0

Part of the configuration is to run all the Windows Updates. I am trying to figure out how to express it with PowerShell DSC. It seems the best option is to ensure that Windows updates are scheduled regularly.

I found the xWindowsUpdateAgent DSC resource, but it does not allow specifying the schedule itself, only ensuring that the updates are scheduled.

So, is it possible to ensure a concrete Windows Update schedule?

mark
  • I'm quite sure that you can easily achieve the same by setting up the required registries, though I don't have any experience of DSC! – Am_I_Helpful May 02 '18 at 17:35

1 Answer

0

xWindowsUpdateAgent is from the xWindowsUpdate DSC module. The resources can be used as part of a solution to a strictly defined schedule, but it's not complete by itself.

You can configure the machine in two ways:

  1. Use xWindowsUpdateAgent to set the category, and source of updates. Using ScheduledInstallation will rely on the local Windows Update schedule to download and install updates.

  2. Use DSC’s remediation schedule to drive update installs (exclusively or in addition to the Windows Update agent’s schedule).
    This requires using UpdateNow in your xWindowsUpdateAgent configuration, and setting the Local Configuration Manager’s Configuration Mode to ApplyAndAutoCorrect.
    Updates will be checked for and installed based on the ConfigurationModeFrequencyMins.
    You will also need to decide a reboot strategy for the updates, using either RebootIfNeeded or the machine’s reboot cycle for updating.

To achieve an absolute schedule, you could create a scheduled task to Start-DSCConfiguration on a configuration based on the second option above with UpdateNow.

This isn't the most straightforward approach, and would reevaluate any other settings in your configuration as well on the same schedule.

You could also use a scheduled task more directly to simply automate calls to the Windows Update Agent itself on a schedule (wuauclt.exe /updatenow), bypassing DSC. Creating a task like this is certainly doable with DSC, but I don't know of any existing resource that does it all in one. You'd need to write your own.

Matthew Wetmore
  • The readme for xWindowsUpdate module will be updated shortly at the git repository. – Matthew Wetmore May 17 '18 at 21:35
  • But it does not allow me to specify the schedule, does it? – mark May 18 '18 at 00:44
  • You're right. I focused in on the capabilities of the module once I ran into documentation errors. I updated my answer. Short version - you could add more code to get the job done partially using the module, but it's not a super natural fit. There are more direct ways to do it. DSC itself isn't a perfect fit for doing a singular task on a rigid schedule, and this module doesn't cover all the configuration needed to create a strictly scheduled task for that singular purpose. – Matthew Wetmore May 18 '18 at 15:17
  • Would you be able to suggest how to enforce a certain windows updates schedule with DSC? Also, could you explain why you think it is not a good fit for DSC? – mark May 18 '18 at 17:42
  • DSC itself normally runs on an interval, rather than a strict schedule. You could certainly create a scheduled task to drive DSC via `Start-DSCConfiguration` - but if you're going that route, you can just easily use DSC to create a scheduled task that drives the windows update agent directly. Normally you wouldn't have a configuration that does a singular task, either. Make sense? – Matthew Wetmore May 19 '18 at 01:57
  • I do not want DSC to run at a schedule. I need to ensure the Windows Updates are configured to run at a schedule. So, I am perfectly fine for DSC to check every 30 minutes that the Windows Update schedule is as specified in the configuration. – mark May 19 '18 at 03:12
  • You're right. We should probably start the answer over entirely, acknowledging xWindowsUpdate isn't going to be your solution (as you said in your question), and focus more on creating a configuration that uses a scheduled task to directly drive the Windows Update Agent. There is another answer about creating a scheduled task to run a script. That script could then call `wuauclt.exe /updatenow`. See: https://stackoverflow.com/questions/23175379/powershell-dsc-can-someone-please-provide-me-an-example-on-how-to-use-a-resourc – Matthew Wetmore May 19 '18 at 03:20
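
An added example, not code from any poster in this thread: one way to combine the registry suggestion from the first comment with the LCM settings named in the answer (ApplyAndAutoCorrect, ConfigurationModeFrequencyMins), so that DSC re-checks every 30 minutes that the Windows Update schedule is as configured. It assumes the Automatic Updates policy values under `Policies\Microsoft\Windows\WindowsUpdate\AU` and the built-in `Registry` resource; the configuration names, the day and the hour are constructed sample values.

```powershell
# Added example. Configuration names and schedule values are assumptions.
[DSCLocalConfigurationManager()]
configuration LcmAutoCorrect
{
    Node 'localhost'
    {
        Settings
        {
            RefreshMode                    = 'Push'
            ConfigurationMode              = 'ApplyAndAutoCorrect'  # re-apply when drift is found
            ConfigurationModeFrequencyMins = 30                     # consistency-check interval
            RebootNodeIfNeeded             = $false                 # leave reboots to the machine's own cycle
        }
    }
}

configuration WindowsUpdateSchedule
{
    param(
        [ValidateRange(0, 7)]  [int] $InstallDay  = 1,  # 0 = every day, 1 = Sunday ... 7 = Saturday
        [ValidateRange(0, 23)] [int] $InstallHour = 3   # hour of day, local time
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    $auKey  = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $policy = [ordered]@{
        NoAutoUpdate         = 0             # automatic updates enabled
        AUOptions            = 4             # download automatically, install on schedule
        ScheduledInstallDay  = $InstallDay
        ScheduledInstallTime = $InstallHour
    }

    Node 'localhost'
    {
        foreach ($name in $policy.Keys)
        {
            Registry "WU_$name"              # one resource per policy value
            {
                Ensure = 'Present'; Key = $auKey; ValueName = $name
                ValueType = 'Dword'; ValueData = [string]$policy[$name]; Force = $true
            }
        }
    }
}

# Compile both configurations, then apply the LCM settings and the schedule.
LcmAutoCorrect -OutputPath .\LcmAutoCorrect
WindowsUpdateSchedule -OutputPath .\WindowsUpdateSchedule -InstallDay 1 -InstallHour 3
Set-DscLocalConfigurationManager -Path .\LcmAutoCorrect -Verbose
Start-DscConfiguration -Path .\WindowsUpdateSchedule -Wait -Verbose
```

Running `Test-DscConfiguration -Detailed` afterwards lists any of the four values that have drifted from the configured schedule.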