Automating Windows Update

Tired of having to update all your servers manually, or with Microsoft WSUS, but without control?

Are you tired of wasting 1-2 hours, every time you deploy a template, for it to install all the latest patches?

Why not automate it the easy way?

Using some freely available tools you can easily make vRealize Orchestrator, or just your own powershell scripts, update Windows scheduled, at a time that suits you.

Michal Gajda  made this awesome powershell module called PSWindowsUpdate that lets you script install Windows updates.

You only need to do the following in your Windows Template, or whatever VM you want updated:

When you want to install updates, you need to run the following commands in powershell

# Commands

# Scan for Updates
Get-WUList

# Install Updates without Reboot
Get-WUInstall -MicrosoftUpdate -AutoSelectOnly -IgnoreReboot -IgnoreUserInput -Confirm:$false

If you get an error saying “WARNING: Can’t find registered service Microsoft Update. Use Get-WUServiceManager to get registered service.”

You need to either use -WindowsUpdate insted of -MicrosoftUpdate, or you need to register the MicrosoftUpdate service. Either select to use it through the Windows Update gui configurator or run the following command.

# Command
Add-WUServiceManager -ServiceID 7971f918-a847-4430-9279-4a52d1efe18d -Confirm:$false

All this can be easily automated with vRealize Orchestrator. I am using the Guest Script Manager Package to automate it.

To get it to install scripted updates using an elevated prompt, you have to disable User Access Control in Windows. This will now work with any other account then local build-in Administrator account because you will need to elevate your prompt.

If you have the possibility to run in Interactive mode I found some code that I could modify, that can help you. Most of the credits go to Ben Armstrong for making this code.

function Get-ScriptDirectory
{
 Split-Path $script:MyInvocation.MyCommand.Path
}

# Get the ID and security principal of the current user account
$myWindowsID=[System.Security.Principal.WindowsIdentity]::GetCurrent()
$myWindowsPrincipal=new-object System.Security.Principal.WindowsPrincipal($myWindowsID)
 
# Get the security principal for the Administrator role
$adminRole=[System.Security.Principal.WindowsBuiltInRole]::Administrator
 
# Check to see if we are currently running "as Administrator"
if ($myWindowsPrincipal.IsInRole($adminRole))
 {
 # We are running "as Administrator" - so change the title and background color to indicate this
 $Host.UI.RawUI.WindowTitle = $myInvocation.MyCommand.Definition + "(Elevated)"
 $Host.UI.RawUI.BackgroundColor = "DarkBlue"
 clear-host
 }
else
 {
 # We are not running "as Administrator" - so relaunch as administrator
 
 # Create a new process object that starts PowerShell
 $newProcess = new-object System.Diagnostics.ProcessStartInfo "PowerShell";
 
 # Specify the current script path and name as a parameter
 $newProcess.Arguments = $myInvocation.MyCommand.Definition;
 
 # Indicate that the process should be elevated
 $newProcess.Verb = "runas";
 
 # Start the new process
 $p = [System.Diagnostics.Process]::Start($newProcess);
 $p.WaitForExit()
 
 # Exit from the current, unelevated, process
 exit
 }
 
# Run your code that needs to be elevated here
Import-Module PSWindowsUpdate
Add-WUServiceManager -ServiceID 7971f918-a847-4430-9279-4a52d1efe18d -Confirm:$false
Get-WUInstall -MicrosoftUpdate -AutoSelectOnly -IgnoreReboot -IgnoreUserInput -Confirm:$false
exit

If you need to run it with another admin account on the server you will have to change the Run all administrator user in admin approval mode, UAC setting to disabled, which is not really recommended.

Happy Scripting…

Leave a Reply

Your email address will not be published. Required fields are marked *