PowerShell isn’t a stellar tool for patch management, IMO. WSUS is far better, and PowerShell (or GPO, or DSC) is good at making sure WSUS is configured properly. Given a WSUS infrastructure, you can control which updates hit your machines. I’ve run across more than a few patches which will not install correctly via a Remoting session; it just isn’t what Remoting (or hot fixes) were designed for. But WSUS absolutely allows you to decide on a patch-by-patch basis, if you want, what’s being deployed to the environment. I’m not sure how “remote” your remote computers are, so getting connectivity back to WSUS could be something to figure out.

Ugh. I can say I’m glad I’ve already worked this one out in my company lol. We have almost 250 servers now.

I’ll explain how I ended up doing mine. First I deconstructed the PSWindowsUpdate module and built it into a tidy little script that just checks for and applies updates. It does an automatic restart after notifying the users and waiting a set delay. We have a WSUS server to approve or decline updates as required so I don’t need to worry about that here.

Then I created a second script that sets up a TCP listener, and tweaked the update script to send all the output through TCP. Messy, but necessary to get the output remotely.

The first script goes on the server and is run via a scheduled task. The second script is run through Invoke-Command and runs the scheduled task, then sets up the listener and writes back the output.

This allowed me to run the updates remotely, and with complete customisation, but it was not particularly easy to manage. So lastly I wrote a C# application that holds a list of our servers and the last time each one was updated. It automatically recommends servers to update based on our requirements, allows me to trigger those updates and puts them in a listview with the status of the script. The output of the selected servers is shown in a textbox.

I’ve of course made a ton of tweaks since writing it, turning it into a module, timestamps, status shows download and update progress, but these things evolve as you use them and figure out what would make it better. Eventually, when I’m happy it’s stable, I’ll rewrite it completely in PowerShell to run automatically every night.

The list in red needs to be updated manually (I’ve been a bit lazy over Christmas lol) and the list in the middle is what should be updated today. I had to do this as a form as it needs to be usable by admins not familiar with PowerShell and in my case it’s just a lot neater.

I’m happy to provide elements of this if you’re interested.
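To make the pattern described in this post concrete for the original question (exclude specific KBs, run in batches, be prompted before a restart), here is an added example written for this thread; it is not Deadly-Bagel's script and not the PSWindowsUpdate module. It uses the Windows Update Agent COM API that PSWindowsUpdate wraps. Part 1 is meant to run on the server itself from a scheduled task (running as SYSTEM), because the update agent will not download or install updates when called through a remote session, which is also why the scheduled-task approach above avoids the double-hop problem and keeps admin credentials off the wire. Part 2 runs on the admin workstation and only triggers the task, collects the result, and asks the operator before restarting. The task name, result file path, server names and KB numbers are placeholders; the block list is whatever the security team maintains and passes to the script from the task action. Export-Clixml is used instead of ConvertTo-Json because 2008 R2 ships PowerShell 2.0.

```powershell
# Added example for this thread, not code from the original posts or the PSWindowsUpdate module.

# ---- Part 1: runs LOCALLY on each server from a scheduled task (as SYSTEM) ----
# The task action would be something like:
#   powershell.exe -File C:\Scripts\Install-ApprovedUpdates.ps1 -ExcludedKBs KB0000001,KB0000002
function Install-ApprovedUpdates {
    param(
        [string[]]$ExcludedKBs = @(),                            # KBs the security team has blocked (placeholders)
        [string]$ResultPath = 'C:\ProgramData\UpdateResult.xml'  # placeholder result file path
    )
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $found    = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

    $toInstall = New-Object -ComObject Microsoft.Update.UpdateColl
    $installed = @(); $skipped = @()
    foreach ($update in $found.Updates) {
        # An update can carry several KB numbers; skip it if any one of them is on the block list
        $kbs = @(); foreach ($id in $update.KBArticleIDs) { $kbs += "KB$id" }
        if ($kbs | Where-Object { $ExcludedKBs -contains $_ }) { $skipped += $update.Title; continue }
        if (-not $update.EulaAccepted) { $update.AcceptEula() }
        [void]$toInstall.Add($update)
        $installed += $update.Title
    }

    $rebootRequired = $false; $resultCode = 0
    if ($toInstall.Count -gt 0) {
        $downloader = $session.CreateUpdateDownloader()
        $downloader.Updates = $toInstall
        [void]$downloader.Download()

        $installer = $session.CreateUpdateInstaller()
        $installer.Updates = $toInstall
        $r = $installer.Install()         # never reboots by itself; the operator decides later
        $rebootRequired = $r.RebootRequired
        $resultCode     = $r.ResultCode   # 2 = succeeded, 3 = succeeded with errors
    }

    # Write the outcome to disk so the remote caller can pick it up (PowerShell 2.0 friendly)
    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME; Installed = $installed; Skipped = $skipped
        RebootRequired = $rebootRequired; ResultCode = $resultCode; Finished = Get-Date
    } | Export-Clixml -Path $ResultPath
}

# ---- Part 2: runs on the admin workstation ----
function Invoke-ServerUpdateBatch {
    param(
        [string[]]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential,  # local account where the server needs one
        [string]$TaskName   = 'ApplyApprovedUpdates',            # placeholder scheduled task name
        [string]$ResultPath = 'C:\ProgramData\UpdateResult.xml',
        [int]$TimeoutMinutes = 60
    )
    foreach ($server in $ComputerName) {
        # Clear any stale result and start the task; schtasks.exe exists on 2008 R2 as well as 2012
        Invoke-Command -ComputerName $server -Credential $Credential -ScriptBlock {
            param($task, $path)
            Remove-Item -Path $path -ErrorAction SilentlyContinue
            schtasks.exe /Run /TN $task | Out-Null
        } -ArgumentList $TaskName, $ResultPath

        # Poll for the result file the task writes when it finishes
        $deadline = (Get-Date).AddMinutes($TimeoutMinutes); $result = $null
        while (-not $result -and (Get-Date) -lt $deadline) {
            Start-Sleep -Seconds 30
            $result = Invoke-Command -ComputerName $server -Credential $Credential -ScriptBlock {
                param($path)
                if (Test-Path $path) { Import-Clixml -Path $path }
            } -ArgumentList $ResultPath
        }
        if (-not $result) { Write-Warning "$server : no result within $TimeoutMinutes minutes"; continue }

        Write-Host ("{0}: installed {1}, skipped {2}, result code {3}" -f $server,
            @($result.Installed).Count, @($result.Skipped).Count, $result.ResultCode)

        # Restart only when the agent says one is needed, and only after the operator agrees
        if ($result.RebootRequired) {
            if ((Read-Host "$server needs a restart. Restart now? (y/N)") -eq 'y') {
                Restart-Computer -ComputerName $server -Credential $Credential -Force
            }
        }
    }
}

# Constructed example call (server names are placeholders):
# Invoke-ServerUpdateBatch -ComputerName 'SRV01','SRV02' -Credential (Get-Credential)
```

Two points worth checking before relying on something like this: confirm the scheduled task really runs as SYSTEM with "Run whether user is logged on or not" (otherwise the install step fails with an access-denied result), and keep the block list in a file that only the security team can edit, since whoever controls that list controls which patches are skipped.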

Dan, Don and Deadly-Bagel! Thank you guys! This has given me a lot to ponder on and come up with an action plan.

Deadly-Bagel, let me run this by my team and see what they think. I might actually be reaching out to you for those elements as I can see that being of use as well.

Thank you!

Sure, no problem. Just work out what kind of interface you want to use (command line, form, none, detailed/basic/no progress, etc) and I’ll put together whatever I can share that you can use. I’ll get updates from the thread or you can append to my username =)