PowerShell Desired State Configuration resources for WSUS

 

It’s been a long time i wanted to finish theses PowerShell Desired State Configuration resources to work with WSUS Configuration.Indeed, we have many servers that are not in domain, outside the WSUS GPO scope, but, they also need to be up to date, i’m sure you know why! So after few days of work the resource is online.

[su_label type=”important”]Important[/su_label] Keep in mind that this resource is still in beta, i need you to test it and make it stronger! Here are the available resources

Get-DscResource | ? { $_.Module -like "*cWSUS*" } | ft -AutoSize
ImplementedAs Name                             Module Properties                      
------------- ----                             ------ ----------                      
PowerShell    cWSUSAutoInstallMinorUpdates     cWSUS  {Enable, DependsOn}             
PowerShell    cWSUSAutoRebootWithLoggedOnUsers cWSUS  {Enable, DependsOn}             
PowerShell    cWSUSAutoUpdate                  cWSUS  {Enable, DependsOn}             
PowerShell    cWSUSElevateNonAdmins            cWSUS  {Enable, DependsOn}             
PowerShell    cWSUSEnable                      cWSUS  {Enable, DependsOn}             
PowerShell    cWSUSInstallDay                  cWSUS  {Day, DependsOn, Ensure}        
PowerShell    cWSUSInstallTime                 cWSUS  {Time, DependsOn, Ensure}       
PowerShell    cWSUSSetServer                   cWSUS  {Url, DependsOn, Ensure}        
PowerShell    cWSUSSetTargetGroup              cWSUS  {TargetGroup, DependsOn, Ensure}
PowerShell    cWSUSUpdateFrequency             cWSUS  {Frequency, DependsOn, Enable}  
PowerShell    cWSUSUpdateMode                  cWSUS  {Mode, DependsOn}               
PowerShell    cWSUSWindowsUpdateAccess         cWSUS  {Enable, DependsOn}

All are made to work with PowerShell v4+.

 

WHAT IS NOW AVAILABLE ?

I decided to split all properties in separate resources to make it easier to use, here are the explanations for each resources:

  • cWSUSAutoRebootWithLoggedOnUsers = If set to true, the logged-on user can decide whether to restart the client computer. If set to false, automatic Updates notifies the user that the computer will restart in 15 minutes.
  • cWSUSAutoUpdate = If set to true, Automatic Updates are disabled.
  • cWSUSElevateNonAdmins = If set to true, all members of the Users security group can approve or disapprove updates, if False, only Administrators can.
  • cWSUSEnable = Enable or Disable WSUS Server utilisation.
  • cWSUSInstallDay = Choose the day you want updates to be installed
  • cWSUSInstallTime = Choose the hour when you wan updates installed
  • cWSUSSetServer = Define your WSUS Server, if Ensure = Present. If Absent, Microsoft site will be used?
  • cWSUSSetTargetGroup = Name of the computer group to which the computer belongs. If Ensure = Absent, TargetGroup utilisation disabled.
  • cWSUSUpdateFrequency = Time between detection cycles.
  • cWSUSUpdateMode = Four update options: Notify before download, Auto download and notify of installation, Auto download and schedule installation (needs installDay and InstallTime setted), Automatic Updates (users can configure it)
  • cWSUSWindowsUpdateAccess = Prevents users from connecting to the Windows Update website.

 

WHAT WILL COME IN THE FUTUR ?

  • cAcceptTrustedPublisherCerts: Enable/Disable signed non-Microsoft updates
  • cRebootRelaunchTimeout: Time between prompts for a scheduled restart.
  • cRebootWarningTimeout: Length, in minutes, of the restart warning countdown after updates have been installed that have a deadline or scheduled updates.
  • cRescheduleWaitTime: Time in minutes that Automatic Updates waits at startup before it applies updates from a missed scheduled installation time.

 

HOW IT WORKS ?

It works like any other DSC resources πŸ˜‰ Here is a little example.

At first, download the module here, and copy it in your PowerShell module folder, and let the magic opers now ! Open your ISE, and make something similar to this

Configuration TestWSUS {
    
    Import-DscResource -module cWSUS

    Node localhost {
        
        cWSUSEnable WSUSEnable {
            Enable = "True"
        }

        cWSUSSetServer WSUSServer {
            Url = "http://127.0.0.1:8080"
            Ensure = "Present"
        }

        cWSUSSetTargetGroup TargetGroupDMZ {
            TargetGroup = "DMZPrivate"
            Ensure = "Present"
        }

        cWSUSUpdateMode WSUSMode {
            Mode = "Notify"
        }

        cWSUSWindowsUpdateAccess WSUSNoAccess {
               Enable = "False"
        }
    }
}


Push-Location C:\Temp
TestWSUS

Now apply the configuration !

Start-DscConfiguration -Path C:\Temp\TestWSUS -wait -Verbose

Now, the proofΒ  of the execution !

wsus_apply

If i try to get the current configuration, it works too πŸ™‚

Get-DscConfiguration

Get-WSUS-Configuration

And after that, let’s test our configuration ! πŸ™‚

WSUS_TestConfiguration

Seems everything is OK πŸ™‚

You have now a Desired State Configuration resource that you can use to drop your Old School GPOs to manage the WSUS configuration on all your nodes.

If you have comments, want addition.. ANYTHING. Please comment here, and for issues, open them on Github

[su_service title=”Pester” icon=”http://pwrshell.net/content/uploads/2015/03/index_pester.jpg” icon_color=”#76f9f7″]Bonus: Here is a little Pester script to validate your WSUS Configuration, of course, you can use apart from this DSC resource ;)[/su_service]

 

If you need more check on this Pester script, just look about the DSC resources files and explorer the Get-TargetResource functions πŸ˜‰

Hope you’ll like this DSC Resource.