PDQ Package Library and the PSWindowsUpdate PowerShell Module

Purpose:

You are looking for a WSUS/Microsoft Update replacement integrated with PDQ Products to ensure that endpoints have all available patches from Microsoft.

 

Overview:

Although we currently offer Microsoft Cumulative Updates in our Package Library, customers frequently ask for a full WSUS/Microsoft Update replacement integrated into our products. While we typically avoid third-party tools, the PSWindowsUpdate module is well known and widely used for checking for and applying all available Microsoft updates on a machine, and it can be a viable alternative to WSUS/Microsoft Update. It is also an advantage for Connect customers, because Microsoft updates are downloaded directly from Microsoft servers instead of from a traditional on-premises server.

If you are a military or government organization, you may want to review this PowerShell Module in greater detail before placing it into production to ensure that it meets your security standards:

Publisher: PowerShellGallery

Home: https://www.powershellgallery.com/packages/PSWindowsUpdate/2.2.0.3

Download: https://psg-prod-eastus.azureedge.net/packages/pswindowsupdate.2.2.0.3.nupkg

VirusTotal Report: https://www.virustotal.com/gui/file/29b510ec19c8c8796ecf762f11a852143878c64ca76c7606764df428677a9d0a
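
One way to carry out that review on a test workstation, as an added example (not code from PDQ or the module author). It assumes the VirusTotal report linked above is for the .nupkg at the Download URL, so the SHA-256 in the report URL is the expected file hash; the staging folder is hypothetical.

```powershell
# Added example: vet the PSWindowsUpdate 2.2.0.3 package before approving it.
# Assumption: the VirusTotal report on this page covers this exact .nupkg.
$ErrorActionPreference = 'Stop'
$DownloadUrl    = 'https://psg-prod-eastus.azureedge.net/packages/pswindowsupdate.2.2.0.3.nupkg'
$ExpectedSha256 = '29b510ec19c8c8796ecf762f11a852143878c64ca76c7606764df428677a9d0a'

# Hypothetical staging locations on the review workstation.
$Stage   = Join-Path $env:TEMP 'PSWU-review'
$Package = Join-Path $Stage 'pswindowsupdate.2.2.0.3.nupkg'
$Content = Join-Path $Stage 'content'

if (Test-Path $Stage) { Remove-Item -Path $Stage -Recurse -Force }
New-Item -ItemType Directory -Path $Stage | Out-Null

# Windows PowerShell 5.1 may not offer TLS 1.2 by default.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri $DownloadUrl -OutFile $Package -UseBasicParsing

# 1. The downloaded file must be the same file that was scanned.
#    (-ne on strings is case-insensitive, so hash letter case does not matter.)
$actual = (Get-FileHash -Path $Package -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw "SHA-256 mismatch. Expected $ExpectedSha256 but got $actual. Do not deploy this file."
}
Write-Output "SHA-256 matches the reviewed package: $actual"

# 2. A .nupkg is a zip archive: unpack it and list the Authenticode status
#    of every script and binary so a reviewer can see what is signed and by whom.
Add-Type -AssemblyName System.IO.Compression.FileSystem
[System.IO.Compression.ZipFile]::ExtractToDirectory($Package, $Content)

Get-ChildItem -Path $Content -Recurse -File -Include *.dll, *.psd1, *.psm1, *.ps1, *.ps1xml |
    Get-AuthenticodeSignature |
    Select-Object @{ n = 'File';   e = { Split-Path $_.Path -Leaf } },
                  Status,
                  @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } } |
    Format-Table -AutoSize
```

A hash mismatch means the file served today is not the one that was reviewed, so the review has to be repeated for the new file.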

 

Requirements:

1. Endpoints must have internet access. These packages will not work on air-gapped networks.

2. PowerShell scripts must be enabled and allowed to run on endpoints.

3. Endpoints must have access to Microsoft servers to download updates.

 

Getting Started:

There are currently 6 Packages in the Package Library available for you to use:

1. PSWindowsUpdate - Get All Applicable Updates from Microsoft (Audit Only)

2. PSWindowsUpdate - Install All Applicable Updates from Microsoft (No Drivers, No Feature Updates)

3. PSWindowsUpdate - Install All Applicable Critical and Security Updates from Microsoft

4. PSWindowsUpdate - Install All Applicable Drivers from Microsoft

5. PSWindowsUpdate - Install All Applicable Feature Updates from Microsoft

6. PSWindowsUpdate - Install Specific Microsoft KB

 

Each of these packages will do the following:

1. Check if the PSWindowsUpdate module is installed. If it is not, it will download the NuGet Installer and then download the PSWindowsUpdate module.

2. It will then run the PSWindowsUpdate module and check for all available Microsoft patches.

3. Depending on the package, it will then install specific updates.

4. Reboots are disabled, but may be required in order to complete the installation of some patches.
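
The four steps above, sketched as an added example (this is not the script shipped in the PDQ packages). Pinning the module to 2.2.0.3, the version linked on this page, and the REBOOT_PENDING marker text are assumptions made here so that only a reviewed version runs and a pending reboot is visible in the output log.

```powershell
# Added example, not the PDQ package script.
$ErrorActionPreference = 'Stop'
$ReviewedVersion = '2.2.0.3'   # assumption: the version you vetted

# PowerShell Gallery requires TLS 1.2; Windows PowerShell 5.1 may not offer it by default.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Step 1: install the NuGet provider and the module only if the reviewed version is absent.
$installed = Get-Module -ListAvailable -Name PSWindowsUpdate |
    Where-Object { $_.Version -eq [version]$ReviewedVersion }
if (-not $installed) {
    if (-not (Get-PackageProvider -ListAvailable -Name NuGet -ErrorAction SilentlyContinue)) {
        Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
    }
    Install-Module -Name PSWindowsUpdate -RequiredVersion $ReviewedVersion -Scope AllUsers -Force
}
Import-Module PSWindowsUpdate -RequiredVersion $ReviewedVersion

# Step 2: check for all applicable updates and write them to the output log.
$applicable = Get-WindowsUpdate -MicrosoftUpdate -Verbose
$applicable | Format-Table KB, Size, Title -AutoSize

# Step 3: install the subset this package is responsible for (here: critical and security).
Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -IgnoreReboot -Verbose `
    -Category 'Critical Updates', 'Security Updates'

# Step 4: reboots are suppressed, so report whether one is still pending.
if (Get-WURebootStatus -Silent) {
    Write-Output 'REBOOT_PENDING'
} else {
    Write-Output 'NO_REBOOT_PENDING'
}
```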

 

PACKAGE: Get All Applicable Updates from Microsoft (Audit Only)

This package is an Audit-Only package. You can run this and then view the Output log to see what applicable Microsoft Updates are available for the endpoint. You can then choose which other PSWindowsUpdate packages to use to install a subset or all of the updates on the machine.

IMPORTANT! Additional setup for PDQ Deploy and Inventory customers:

1. To extend this audit functionality for PDQ Inventory users, 2 additional XML files have been bundled with this package. Once the package is downloaded, you can find them here:
$(Repository)\PSWindowsUpdate\InventoryScanner_GetApplicableMicrosoftUpdates.xml
$(Repository)\PSWindowsUpdate\InventoryReport_GetApplicableMicrosoftUpdates.xml
(The default path for $(Repository) is typically: C:\Users\Public\Documents\Admin Arsenal\PDQ Deploy\Repository)
2. Open PDQ Inventory / Right-click on Scan Profiles and choose Import. Navigate to $(Repository)\PSWindowsUpdate\InventoryScanner_GetApplicableMicrosoftUpdates.xml and choose Open
3. Open PDQ Inventory / Right-click on Reports and choose Import. Navigate to $(Repository)\PSWindowsUpdate\InventoryReport_GetApplicableMicrosoftUpdates.xml and choose Open
4. You can now right-click and Scan Computers or Scan Collection with the newly imported Get Applicable Microsoft Updates scanner
5. Once the scan has been completed, you can view the results by opening a computer's inventory, then clicking on the PowerShell section (in the left pane). Choose PowerShell (Get Applicable Microsoft Updates) from the drop-down box. Available updates will appear; if the screen is empty, there are currently no applicable updates.
6. Additionally, for a simpler, cleaner report, if you return to the Inventory home screen and click on Reports, you can open and run the Get Applicable Updates from Microsoft report. This will report on all machines that you have scanned with the Get Applicable Microsoft Updates scanner (Step 4) and help you identify which Microsoft updates are applicable to your environment. You can then take action to install the updates you choose with one of the following PSWindowsUpdate Packages:

 

PACKAGE: Install All Applicable Updates from Microsoft (No Drivers, No Feature Updates)

This package will install ALL applicable updates from Microsoft, but will not install hardware drivers and feature updates.

 

PACKAGE: Install All Applicable Critical and Security Updates from Microsoft

This package will install Critical and Security Patches ONLY. This package will install cumulative updates as well as other critical updates and security updates.

 

PACKAGE: Install All Applicable Drivers from Microsoft

There are many hardware drivers now available from Microsoft to update, including but not limited to printers, video, mice, keyboards, network, and third-party firmware drivers. We strongly recommend additional testing, especially with network and firmware drivers on test machines or a test lab before deploying to remote machines and risking OS or network connectivity issues with installation failure.

 

PACKAGE: Install All Applicable Feature Updates from Microsoft

This package will specifically install Feature Updates. Please note that Feature Updates can take quite a bit of time to download and install, so you may need additional contact with end users to coordinate a block of time for a feature update (overnight deployment).

 

PACKAGE: Install Specific Microsoft KB

This package currently is only applicable for PDQ Deploy and gives you the ability to directly modify the KB Number you wish to deploy in the Parameters field in Step 1. Please pay close attention to preserving the exact syntax in the Parameters field:

Example 1 with one KB Number:

-KBArticleID 'KB8675309'

Example 2 with 2 or more KB Numbers to install:

-KBArticleID 'KB8675309', 'KB9274836', 'KB3371337'

 

Customizing PSWindowsUpdate for your own Environment:

While the default packages above will be a suitable WSUS/Microsoft Update alternative for the majority of our customers, if you are comfortable with PowerShell, you can download any of the PSWindowsUpdate packages (with the exception of the Specific Microsoft KB package) and convert the auto-download package to a standard package (https://help.pdq.com/hc/en-us/articles/115002840691-Auto-Download-Convert-to-a-Standard-Package). You can then browse to the PowerShell file in Step 1, where there are many different options to target and install specific updates:

General Categories:
'Critical Updates', 'Definition Updates', 'Drivers', 'Feature Packs', 'Security Updates', 'Service Packs', 'Tools', 'Update Rollups', 'Updates', 'Upgrades'
Category: CategoryID
Application: 5C9376AB-8CE6-464A-B136-22113DD69801
Connectors: 434DE588-ED14-48F5-8EED-A15E09A991F6
Critical Updates: E6CF1350-C01B-414D-A61F-263D14D133B4
Definition Updates: E0789628-CE08-4437-BE74-2495B842F43B
Developer Kits: E140075D-8433-45C3-AD87-E72345B36078
Feature Packs: B54E7D24-7ADD-428F-8B75-90A396FA584F
Guidance: 9511D615-35B2-47BB-927F-F73D8E9260BB
Security Updates: 0FA1201D-4330-4FA8-8AE9-B877473B6441
ServicePacks: 68C5B0A3-D1A6-4553-AE49-01D3A7827828
Tools: B4832BD8-E735-4761-8DAF-37F882276DAB
UpdateRollups: 28BC880E-0592-4CBF-8F95-C79B17911D5F
Updates: CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83

Source: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ff357803%28v=vs.85%29?redirectedfrom=MSDN

 

EXAMPLE: Get all available patches from Microsoft

Get-WindowsUpdate -MicrosoftUpdate -Verbose

 

EXAMPLE: Exclude information:

Get-WindowsUpdate -MicrosoftUpdate -Verbose -NotCategory 'Drivers' -NotTitle 'OneDrive' -NotKBArticleID 'KB4489873'

 

EXAMPLE: Install updates by Category

Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -Verbose -IgnoreReboot -Category 'Critical Updates', 'Security Updates', 'Updates'

 

EXAMPLE: Install updates by CategoryID

Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -Verbose -IgnoreReboot -CategoryIDs 'E6CF1350-C01B-414D-A61F-263D14D133B4', 'CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83', '0FA1201D-4330-4FA8-8AE9-B877473B6441'

 

EXAMPLE: Install updates by KB number:

Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -Verbose -IgnoreReboot -KBArticleID 'KB2267602', 'KB4533002'

 

 

 

 

 
