SCVMM : Automatic Baseline update script

SCVMM (System Center: Virtual Machine Manager) 2012 and 2012R2 can manage the patch compliance on your servers. That’s a great feature but normally involves some manual work as you have to add each update to the Baselines manually.

My colleague Mikael Nyström (MVP) made a script to handle this automatically, which I’ve developed a bit further.

<#
.Synopsis
   Script to automatically keep SCVMM Baselines in sync with WSUS 
.DESCRIPTION
   Script that synchronizes WSUS Updates with SCVMM, both adding new updates and removes old inactive updates. 
.EXAMPLE
   Update-BaseLineUpdates $Baselinename

# Author
Current Author, Markus Lassfolk @Truesec 
Original Author, Mikael Nyström @Truesec 

# Version 1.2
  Markus Lassfolk 
 - Added section to remove inactive updates 

# Version 1.0 
  Markus Lassfolk 
 - Initial Release 

# Version 0.5 
  Mikael Nyström 

#>

Function Update-BaseLineUpdates{
Param
 (
 [Parameter(Mandatory=$false,
 ValueFromPipeline=$true,
 ValueFromPipelineByPropertyName=$true,
 ValueFromRemainingArguments=$false,
 Position=0)]
 [String]
 $BaseLineName
 )
$baseline = Get-SCBaseline -Name $BaseLineName

# Set-SCBaseline -Baseline $baseline -Name $BaseLineName -Description $BaseLineName -RemoveUpdates $baseline.Updates
write-host $baseline.UpdateCount : Current number of Updates in Baseline $BaseLineName

$addedUpdateList = ""
$addedUpdateList = @()

if ($baseline.UpdateCount -eq 0) { 
        write-host "No previous updates in" $BaselineName", adding all existing updates for" $BaseLineName "from WSUS"  
        $addedUpdateList += Get-SCUpdate | Where-Object -Property UpdateClassification -EQ -Value $BaseLineName | Where-Object -Property IsApproved -Like -Value "True" | Where-Object -Property IsDeclined -Like -Value "False"| Where-Object -Property IsExpired -Like -Value "False" | Where-Object -Property IsSuperseded -Like -Value "False" | Where-Object -Property Products -like "*Windows Server 2012*"
        write-host $addedUpdateList.Count ": New updates to add in" $Baseline 
        Set-SCBaseline -Baseline $baseline -Name $BaseLineName -Description $BaseLineName -AddUpdates $addedUpdateList -RunAsynchronously
  }

if ($baseline.UpdateCount -gt 0 ) { 
        write-host "Scanning Newest 500 WSUS Updates for matching updates for $BaselineName" 
        $LatestUpdates = Get-SCUpdate -Newest 500 | Where-Object -Property UpdateClassification -EQ -Value $BaseLineName | Where-Object -Property IsApproved -Like -Value "True" | Where-Object -Property IsDeclined -Like -Value "False"| Where-Object -Property IsExpired -Like -Value "False" | Where-Object -Property IsSuperseded -Like -Value "False" | Where-Object -Property Products -like "*Windows Server 2012*"
        write-host $LatestUpdates.Count ": Updates found, verifying if update(s) already exist in" $BaseLineName 

        Compare-Object -ReferenceObject $baseline.Updates -DifferenceObject $LatestUpdates -IncludeEqual | % {
        if($_.SideIndicator -eq '=>') { $addedUpdateList += Get-SCUpdate -ID $_.inputobject.id } 
        }

    write-host $addedUpdateList.Count : New updates to be added to SCVMM for $BaseLineName 
    write-host $addedUpdateList | ft
    Set-SCBaseline -Baseline $baseline -Name $BaseLineName -Description $BaseLineName -AddUpdate $addedupdateList -RunAsynchronously 
    }

    write-host "Scan WSUS for Updates that should not be Checked anymore" 
    $remove = ""
    $remove = @()
    $removeUpdateList = ""
    $removeUpdateList = @()

    $remove += Get-SCUpdate | Where-Object -Property UpdateClassification -EQ -Value $BaseLineName | Where-Object -Property IsApproved -Like -Value "False" | Where-Object -Property Products -like "*Windows Server 2012*"
    $remove += Get-SCUpdate | Where-Object -Property UpdateClassification -EQ -Value $BaseLineName | Where-Object -Property IsDeclined -Like -Value "True"| Where-Object -Property Products -like "*Windows Server 2012*"
    $remove += Get-SCUpdate | Where-Object -Property UpdateClassification -EQ -Value $BaseLineName | Where-Object -Property IsExpired -Like -Value "True" | Where-Object -Property Products -like "*Windows Server 2012*"
    $remove += Get-SCUpdate | Where-Object -Property UpdateClassification -EQ -Value $BaseLineName | Where-Object -Property IsSuperseded -Like -Value "True" | Where-Object -Property Products -like "*Windows Server 2012*"

    write-host $remove.count "Remove Unapproved/Superseded/Expired/Declined updates" 

        Compare-Object -ReferenceObject $baseline.Updates -DifferenceObject $remove -IncludeEqual | % {
        if($_.SideIndicator -eq '==') { $removeUpdateList += Get-SCUpdate -ID $_.inputobject.id } 
        }

    Set-SCBaseline -Baseline $baseline -Name $BaseLineName -Description $BaseLineName -RemoveUpdates $RemoveupdateList 
}

Function Add-BaseLine{
Param
 (
 [Parameter(Mandatory=$false,
 ValueFromPipeline=$true,
 ValueFromPipelineByPropertyName=$true,
 ValueFromRemainingArguments=$false,
 Position=0)]
 [String]
 $BaseLineName
 )
$baseline = New-SCBaseline -Name $BaseLineName -Description $BaseLineName
$scope = Get-SCVMHostGroup -Name "All Hosts"
Set-SCBaseline -Baseline $baseline -AddAssignmentScope $scope
$scope2 = Get-SCVMMManagedComputer
ForEach($Server in $scope2){
Set-SCBaseline -Baseline $baseline -Name $baseLine -AddAssignmentScope $Server
}
}

Write-Host "Synchronizing with WSUS Server" 
Get-SCUpdateServer | Start-SCUpdateServerSynchronization 

. Update-BaseLineUpdates "Security Updates"
. Update-BaseLineUpdates "Critical Updates"
. Update-BaseLineUpdates "Updates"
. Update-BaseLineUpdates "Update Rollups"

#. Update-BaseLineUpdates "Definition Updates"
#. Update-BaseLineUpdates "Service Packs"
#. Update-BaseLineUpdates "Feature Packs"

write-host "Start Compliance Scan for all Servers" 
Get-SCVMMManagedComputer | Start-SCComplianceScan

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

.Synopsis

Script to automatically keep SCVMM Baselines in sync with WSUS

.DESCRIPTION

Script that synchronizes WSUS Updates with SCVMM, both adding new updates and removes old inactive updates.

.EXAMPLE

Update-BaseLineUpdates $Baselinename

# Author

Current Author, Markus Lassfolk @Truesec

Original Author, Mikael Nyström @Truesec

# Version 1.2

Markus Lassfolk

- Added section to remove inactive updates

# Version 1.0

Markus Lassfolk

- Initial Release

# Version 0.5

Mikael Nyström

Function Update-BaseLineUpdates{

Param

(

[Parameter(Mandatory=$false,

ValueFromPipeline=$true,

ValueFromPipelineByPropertyName=$true,

ValueFromRemainingArguments=$false,

Position=0)]

[String]

$BaseLineName

)

$baseline = Get-SCBaseline -Name $BaseLineName

# Set-SCBaseline -Baseline $baseline -Name $BaseLineName -Description $BaseLineName -RemoveUpdates $baseline.Updates

write-host $baseline.UpdateCount : Current number of Updates in Baseline $BaseLineName

$addedUpdateList = ""

$addedUpdateList = @()

if ($baseline.UpdateCount -eq 0) {

write-host "No previous updates in" $BaselineName", adding all existing updates for" $BaseLineName "from WSUS"

$addedUpdateList += Get-SCUpdate | Where-Object -Property UpdateClassification -EQ -Value $BaseLineName | Where-Object -Property IsApproved -Like -Value "True" | Where-Object -Property IsDeclined -Like -Value "False"| Where-Object -Property IsExpired -Like -Value "False" | Where-Object -Property IsSuperseded -Like -Value "False" | Where-Object -Property Products -like "*Windows Server 2012*"

write-host $addedUpdateList.Count ": New updates to add in" $Baseline

Set-SCBaseline -Baseline $baseline -Name $BaseLineName -Description $BaseLineName -AddUpdates $addedUpdateList -RunAsynchronously

}

if ($baseline.UpdateCount -gt 0 ) {

write-host "Scanning Newest 500 WSUS Updates for matching updates for $BaselineName"

$LatestUpdates = Get-SCUpdate -Newest 500 | Where-Object -Property UpdateClassification -EQ -Value $BaseLineName | Where-Object -Property IsApproved -Like -Value "True" | Where-Object -Property IsDeclined -Like -Value "False"| Where-Object -Property IsExpired -Like -Value "False" | Where-Object -Property IsSuperseded -Like -Value "False" | Where-Object -Property Products -like "*Windows Server 2012*"

write-host $LatestUpdates.Count ": Updates found, verifying if update(s) already exist in" $BaseLineName

Compare-Object -ReferenceObject $baseline.Updates -DifferenceObject $LatestUpdates -IncludeEqual | % {

if($_.SideIndicator -eq '=>') { $addedUpdateList += Get-SCUpdate -ID $_.inputobject.id }

}

write-host $addedUpdateList.Count : New updates to be added to SCVMM for $BaseLineName

write-host $addedUpdateList | ft

Set-SCBaseline -Baseline $baseline -Name $BaseLineName -Description $BaseLineName -AddUpdate $addedupdateList -RunAsynchronously

}

write-host "Scan WSUS for Updates that should not be Checked anymore"

$remove = ""

$remove = @()

$removeUpdateList = ""

$removeUpdateList = @()

$remove += Get-SCUpdate | Where-Object -Property UpdateClassification -EQ -Value $BaseLineName | Where-Object -Property IsApproved -Like -Value "False" | Where-Object -Property Products -like "*Windows Server 2012*"

$remove += Get-SCUpdate | Where-Object -Property UpdateClassification -EQ -Value $BaseLineName | Where-Object -Property IsDeclined -Like -Value "True"| Where-Object -Property Products -like "*Windows Server 2012*"

$remove += Get-SCUpdate | Where-Object -Property UpdateClassification -EQ -Value $BaseLineName | Where-Object -Property IsExpired -Like -Value "True" | Where-Object -Property Products -like "*Windows Server 2012*"

$remove += Get-SCUpdate | Where-Object -Property UpdateClassification -EQ -Value $BaseLineName | Where-Object -Property IsSuperseded -Like -Value "True" | Where-Object -Property Products -like "*Windows Server 2012*"

write-host $remove.count "Remove Unapproved/Superseded/Expired/Declined updates"

Compare-Object -ReferenceObject $baseline.Updates -DifferenceObject $remove -IncludeEqual | % {

if($_.SideIndicator -eq '==') { $removeUpdateList += Get-SCUpdate -ID $_.inputobject.id }

}

Set-SCBaseline -Baseline $baseline -Name $BaseLineName -Description $BaseLineName -RemoveUpdates $RemoveupdateList

}

Function Add-BaseLine{

Param

(

[Parameter(Mandatory=$false,

ValueFromPipeline=$true,

ValueFromPipelineByPropertyName=$true,

ValueFromRemainingArguments=$false,

Position=0)]

[String]

$BaseLineName

)

$baseline = New-SCBaseline -Name $BaseLineName -Description $BaseLineName

$scope = Get-SCVMHostGroup -Name "All Hosts"

Set-SCBaseline -Baseline $baseline -AddAssignmentScope $scope

$scope2 = Get-SCVMMManagedComputer

ForEach($Server in $scope2){

Set-SCBaseline -Baseline $baseline -Name $baseLine -AddAssignmentScope $Server

}

Write-Host "Synchronizing with WSUS Server"

Get-SCUpdateServer | Start-SCUpdateServerSynchronization

. Update-BaseLineUpdates "Security Updates"

. Update-BaseLineUpdates "Critical Updates"

. Update-BaseLineUpdates "Updates"

. Update-BaseLineUpdates "Update Rollups"

#. Update-BaseLineUpdates "Definition Updates"

#. Update-BaseLineUpdates "Service Packs"

#. Update-BaseLineUpdates "Feature Packs"

write-host "Start Compliance Scan for all Servers"

Get-SCVMMManagedComputer | Start-SCComplianceScan

The script has a few Pre-Requisites;

A WSUS Server defined in SCVMM
Approved patches for “Windows Server 2012” and “Windows Server 2012 R2” in WSUS
Pre-Defined Baselines (you can use Add-Baseline to create them) with these names;
- Security Updates
- Critical Updates
- Updates
- Update Rollups

That’s it! You can now run the script and automatically import all matching updates.

The following actions will be performed;

Synchronize updates with WSUS
Check if there are any updates in the Baseline already
- If the baseline is empty, import ALL matching updates
- If the baseline is NOT empty, check the Newest 500 updates and import all matching updates
Remove inactive updates
Repeat for all Baselines
Start a compliance scan

The script will not initiate any remediation. And as the script normally only checks the newest 500 updates, it has to be run fairly regular. In my environment, 500 updates is about 1 month of updates. Though to be safe, run it once a week.

11 thoughts on “SCVMM : Automatic Baseline update script”

Szymon Kowalczyk says:

2016-09-02 at 22:09

Hi there.
Thank you for this solution. It works with my SCVMM 2012 R2.

I would like to schedule this script but it doesn’t work properly (Task Scheduler is configured to run this script as SYSTEM).
TS returns 0 (success) after running task manually, but SCVMM Jobs doesn’t show any changes….

Any ideas how to Schedule it?
Patrik Hansson (@patrik_hansson) says:

2015-05-19 at 16:04

Tried as vanilla as possible but still same result. Giving up and using full sync. But for reference if anyone else is searching and finds this post.

Get-SCUpdate -KBArticle 2884846 = False

Get-SCUpdateServer | Start-SCUpdateServerSynchronization

Get-SCUpdate -KBArticle 2884846 = False

Get-SCUpdateServer | Start-SCUpdateServerSynchronization -ForceFullUpdateCatalogImport

Get-SCUpdate -KBArticle 2884846 = True
Patrik Hansson (@patrik_hansson) says:

2015-05-18 at 18:34

Ok, well the workaround works for me. Too bad I couldn’t get confirmation that it wasn’t me that was doing someting wrong but. Might to some more test installs in different ways just for fun. Will let you know if I get different results.
Markus Lassfolk says:

2015-05-18 at 17:03

I’m sorry Patrik but I’ve not been able to reproduce the problem in three different environments, or find any relevant logfiles to dig deeper into. Sorry
Patrik Hansson (@patrik_hansson) says:

2015-05-17 at 20:17

Same problem in UR6.
Patrik Hansson (@patrik_hansson) says:

2015-05-17 at 17:08

UR5
Will upgrade later today and see I it helps. Do you know if there is a log file for the synchronization ? Tried running with -debug but got nothing.
Markus Lassfolk says:

2015-05-17 at 16:48

Hmm interesting. Are you using UR6?
Patrik says:

2015-05-17 at 09:18

I found the issue, at least i think.
If i do a Start-SCUpdateServerSynchronization it says it syncing but IsApproved status doesn’t update in vmm (get-scupdate). But if i do Start-SCUpdateServerSynchronization -ForceFullUpdateCatalogImport the IsApproved status is uppdated from Wsus.
Tried a couple og updates and I’m able to reproduce the issue every time.
Markus Lassfolk says:

2015-05-17 at 08:45

It could be this line (54);
$LatestUpdates = Get-SCUpdate -Newest 500 | Where-Object -Property UpdateClassification -EQ -Value $BaseLineName | Where-Object -Property IsApproved -Like -Value “True” | Where-Object -Property IsDeclined -Like -Value “False”| Where-Object -Property IsExpired -Like -Value “False” | Where-Object -Property IsSuperseded -Like -Value “False” | Where-Object -Property Products -like “*Windows Server 2012*”

It’s only checking the latest 500 updates in WSUS. And if there are no “Windows Server 2012*” updates in the last 500 (can be a lot of anti-virus definition updates) it won’t import anything. And if you don’t run the script often enough, it may miss updates due to that.

So I’ve changed that in my production environment to look like this;

$LatestUpdates = Get-SCUpdate | Where-Object -Property UpdateClassification -EQ -Value $BaseLineName | Where-Object -Property IsApproved -Like -Value “True” | Where-Object -Property IsDeclined -Like -Value “False”| Where-Object -Property IsExpired -Like -Value “False” | Where-Object -Property IsSuperseded -Like -Value “False”

So it’s importing all updates for all products and not just checking the last 500.
Also as I noticed it would be miss for example IE and .NET Framework updates.
Patrik says:

2015-05-16 at 22:31

I’v approved the updates in WSUS and synced but noting gets to baselines.
Checked the updates in VMM with Get-SCUpdate and there they are all IsApproved = False.
If i manualy add an update to a baseline i can see with get-scupdate that it changes to IsApproved = true.

What am i missing ?
Pingback: SCVMM : Automatic Baseline update script | Desk...

You must be logged in to post a comment.

11 thoughts on “SCVMM : Automatic Baseline update script”

Leave a Reply