WSUS AutoMan

One of the great shortcomings of Windows Server Update Services (WSUS) is its need for regular attention. A few features, like automatic approvals, can be set up in rules, but several other regular items have to be attended to manually. WSUS AutoMan is a PowerShell script intended to be run as a scheduled task on a regular basis (suggested nightly).

WSUS AutoMan is written with the assumption that the basic configuration of WSUS is identical to that used in the WSUS ABC Core setup for group assignments. If groups with different names or meanings are used to set up WSUS, then WSUS AutoMan will need to be modified accordingly.

BASIC CONFIGURATION

Configuration of WSUS AutoMan is done at the top of the script between the “BEGIN CONFIG” and “END CONFIG” remarks. The values to set are as follows:

  • $WSUSServer = the name of the WSUS server
  • $WSUSServerPort = the port WSUS is set to run on (default=8530)
  • $MaxUpdateAge = value in days. The number of days an update will remain in the WSUS database. This value allows grooming of old updates to maintain a healthy database size. Be wary of setting this value too low, because a computer introduced into the environment may need updates older than the oldest update left in the database.
  • $DeadlineDay = updates approved with the $ApproveUpdates setting will have a deadline set for installation. $DeadlineDay is a numerical representation of the deadline day, 1=Monday…7=Sunday. * This setting only applies if using deadline config files.
  • $DeadlineHour = updates approved with the $ApproveUpdates setting will have a deadline set for installation. $DeadlineHour is a numerical representation of the deadline hour based on a 24-hour clock. * This setting only applies if using deadline config files.

ADVANCED CONFIGURATION (with config files)

Configuration files are purely optional but will greatly aid maintenance by automating approvals, deadlines and declines. Configuration files use one-line entries; each line is one search criterion. For example, if a line has the word “Security” then every update with the word “Security” in it will be affected. Example configuration files are included in the download.

There are three types of configuration files, starting with DECLINE.txt. This file will decline any update that matches its search criteria. Declinations apply across all computer groups in WSUS.

The second type of configuration file is the approval file. Approval files approve any update specified by search criteria for the WSUS computer group specified in the file name. File names for approval files take this form:

APPROVE-(group name).txt    Example: APPROVE-SERVERS.txt

The third type of configuration file is the deadline file. Deadline files work like approval files but also apply the deadline specified with the $DeadlineDay and $DeadlineHour settings at the top of the WSUSAutoMan script. File names for deadline files take this form:

DEADLINE-(group name).txt   Example: DEADLINE-WORKSTATIONS.txt
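
Because one broad criterion such as “Security” can match far more than intended, it helps to preview what a set of config files would touch before the scheduled task acts on them. The following dry run is an added example, not part of the WSUS AutoMan script: it never contacts WSUS, the file contents and update titles are constructed samples, and it assumes a criterion matches when it appears anywhere in the update title (case-insensitive) and that the deadline is the next occurrence of the configured day and hour.

```powershell
# Added example: dry-run preview of WSUS AutoMan-style config files (no WSUS connection).
$DeadlineDay  = 5    # 1=Monday ... 7=Sunday
$DeadlineHour = 22   # 24-hour clock

# Constructed sample config files, written to a temporary folder
$cfgDir = Join-Path ([IO.Path]::GetTempPath()) ("automan-preview-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $cfgDir | Out-Null
Set-Content (Join-Path $cfgDir 'DECLINE.txt')               @('Itanium', 'Preview')
Set-Content (Join-Path $cfgDir 'APPROVE-SERVERS.txt')       @('Security')
Set-Content (Join-Path $cfgDir 'DEADLINE-WORKSTATIONS.txt') @('Security', 'Defender')

# Constructed update titles (placeholder KB numbers, not real articles)
$titles = @(
    'Security Update for Example Server OS (KB0000001)'
    'Preview of Quality Rollup for Example Client OS (KB0000002)'
    'Definition Update for Example Defender (KB0000003)'
    'Security Update for Example Server OS for Itanium-based Systems (KB0000004)'
)

function Get-NextDeadline([int]$Day, [int]$Hour, [datetime]$From = (Get-Date)) {
    # Assumption: deadline = next occurrence of the configured day and hour.
    $target = $Day % 7                                   # .NET DayOfWeek: 0=Sunday..6=Saturday
    $offset = (($target - [int]$From.DayOfWeek) + 7) % 7
    $deadline = $From.Date.AddDays($offset).AddHours($Hour)
    if ($deadline -le $From) { $deadline = $deadline.AddDays(7) }
    return $deadline
}

$plan = foreach ($file in Get-ChildItem -Path $cfgDir -Filter '*.txt') {
    if ($file.BaseName -notmatch '^(?:(?<action>DECLINE)|(?<action>APPROVE|DEADLINE)-(?<group>.+))$') {
        Write-Warning "Ignoring unrecognised config file $($file.Name)"; continue
    }
    $action = $Matches['action'].ToUpper()
    $group  = if ($action -eq 'DECLINE') { 'All groups' } else { $Matches['group'] }
    # Skip blank lines: an empty criterion would match every update
    $criteria = Get-Content $file.FullName | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($c in $criteria) {
        foreach ($t in $titles | Where-Object { $_.IndexOf($c, [StringComparison]::OrdinalIgnoreCase) -ge 0 }) {
            [pscustomobject]@{ Action = $action; Group = $group; Criterion = $c; Title = $t }
        }
    }
}
$plan | Sort-Object Title, Action | Format-Table -AutoSize

# Flag titles that match DECLINE.txt and an approval/deadline file at the same time
$plan | Group-Object Title | Where-Object {
    $a = @($_.Group.Action); ($a -contains 'DECLINE') -and ($a -ne 'DECLINE')
} | ForEach-Object { Write-Warning "Declined and approved by different files: $($_.Name)" }
"Deadline for DEADLINE-* approvals: $(Get-NextDeadline $DeadlineDay $DeadlineHour)"
Remove-Item -Recurse -Force $cfgDir
```

In this sample the Itanium title is matched by both “Security” and “Itanium”, so it is flagged for review; tightening the criterion wording in the files removes the overlap.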

Once updates have been automatically approved and automatically declined per the configuration, WSUS AutoMan will do the most neglected part of any WSUS installation: it will run maintenance. By default WSUS AutoMan will remove obsolete computers that have not communicated with WSUS in 30 days, decline expired updates, decline superseded updates, delete obsolete updates, compress updates (if they are downloaded) and remove unneeded content files.

Please remember that while WSUS AutoMan does a lot of the work in a WSUS implementation, this does not mean you should ignore WSUS. You should still check the WSUS server for new products, approve updates, etc.

NOTE: WSUS AutoMan can run for quite some time, especially in a large or complex environment. The first run of WSUS AutoMan may take hours while it sorts through and cleans the database of unneeded entries. To speed this up (and everything else WSUS does), consider running the WSUS Database Tune-Up first. Once WSUS AutoMan has been set up as a scheduled task, you will want to run WSUS Database Tune-Up afterwards to re-index the database after WSUS AutoMan has made its data changes.

DOWNLOAD WSUS AUTOMAN

-fin