Solved

Hide Windows Updates using Powershell

Posted on 2011-02-11
Last Modified: 2012-06-21
Is it possible to use Powershell to hide Windows updates on Windows XP, Windows 7, Windows Server 2003, 2008, and 2008R2?
Question by:jbcsystech
23 Comments
 
LVL 4

Expert Comment

by:dailypcguy
What advantage do you seek using powershell over group policy objects? Normally you'd configure GPO's to change the default Windows Update location to a WSUS server or an offline WSUS update utility. I'm trying to figure why you'd want to use powershell instead?
0
 

Author Comment

by:jbcsystech
I'd like to use a Windows update powershell script for installing updates and need a way to control updates we don't want to install.
0
 
LVL 47

Expert Comment

by:dstewartjr
Your best bet for controlling which updates get installed is using WSUS.



WSUS step by step

http://araihan.wordpress.com/2009/08/13/install-and-configure-wsus-3-0-sp2-step-by-step/


There's also WuInstall

http://www.wuinstall.com/



WuInstall is a command line tool for Windows which enables you to install Windows updates for a certain workstation in a controlled way by using a command line script instead of the standard Windows update functionality.
0
 
LVL 4

Expert Comment

by:dailypcguy
dstewartjr is correct, as this was where I was leading.

I don't use powerscript, but their site may be able to teach you how to do it. I looked there once and decided I didn't have time to learn yet another scripting language.

Me, I'd just use (as I do) WSUS offline update, so you download them once and apply them to many, in my case customers who never seem to update their machines.

http://www.wsusoffline.net/   (this is free, but donations are welcome)

Installed onto a larger portable USB drive, I just use this utility to update all of my machines, and GPOs to prevent them updating automatically. It covers all MS products XP to Win7 and servers, Office. You would need to have a separate USB stick to achieve Win2000, as it is incompatible with the rest for some reason.

If you're really stuck on the idea of powerscript, I'll keep an eye out and wish you the best of luck! :-}
0
 
LVL 47

Expert Comment

by:dstewartjr
wsusoffline would be *very* time consuming if you have many systems.
0
 
LVL 4

Expert Comment

by:dailypcguy
Yes granted, that's true.
Do you have a server in your system? You can configure a single server to download the updates (it's included in WinServ 2003-2008), and push them out to the client machines based on GPOs and you can control which machines get which updates if you really want to have that much control. Doing it that way saves bandwidth.
I once installed it on my Windows Home Server to act as the update server for my 10 clients. The only problem there was that by default WHS partitions are limited to 20Gb, and that's a bit small if you want to run a lot of apps on it, like home automation, media server, custom apps and addins for instance. You can move the WSUS updates to a share folder which helps, but 20gb still isn't big. I tried several ways to increase the partition size, but MS wouldn't let me, so I abandoned it. Now I use WSUS offline on a networked USB drive or a NAS, and pointed my clients via GPOs to get their updates from there.
Hope you get some powershell code though, sounds intriguing.
0
 
LVL 4

Expert Comment

by:dailypcguy
Oh, I meant to say you can install only admin approved updates using WSUS on a server, to specific machines or designated groups of machines, but that means you have to troll through individually, again a bit time rich.
0
 
LVL 47

Expert Comment

by:dstewartjr
"....but that means you have to troll through individually, again a bit time rich."

That's why there's automatic approval rules in WSUS

http://technet.microsoft.com/en-us/library/cc708458%28WS.10%29.aspx
0
 
LVL 47

Expert Comment

by:dstewartjr
Also WSUS does absolutely no pushing of anything. Clients query the server for updates that are approved and report their status back to WSUS for reporting.
0
 
LVL 4

Expert Comment

by:dailypcguy
Have you had a look here?
http://blogs.technet.com/b/heyscriptingguy/archive/2009/03/11/how-can-i-search-for-download-and-install-an-update.aspx
Surely if you can search for updates using this powershell script and install them using powershell script, you could also ignore them using powershell scripting and using a black/whitelist scenario to prevent them being applied?
Just not sure then how you would push this script out to hundreds of workstations??
0
 
LVL 4

Expert Comment

by:dailypcguy
I'm well aware of both of those conditions. As I said, I had it working well for my needs, and I can see it won't work for you. Split hairs if you will, but I am only here trying to help you find a solution after all.
0

 
LVL 47

Expert Comment

by:dstewartjr
There's also this

Windows Update Agent force script, email results version 2.6
http://community.spiceworks.com/scripts/show/82-windows-update-agent-force-script-email-results-version-2-6
0
 

Author Comment

by:jbcsystech
Dailypcguy,

A black/whitelist is exactly what I'd like, but I've found little information on trying to do that with Powershell.  I'm still learning Powershell and having to rely a lot on Google and Scripting Guy. That's why I thought I'd try using Powershell to hide updates as I thought it would be easier.  

Thanks,
Tim
0
 

Author Comment

by:jbcsystech
Incidentally, I already have a working Windows Update Powershell script and a deployment mechanism, just need to add the white/black list scripting to it.
0
 
LVL 1

Expert Comment

by:Colchester_Institute
@jbcsystech, is there any chance you could post the script you use, as I'm looking for something similar? Many thanks.
0
 

Author Comment

by:jbcsystech
This is one I found on the Scripting Guys site so I can't take credit for it.  I asked them for help, but they did not have the time to assist with adding whitelist/blacklist functionality.  

The workaround I found was setting up an Internal WSUS server then using it in combination with this.  I disabled the automatic updates client on the workstations/servers and run this script to install updates.  I realize I can do everything through WSUS, but I've used it before in our environment and the WSUS agent proved to be problematic (the reason I stopped using it in the first place).  So far, I've been using this for a month and it seems to be working well for us.  I'm going to keep trying to figure out how to add whitelist/blacklist functionality, but in the meantime this works.
---------------------------------------------------------------------------------------

Clear-Host
Write-Host "Starting Update Process..." -ForegroundColor Blue
Write-Host ""

# Windows Update Agent COM objects: one session, one search for pending updates
$UpdateSession = New-Object -ComObject Microsoft.Update.Session
$UpdateSearcher = $UpdateSession.CreateUpdateSearcher()
$SearchResult = $UpdateSearcher.Search("IsAssigned=1 and IsHidden=0 and IsInstalled=0")

$UpdateLowNumber = 0     # zero-based index into the result collection
$UpdateHighNumber = 1    # one-based counter shown to the operator
$NumberofUpdates = $SearchResult.Updates.Count

# Download and install one update at a time so each result is reported separately
while ($UpdateHighNumber -le $NumberofUpdates) {
    $Update = $SearchResult.Updates.Item($UpdateLowNumber)
    if ($Update.EulaAccepted -eq 0) {$Update.AcceptEula()}

    # Download this update
    $UpdatesToDownload = New-Object -ComObject Microsoft.Update.UpdateColl
    [void]$UpdatesToDownload.Add($Update)
    $Downloader = $UpdateSession.CreateUpdateDownloader()
    $Downloader.Updates = $UpdatesToDownload
    [void]$Downloader.Download()

    $UpdatesToInstall = New-Object -ComObject Microsoft.Update.UpdateColl
    [void]$UpdatesToInstall.Add($Update)

    # Report what is about to be installed
    $Title = $Update.Title
    $KBArticleIDs = $Update.KBArticleIDs
    $SecurityBulletinIDs = $Update.SecurityBulletinIDs
    $MsrcSeverity = $Update.MsrcSeverity
    $LastDeploymentChangeTime = $Update.LastDeploymentChangeTime
    $MoreInfoUrls = $Update.MoreInfoUrls
    Write-Host "Installing Update $UpdateHighNumber of $NumberofUpdates"
    Write-Host "Title: $Title"
    if ($KBArticleIDs -ne "") {Write-Host "KBID: $KBArticleIDs"}
    if ($SecurityBulletinIDs -ne "") {Write-Host "Security Bulletin: $SecurityBulletinIDs"}
    if ($MsrcSeverity -eq "Critical") {Write-Host "Rating: $MsrcSeverity" -ForegroundColor Red} else {Write-Host "Rating: $MsrcSeverity"}
    if ($LastDeploymentChangeTime -ne "") {Write-Host "Dated: $LastDeploymentChangeTime"}
    if ($MoreInfoUrls -ne "") {Write-Host "$MoreInfoUrls"}

    # Install this update
    $Installer = $UpdateSession.CreateUpdateInstaller()
    $Installer.Updates = $UpdatesToInstall
    $InstallationResult = $Installer.Install()

    Write-Host "--------------------------------------------"
    # ResultCode 2 is "succeeded"
    if ($InstallationResult.ResultCode -eq 2) {Write-Host "  Installation Succeeded" -ForegroundColor Green} else {Write-Host "  INSTALLATION FAILED, check event log for details" -ForegroundColor Red}
    # RebootRequired is a Boolean, so test it directly instead of comparing it with a string
    if (-not $InstallationResult.RebootRequired) {Write-Host "  Reboot not required" -ForegroundColor Green} else {Write-Host "  REBOOT REQUIRED" -ForegroundColor Red}
    Write-Host "--------------------------------------------"
    Write-Host ""
    Write-Host ""

    $UpdateLowNumber = $UpdateLowNumber + 1
    $UpdateHighNumber = $UpdateHighNumber + 1
}

# Machine-wide reboot state after all installs
$ComputerStatus = New-Object -ComObject Microsoft.Update.SystemInfo
if ($ComputerStatus.RebootRequired -eq 1) {Write-Host "A Reboot is Required"}



0
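Added example, not part of the thread and not code from any participant: one way to get the blacklist behaviour the question asks for with the same Windows Update Agent COM objects the script above uses, by setting the `IsHidden` property on matching updates before anything is queued for install. The KB numbers and the `Test-UpdateBlocked` helper are hypothetical, and the snippet assumes PowerShell 2.0 or later in an elevated session.

```powershell
# Added example. KB numbers are constructed placeholders; WUA lists KB article
# IDs as digits only, without the "KB" prefix.
$BlockedKBs = @('0000001', '0000002')

function Test-UpdateBlocked {
    param($Update, [string[]]$BlockedKBs)
    # One update can reference several KB articles; block on any match.
    foreach ($kb in $Update.KBArticleIDs) {
        if ($BlockedKBs -contains $kb) { return $true }
    }
    return $false
}

$Session  = New-Object -ComObject Microsoft.Update.Session
$Searcher = $Session.CreateUpdateSearcher()
# Same search criteria as the install script in the post above.
$Result = $Searcher.Search("IsAssigned=1 and IsHidden=0 and IsInstalled=0")

$ToInstall = New-Object -ComObject Microsoft.Update.UpdateColl
foreach ($Update in $Result.Updates) {
    if (Test-UpdateBlocked -Update $Update -BlockedKBs $BlockedKBs) {
        try {
            # Needs an elevated session; WUA rejects hiding a mandatory update.
            $Update.IsHidden = $true
            Write-Host "Hidden:  $($Update.Title)" -ForegroundColor Yellow
        } catch {
            Write-Host "Could not hide '$($Update.Title)': $($_.Exception.Message)" -ForegroundColor Red
        }
        continue   # blocked updates are never queued, even if hiding failed
    }
    [void]$ToInstall.Add($Update)
}
Write-Host "$($ToInstall.Count) update(s) queued for download and install."

# Audit: hidden updates are skipped silently from now on, so list them on every
# run to keep deferred security patches visible to whoever reviews the output.
$Hidden = $Searcher.Search("IsHidden=1 and IsInstalled=0")
foreach ($Update in $Hidden.Updates) {
    Write-Host "Currently hidden: [$($Update.MsrcSeverity)] $($Update.Title)"
}
```

The `$ToInstall` collection can be handed to the downloader's and installer's `Updates` property in place of the single-item collections built in the loop above.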
 
LVL 1

Expert Comment

by:Colchester_Institute
Awesome little Script.... Do you use that on remote servers?
0
 

Author Comment

by:jbcsystech
No, all servers are on our internal lan.  I run it on multiple servers at a time using psexec.
0
 
LVL 1

Expert Comment

by:Colchester_Institute
Hmmm, kinda the way I'm trying to do it.

I've got a couple of Update scripts.

Basically, like you, I'm trying to update our servers in an automated way (by remote servers I meant not having to log onto each server individually).

With the script you've given me I now just need to get it working on remote servers and get them to reboot once updates are done.....and possibly get a log file also...Maybe an email report
0
 

Author Comment

by:jbcsystech
I'm working on the log/email report functionality, but haven't perfected it yet and haven't had time to work on it lately.  I'm also trying to figure out how to only reboot the servers when a reboot is required.  If I come up with a working script I'll try to remember to post to you.

I use psexec @\\somelist.txt -e -s cmd.exe /c "echo | powershell -file \\windowsupdate.ps1"

somelist contains a list of servers (one per line)
the following is required to use psexec with powershell:    cmd.exe /c "echo | powershell  

This works for the number of Windows servers we have (approximately 40), but for a larger environment I'd recommend kicking off a scheduled task on the servers (can be accomplished using either Powershell or Group Policy) that runs the script.   You could also run multiple powershell windows at once and use separate server text files. Example: somefile1.txt contains

server1
server2
server3

while somefile2.txt contains

server4
server5
server6

and so forth.
0
 
LVL 1

Expert Comment

by:Colchester_Institute
ahh ok

I've got a script that has email functionality and reboot; I'll have a look and dig it out.

It's that one that I've been trying to tweak etc.
0
 
LVL 1

Accepted Solution

by:
Colchester_Institute earned 500 total points
Here's the link

http://poshcode.org/1932
0
 

Author Comment

by:jbcsystech
Thanks, I'll give that a try.
0
