Jörgen Nilsson 06 Oct 2022

Installing updates during OSD using PSWindowsUpdate

When we move workloads to Intune in a Co-Management scenario we lose some of the features we have been relying on and need to go back to basics. In this short post we install updates during OSD using the PSWindowsUpdate module, which works very well for this. Once the Windows Update workload has been moved to Intune and WSUS has been uninstalled, we need another way of installing updates during the task sequence. I did a lot of testing, and excluding drivers and all updates with "preview" in the title works really well.

Start by saving the PSWindowsUpdate module to a temporary directory on a computer. We download it so we can add it to the Configuration Manager package we use to install updates. Keep in mind that everything in that package runs as SYSTEM during the task sequence, so pin the module version you tested with and check the downloaded files before they go to the source share.

Save-Module PSWindowsUpdate -Path C:\Module

That will create a PSWindowsUpdate folder under C:\Module with the module files inside.
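Before the module goes into a package that runs as SYSTEM on every machine you deploy, it is worth pinning the version and verifying what actually came down from the PowerShell Gallery. The script below is an added example and is not part of the original post or the PSWindowsUpdate project; the version number 2.2.0.3 and the C:\Module staging path are assumptions for illustration, so substitute the version you have tested with.

```powershell
# Added example (not from the original post): pin the PSWindowsUpdate version,
# check Authenticode signatures and write a SHA-256 manifest before packaging.
# $PinnedVersion and $StagePath are assumptions for illustration.
$ModuleName    = 'PSWindowsUpdate'
$PinnedVersion = '2.2.0.3'   # assumption: use the version you tested in your TS
$StagePath     = 'C:\Module'

# Save-Module pulls from the PSGallery; -RequiredVersion stops a newer, untested
# build from silently ending up in the Configuration Manager package.
Save-Module -Name $ModuleName -Path $StagePath -RequiredVersion $PinnedVersion -ErrorAction Stop
$ModuleRoot = Join-Path -Path $StagePath -ChildPath $ModuleName

# 1) Every script and binary in the module must carry a valid Authenticode signature.
#    Fail closed: this code will execute as SYSTEM during OSD.
$files = Get-ChildItem -Path $ModuleRoot -Recurse -File -Include *.ps1, *.psm1, *.psd1, *.dll
$bad = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    if ($sig.Status -ne 'Valid') { $f.FullName }
}
if ($bad) {
    throw "Unsigned or tampered files in $ModuleName`: $($bad -join ', ')"
}

# 2) Write a SHA-256 manifest next to the module so the package contents can be
#    re-verified after copying to the source share and distributing to the DPs.
$Manifest = Join-Path -Path $StagePath -ChildPath "$ModuleName-$PinnedVersion.sha256.csv"
Get-FileHash -Path $files.FullName -Algorithm SHA256 |
    Select-Object -Property Hash, Path |
    Export-Csv -Path $Manifest -NoTypeInformation

# 3) Re-check a copy against the manifest (run this against the package source
#    folder after it has been copied to the share).
function Test-ModuleHashes {
    param([string]$ManifestPath, [string]$CopyRoot, [string]$OriginalRoot)
    $mismatch = foreach ($row in Import-Csv -Path $ManifestPath) {
        $target = $row.Path.Replace($OriginalRoot, $CopyRoot)
        if (-not (Test-Path -Path $target)) { "$target (missing)"; continue }
        if ((Get-FileHash -Path $target -Algorithm SHA256).Hash -ne $row.Hash) { "$target (hash differs)" }
    }
    if ($mismatch) { throw "Package copy does not match manifest: $($mismatch -join ', ')" }
    Write-Output "Package copy matches manifest ($ManifestPath)"
}
```

If a file in the module is not signed, that is the point to decide whether you accept it; in that case the manifest, produced from a copy you have reviewed, is the only integrity check left, so keep it somewhere other than the package source folder.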

Then we save the script below in the same folder. The script does the following:

  • Copies the PSWindowsUpdate module from the package to the local computer
  • Reads the task sequence variable that holds the SMSTS log folder location
  • Installs updates from Windows Update, excluding the Drivers category and updates with "Preview" in the title
  • Logs the progress to a log file in the SMSTS log folder (under CCM\Logs\SMSTSLog once the client is installed)

# Script to install updates from Windows Update during OSD
# Jorgen@ccmexec.com

# Copy the PSWindowsUpdate module from the package to the machine-wide module path
$TargetPath = Join-Path -Path $env:ProgramFiles -ChildPath "WindowsPowerShell\Modules"
New-Item -ItemType Directory -Path $TargetPath -Force -ErrorAction Stop | Out-Null
Copy-Item -Path (Join-Path -Path $PSScriptRoot -ChildPath "PSWindowsUpdate") -Destination $TargetPath -Recurse -Force -ErrorAction Stop

# Get the SMSTS log folder from the task sequence environment
# (the Microsoft.SMS.TSEnvironment COM object only exists while a task sequence is running)
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
$SMSTSLogfile = $tsenv.Value("_SMSTSLogPath")
# _SMSTSLogPath normally already holds the folder; the Replace only strips a trailing \SMSTS.log if present
$SMSTSLogfilepath = $SMSTSLogfile.Replace("\SMSTS.log", "")

# Install updates from Windows Update, skipping drivers and preview updates.
# -IgnoreReboot is essential: a reboot started by PSWindowsUpdate would break the task sequence engine.
Import-Module PSWindowsUpdate -ErrorAction Stop
Get-WindowsUpdate -AcceptAll -Install -NotCategory "Drivers" -NotTitle Preview -WindowsUpdate -IgnoreReboot |
    Out-File -FilePath "$SMSTSLogfilepath\WindowsUpdate-$(Get-Date -Format yyyy-MM-dd).log" -Force

Our source folder now contains the PSWindowsUpdate module folder and the script, and can be copied to our MEMCM source folder share.

In Configuration Manager we create a Package with these source files and distribute it to the relevant DPs.

In our Task Sequence we add a Run PowerShell Script step that runs the script from the package, followed by Restart Computer steps. Note the Restart Computer steps: I had to add two Restart Computer steps to get all of my physical test machines not to break the task sequence engine with an unexpected reboot. Be sure to test that out!
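The unexpected reboots come from the update session leaving a reboot pending while the task sequence engine is not expecting one. One way to make the Restart Computer step conditional rather than unconditional is to record the pending-reboot state in a task sequence variable. The script below is an added example, not code from the original post; it assumes the same package layout as above, uses Get-WURebootStatus -Silent from PSWindowsUpdate 2.x (check Get-Help on the version you packaged), and the variable name OSDUpdateRebootPending is an assumption for illustration.

```powershell
# Added example (not from the original post): install updates during OSD and
# record whether a reboot is pending in a task sequence variable.
# OSDUpdateRebootPending is an assumed variable name for illustration.

# Fail early and clearly when run outside a task sequence (the COM object is not registered)
try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment -ErrorAction Stop
} catch {
    throw 'Not running inside a Configuration Manager task sequence'
}

# Copy the module from the package (same layout as the script in the post)
$TargetPath = Join-Path -Path $env:ProgramFiles -ChildPath 'WindowsPowerShell\Modules'
New-Item -ItemType Directory -Path $TargetPath -Force -ErrorAction Stop | Out-Null
Copy-Item -Path (Join-Path -Path $PSScriptRoot -ChildPath 'PSWindowsUpdate') -Destination $TargetPath -Recurse -Force -ErrorAction Stop

$LogDir = $tsenv.Value('_SMSTSLogPath')
$Log    = Join-Path -Path $LogDir -ChildPath "WindowsUpdate-$(Get-Date -Format yyyy-MM-dd).log"

Import-Module PSWindowsUpdate -ErrorAction Stop

# Same filters as the post's script. -IgnoreReboot keeps PSWindowsUpdate from
# rebooting underneath the task sequence engine; we decide about the reboot ourselves.
Get-WindowsUpdate -AcceptAll -Install -NotCategory 'Drivers' -NotTitle 'Preview' -WindowsUpdate -IgnoreReboot |
    Out-File -FilePath $Log -Force

# Get-WURebootStatus -Silent returns $true when the update session left a reboot pending
$pending = [bool](Get-WURebootStatus -Silent)
$tsenv.Value('OSDUpdateRebootPending') = $pending.ToString()
Add-Content -Path $Log -Value "Reboot pending after update installation: $pending"

exit 0
```

With this in place the Restart Computer step can carry the condition "Task Sequence Variable OSDUpdateRebootPending equals True", so machines that installed nothing needing a restart skip it. It does not replace the testing the post asks for on physical hardware; it only makes the restart deliberate instead of a surprise.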

A tip if you are piloting the move to Windows Update for Business: add a variable to the Co-Management pilot collection. We can then use that variable as a condition to run updates with this script or with Configuration Manager, depending on its value.

I will post more on Co-Management and prestaging a Co-Managed computer soon.