I previously detailed steps to automate approved updates from a WSUS server with WUInstall (https://deangrant.wordpress.com/2013/09/24/patch-management-with-windows-update-server-and-wuinstall/) which focused on installing updates on Amazon Web Services EC2 instances.
I have recently modified the process to take into account VM guests in a vSphere environment, using the same process of client-side targeting and executing WuInstall on the remote machine, with the following additional requirements:
- Create a snapshot of the guest VM specified in the collection and add the name ‘Windows Update on ddMMyyyyHHmm’.
- Once the snapshot is completed, invoke WuInstall to install the approved updates.
In order to target the guest VMs on which I wish to install the approved updates, I am using custom attributes to determine the environment and whether updates are enabled, as below:
Name | Value
Environment | DEV, TST, PRE or PRD
Windows Update | Yes or No
As the script will target guest VMs in a number of environments, the script defines a mandatory parameter for an expected Environment value.
Param ([Parameter(Mandatory=$true)][string] $Environment)
In order to invoke the script there is a dependency on the VMware vSphere PowerCLI snap-in (https://www.vmware.com/support/developer/PowerCLI/), which must be imported into the current PowerShell session.
If (-not (Get-PSSnapin VMware.VimAutomation.Core -ErrorAction SilentlyContinue)) { Add-PSSnapin VMware.VimAutomation.Core > $null }
I will also generate a date string to be used in the snapshot name.
$Date = (get-date).toString('ddMMyyyyHHmm')
Now, we will establish a connection to the vCenter server.
Connect-VIServer <server name or ip address> > $null
We will now be required to filter the guest VMs where the custom attribute ‘Environment’ is equal to the mandatory parameter specified.
$VMs = Get-VM | Get-Annotation -CustomAttribute "Environment" | Where-Object {$_.Value -eq $Environment}
For each guest VM that is returned in the collection we will compare the ‘WindowsUpdate’ custom attribute and, if this is equal to ‘Yes’, create a snapshot of the guest VM with the name ‘Windows Update on ddMMyyyyHHmm’ and invoke WuInstall to install the approved updates.
ForEach ($VM in $VMs)
{
    # Only guests whose 'WindowsUpdate' custom attribute is 'Yes' are patched
    $WindowsUpdate = Get-VM $VM.AnnotatedEntity.Name | Get-Annotation -CustomAttribute "WindowsUpdate" | Where-Object {$_.Value -eq "Yes"}
    If ($WindowsUpdate.Value -eq "Yes")
    {
        # Take the snapshot before any update is installed
        New-Snapshot -VM $VM.AnnotatedEntity.Name -Name ("Windows Update on " + $Date)
        $Hostname = $VM.AnnotatedEntity.Name
        # PsExec copies WUInstall.exe to the guest (-c -f) and runs it as SYSTEM (-s)
        $Command = "& 'C:\Program Files (x86)\SysinternalSuite\PsExec.exe' \\$Hostname -c -f -s \\<Server>\<Share>\Tools\WUInstall.exe /install /autoaccepteula /reboot_if_needed /logfile \\<Server>\<Share>\Logs\WUInstall_$Hostname.log"
        Invoke-Expression $Command
    }
}
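An added example, not part of the original script: the same target selection run against constructed annotation objects, with the Environment value restricted to the four values in the table above and each VM name checked before it is placed on the PsExec command line. The functions Select-UpdateTarget, Get-WuInstallArgument and New-SampleAnnotation, the 15-character host name pattern and the sample VM names are assumptions made for this example; it needs PowerShell 3.0 or later.

```powershell
# Added example. Function names, sample VMs and the host name pattern are assumptions.
function Select-UpdateTarget {
    param(
        # Accept only the Environment values used by the custom attribute
        [Parameter(Mandatory=$true)][ValidateSet('DEV','TST','PRE','PRD')][string] $Environment,
        # Output of Get-VM | Get-Annotation (objects with AnnotatedEntity, Name, Value)
        [Parameter(Mandatory=$true)][object[]] $Annotation
    )
    $Annotation | Group-Object { $_.AnnotatedEntity.Name } | ForEach-Object {
        # Collect this VM's attributes so both are checked on the same guest
        $Attr = @{}
        ForEach ($Item in $_.Group) { $Attr[$Item.Name] = $Item.Value }
        If ($Attr['Environment'] -ne $Environment -or $Attr['WindowsUpdate'] -ne 'Yes') { return }
        # The VM name becomes \\<name> for PsExec, so accept only a plain host label
        If ($_.Name -notmatch '^[A-Za-z0-9]([A-Za-z0-9-]{0,13}[A-Za-z0-9])?$') {
            Write-Warning "Skipping '$($_.Name)': VM name is not a usable host name"
            return
        }
        $_.Name
    }
}

function Get-WuInstallArgument {
    param([Parameter(Mandatory=$true)][string] $Hostname)
    # An argument array reaches PsExec as-is; nothing is re-parsed as PowerShell
    @("\\$Hostname", '-c', '-f', '-s', '\\<Server>\<Share>\Tools\WUInstall.exe',
      '/install', '/autoaccepteula', '/reboot_if_needed',
      '/logfile', "\\<Server>\<Share>\Logs\WUInstall_$Hostname.log")
}

# Constructed sample data standing in for vCenter annotations
function New-SampleAnnotation($VM, $Name, $Value) {
    [pscustomobject]@{ AnnotatedEntity = [pscustomobject]@{ Name = $VM }; Name = $Name; Value = $Value }
}
$Sample = @(
    (New-SampleAnnotation 'DEVWEB01' 'Environment' 'DEV'), (New-SampleAnnotation 'DEVWEB01' 'WindowsUpdate' 'Yes'),
    (New-SampleAnnotation 'DEVSQL01' 'Environment' 'DEV'), (New-SampleAnnotation 'DEVSQL01' 'WindowsUpdate' 'No'),
    (New-SampleAnnotation 'PRDWEB01' 'Environment' 'PRD'), (New-SampleAnnotation 'PRDWEB01' 'WindowsUpdate' 'Yes'),
    (New-SampleAnnotation 'DEV Web 02 (clone)' 'Environment' 'DEV'), (New-SampleAnnotation 'DEV Web 02 (clone)' 'WindowsUpdate' 'Yes')
)

ForEach ($Hostname in (Select-UpdateTarget -Environment 'DEV' -Annotation $Sample)) {
    $PsExecArgs = Get-WuInstallArgument -Hostname $Hostname
    # The real call would be: & 'C:\Program Files (x86)\SysinternalSuite\PsExec.exe' @PsExecArgs
    "$Hostname -> $($PsExecArgs -join ' ')"
}
```

Against vCenter, the `-Annotation` argument would be the output of `Get-VM | Get-Annotation`.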
Once completed, the connection to the vCenter server will be terminated.
Disconnect-VIServer -Server <server name or ip address> -Confirm:$False
In order to invoke the script run the following:
./Invoke-WindowsUpdate.ps1 -Environment <Environment Attribute>
The user account invoking the script requires the ‘Virtual Machine Power Users’ role (which I created by cloning the built-in role) and local administrator privileges on each guest VM to install the approved updates.
The full Windows Powershell script can be downloaded from the below link: