Tag: Powershell

  • Sync WSUS with Windows Update via Powershell

    This is a post I’ve been meaning to write for a while. Here I’ll explain some of the basic methods and commands to manage WSUS solely through Powershell. No one really wants to be logging onto machines unnecessarily with RDP, and these have been personally useful to me when customers have had insane hoops to jump through in order to log in (for example password expiry policies, Workspaces with PINs and OTP, or being locked behind VPNs).

    Synchronise WSUS with Windows Update:

    (Get-WsusServer).GetSubscription().StartSynchronization()

    Get the result of the last synchronisation:

    (Get-WsusServer).GetSubscription().GetLastSynchronizationInfo()

    These two are useful if you would prefer to power down WSUS servers outside of company patch windows (e.g. monthly patch cycles) to save on costs, as the update DB on the server won't be up to date all of the time.
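
    For the power-on, sync, power-off routine described above, the following added example (not code from the original post) starts a sync, waits for it to finish and fails loudly unless the result is Succeeded. It assumes it runs locally on the WSUS server with the UpdateServices module available; the timeout and polling values are illustrative.

    ```powershell
    # Added example: synchronise WSUS and verify the outcome before relying on it.
    # Assumption: run on the WSUS server itself. Parameter defaults are illustrative.
    param(
        [int]$TimeoutMinutes = 60,
        [int]$PollSeconds    = 30
    )

    $subscription = (Get-WsusServer).GetSubscription()

    # Remember the previous sync record so a stale result is not mistaken for a new one.
    $before = $subscription.GetLastSynchronizationInfo()

    # The WSUS API uses the US spelling for its method names.
    $subscription.StartSynchronization()

    # Poll until the server reports it is no longer synchronising, or we time out.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds $PollSeconds
        $status = $subscription.GetSynchronizationStatus()
        Write-Verbose "Synchronization status: $status"
    } while ($status -ne 'NotProcessing' -and (Get-Date) -lt $deadline)

    if ($status -ne 'NotProcessing') {
        throw "WSUS sync still '$status' after $TimeoutMinutes minutes."
    }

    $last = $subscription.GetLastSynchronizationInfo()

    # No newer record means the sync never actually started.
    if ($last.StartTime -le $before.StartTime) {
        throw "No new synchronisation record found; last one started $($last.StartTime)."
    }

    # Anything other than Succeeded means the update DB may be out of date.
    if ($last.Result -ne 'Succeeded') {
        throw "WSUS sync result: $($last.Result). $($last.Error) $($last.ErrorText)"
    }

    # Emit a small summary object for logging or for the calling automation.
    [pscustomobject]@{
        Result    = $last.Result
        StartTime = $last.StartTime
        EndTime   = $last.EndTime
    }
    ```

    Run it with -Verbose to see each poll; a thrown error gives the calling automation a reason not to proceed to approvals or shut the server down.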

    Another useful command is to list all the computers managed by WSUS:

    Get-WsusComputer -All

    And to filter to specific instances, for example if you wanted to check if they were being managed: 

    Get-WsusComputer -NameIncludes "ComputerName"

    Finally, to clear out old machines that have either been decommissioned or no longer exist (especially useful if you still manage ASG instances or scaleset VMs with WSUS, though I would recommend you use Patch Management/Automation Accounts instead):

    Get-WsusServer "computername" | Invoke-WsusServerCleanup -CleanupObsoleteComputers -CleanupObsoleteUpdates

    That about wraps up basic admin tasks. You can get really in-depth with scripting for WSUS, although I personally haven’t gone that deep into it either. As above, we’ve moved on from managing static infrastructure and are now using Patch Management in AWS and Automation Accounts in Azure for Windows patch management. It really takes the pain away and gets rid of one extra VM to manage. 

    For a full listing of available commands, punch in:

    Get-Command -Module UpdateServices

    Or view these online on the MS Documentation page: https://docs.microsoft.com/en-us/powershell/module/updateservices

    Easy enough, right?

    Of course, you can use any of these commands in conjunction with Enter-PSSession, SSM in AWS or Cloud Shell in Azure to connect to a Powershell console on the VM/instance.

  • Exporting AD group members using Powershell

    We had a client who was experiencing high usage on one of their TS servers last week, and I was asked to compile and export a list of users on each TS to send to the client so we could move people around. I found a handy Powershell cmdlet that let me do this really easily, as well as being able to export to file.

    Simply put, it’s this:

    Get-ADGroupMember -Identity GroupName | Export-Csv -Path C:\GroupMembers.csv -NoTypeInformation

    The first section, Get-ADGroupMember -Identity GroupName, is where you specify the name of the group that you want to obtain the list of members for.

    Next we have the pipe, which signifies an extra command linked to the first. In this case, we want to export the results to a csv file called GroupMembers.csv.

    The -NoTypeInformation switch just removes an unnecessary line from the start of the csv.

    More information on the export-csv command, including additional switches can be found on Microsoft TechNet – https://technet.microsoft.com/en-us/library/hh849932.aspx