
Work has started a new focus in the way that we look after clients, trying to be more proactive rather than just reacting to problems. Part of this focus is to make sure that servers are up to date. We have deployed a GP to make servers update (Computer Configuration > Administrative Templates > Windows Components > Windows Updates > Configure Automatic Updates).

We now need a way to make sure that the servers only restart at a specific time, rather than when they finish. I found what I thought was the answer here, but it was only for Server 2003, not 2008 and 2012 which I need. Is there a similar GP that I could use? The plan would be to have the servers automatically scan, download and install updates through the week, and anything that needs a restart to install will happen on the weekend.

Mickycampbell

1 Answer


The trick here is to not have Windows Update do the install via the Automatic Updates mechanism. You can set it to automatically download, but for automatic installs, there's no way to stop the reboot timer from triggering unless there's a user logged into the system, such as with the No auto-restart with logged on users for scheduled automatic updates installations policy. Since this is for servers, I'm going to assume that this is not the default case, and that nobody being logged in doesn't mean the machine's resources aren't necessary at the moment.

Set up a scheduled task that will trigger the install of the updates and report when the updates are finished, or some other action, so that you know the computer is due for a restart.

I very quickly modified the script found here to suit your needs:

#      Author: Gregory Strike
#     Website: www.GregoryStrike.com
#        Date: 02-19-2010
# Information: This script was adapted from the WUA_SearchDownloadInstall.vbs VBScript from Microsoft.  It uses the
#              Microsoft.Update.Session COM object to query a WSUS server, find applicable updates, and install them.

# < --- SNIP --- >

# The original script prompts the operator for $Install; a scheduled task runs unattended, so it is set here.
$Install = "Y"
# Mail settings (placeholders: replace with your own relay and addresses)
$SmtpServer = "smtp.example.com"
$From = "server@example.com"
$To = "admin@example.com"

$UpdateSession = New-Object -Com Microsoft.Update.Session
$UpdateSearcher = $UpdateSession.CreateUpdateSearcher()

# Find software updates that are applicable but not yet installed
$SearchResult = $UpdateSearcher.Search("IsInstalled=0 and Type='Software'")

$UpdatesToInstall = New-Object -Com Microsoft.Update.UpdateColl

# Keep only the updates that Automatic Updates has already downloaded
For ($X = 0; $X -lt $SearchResult.Updates.Count; $X++){
    $Update = $SearchResult.Updates.Item($X)
    If ($Update.IsDownloaded) {
        $Null = $UpdatesToInstall.Add($Update)
    }
}

# Install() throws on an empty collection, so only run it when something is staged
If (($Install.ToUpper() -eq "Y" -or $Install.ToUpper() -eq "YES") -and $UpdatesToInstall.Count -gt 0){
    Write-Host("")
    Write-Host("Installing Updates...") -Fore Green

    $Installer = $UpdateSession.CreateUpdateInstaller()
    $Installer.Updates = $UpdatesToInstall

    $InstallationResult = $Installer.Install()

    # One line per update with its OperationResultCode (2 = Succeeded)
    $ResultsBody = "List of Updates Installed with Results:"
    For ($X = 0; $X -lt $UpdatesToInstall.Count; $X++){
        $ResultsBody = $ResultsBody + "`r`n" + $UpdatesToInstall.Item($X).Title + ": " + $InstallationResult.GetUpdateResult($X).ResultCode
    }

    # IInstallationResult.RebootRequired tells us whether a restart is pending
    If ($InstallationResult.RebootRequired -eq $True){
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -Subject "Server has installed updates that require a reboot" -Body $ResultsBody
    } else {
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -Subject "Server has installed updates that do not require a reboot" -Body $ResultsBody
    }
}

NOTE:
You can use the original script linked and modify that to do the detect and download as well, in which case it would probably be best to disable the Configure Automatic Updates policy.

Addendum:
There's a Windows Update PowerShell Module in the Microsoft Script Center that provides the functionality needed to write your own Windows Update scripts easily. In fact, there are many good resources (at the time of this writing) on the first page of google for the search: powershell windows update

austinian
  • Thank you, I'm still new to scripts (beyond installing printers and mapping drives), so I will have a play around with this. If I am reading this right, the only changes that I have to make are the email addresses? – Mickycampbell Aug 20 '15 at 23:07
  • If that's the only change you want to make, sure! I tried to make it so that it was as plug and play as possible. You could also gather the hostname (server that the script runs on) as a variable to put into the subject, for environments where there's more than one server, so you know which server installed which updates and the results of the installations. This doesn't have to be run on a server, you can of course test it on a workstation that has pending updates as well, just to see how it will work. – austinian Aug 21 '15 at 04:37
  • Yeah, I had started to play around with the subject line, added %computername% and %userdomain% (I look after multiple clients, so this is necessary). I have a lab environment with several VMs I am testing this out on before I move it to production. – Mickycampbell Aug 21 '15 at 05:40
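The following is an added example, not the answer's script and not Gregory Strike's original, of the scheduled-task approach described above: it installs only the updates that Automatic Updates has already downloaded, records the per-update result and the pending-reboot state to a local log, and mails a report whose subject carries the hostname (the point raised in the comments). The SMTP relay, the addresses and the log path are placeholders, and the script assumes PowerShell 2.0 or later (Send-MailMessage) and that it runs under an account allowed to call the Windows Update Agent, such as SYSTEM from a scheduled task.

```powershell
# Install-PendingUpdates.ps1 (added example; placeholders for relay, addresses and log path)
param(
    [string]$SmtpServer = 'smtp.example.com',   # placeholder mail relay
    [string]$From       = 'server@example.com',
    [string]$To         = 'admin@example.com',
    [string]$LogPath    = "$env:ProgramData\WindowsUpdateReport.log"
)

$ErrorActionPreference = 'Stop'
# Under SYSTEM there is usually no USERDNSDOMAIN, so TrimEnd leaves just the short name
$Computer = "$env:COMPUTERNAME.$env:USERDNSDOMAIN".TrimEnd('.')

function Write-Report {
    param([string]$Message)
    $Line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $Line
}

# With the GPO set to "auto download and notify for install", the updates are staged
# on disk but not installed; this script installs exactly those staged updates.
$Session  = New-Object -ComObject Microsoft.Update.Session
$Searcher = $Session.CreateUpdateSearcher()
$Result   = $Searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

$ToInstall = New-Object -ComObject Microsoft.Update.UpdateColl
foreach ($Update in $Result.Updates) {
    if ($Update.IsDownloaded) {
        # Install() refuses an update whose EULA has not been accepted
        if (-not $Update.EulaAccepted) { $Update.AcceptEula() }
        $null = $ToInstall.Add($Update)
    }
}

# Install() throws on an empty collection, so report and stop when nothing is staged
if ($ToInstall.Count -eq 0) {
    Write-Report "No downloaded updates pending on $Computer"
    return
}

$Installer = $Session.CreateUpdateInstaller()
$Installer.Updates = $ToInstall
$InstallResult = $Installer.Install()

# One line per update; OperationResultCode 2 = Succeeded, 4 = Failed, 5 = Aborted
$Lines = for ($i = 0; $i -lt $ToInstall.Count; $i++) {
    $Code = $InstallResult.GetUpdateResult($i).ResultCode
    "{0}: {1}" -f $ToInstall.Item($i).Title, $Code
}
$Body = $Lines -join "`r`n"

# Check both this run's result and the system-wide pending-reboot flag,
# because an earlier install may already have left a restart pending
$RebootNeeded = $InstallResult.RebootRequired -or
    (New-Object -ComObject Microsoft.Update.SystemInfo).RebootRequired

$Subject = if ($RebootNeeded) {
    "[$Computer] updates installed - reboot required"
} else {
    "[$Computer] updates installed - no reboot required"
}

Write-Report "$Subject`r`n$Body"
Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -Subject $Subject -Body $Body
```

To run it unattended, register it once per server with schtasks.exe (the task name and path here are assumptions), for example `schtasks /Create /TN "Install-PendingUpdates" /TR "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File C:\Scripts\Install-PendingUpdates.ps1" /SC WEEKLY /D SAT /ST 02:00 /RU SYSTEM`. Because the GPO only downloads and the script only installs, the reboot timer is never started by Automatic Updates; the restart happens when you act on the report, so the local log gives you a second record of what was installed even if the mail relay is down.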