Improve Windows Update for Business management

We all know that the transformation from the good old SCCM/WSUS is hard and from time to time complicated. Of course there are a ton of guides how to manage Windows Update for Business (WUfB) – like this amazing article HERE.

But not all customers are ready for the modern way of update management. In WSUS or even more in SCCM we have a detailed manageability of when to install which update.
This is missing in WUfB since in WUfB we assuming we are installing all updates via the ring model and we don’t need to install updates during a specific time window, or block specific KB’s.

I’ve a few customers that are still not able to adopt WUfB in the current form. They would like to have better control of the update installation – or just want to speed up the installation process with first downloading the updates and then install the updates.

Some of the configuration is possible via the CSP – HERE. You are able to configure the day and the time where Updates should be installed. This functionality can be used together with my script to improve the update performance.

The source files

Just in case you are looking for the source files. They are stored on GitHub HERE

The management options

The script will provide the following configuration options:

  1. Force Microsoft Update
    Since we are not able to overwrite WSUS settings via CSP, this will force the connection to WSUS without deleting any GPO/WU settings.
  2. Direct Download
    This will first download all updates and then install them when requested
  3. Enable Maintenance Window
    If you enable the maintenance window, updates only getting installed during the time
  4. Start Time
    After this time is reached, the update installation will start
  5. End Time
    No new update will be installed after the time – currently installing updates will be finished
  6. Day
    Choose a day of a week – right now the script only supports a one week interval – if you select “none” updates are available for installation everyday
  7. Hidden Updates
    Select KB’s you want to block for installation. Multiple KB’s are comma separated e.g. “KB123123,KB12312312”
  8. Un-Hidden Updates
    Select KB’s you want to allow again for installation. Multiple KB’s are comma separated e.g. “KB123123,KB12312312”. If an update is on “Hidden” and “Un-Hidden” list – it will be available for installation.

Still interested? Let’s see how it works and what you need.

How it works

In reality the script is not only one script – there are several parts.

  1. Profile configurator
  2. Installation script
  3. Main script for update installation

Profile configurator

The profile configurator is a GUI for easily create a new profile with all required settings that are listed in “The management options” above.

First of all – sorry for the old school GUI. Since it is based on PowerShell and Windows Forms, the design is not that fancy as you might expect.

The first three options – all based on True/False – are required for creating a XML file. For configuring the Start/End time and the maintenance day, you need first set “Enable Maintenance Window” to “True”.

After you configured everything you need, you can choose to copy the finished XML to clipboard and/or to a XML file.

The output should look like this:

<wap-provisioningdoc id="e4feca6a-e8d1-42d6-88dd-281de6b459a5" name="customprofile">
<characteristic type="com.airwatch.winrt.powershellcommand" uuid="2f77119f-765f-489b-80fc-59f5acd7248a">
  <parm name="PowershellCommand" value="Invoke-Command -ScriptBlock {
    New-Item HKLM:\SOFTWARE\Policies\Custom\WindowsUpdate -Force;
    New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Custom\WindowsUpdate -Name DirectDownload -PropertyType String -Value True;
    New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Custom\WindowsUpdate -Name HiddenUpdates -PropertyType String -Value "";
    New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Custom\WindowsUpdate -Name UnHiddenUpdates -PropertyType String -Value  "";
    New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Custom\WindowsUpdate -Name LastInstallationDate -PropertyType String -Value "";
    New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Custom\WindowsUpdate -Name MaintenaceWindow -PropertyType String -Value True;
    New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Custom\WindowsUpdate -Name MWDay -PropertyType String -Value "";
    New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Custom\WindowsUpdate -Name MWStartTime -PropertyType String -Value  00:00;
    New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Custom\WindowsUpdate -Name MWStopTime -PropertyType String -Value 01:00;
    New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Custom\WindowsUpdate -Name UseMicrosoftUpdate -PropertyType String -Value True  
}"/>
</characteristic>
</wap-provisioningdoc>

As you can see, I’m using registry keys to manage the device. For this a new registry hive HKLM:\SOFTWARE\Policies\Custom\WindowsUpdate
gets created, every time the profile gets updated – e.g. when you add a new KB to the hidden update list.

Now you know, that the script uses the registry as configuration source and we can manage those settings easily via profile. Let’s see how we can install the script.

Installation script

The installation script does the following:

  1. Creates a scheduled task to run every X minutes and on every startup
    This will trigger the Windows update script
  2. Copy the SearchWindowsUpdate.ps1 to the installation dir you defined
  3. Copy the PSWindowsUpdate PowerShell module to “C:\Program Files\WindowsPowerShell\Modules”

You have the following parameter for the script:

[string]$LogPath,
[string]$InstallDir,
[int]$UpdateInterval

LogPath – to define the log directory – if not set, there will be no logs generated – e.g. C:\Logs\CustomUpdate
InstallDir – define where the script will be copied – e.g. C:\Windows\CustomUpdate
UpdateInterval – define how often the script will run – in minutes – e.g. 60

The command-line could be look like this:

install.ps1 -LogPath "C:\Logs\CustomUpdate" -InstallDir "C:\Windows\CustomUpdate" -UpdateInterval 120

Main Script for update installation

As already mentioned before, the script uses the PSWindowsUpdate script – all Infos regarding the module are HERE.

If you don’t want to deploy the module via Workspace ONE, you can uncomment line 107 to 133. This will install NuGet as package provider and the PSWindowsUpdate module.

Otherwise the script is pretty straight forward and is already explained in the previous topics.

If you need any more information or any other functionality, please leave a comment and I’ll take a look at it.

Deployment

First of all – download the files from GitHub – HERE.

If you want to deploy the script via Workspace ONE, you can zip the following files:

  • the “PSWindowsUpdate” folder
  • dummy.exe – download it from github, or just create a black textfile and rename it from .txt to .exe
  • install.ps1
  • SearchWindowsUpdates.ps1

after you created the ZIP file you can upload this ZIP to the console.

As there is no uninstallation, you can just type NA or “-” as uninstall command.

As installation command please use the following:

powershell -executionpolicy bypass -file install.ps1 -LogPath "C:\Temp\Logs" -InstallDir "C:\Windows\CustomUpdate" -UpdateInterval 120

Feel free to change as you need it.

For the “When To Call Install Complete” action, check if the file
“C:\Windows\CustomUpdate\SearchWindowsUpdates.ps1”
exists.
If you like, you can add the image as icon.

Deploy the application and you are ready to go.

FAQ

Can I get even more control?

If you want even more control, you can use the Windows Update Profile and set the Auto-Approved Updates settings to “not allowed”. Then only approved updates will be available for installation.

What happens if I’m using a Windows Update profile?

The profile will manage which updates are available for installation.
E.g. you are auto approving security updates, all security updates will be installed – if set to not to use auto-approve, only approved updates by the administrator will be installed

What if I approved an update but set it as hidden update?

The update will not be installed as long as you not unhide it.

Should I deploy the script to every devices even if Windows Update for Business is good enough?

No – only deploy it to devices which really have special needs for update management.

Written by
+ posts

Empowering customers in client management since 2012.
Empowering customers in modern management since 2018.

Leave a Reply

Your email address will not be published. Required fields are marked *.

*
*

This site uses Akismet to reduce spam. Learn how your comment data is processed.

BCF Shop Theme By aThemeArt.
BACK TO TOP