Solved

Hide Windows Updates using Powershell

Posted on 2011-02-11
Last Modified: 2012-06-21
Is it possible to use Powershell to hide Windows updates on Windows XP, Windows 7, Windows Server 2003, 2008, and 2008R2?
Question by:jbcsystech
23 Comments
 
LVL 4

Expert Comment

by:dailypcguy
ID: 34875612
What advantage do you seek using powershell over group policy objects? Normally you'd configure GPO's to change the default Windows Update location to a WSUS server or an offline WSUS update utility. I'm trying to figure why you'd want to use powershell instead?
0
 

Author Comment

by:jbcsystech
ID: 34875957
I'd like to use a Windows update powershell script for installing updates and need a way to control updates we don't want to install.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 34876405
Your best bet for controlling which updates get installed is using WSUS.



WSUS step by step

http://araihan.wordpress.com/2009/08/13/install-and-configure-wsus-3-0-sp2-step-by-step/


there's also wuinstall

http://www.wuinstall.com/



WuInstall is a command line tool for Windows which enables you to install Windows updates for a certain workstation in a controlled way by using a command line script instead of the standard Windows update functionality.
0
 
LVL 4

Expert Comment

by:dailypcguy
ID: 34880123
dstewartjr is correct, as this was where I was leading.

I don't use powerscript, but their site may be able to teach you how to do it. I looked there once and decided I didn't have time to learn yet another scripting language.

Me, I'd just use (as I do) WSUS offline update, so you download them once and apply them to many, in my case customers who never seem to update their machines.

http://www.wsusoffline.net/   (this is free, but donations are welcome)

Installed onto a larger portable USB drive, I just use this utility to update all of my machines, and GPO's to prevent them updating automatically. It covers all MS products XP to Win7 and servers, Office. You would need to have a separate USB stick to achieve Win2000, as it is incompatible with the rest for some reason.

If you're really stuck on the idea of powerscript, I'll keep an eye out and wish you the best of luck! :-}
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 34880185
wsusoffline would be *very* time consuming if you have many systems.
0
 
LVL 4

Expert Comment

by:dailypcguy
ID: 34881451
Yes granted, that's true.
Do you have a server in your system? You can configure a single server to download the updates (It's included in WinServ 2003-2008), and push them out to the client machines based on GPO's and you can control which machines get which updates if you really want to have that much control. Doing it that way saves bandwidth.
I once installed it on my Windows Home Server to act as the update server for my 10 clients. The only problem there was that by default WHS partitions are limited to 20Gb, and that's a bit small if you want to run a lot of apps on it, like home automation, media server, custom apps and addins for instance. You can move the WSUS updates to a share folder which helps, but 20gb still isn't big. I tried several ways to increase the partition size, but MS wouldn't let me, so I abandoned it. Now I use WSUS offline on a networked USB drive or a NAS, and pointed my clients via GPO's to get their updates from there.
Hope you get some powershell code though, sounds intriguing.
0
 
LVL 4

Expert Comment

by:dailypcguy
ID: 34881475
Oh, I meant to say you can install only admin approved updates using WSUS on a server, to specific machines or designated groups of machines, but that means you have to troll through individually, again a bit time rich.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 34881499
"....but that means you have to troll through individually, again a bit time rich."

That's why there's automatic approval rules in WSUS

http://technet.microsoft.com/en-us/library/cc708458%28WS.10%29.aspx
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 34881506
Also WSUS does absolutely no pushing of anything. Clients query the server for updates that are approved and report their status back to WSUS for reporting.
0
 
LVL 4

Expert Comment

by:dailypcguy
ID: 34881536
Have you had a look here?
http://blogs.technet.com/b/heyscriptingguy/archive/2009/03/11/how-can-i-search-for-download-and-install-an-update.aspx
Surely if you can search for updates using this powershell script and install them using powershell script, you could also ignore them using powershell scripting and using a black/whitelist scenario to prevent them being applied?
Just not sure then how you would push this script out to hundreds of workstations??
0
 
LVL 4

Expert Comment

by:dailypcguy
ID: 34881544
I'm well aware of both of those conditions. As I said, I had it working well for my needs, and I can see it won't work for you. Split hairs if you will, but I am only here trying to help you find a solution after all.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 34881547
There's also this

Windows Update Agent force script, email results version 2.6
http://community.spiceworks.com/scripts/show/82-windows-update-agent-force-script-email-results-version-2-6
0
 

Author Comment

by:jbcsystech
ID: 34896227
Dailypcguy,

A black/whitelist is exactly what I'd like, but I've found little information on trying to do that with Powershell.  I'm still learning Powershell and having to rely a lot on Google and Scripting Guy. That's why I thought I'd try using Powershell to hide updates as I thought it would be easier.  

Thanks,
Tim
0
 

Author Comment

by:jbcsystech
ID: 34896240
Incidentally, I already have a working Windows Update Powershell script and a deployment mechanism, just need to add the white/black list scripting to it.
0
 
LVL 1

Expert Comment

by:Colchester_Institute
ID: 35127296
@jbcsystech, is there any chance you could post the script you use, as I'm looking for something similar? Many thanks.
0
 

Author Comment

by:jbcsystech
ID: 35127687
This is one I found on the Scripting Guys site so I can't take credit for it.  I asked them for help, but they did not have the time to assist with adding whitelist/blacklist functionality.  

The workaround I found was setting up an Internal WSUS server then using it in combination with this.  I disabled the automatic updates client on the workstations/servers and run this script to install updates.  I realize I can do everything through WSUS, but I've used it before in our environment and the WSUS agent proved to be problematic (the reason I stopped using it in the first place).  So far, I've been using this for a month and it seems to be working well for us.  I'm going to keep trying to figure out how to add whitelist/blacklist functionality, but in the meantime this works.
---------------------------------------------------------------------------------------

clear-host
Write-host "Starting Update Process..." -foregroundcolor blue
Write-host ""
$UpdateSession = New-Object -com Microsoft.Update.Session
$UpdateSearcher = $UpdateSession.CreateupdateSearcher()
$SearchResult =  $UpdateSearcher.Search("IsAssigned=1 and IsHidden=0 and IsInstalled=0")
$UpdateLowNumber = 0
$UpdateHighNumber = 1
$NumberofUpdates = $searchResult.Updates.Count
while ($UpdateHighNumber -le $NumberofUpdates) {
$UpdatesToDownload = New-Object -com Microsoft.Update.UpdateColl
$Update = $searchResult.Updates.Item($UpdateLowNumber)
if ($Update.EulaAccepted -eq 0) {$Update.AcceptEula()}
[void]$UpdatesToDownload.Add($Update)
# $UpdatesToDownload.Remove($Update)
$Downloader = $UpdateSession.CreateUpdateDownloader()
$Downloader.Updates = $UpdatesToDownload
[void]$Downloader.Download()
$UpdatesToInstall = New-Object -com Microsoft.Update.UpdateColl
[void]$UpdatesToInstall.Add($Update)
$Title = $update.Title
$KBArticleIDs = $update.KBArticleIDs
$SecurityBulletinIDs = $update.SecurityBulletinIDs
$MsrcSeverity = $update.MsrcSeverity
$LastDeploymentChangeTime = $update.LastDeploymentChangeTime
$MoreInfoUrls = $update.MoreInfoUrls
Write-host "Installing Update $UpdateHighNumber of $NumberofUpdates"
Write-host "Title: $Title"
if ($KBArticleIDs -ne "") {Write-host "KBID: $KBArticleIDs"}
if ($SecurityBulletinIDs -ne "") {write-host "Security Bulletin: $SecurityBulletinIDs"}
if ($MsrcSeverity -eq "Critical") {Write-host "Rating: $MsrcSeverity" -foregroundcolor red} else {Write-host "Rating: $MsrcSeverity"}
if ($LastDeploymentChangeTime -ne "") {Write-host "Dated: $LastDeploymentChangeTime"}
if ($MoreInfoUrls -ne "") {Write-host "$MoreInfoUrls"}
$Installer = $UpdateSession.CreateUpdateInstaller()
$Installer.Updates = $UpdatesToInstall
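# Install() returns the result object that is checked below.
# (The update installer object has no Ignore() method, so that call is removed.)
$InstallationResult = $Installer.Install()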
Write-host "--------------------------------------------"
if ($InstallationResult.ResultCode -eq "2") {Write-host "  Installation Succeeded" -foregroundcolor green}  else {Write-host "  INSTALLATION FAILED, check event log for details" -foregroundcolor red}
# RebootRequired is a Boolean; comparing it to the string "False" inverts the test, so test it directly.
if (-not $InstallationResult.RebootRequired) {Write-host "  Reboot not required" -foregroundcolor green} else {Write-host "  REBOOT REQUIRED" -foregroundcolor red}
Write-host "--------------------------------------------"
Write-host ""
Write-host ""
$Title = ""
$KBArticleIDs =  ""
$SecurityBulletinIDs =  ""
$MsrcSeverity =  ""
$LastDeploymentChangeTime =  ""
$MoreInfoUrls =  ""
$UpdateLowNumber = $UpdateLowNumber + 1
$UpdateHighNumber = $UpdateHighNumber + 1
if ($ProgressValue -lt $NumberofUpdates) {$ProgressValue = $ProgressValue + 1}
}
$ComputerStatus = New-Object -com Microsoft.Update.SystemInfo
 if ($ComputerStatus.RebootRequired -eq 1) {Write-host "A Reboot is Required"}



0
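An added example, not part of the original thread or the Scripting Guys script: one way to get the blacklist behaviour asked about is to set the Windows Update Agent `IsHidden` property on matching updates before installing, so the `IsHidden=0` search used above no longer returns them. The KB numbers and the `Test-UpdateBlocked` helper are constructed for illustration.

```powershell
# Added example: hide blacklisted updates, then collect what remains installable.
# The KB numbers below are constructed placeholders, not real update IDs.
$BlockedKBs = @('0000001', '0000002')

function Test-UpdateBlocked {
    param($Update, [string[]]$Blocked)
    # KBArticleIDs is a string collection; one update may carry several IDs.
    foreach ($kb in $Update.KBArticleIDs) {
        if ($Blocked -contains $kb) { return $true }
    }
    return $false
}

$Session  = New-Object -ComObject Microsoft.Update.Session
$Searcher = $Session.CreateUpdateSearcher()
# Same criteria as the install script: skip updates that are already hidden.
$Result   = $Searcher.Search("IsAssigned=1 and IsHidden=0 and IsInstalled=0")

$ToInstall = New-Object -ComObject Microsoft.Update.UpdateColl
foreach ($Update in $Result.Updates) {
    if (Test-UpdateBlocked -Update $Update -Blocked $BlockedKBs) {
        if ($Update.IsMandatory) {
            # Mandatory updates cannot be hidden; report and leave them alone.
            Write-Warning "Cannot hide mandatory update: $($Update.Title)"
            continue
        }
        try {
            $Update.IsHidden = $true      # requires an elevated session
            Write-Host "Hidden: $($Update.Title)"
        } catch {
            Write-Warning "Failed to hide '$($Update.Title)': $($_.Exception.Message)"
        }
    } else {
        [void]$ToInstall.Add($Update)
    }
}
Write-Host "$($ToInstall.Count) update(s) left to install"
```

A hidden security update leaves that host unpatched until it is unhidden, so keep the blacklist under change control and review it regularly; searching with `IsHidden=1` and setting `IsHidden = $false` reverses the change.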
 
LVL 1

Expert Comment

by:Colchester_Institute
ID: 35127736
Awesome little Script.... Do you use that on remote servers?
0
 

Author Comment

by:jbcsystech
ID: 35127824
No, all servers are on our internal lan.  I run it on multiple servers at a time using psexec.
0
 
LVL 1

Expert Comment

by:Colchester_Institute
ID: 35127860
hmmm kinda the way I'm trying to do it.

I've got a couple of Update scripts.

Basically like you I'm trying to update our servers in an automated way (by remote servers I meant not having to log onto each server individually)

With the script you've given me I now just need to get it working on remote servers and get them to reboot once updates are done.....and possibly get a log file also...Maybe an email report
0
 

Author Comment

by:jbcsystech
ID: 35127939
I'm working on the log/email report functionality, but haven't perfected it yet and haven't had time to work on it lately.  I'm also trying to figure out how to only reboot the servers when a reboot is required.  If I come up with a working script I'll try to remember to post to you.

I use psexec @\\somelist.txt -e -s cmd.exe /c "echo | powershell -file \\windowsupdate.ps1"

somelist contains a list of servers (one per line)
the following is required to use psexec with powershell:    cmd.exe /c "echo | powershell  

This works for the number of Windows servers we have (approximately 40), but for a larger environment I'd recommend kicking off a scheduled task on the servers (can be accomplished using either Powershell or Group Policy) that runs the script.   You could also run multiple powershell windows at once and use separate server text files  (example=  somefile1.txt contains server1
server2
server3

while somefile2.txt contains
server4
server5
server6

and so forth).
0
 
LVL 1

Expert Comment

by:Colchester_Institute
ID: 35128022
ahh ok

I've got a script that has email functionality and reboot, I'll have a look and dig it out.

It's that one that I've been trying to tweak etc
0
 
LVL 1

Accepted Solution

by:
Colchester_Institute earned 500 total points
ID: 35128063
Here's the link

http://poshcode.org/1932
0
 

Author Comment

by:jbcsystech
ID: 35130791
Thanks, I'll give that a try.
0
