Installing Pending updates through SCCM client using Powershell

This post is a part of my series on Patching SQL Server AG using SCCM and Powershell
Please read this post for the complete overview

To check if there are pending updates through the SCCM client using Powershell can be very straightforward by just using the get-WMIObject cmdlet:

#Getting Pending Updates through WMI


Get-WmiObject -Namespace "root\ccm\clientSDK" -Class CCM_SoftwareUpdate -ComputerName $Server | Where-Object { ($_.EvaluationState -like "*$($AppEvalState0)*" -or $_.EvaluationState -like "*$($AppEvalState1)*")}

We are only interested in Updates that are actually ready to install. These will have one of the following states:
ciJobStateNone ($AppEvalState0) or
ciJobStateAvailable ($AppEvalState1)

For a complete list of other states, see this page

But sometimes, the SCCM-admins approve stuff that needs a little bit more attention, that you – as a DBA- want to have more control of (think of CU’s for SQL Server or VMWareTools that can cause network connectivity issues during install – yes, this happenend to me) and you want to prevent that from installing automatically.

The Blacklist

If you want to prevent something from installing automatically try using some kind of Blacklist functionality. A place where you keep track of “forbidden” KBNumbers that cannot be installed unless you approve them.

To use this, all you have to do is filter the list of updates which is easy, because the WMI Call returns the pending updates including an ArticleID, which corresponds to the KB number (but without ‘KB’).

In the next example we get the contents of a .txt file (with a KBNumber per line) and then we filter the list.
we also want to send an email to the SCCM team to warn them when “blacklisted Articles” are found. We then continue getting the Pending Updates but without the blacklisted items:

$list= get-content 'c:\temp\Blacklist.txt'

#Get the list of KB numbers that are not allowed to be installed
$PendingBlacklistUpdates= (Get-WmiObject -Namespace "root\ccm\clientSDK" -Class CCM_SoftwareUpdate -ComputerName $Server | Where-Object { ($_.EvaluationState -like "*$($AppEvalState0)*" -or $_.EvaluationState -like "*$($AppEvalState1)*") -and ($_.ArticleID -in $list)})

   Write-warning "Blacklisted Updates ready to be installed found...Sending warning email to SCCM Team"  
   $subject='Blacklisted Updates found on server: ' + $server
   $sendFrom='emailadress here'
   $sendTo='emailaddress here'
   $smtpServer='smtpServer here'
   Send-MailMessage -From $sendFrom -To $sendTo -Subject  $subject -SmtpServer $smtpServer 

#Continue getting the updates but filter out the blacklist items
$PendingUpdateList = (Get-WmiObject -Namespace "root\ccm\clientSDK" -Class CCM_SoftwareUpdate -ComputerName $Server | Where-Object { ($_.EvaluationState -like "*$($AppEvalState0)*" -or $_.EvaluationState -like "*$($AppEvalState1)*") -and ($_.ArticleID -notin $list)})

Installing the updates

Now that we figured out how to get the updates we want we can now install them using the invoke-WMIMethod cmdlet:

Invoke-WmiMethod -ComputerName $Server -Class CCM_SoftwareUpdatesManager -Name InstallUpdates -ArgumentList (, $PendingUpdateList) -Namespace root\ccm\clientsdk | Out-Null

This will kick the SCCM client and the updates will be installed. During the installations you will have to wait for the intallations to finish:

#Invoking WMI method takes some time to kick in
    Start-Sleep -Seconds 60
    #Wait till all patches are installed
    $Result = $true
    while ($Result -eq $true) {
        $CCMUpdate = get-wmiobject -query "SELECT * FROM CCM_SoftwareUpdate" -namespace "ROOT\ccm\ClientSDK" -ComputerName $Server
        $Result = if (@($CCMUpdate | where-object { $_.EvaluationState -eq 2 -or $_.EvaluationState -eq 3 -or $_.EvaluationState -eq 4 -or $_.EvaluationState -eq 5 -or $_.EvaluationState -eq 6 -or $_.EvaluationState -eq 7 -or $_.EvaluationState -eq 11 }).length -ne 0) { $true } else { $false }  

I hope my guide on Installing Pending updates through SCCM client using Powershell was helpful—feel free to leave questions in the comments!

If the task still seems a bit daunting, book a call with Data Masterminds. We have the expertise to execute this and other SQL Server management and troubleshooting tasks to save you the headache.

Leave a Reply

Your email address will not be published. Required fields are marked *