Support for force scanning against Windows Update (#217)

codaamok · web-flow · commit 700c1dc51e4d · 2023-04-16T04:44:49.000+02:00
diff --git a/README.md b/README.md
@@ -89,23 +89,27 @@ Install-KbUpdate -ComputerName server01 -HotfixId kb4486129
 When more than one computer is supplied, background jobs will be used to speed up the process. If you use the `-AllNeeded` switch, all needed patches will be installed.
 
 ```powershell
-# Install all needed updates and use the computer's current source as the Windows Update database checker
+# Install all needed updates and use the computer's Windows Update Agent configured source to scan against
 Install-KbUpdate -ComputerName localhost, sqlcs, sql01 -AllNeeded
 
-# Install all needed updates and use the offline Windows Update database checker
+# Install all needed updates and use the Windows Update offline scan file to scan against
 $scanfile = Save-KbScanFile
 Install-KbUpdate -ComputerName localhost, sqlcs, sql01 -AllNeeded -ScanFilePath $scanfile
 ```
 
 ### Get-KbNeededUpdate
 
-Checks the target machines for needed updates.  If Windows Update does not have access to WSUS or Microsoft's update catalog, a [local copy of the catalog](#Save-KbScanFile) can be provided.
+Checks the target machines for needed updates. If the Windows Update Agent (WUA) does not have access to WSUS or Windows Update (cloud service), a [local copy of the catalog](#Save-KbScanFile) can be provided.
 
+The local catalog is the Windows Update offline scan file, `wsusscn2.cab` - [see Microsoft documentation for more information](https://learn.microsoft.com/en-us/windows/win32/wua_sdk/using-wua-to-scan-for-updates-offline).
 
 ```powershell
-# Get all the updates needed on the local machine using whatever upstream is set by Windows Update
+# Get all the updates needed on the local machine using whatever upstream is set by the Windows Update Agent (WUA)
 Get-KbNeededUpdate
 
+# Same as above, but instead the upstream is Windows Update (cloud service) regardless if the device is configured to use a WSUS server
+Get-KbNeededUpdate -UseWindowsUpdate
+
 # Get all the updates needed on server01 using the locally saved cab file
 $scanfile = Save-KbScanFile -Path \\server01\c$\temp
 Get-KbNeededUpdate -ComputerName server01 -ScanFilePath $scanfile
@@ -160,9 +164,11 @@ Get-KbInstalledSoftware -ComputerName server23 -ArgumentList "/S" | Uninstall-Kb
 
 ### Save-KbScanFile
 
- Windows Update Agent (WUA) plus [the wsusscn2.cab catalog file](https://learn.microsoft.com/en-us/windows/win32/wua_sdk/using-wua-to-scan-for-updates-offline) can be used to scan computers for security updates without connecting to Windows Update or to a Windows Server Update Services (WSUS) server, which enables computers that are not connected to the Internet to be scanned for security updates.
+This downloads the [Windows Update offline scan file](https://learn.microsoft.com/en-us/windows/win32/wua_sdk/using-wua-to-scan-for-updates-offline), `wsusscn2.cab`.
+
+The scan file `wsusscn2.cab` can be used to scan for missing updates without connecting to Windows Update or a Windows Server Update Services (WSUS). This is especially helpful for devices which are not connected to the Internet.
 
- This file is used by `Get-KbNeededUpdate` when the `-ScanFilePath` is used and `Install-KbUpdate` when the `-AllNeeded` and `-ScanFilePath` parameters are used.
+This file is used by `Get-KbNeededUpdate` when the `-ScanFilePath` is used and `Install-KbUpdate` when the `-AllNeeded` and `-ScanFilePath` parameters are used.
 
 ```powershell
 # Saves the cab file to a temporary directory and returns the results of Get-ChildItem for the cab file
@@ -175,7 +181,7 @@ Save-KbScanFile -Path C:\temp -AllowClobber
 $scanfile = Save-KbScanFile -Path \\server01\c$\temp
 Get-KbNeededUpdate -ComputerName server01 -ScanFilePath $scanfile
 
-# Install all needed updates and use the offline Windows Update database checker
+# Install all needed updates and use the Windows Update offline scan file
 $scanfile = Get-ChildItem -Path \\san\share\updates\wsusscn2.cab
 Install-KbUpdate -ComputerName localhost, sqlcs, sql01 -AllNeeded -ScanFilePath $scanfile
 ```
@@ -226,7 +232,7 @@ Get-KbUpdate -Since (Get-Date).AddDays(-30) -Architecture x64 |
     Out-GridView -Passthru |
     Save-KbUpdate -Path C:\temp\burn_to_dvd
 
-# Download Windows Update Client scan file
+# Download Windows Update offline scan file
 Save-KbScanFile -Path C:\temp\burn_to_dvd
 
 ### 💿💿💿         BURN TO DVD         💿💿💿 ###
diff --git a/private/Get-Needed.ps1 b/private/Get-Needed.ps1
@@ -2,10 +2,11 @@ function Get-Needed {
     param (
         $Computer,
         $ScanFilePath,
+        $UseWindowsUpdate,
         $VerbosePreference
     )
 
-    if ($ScanFilePath) {
+    if ($ScanFilePath -and -not $UseWindowsUpdate) {
         try {
             If (-not (Test-Path $ScanFilePath -ErrorAction Stop)) {
                 Write-Warning "Windows Update offline scan file, $ScanFilePath, cannot be found on $Computer"
@@ -24,7 +25,7 @@ function Get-Needed {
         Write-Verbose -Message "Processing $computer"
         $session = [type]::GetTypeFromProgID("Microsoft.Update.Session")
         $wua = [activator]::CreateInstance($session)
-        if ($ScanFilePath) {
+        if ($ScanFilePath -and -not $UseWindowsUpdate) {
             Write-Verbose -Message "Registering $ScanFilePath on $computer"
             try {
                 $progid = [type]::GetTypeFromProgID("Microsoft.Update.ServiceManager")
@@ -45,6 +46,11 @@ function Get-Needed {
         } else {
             Write-Verbose -Message "Creating update searcher"
             $searcher = $wua.CreateUpdateSearcher()
+
+            if ($UseWindowsUpdate) {
+                Write-Verbose -Message "Setting update searcher to use Windows Update cloud service"
+                $searcher.ServerSelection = 2
+            }
         }
         Write-Verbose -Message "Searching for needed updates"
         $wsuskbs = $searcher.Search("Type='Software' and IsHidden=0")
diff --git a/private/Start-DscUpdate.ps1 b/private/Start-DscUpdate.ps1
@@ -20,6 +20,7 @@ function Start-DscUpdate {
         [Parameter(ValueFromPipeline)]
         [pscustomobject[]]$InputObject,
         [switch]$AllNeeded,
+        [switch]$UseWindowsUpdate,
         [switch]$NoMultithreading,
         [switch]$EnableException,
         [bool]$IsLocalHost,
@@ -58,11 +59,17 @@ function Start-DscUpdate {
         }
 
         if ($AllNeeded) {
+            $GetKbNeededUpdate = @{
+                ComputerName = $ComputerName
+            }
             if ($ScanFilePath) {
-                $InputObject = Get-KbNeededUpdate -ComputerName $ComputerName -ScanFilePath $ScanFilePath -Force
-            } else {
-                $InputObject = Get-KbNeededUpdate -ComputerName $ComputerName
+                $GetKbNeededUpdate['ScanFilePath'] = $ScanFilePath
+                $GetKbNeededUpdate['Force']        = $true
+                
+            } elseif ($UseWindowsUpdate) {
+                $GetKbNeededUpdate['UseWindowsUpdate'] = $true
             }
+            $InputObject = Get-KbNeededUpdate @GetKbNeededUpdate
         }
 
         if ($HotfixId -and -not $InputObject.Link) {
diff --git a/public/Connect-KbWsusServer.ps1 b/public/Connect-KbWsusServer.ps1
@@ -15,9 +15,6 @@ function Connect-KbWsusServer {
     .PARAMETER Port
         Port number to connect to. Default is Port "443" and "8530" if using HTTP. Accepted values are "80","443","8350" and "8351"
 
-    .PARAMETER Credential
-        The optional alternative credential to be used when connecting to ComputerName.
-
     .PARAMETER EnableException
         By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
         This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
@@ -51,7 +48,6 @@ function Connect-KbWsusServer {
         [Parameter(ValueFromPipeline)]
         [Alias("WsusServer")]
         [PSFComputer]$ComputerName,
-        [pscredential]$Credential,
         [switch]$ForceInsecureConnection,
         [ValidateSet("80", "443", "8530", "8531" )]
         [int]$Port = 443,
diff --git a/public/Get-KbNeededUpdate.ps1 b/public/Get-KbNeededUpdate.ps1
@@ -1,21 +1,32 @@
 function Get-KbNeededUpdate {
     <#
     .SYNOPSIS
-         Checks for needed updates.
+        Scan for missing Windows updates.
 
     .DESCRIPTION
-         Checks for needed updates.
+        This cmdlet scans for missing Windows updates. It can scan against:
+
+        - Windows Server Update Service (WSUS) server
+        - Windows Update (cloud service)
+        - Windows Update offline scan file (wsusscn2.cab - see https://learn.microsoft.com/windows/win32/wua_sdk/using-wua-to-scan-for-updates-offline)
+
+        The offline scan file can be downloaded using Save-KbScanFile from an internet-connected computer.
 
     .PARAMETER ComputerName
         Used to connect to a remote host. Connects to localhost by default -- if scanning the local computer, the command must be run as administrator.
 
     .PARAMETER Credential
         The optional alternative credential to be used when connecting to ComputerName
 
+    .PARAMETER UseWindowsUpdate
+        This optional parameter will force the Windows Update Agent (WUA) to scan for needed updates against Windows Update (cloud service) instead of WSUS, regardless if the device is configured to use a WSUS server.
+
     .PARAMETER ScanFilePath
-        If Windows Update does not have access to WSUS or Microsoft's update catalog, a local copy of the catalog can be provided.
+        If the Windows Update Agent (WUA) does not have access to WSUS or Windows Update a local copy of the catalog can be provided.
+
+        The local copy of the catalog is the Windows Update offline scan file (wsusscn2.cab - see https://learn.microsoft.com/windows/win32/wua_sdk/using-wua-to-scan-for-updates-offline).
 
-        This optional parameter will force the command to use a local update database instead of WSUS or Microsoft's online update catalog.
+        This optional parameter will force the command to use a local update database instead of WSUS or Windows Update.
 
         The scan file catalog/database can be downloaded using Save-KbScanFile from an internet-connected computer.
 
@@ -52,13 +63,16 @@ function Get-KbNeededUpdate {
 
         Saves all the updates needed on the local machine to C:\temp
 #>
-    [CmdletBinding()]
+    [CmdletBinding(DefaultParameterSetName = 'UseWUA')]
     param(
         [PSFComputer[]]$ComputerName = $env:COMPUTERNAME,
         [pscredential]$Credential,
-        [parameter(ValueFromPipeline)]
+        [parameter(ParameterSetName = 'UseWUA')]
+        [switch]$UseWindowsUpdate,
+        [parameter(ParameterSetName = 'UseScanFile', ValueFromPipeline)]
         [Alias("FullName")]
         [string]$ScanFilePath,
+        [parameter(ParameterSetName = 'UseScanFile')]
         [switch]$Force,
         [switch]$EnableException
     )
@@ -79,32 +93,34 @@ function Get-KbNeededUpdate {
             try {
                 Write-PSFMessage -Level Verbose -Message "Adding job for $computer"
                 $arglist = [pscustomobject]@{
-                    ComputerName    = $computer
-                    Credential      = $Credential
-                    ScanFilePath    = $ScanFilePath
-                    EnableException = $EnableException
-                    Force           = $Force
-                    ScriptBlock     = $remotescriptblock
-                    ModulePath      = $script:dependencies
+                    ComputerName     = $computer
+                    Credential       = $Credential
+                    UseWindowsUpdate = $UseWindowsUpdate
+                    ScanFilePath     = $ScanFilePath
+                    EnableException  = $EnableException
+                    Force            = $Force
+                    ScriptBlock      = $remotescriptblock
+                    ModulePath       = $script:dependencies
                 }
 
                 $invokeblock = {
                     foreach ($path in $args.ModulePath) {
                         $null = Import-Module $path 4>$null
                     }
-                    $sbjson = $args.ScriptBlock | ConvertFrom-Json
-                    $sb = [scriptblock]::Create($sbjson)
-                    $machine = $args.ComputerName
-                    $Credential = $args.Credential
-                    $ScanFilePath = $args.ScanFilePath
-                    $EnableException = $args.EnableException
-                    $Force = $args.Force
-                    $ScriptBlock = $sb
+                    $sbjson           = $args.ScriptBlock | ConvertFrom-Json
+                    $sb               = [scriptblock]::Create($sbjson)
+                    $machine          = $args.ComputerName
+                    $Credential       = $args.Credential
+                    $UseWindowsUpdate = $args.UseWindowsUpdate
+                    $ScanFilePath     = $args.ScanFilePath
+                    $EnableException  = $args.EnableException
+                    $Force            = $args.Force
+                    $ScriptBlock      = $sb
 
                     $computer = $machine.ComputerName
                     $null = $completed++
 
-                    if ($ScanFilePath -and $Force -and -not $machine.IsLocalhost) {
+                    if ($ScanFilePath -and $Force -and -not $machine.IsLocalhost -and -not $UseWindowsUpdate) {
                         Write-PSFMessage -Level Verbose -Message "Initializing remote session to $computer and getting the path to the temp directory"
 
                         $scanfile = Get-ChildItem -Path $ScanFilePath
@@ -185,7 +201,7 @@ function Get-KbNeededUpdate {
                     if ($machine.IsLocalHost -and -not (Test-ElevationRequirement -ComputerName $computer)) {
                         continue
                     }
-                    Invoke-PSFCommand -Computer $computer -Credential $Credential -ErrorAction Stop -ScriptBlock $scriptblock -ArgumentList $computer, $cabpath, $VerbosePreference
+                    Invoke-PSFCommand -Computer $computer -Credential $Credential -ErrorAction Stop -ScriptBlock $scriptblock -ArgumentList $computer, $cabpath, $UseWindowsUpdate, $VerbosePreference
                 }
 
                 $jobs += Start-Job -Name $computer -ScriptBlock $invokeblock -ArgumentList $arglist -ErrorAction Stop
diff --git a/public/Install-KbUpdate.ps1 b/public/Install-KbUpdate.ps1
@@ -37,8 +37,13 @@ function Install-KbUpdate {
     .PARAMETER AllNeeded
         Installs all needed updates
 
+    .PARAMETER UseWindowsUpdate
+        This optional parameter will force the Windows Update Agent (WUA) to scan for needed updates against Windows Update (cloud service) instead of WSUS, regardless if the device is configured to use a WSUS server.
+
     .PARAMETER ScanFilePath
-        This optional parameter can be passed along with AllNeeded to use a local update database instead of WSUS or Microsoft's online update catalog.
+        This optional parameter can be passed along with AllNeeded to use a local copy of the catalogue instead of WSUS or Windows Update (cloud service.)
+
+        The local copy of the catalog is the Windows Update offline scan file (wsusscn2.cab - see https://learn.microsoft.com/windows/win32/wua_sdk/using-wua-to-scan-for-updates-offline).
 
         The local copy can be downloaded using Save-KbScanFile from an internet-connected computer.
 
@@ -122,6 +127,7 @@ function Install-KbUpdate {
         [Parameter(ValueFromPipeline)]
         [pscustomobject[]]$InputObject,
         [switch]$AllNeeded,
+        [switch]$UseWindowsUpdate,
         [parameter(ValueFromPipeline)]
         [Alias("FullName")]
         [string]$ScanFilePath,
@@ -133,14 +139,19 @@ function Install-KbUpdate {
         # $wublock = [scriptblock]::Create($((Get-Command Start-WindowsUpdate).Definition))
         $dscblock = [scriptblock]::Create($((Get-Command Start-DscUpdate).Definition))
         # cleanup
-        $null = Get-Job -ChildJobState Completed | Where-Object Name -in $ComputerName.ComputerName | Remove-Job -Force
+        $null = Get-Job -ChildJobState Completed | Where-Object Name -In $ComputerName.ComputerName | Remove-Job -Force
     }
     process {
         if (-not $PSBoundParameters.HotfixId -and -not $PSBoundParameters.FilePath -and -not $PSBoundParameters.InputObject -and -not $AllNeeded) {
             Stop-PSFFunction -EnableException:$EnableException -Message "You must specify either HotfixId or FilePath or AllNeeded or pipe in the results from Get-KbUpdate"
             return
         }
 
+        if ($ScanFilePath -and $UseWindowsUpdate) {
+            Stop-PSFFunction -EnableException:$EnableException -Message "You can not use -ScanFilePath and -UseWindowsUpdate together"
+            return
+        }
+
         if ($IsLinux -or $IsMacOs) {
             Stop-PSFFunction -Message "This command using remoting and only supports Windows at this time" -EnableException:$EnableException
             return
@@ -190,6 +201,7 @@ function Install-KbUpdate {
                     EnableException   = $EnableException
                     IsLocalHost       = $computer.IsLocalHost
                     AllNeeded         = $AllNeeded
+                    UseWindowsUpdate  = $UseWindowsUpdate
                     VerbosePreference = $VerbosePreference
                     ScanFilePath      = $ScanFilePath
                     ModulePath        = $script:dependencies
