Managing WSUS

September 18th, 2019

Block 1: Connect to the WSUS server and set the configuration.
We are first going to set the property “Download update files to this server only when updates are approved”, turn off all update languages, and then set the only update language to English. At the end, this would all be pointless if we didn’t commit our changes with .Save.

Of course, there are a lot more things you can do; just let IntelliSense go to work for you.

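$wsus = Get-WSUSServer -Name wsus.domain.local -PortNumber 8530
$wsusConfig = $wsus.GetConfiguration()
$wsusConfig.DownloadUpdateBinariesAsNeeded = $True
$wsusConfig.AllUpdateLanguagesEnabled = $false
$wsusConfig.SetEnabledUpdateLanguages("en")
# Nothing is applied until the configuration is saved
$wsusConfig.Save()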

Block 2: Verifying an Auto-Approval rule is set and enabled.
In this example, we are simply going to check and see if “My Approval Rule” is created, and enabled.

$wsus = Get-WSUSServer -Name wsus.domain.local -PortNumber 8530
if ([bool]($wsus.GetInstallApprovalRules() | Where-Object {$_.Name -eq "My Approval Rule" -and $_.Enabled -eq $True})) {
    Write-Host "My Approval Rule is present and enabled."
} else {
    Write-Host "My Approval Rule is improperly configured.  Expecting rule: My Approval Rule and set to Enabled."
}

Block 3: Setting the products WSUS will sync from Windows Update (or upstream)

In this example, we are going to set the products that WSUS will sync from its update source. This will not erase other products (like if you had Windows 7 previously selected), just add these new ones.

Get-WsusProduct | where-Object {
    $_.Product.Title -in (
    'Report Viewer 2005',
    'Report Viewer 2008',
    'Report Viewer 2010',
    'Visual Studio 2010 Tools for Office Runtime',
    'Microsoft SQL Server 2016',
    'Windows 10',
    'Windows Defender',
    'Windows Server 2016',
    'Forefront Endpoint Protection 2010')
} | Set-WsusProduct

Block 4: Setting which Update classifications you want to download from the update source

Pretty much in this example, I chose about everything but drivers.

Write-Host "Setting WSUS Update Classifications"
Get-WsusClassification | Where-Object {
    $_.Classification.Title -in (
    'Critical Updates',
    'Definition Updates',
    'Feature Packs',
    'Security Updates',
    'Service Packs',
    'Update Rollups')
} | Set-WsusClassification

Block 5: Kicking a product sync

In this example, we are just going to do a catalog sync, to make sure we have all available products. This may be worth running before Block 3 if you have a default install.

$wsus = Get-WSUSServer -Name wsus.domain.local -PortNumber 8530
$subscription = $wsus.GetSubscription()
# Sync the category list (products and classifications) only, not the updates
$subscription.StartSynchronizationForCategoryOnly()
Write-Host "Doing Sync just to grab new products, please wait (a new dot appears every 5 seconds until done)..."
While ($subscription.GetSynchronizationStatus() -ne 'NotProcessing') {
    Write-Host "." -NoNewline
    Start-Sleep -Seconds 5
}
Write-Host ""
Write-Host "Product sync complete."

Block 6: Turn on automatic sync and then sync 2 times a day.

In this example, I will turn on automatic sync – then sync twice a day. It’s been said that Defender/Forefront updates come out as often as 3 times a day, but most won’t download and push that often.

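$wsus = Get-WSUSServer -Name wsus.domain.local -PortNumber 8530
$subscription = $wsus.GetSubscription()
$subscription.SynchronizeAutomatically = $true
$subscription.SynchronizeAutomaticallyTimeOfDay = (New-TimeSpan -Hours 0)   # time of the first sync
$subscription.NumberOfSynchronizationsPerDay = 2
$subscription.Save()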

Block 7: Kicking a full sync
In this example, I will kick a full WSUS sync. Be patient, these can take a while.

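$wsus = Get-WSUSServer -Name wsus.domain.local -PortNumber 8530
$subscription = $wsus.GetSubscription()
$subscription.StartSynchronization()
Write-Host "Kicking the WSUS Sync - be patient."
Write-Host "Waiting 1 minute before starting to monitor"
Start-Sleep -Seconds 60
while ($subscription.GetSynchronizationProgress().ProcessedItems -ne $subscription.GetSynchronizationProgress().TotalItems) {
    # Read the progress once per pass so both numbers come from the same sample
    $progress = $subscription.GetSynchronizationProgress()
    Write-Progress -PercentComplete (
        $progress.ProcessedItems * 100 / $progress.TotalItems
    ) -Activity "WSUS Sync Progress"
    Start-Sleep -Seconds 5
}
Write-Host "WSUS Sync Complete."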
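
Settings like the ones in Blocks 1 to 6 can drift once someone changes them in the console, so a read-only check that compares the server against the expected values is useful alongside the scripts. The following is an added example, not code from the original post; the function names Get-WsusSnapshot and Test-WsusBaseline, the product and classification baselines, and the sample snapshot are assumptions made for illustration.

```powershell
# Added example, not from the original post. Function names are hypothetical.
function Get-WsusSnapshot {                      # read-only: collects live settings
    param([string]$Server = 'wsus.domain.local', [int]$Port = 8530)
    $wsus   = Get-WsusServer -Name $Server -PortNumber $Port
    $config = $wsus.GetConfiguration()
    $sub    = $wsus.GetSubscription()
    [pscustomobject]@{
        BinariesAsNeeded = $config.DownloadUpdateBinariesAsNeeded
        AllLanguages     = $config.AllUpdateLanguagesEnabled
        Languages        = @($config.GetEnabledUpdateLanguages())
        EnabledRules     = @($wsus.GetInstallApprovalRules() | Where-Object Enabled | ForEach-Object Name)
        Products         = @($sub.GetUpdateCategories() | ForEach-Object Title)
        Classifications  = @($sub.GetUpdateClassifications() | ForEach-Object Title)
        AutoSync         = $sub.SynchronizeAutomatically
        SyncsPerDay      = $sub.NumberOfSynchronizationsPerDay
        LastSyncResult   = [string]$sub.GetLastSynchronizationInfo().Result
    }
}

function Test-WsusBaseline {                     # pure: compares a snapshot to the baseline
    param(
        [Parameter(Mandatory)]$Snapshot,
        [string]$RuleName = 'My Approval Rule',
        [string[]]$Products = @('Windows 10', 'Windows Server 2016', 'Windows Defender'),
        [string[]]$Classifications = @('Critical Updates', 'Definition Updates', 'Security Updates')
    )
    $checks = [ordered]@{
        'Download binaries only when approved' = $Snapshot.BinariesAsNeeded
        'English is the only update language'  = (-not $Snapshot.AllLanguages) -and (($Snapshot.Languages -join ',') -eq 'en')
        "Rule '$RuleName' present and enabled" = $RuleName -in $Snapshot.EnabledRules
        'Expected products subscribed'         = -not ($Products | Where-Object { $_ -notin $Snapshot.Products })
        'Expected classifications subscribed'  = -not ($Classifications | Where-Object { $_ -notin $Snapshot.Classifications })
        'Drivers not subscribed'               = 'Drivers' -notin $Snapshot.Classifications
        'Automatic sync, twice a day'          = $Snapshot.AutoSync -and ($Snapshot.SyncsPerDay -eq 2)
        'Last sync succeeded'                  = $Snapshot.LastSyncResult -eq 'Succeeded'
    }
    $checks.Keys | ForEach-Object { [pscustomobject]@{ Check = $_; Pass = [bool]$checks[$_] } }
}

# Constructed snapshot (not real server output): Windows Defender was never
# selected and the approval rule exists but is disabled, so two checks fail.
$sample = [pscustomobject]@{
    BinariesAsNeeded = $true; AllLanguages = $false; Languages = @('en')
    EnabledRules = @(); Products = @('Windows 10', 'Windows Server 2016')
    Classifications = @('Critical Updates', 'Definition Updates', 'Security Updates')
    AutoSync = $true; SyncsPerDay = 2; LastSyncResult = 'Succeeded'
}
Test-WsusBaseline -Snapshot $sample | Where-Object { -not $_.Pass }
```

Against a live server, pass the output of Get-WsusSnapshot as the -Snapshot argument instead of the sample; an empty result means every check passed.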