Sync WSUS with Windows Update via PowerShell

This is a post I’ve been meaning to write for a while, and here I’ll explain some of the basic methods and commands to manage WSUS solely through PowerShell. No one really wants to be logging onto machines unnecessarily with RDP, and these have been personally useful to me when customers have had insane hoops to jump through in order to log in (password expiry policies, Workspaces with PINs and OTP, or being locked behind VPNs, for example).

Synchronise WSUS with Windows Update:

(Get-WsusServer).GetSubscription().StartSynchronization()

Get the result of the last synchronisation:

(Get-WsusServer).GetSubscription().GetLastSynchronizationInfo()

These two are useful if you would prefer to power down WSUS servers outside of company patch windows (e.g. monthly patch cycles) to save on costs, as the Update DB on the server won't be up to date all of the time.
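For a server that is only powered on for the patch window, it helps to confirm that the sync actually finished and succeeded before anything is approved from it. The following is an added example, not code from the original post: Sync-WsusAndWait is a hypothetical helper name, and the timeout and polling values are assumptions to adjust.

```powershell
#Requires -Modules UpdateServices
# Added example: Sync-WsusAndWait is a hypothetical helper, not a cmdlet from
# the UpdateServices module. Run it on the WSUS server itself.
function Sync-WsusAndWait {
    [CmdletBinding()]
    param(
        [int]$TimeoutMinutes = 60,   # assumed upper bound for one sync
        [int]$PollSeconds    = 30    # assumed polling interval
    )

    $subscription = (Get-WsusServer).GetSubscription()
    # Remember the previous sync so a stale result is not mistaken for a new one.
    $previousStart = $subscription.GetLastSynchronizationInfo().StartTime

    # Only start a sync if one is not already running (e.g. a scheduled sync).
    if ($subscription.GetSynchronizationStatus() -eq 'NotProcessing') {
        $subscription.StartSynchronization()
    }

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    Start-Sleep -Seconds 5   # give the service a moment to change state
    while ($subscription.GetSynchronizationStatus() -ne 'NotProcessing') {
        if ((Get-Date) -gt $deadline) {
            throw "WSUS sync still running after $TimeoutMinutes minutes."
        }
        $p = $subscription.GetSynchronizationProgress()
        Write-Verbose ("{0}: {1}/{2} items" -f $p.Phase, $p.ProcessedItems, $p.TotalItems)
        Start-Sleep -Seconds $PollSeconds
    }

    $last = $subscription.GetLastSynchronizationInfo()
    if ($last.StartTime -eq $previousStart) {
        throw "No new synchronisation was recorded; the update DB may be stale."
    }
    if ($last.Result -ne 'Succeeded') {
        throw "WSUS sync ended with result '$($last.Result)': $($last.ErrorText)"
    }
    # Return the fields worth logging for the patch window.
    $last | Select-Object StartTime, EndTime, Result
}

Sync-WsusAndWait -Verbose
```

Because the function throws on a failed, stale or timed-out sync, it can gate the rest of a patch-window script.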

Another useful command is to list all the computers managed by WSUS:

Get-WsusComputer -All

And to filter to specific instances, for example if you wanted to check if they were being managed: 

Get-WsusComputer -NameIncludes "ComputerName"

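Finally, to clear out old machines that have either been decommissioned or no longer exist (especially useful if you still manage ASG instances or scale set VMs with WSUS, though I would recommend you use Patch Management/Automation Accounts instead). When you pass a server name, Get-WsusServer also requires -PortNumber; 8530 is the WSUS default for HTTP, so adjust it if your server listens elsewhere:

Get-WsusServer -Name "computername" -PortNumber 8530 | Invoke-WsusServerCleanup -CleanupObsoleteComputers -CleanupObsoleteUpdates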

That about wraps up basic admin tasks. You can get really in-depth with scripting for WSUS, although I personally haven’t gone that deep into it either. As above, we’ve moved on from managing static infrastructure and are now using Patch Management in AWS and Automation Accounts in Azure for Windows patch management. It really takes the pain away and gets rid of one extra VM to manage. 

For a full listing of available commands, punch in:

Get-Command -Module UpdateServices

Or view these online on the MS Documentation page: https://docs.microsoft.com/en-us/powershell/module/updateservices

Easy enough, right?

Of course, you can use any of these commands in conjunction with Enter-PSSession, SSM in AWS or Cloud Shell in Azure to connect to a PowerShell console on the VM/instance.
