Tag Archives: WSUS

PowerShell – WMF5 (including PowerShell) 5 can be deployed using WSUS again, but there is a catch …

A couple of weeks ago I was thinking that I should blog that it’s a pity that Windows Management Framework (including PowerShell) could be not distributed through WSUS anymore. In the past it was available on through WSUS, but it was removed (expired) at some point due to some issues.

This meant to deploy PowerShell you could not deploy it through regular WSUS, but you had to either:

  • Include it in your base image
  • Install it manually
  • Install it using scripting
  • Install it using GPO
  • Install it using WSUS add-on solutions to deploy 3rd party packages. Example solutions include, but are not limited to Local Update Publisher (LUP), WSUS package publisher, SolarWinds patch manager.
  • Install it using enterprise systems management software. Example solutions include, but are not limited to System Center Configuration Manager (SCCM), Altiris, Landesk Management Suite, Tivoli Endpoint Manager (BigFix)
  • Install it using Intune

At many customers of ours this meant that PowerShell was left at version 2.0 for older operating systems unfortunately. For newer operating systems luckily version 3.0 was shipped by default. Still the version would never be updated in most cases.

Apparently the PowerShell team also thought something had to be done about that, because they made the Windows Management Framework (WMF) 5.0 RTM available via the Microsoft Update Catalog. Since it is published to the Microsoft Update Catalog, you have to manually import it to your WSUS environment. Also as the blog post states, before installing ensure you have reviewed known product incompatibilities (Exchange, SharePoint and System Center Virtual Machine Manager) and that the prerequisites are met.

I hope this will mean I will be seeing more up-to-date versions of PowerShell on systems of customers from now on.

One of the disadvantages however is that for operating systems before Windows 8.1/2012, a prerequisite is that WMF4 is installed, which cannot easily be deployed using WSUS unfortunately.









Tags: , , , ,

Microsoft – Important changes to the update mechanism in Windows 8 and Windows Server 2012

For a very long time, the update mechanism for both Windows clients and Windows servers have been the same. With Windows 8 and Windows Server 2012 this has changed.

Even though I’d already found out that something had changed with the Windows 8/Windows Server 2012 update mechanism by using it, I didn’t really know what changed and why.

  1. Windows 8 Modern (Metro) Apps security patching does not work the same as regular security patching. For more information, read “Microsoft’s new security patching routine raises concerns“.
  2. Default behavior after you install an important update in Windows 8 or in Windows Server 2012 is that you receive a notice that you have to restart the computer in three days. If the restart does not occur in three days, the computer displays a 15-minute countdown and then automatically restarts. By default, this automatic restart is delayed if the computer is locked, and the countdown will begin the next time that you sign in to the computer. Update KB2835627 has been released that introduces a new registry key called AlwaysAutoRebootAtScheduledTime which enables you to configure a forced restart after installation if desired.
  3. This great blog post provides more insight: “Managing Updates with Deadlines in an era of Automatic Maintenance“. The reactions are also very interesting.Some of the key takeaways from this post:
    • A new feature called Automatic Maintenance, runs nightly and performs various tasks such as lightly defragmenting hard drives (or TRIMming SSDs if necessary), checking, repairing, and optimizing the system component store, running anti-virus scans, installing updates, and more.
      • The setting for when to download and install updates doesn’t work in the same way as it did. While you can still set Windows Update to download updates and install them automatically or not, the day-of-the-week setting is not effective. It is included in the automatic maintenance and there isn’t a way to individually specify which maintenance tasks run on which day.
      • The Windows Update Agent doesn’t have to be active in the background all the time because of this. This consolidation reduces system resource usage and battery usage.
    • If you want to be in control of when updates will be installed you have to use WSUS and set deadlines for updates.

Even though I understand the reasoning behind the change, I would have preferred that Microsoft gave customers options to choose their preferred method. In my opinion this method makes sense for clients, but not so much for servers.

Also for some (smaller) companies the specific day and time patching method (including downloading from Microsoft Update) worked fine and now they might have to install, configure and maintain a WSUS server (including patch approvals) to achieve the same result.

What do you think about this ? Leave a comment on either my blog or on the original blog post : Managing Updates with Deadlines in an era of Automatic Maintenance


Tags: , , , , , , , , , , , , , , , , , ,

Powershell – Get WSUS clients Without Sync Or Report In X Days

One of the tasks of a WSUS administrator is to make sure that WSUS clients are up-to-date. This requires the WSUS clients to report to the WSUS server on a regular basis.

So if clients do not report to the WSUS server, you need to investigate and resolve the issue.

This script will show you which WSUS clients haven’t reported in X days:

Another use case would be if you manage a WSUS infrastructure with an upstream server and multiple downstream servers for each customer. If one or more 3rd parties are responsible for managing the WSUS clients, you could use this script to automatically mail them the clients they’re responsible for that haven’t reported for X days.

Leave a comment

Posted by on February 17, 2013 in Automation, ICT, Microsoft, Powershell, Windows, WSUS


Tags: , , , , , , , ,

SCOM2012 – Extract English Only MSP Update Rollup 3 files from CAB using PowerShell (and my vision on updating using WSUS/Microsoft Update)

I created this script to automate extracting English only MSP files from CAB files in the SCOM 2012 Update Rollup 3 (UR3) files. By default it will delete extracted non-English versions. With some minor modifications it can be used for any CAB file though, not just SCOM 2012 Update Rollup 3. It includes a lot of comments, so it is manageable and can be used for getting to know PowerShell better.

SCOM 2012 Update Rollup 3 can be downloaded here :

The issue with SCOM 2012 Update Rollup 3 is that after downloading you’ll end up with a total of 41 CAB files. The large number of files is because they are for different components and in multiple languages. And what is even worse, is that the file names do not show which file is for which language.This script will extract all cab files to a subfolder and will then removes the non English ones. Below are some of the example files in Update Rollup 3 to give you an idea about the nondescriptive file names:


Deploying SCOM 2012 components and updates to them can be done in multiple ways:       

Most of the work while updating will probably be updating the agents. Basically for SCOM 2012 there are 2 major ways to install agents:

  1. Push installation (initiated from SCOM 2012). Updates can then also be deployed from within SCOM (Remotely Manageable = Yes). Push installation is often preferred, because it is easy and also allows you to push updates to clients from within SCOM 2012. The downside however is that it also requires a lot of open ports (including RPC) which might not always be acceptable:           Push install and update install can also consume a lot of bandwidth and depending on your architecture (b.e. WAN links), the push install might not be the best way.
  2. A manual installation (anything that is not a push installation). Updates cannot be deployed from within SCOM (Remotely Manageable = No). Manual installation includes running setup manually, using a GPO software install or using deployment tools like System Center Configuration Manager). Using the GUI, you cannot simply set an agent back to remotely manageable = Yes. You can change this in SQL though, but keep in mind that connectivity  requirements still need to be met.

With Update Rollup 3, it is now possible to leverage WSUS / Microsoft Update to deploy updates (not the inital agent) to all SCOM 2012 components. I predict this will probably become the preferred way of updating SCOM 2012 for most companies:
+ It does not require many ports on your firewall to be opened.
+ Better bandwidth management (local WSUS, BranchCache, BITS).
+ Auto detects components on systems (component updates are not forgotten).
+ Still in control of when which updates are deployed/approved.
+ Leverage existing patch/update management procedures and systems WSUS/SCCM (standardization).
– Initial agent installation cannot be performed using WSUS.

PS: Also check these great blog posts when deploying Update Rollup 3:


Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

%d bloggers like this: