Using PowerShell with SCCM Pending Updates

We’ve been deploying Microsoft updates with System Center Configuration Manager for a few months now. Each month we get a little better at the process and trust the system more. After approving each month’s patches, I kept finding myself logging into my servers to see if they had pending updates ready to be deployed at the next maintenance window. Logging into each server doesn’t scale, so I needed to find a way to automate the process using PowerShell.

After using a search engine I was able to find the correct WMI class that I could use to query for SCCM client software updates.

Once I had the proper namespace and class, I wrapped a function around it to get the information I need along with a simplified summary output.

Full Output (Default)

Summary Output

If I find that the computer I’m working on still doesn’t have the updates that I approved, I give it a good kick with the following three client actions from the same CMClient module:

Try it out for yourself.

Test-ADUser

Have you ever wanted to know if a user was valid, disabled, or expired? I created a tool to validate a username against Active Directory called Test-ADUser.

Example 1: Valid User Output

Example 2: An Expired User

Example 3:
Test-ADUser -username disableduser

Example 4:
Test-ADUser -username invaliduser

Get your copy today at the PowerShell gallery (Install-Module MrAADAdministration).

PowerShell and SCCM Client Actions

If you work with System Center Configuration Manager (SCCM) you will be familiar with the number of client actions that you can execute. Some of these actions are used more often than others, and learning what each of them does is for another blog post.

In our quest to roll out automated patching with SCCM we found that we often needed to run these various actions to get the SCCM client to check back in for new policy and check for pending updates. After logging into a handful of computers to open the Configuration Manager client applet from Control Panel to perform a Machine Policy Retrieval and Evaluation Cycle, I had to stop myself and find a faster way.

“What if I could use PowerShell to do this for me?”

I started like I normally do trying to find a SCCM client module with built-in cmdlets, but that path led to futility. Thankfully I found @adbertram wrote a PowerShell module that could execute the proper WMI method for the client actions. I immediately downloaded the code and started to try it out. I found one problem: the functions only accepted a single computer name at a time. I asked Adam about it. He told me to go ahead and update the code, and do a pull request on Git. I said I’d be glad to, pretending I knew how to do any of that Git stuff. After updating the code and performing my first Git pull request, we now have a SCCM client module for invoking client actions on multiple computers.

Let me show you a few examples:

Check out the CMClient module on GitHub and the PowerShell Gallery (Install-Module CMClient).

Send your positive feedback to me and your bugs and complaints to Adam.

Get-WindowsUpdatePolicy

I’ve been working on a project to roll out automated patching to the servers in our environment. We have been using a combination of group policy and WSUS, which is a great solution, but it doesn’t allow for multiple maintenance windows. Since we are primarily a Windows shop we chose to use System Center Configuration Manager (SCCM) as our solution. If you’ve worked with SCCM you know that “it’s a full time job.” So over the last few months we’ve been carving off some servers from our WSUS and moving them to SCCM for patching. During the changeover we needed to verify if the server was actually talking to SCCM instead of our existing WSUS infrastructure. For the first few servers I logged on and launched regedit.exe to look at the policy key HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate. After doing this two (too many) times I realized this wasn’t going to scale. I put together a PowerShell script to read the registry keys we needed from one or more remote servers.

Introducing Get-WindowsUpdatePolicy

Now with a quick command I can see what WSUS server a computer is configured to use. Try it out, and let me know if you find it to be useful.
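
The check described above, as an added example (this is not the author's Get-WindowsUpdatePolicy, whose code does not appear on this page): it reads the policy key HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate on one or more servers and reports which update server each one is pointed at. The function name `Get-WUPolicySource`, the `-ExpectedServer` parameter and the host names in the usage comment are assumptions, and remote targets are assumed to have PowerShell remoting enabled.

```powershell
# Added example: hypothetical helper, not the Get-WindowsUpdatePolicy function from the post.
function Get-WUPolicySource {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)]
        [string[]]$ComputerName = $env:COMPUTERNAME,

        # Host name of the update server you expect (for example the new SCCM one).
        [string]$ExpectedServer
    )
    begin {
        # Executed on each target: read the policy key named in the post and its AU subkey.
        $read = {
            param($Expected)
            $key = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
            $wu  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $au  = Get-ItemProperty -Path "$key\AU" -ErrorAction SilentlyContinue
            $uri = $wu.WUServer -as [uri]   # stays $null when no server is configured
            [pscustomobject]@{
                ComputerName    = $env:COMPUTERNAME
                PolicyKeyFound  = Test-Path -Path $key
                WUServer        = $wu.WUServer
                WUStatusServer  = $wu.WUStatusServer
                UseWUServer     = $au.UseWUServer          # 1 = use the server above
                UsesHttps       = $uri.Scheme -eq 'https'  # False for http or no server
                MatchesExpected = if ($Expected) { $uri.Host -eq $Expected } else { $null }
            }
        }
    }
    process {
        foreach ($computer in $ComputerName) {
            try {
                if ($computer -in $env:COMPUTERNAME, 'localhost', '.') {
                    & $read $ExpectedServer        # local machine: no remoting needed
                }
                else {
                    Invoke-Command -ComputerName $computer -ScriptBlock $read `
                        -ArgumentList $ExpectedServer -ErrorAction Stop |
                        Select-Object -Property * -ExcludeProperty PSComputerName, RunspaceId, PSShowComputerName
                }
            }
            catch {
                # Unreachable hosts are reported and skipped so the rest still get checked.
                Write-Warning "Could not read Windows Update policy from ${computer}: $_"
            }
        }
    }
}
# Usage (constructed host names):
# 'server01', 'server02' | Get-WUPolicySource -ExpectedServer 'sup01.example.test' | Format-Table
```

A row where `MatchesExpected` is False is a server still pointed at the old update source, and `UsesHttps` shows whether the configured update server URL uses TLS.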