WSUS is one of the more divisive topics that I see routinely brought up among IT folks. Some people love it and swear by it. Others have a deep loathing for the updating solution and either begrudgingly use it or look for alternatives to replace it. Personally, I fall somewhere in the middle. It does what it's supposed to do for the most part, but I also feel like it could do it so much better. So instead of going into who's right and who's wrong (though I'm definitely right), let's instead find out how PDQ Inventory and PDQ Deploy can take away some of the pain points of using WSUS and make all our techy lives that much sweeter.
What Is WSUS
WSUS (Windows Server Update Services) is Microsoft's solution for managing and distributing Microsoft product updates. WSUS has been around for years, allowing sysadmins to patch their environments from a centralized system. Despite its longevity, one of the complaints often brought up against WSUS is its lack of innovation over the years. While there have been minor changes and improvements here and there, I think Microsoft's philosophy with WSUS is, "if it's not broken, don't improve it."
Administrators configure WSUS to download updates for the Microsoft operating systems and products they support in their environments. The core WSUS workflow is essentially approving or denying updates for specific computer groups. Client workstations will eventually detect, download, and install approved updates (eventually being the keyword). Most client/server interactions can be configured using group policy, which does provide an okay level of granularity but doesn't offer complete control over the installation process.
I like to compare WSUS to my kids. If I ask my kids to clean their rooms, I know it'll get done; I just don't know if it'll get down today, tomorrow, or a week from now. Similarly, I know WSUS will eventually get those approved updates pushed out; I just don't know exactly when. Sure, I can configure an aggressive detection frequency and installation schedule, but that can get pretty taxing and inconvenient for clients.
For most updates, this behavior is acceptable. In fact, installing non-critical updates a week or two after coming out is pretty standard practice. You don't want to be Microsoft's guinea pig after all. However, when a critical update needs to be pushed out to your environment immediately, many users will find WSUS inadequate and not the right tool for the job.
The Right Tools For The Job
Instead of struggling with WSUS when you need to get those critical updates pushed out, we can use PDQ Inventory and PDQ Deploy to ensure the job gets done immediately. PDQ Inventory specializes in collecting information from the computers in your environment. We can also use it to scan for available Windows updates from WSUS, allowing us to use that data to build reports and dynamic collections. With PDQ Deploy, we can create packages for Windows updates and push them out to our entire environment in minutes.
If you don't already have PDQ Inventory and PDQ Deploy and you want to follow along with this guide, we've got you covered. You can download a free 14-day trial of Inventory and Deploy to try it out for yourself.
Using A PowerShell Scanner To Check For Available WSUS Updates
The first thing we'll want to do is to scan our computers to see what updates they have available to them from WSUS. We can accomplish this with a PowerShell scanner. If you haven't already checked out our PowerShell Scanner repository on GitHub, I highly recommend it. It has tons of great PowerShell scanners that add to the already fantastic functionality of PDQ Inventory. Make sure to look over the README file, which will guide you through using Git to clone the GitHub repository.
If you choose to clone the repository with Git, the PowerShell scanner you'll want to use is the scanner called Get Available Windows Updates. You'll also need to modify one line of the PowerShell script because, in its current form, it checks online for available windows updates instead of WSUS.
Change line 5 from:
After making that change, the only thing you need to do is import the XML file into PDQ Inventory.
In PDQ Inventory, click File > Import
Browse to the Get Available Windows Update folder and select the Scan Profile.xml file and click Open
You'll receive a message letting you know the import completed, after which you should find your new scan profile in the Scan Profiles window.
If GitHub isn't your thing, I'll guide you through creating this PowerShell scanner from scratch. Here is the code you'll need for the scanner. You can either copy it and save it as a PowerShell file and point to it from the PowerShell scanner or paste the code directly into the PowerShell scanner.
You'll notice that a lot of the properties in this script are commented out. This object returns quite a few properties, many of which are probably useless to most people. Feel free to uncomment any property you want to include in your results. Just make sure to uncomment it from the top section as well as the null section.
To create the PowerShell scanner in PDQ Inventory:
Click Scan Profiles
Give the scan profile a name
Click Add > PowerShell
Provide a scanner name (it can be given the same name as the scan profile)
If you saved the script to a .ps1 file, use the ellipsis button to point to the file. Otherwise, select Script and paste the script into the given field
If you want to have this scanner run on a schedule, click the Triggers tab. Otherwise, click OK to close the Scan Profile
With the scan profile created, we can now run it against computers. If some computers in your environment use WSUS and some use Microsoft online for updates, you'll want to create a collection for just the computers using WSUS to target.
To run the scan profile against all computers in PDQ Inventory:
Right-click on All Computers
Click Scan Collection > (Your Scan Profile Name)
You'll see the scan status of your computers change to indicate that the scan has started
Once the scan is complete, double-click on a computer to open the computer details window
Click the PowerShell menu option
Change the drop-down menu to the correct PowerShell scanner
You should now be able to see the results of the scan
With all this information now in Inventory, not only is it easier to review and digest than WSUS, but we can also use it to build collections and reports.
Build Dynamic Collections From PowerShell Scanner Data
If you have an update that needs to get pushed out immediately, the first step is to identify the computers that need the update installed. We can accomplish this pretty easily by building a dynamic collection of computers that require the update. One thing to note is that you need to ensure you are only grouping computers with the same OS versions. Otherwise, you may deploy an incorrect update to a computer which will fail.
In PDQ Inventory, click New Dynamic Collection
Give the collection a name
Change the first filter to the name of the WSUS PowerShell scanner
For the Column, select KB
Choose Contains for the comparison
Enter the KB number into the value field
Add a new filter by clicking the Add Value Filter button
For the filter choose Computer
For the column, choose SP / Release
In the comparison column, select Equals
In the value, enter the OS version you are targeting
Click OK to finish making the collection
Once you've finished, the collection should look similar to this.
The collection should automatically populate with the computers that meet the criteria. In my case, it should populate with computers that need KB4577586 installed and are on version 2004. Of course, you can further filter out information as you need, such as architecture, but this is all I need for my environment.
Building Reports From Dynamic Collections
One of the best things about dynamic collections is that you can use them to easily build reports.
In PDQ Inventory, right-click on the dynamic collection you just created
Click New > Report From Collection
The Report Builder window should open
By default, the filters from the dynamic collection are already added. You can customize the report further, or you can add additional Columns to the report to include more information
When you are finished, click Save and Run Report
Deploying Updates Using PDQ Deploy
Okay, we've got our data and our dynamic collection; now it's time to get the update deployed. The easiest way to obtain the update is to download it from the Microsoft Update Catalog. Enter the KB number you need, and you'll be given a list of updates to download with that KB number for different operating systems. Make sure you download the correct update for the operating system you are targeting. In my case, I'm looking for KB4577586 for Win 10 x64 version 2004.
This particular update says it's available for version 1903 and later. Click the download button to download the update and save it to your PDQ Deploy repository.
With the update downloaded, open PDQ Deploy and we'll go through building a custom package.
Click New Package
Give the package a name
Click New Step > Install
Point the update file by clicking the ellipsis button
Click Save to finish building the package
With our package built, it's just a matter of deploying it out to the dynamic collection we created earlier.
Select the package you just created
Select Deploy > Depoy Once
Click Choose Targets > PDQ Inventory > Collection
Select the collection we created earlier.
If everything looks okay, click Deploy Now
Congratulations, you've successfully deployed that critical Windows update to your systems and didn't have to wait around for WSUS to do it! If you want to make sure everything deployed correctly, you can scan your systems with the PowerShell scanner again, which will re-check to see which updates are available. When the scan completes, the computers in the dynamic collections should automatically be removed from the collection.
As I mentioned earlier, WSUS is pretty good at making sure your systems are up to date. However, it does have a few shortcomings, especially when it comes to getting an update pushed out immediately. With PDQ Inventory and PDQ Deploy, you'll never have to worry about sitting around for hours waiting for an update to get installed, it'll be installed exactly when you want it to be installed. Now, if I could just find a tool that would get my kids to clean their rooms when I ask them to clean their rooms.
Born in the '80s and raised by his NES, Brock quickly fell in love with everything tech. With over 15 years of IT experience, Brock now enjoys the life of luxury as a renowned tech blogger and receiver of many Dundie Awards. In his free time, Brock enjoys adventuring with his wife, kids, and dogs, while dreaming of retirement.