I have written this a few times for various companies I have consulted for, and each time it gets a little more efficient. This is the simplest version I have managed yet, as it's for an environment that is just Server 2012 servers and nothing else. It is easily modified for a more complex environment.
The idea is we have two machine groups: one for testing and one for live.
We periodically install all the available updates to the test environment, and after an acceptable period we then apply these tested updates to live.
I schedule this script to run every 3 weeks. Every 3 weeks we have a new batch of updates going to test, and the tested batch going to live. It's really that simple.
If we come across a problem update, we need to manually decline it before the next time the script runs, or it will be applied to live.
SC = Test environment
PC = Live
[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
Import-Module -Name UpdateServices
We define the server in a variable; this is for the C# assemblies.
$wsusserver = 'localhost'
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($wsusserver,$False,8530)
We define the server in a variable; this is for the native PS libraries.
$WsusServerPS = Get-WsusServer -Name 'localhost' -PortNumber 8530
Do WSUS maintenance.
Invoke-WsusServerCleanup -CleanupObsoleteComputers -CleanupObsoleteUpdates -CleanupUnneededContentFiles -CompressUpdates -DeclineExpiredUpdates -DeclineSupersededUpdates
Get all possible updates
$Updates = $wsus.GetUpdates()
Get the WSUS groups
$wsus.GetComputerTargetGroups()
$PCMachines = $wsus.GetComputerTargetGroups() | ? {$_.Name -eq "PC"}
$SCMachines = $wsus.GetComputerTargetGroups() | ? {$_.Name -eq "SC"}
Apply updates from the SC group to PC
ForEach ($Update in $Updates) {
    if ($Update.GetUpdateApprovals($SCMachines).Count -ne 0 -and $Update.GetUpdateApprovals($PCMachines).Count -eq 0) {
        $Update.Approve('Install',$PCMachines) | Out-Null
    }
}
Get Windows 2012 updates only. Be aware that some updates are for Windows 2012 and 8.1.
$Server2012updates = $Updates | where {($_.ProductTitles -like "Windows Server 2012")}
$Server2012updates = $Server2012updates | where {($_.IsSuperseded -ne $True)}
Accept the EULA if needed
$license = $Server2012updates | Where {$_.RequiresLicenseAgreementAcceptance}
$license | ForEach {$_.AcceptLicenseAgreement()}
##Approve updates to SC
Foreach ($Server2012update in $Server2012updates) {
    $Server2012update.Approve('Install',$SCMachines)
}
Finally we clean up the WSUS instance
Invoke-WsusServerCleanup -CleanupObsoleteComputers -CleanupObsoleteUpdates -CleanupUnneededContentFiles -CompressUpdates -DeclineExpiredUpdates -DeclineSupersededUpdates
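
The manual step described above, declining a problem update before the next run, is easier with a preview of what that run will push to live. The following is an added example, not part of the original script: it lists every update approved for SC but not yet for PC and flags any that have spent less than a chosen number of days in test, without approving anything. The function name, its parameters and the 21-day default are assumptions.

```powershell
# Added example: dry-run report of what the next scheduled run would approve to PC (live).
# Get-PromotionCandidate and its parameters are hypothetical names, not from the original script.
[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

function Get-PromotionCandidate {
    param(
        [string]$Server = 'localhost',
        [int]$Port = 8530,
        [string]$TestGroup = 'SC',
        [string]$LiveGroup = 'PC',
        [int]$MinimumDaysInTest = 21    # assumption: mirrors the 3-week schedule
    )
    $wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($Server, $False, $Port)
    $groups = $wsus.GetComputerTargetGroups()
    $test   = $groups | Where-Object { $_.Name -eq $TestGroup }
    $live   = $groups | Where-Object { $_.Name -eq $LiveGroup }
    if (-not $test -or -not $live) {
        throw "Target group '$TestGroup' or '$LiveGroup' was not found on $Server"
    }

    # Assumption: WSUS approval timestamps are UTC, so the cutoff is computed in UTC too.
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$MinimumDaysInTest)

    foreach ($update in $wsus.GetUpdates()) {
        if ($update.IsDeclined) { continue }                    # declined updates are never promoted
        $testApprovals = @($update.GetUpdateApprovals($test))
        if ($testApprovals.Count -eq 0) { continue }            # never went to test
        if (@($update.GetUpdateApprovals($live)).Count -ne 0) { continue }   # already live

        # Oldest approval for the test group marks the start of the soak period.
        $approvedOn = ($testApprovals | Sort-Object CreationDate | Select-Object -First 1).CreationDate
        [pscustomobject]@{
            Title            = $update.Title
            KB               = (@($update.KnowledgebaseArticles) -join ',')
            Severity         = $update.MsrcSeverity
            ApprovedToTest   = $approvedOn
            SoakedLongEnough = ($approvedOn -le $cutoff)
            UpdateId         = $update.Id.UpdateId
        }
    }
}

# Review this list before the scheduled run; rows with SoakedLongEnough = False
# would reach live early if the script were run off-schedule.
Get-PromotionCandidate | Sort-Object ApprovedToTest | Format-Table -AutoSize
```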