Automating Cumulative Windows 7 Updates: WSUS Configuration & PowerShell Scripting for Seamless Patch Management



When dealing with fresh Windows 7 SP1 installations, you'll encounter multiple update cycles, typically 3-5 rounds with a reboot between each. Each round is gated on the previous one: the servicing stack update and the rollups only report as applicable once earlier updates are installed and the machine has restarted, so a single scan never sees the full list. The manual approach becomes impractical for system administrators managing multiple machines. Here's how the chain looks:

Initial SP1 Base -> First Round Patches -> Reboot -> 
Second Round Patches -> Reboot -> Security Rollups -> Final Updates

Windows Server Update Services (WSUS) does more than local caching. When properly configured, it enables:

  • Batch approval of updates
  • Scheduled installation windows
  • Automatic reboot policies
  • Update grouping and sequencing

For standalone machines without WSUS infrastructure, run this PowerShell script from an elevated prompt. Re-run it after each reboot until the search returns nothing, because the Windows Update Agent cannot see the next layer of patches until the current one has been installed and the machine restarted:

# Update automation script for Windows 7 (run from an elevated PowerShell prompt).
# Searches for, downloads and installs every applicable non-driver update, then
# reboots if required. Run it again after the reboot until nothing is left.
$UpdateSession  = New-Object -ComObject Microsoft.Update.Session
$UpdateSearcher = $UpdateSession.CreateUpdateSearcher()
$Criteria       = "IsInstalled=0 and Type='Software' and IsHidden=0"
$SearchResult   = $UpdateSearcher.Search($Criteria)

while ($SearchResult.Updates.Count -gt 0) {
    $UpdatesToInstall = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($Update in $SearchResult.Updates) {
        # Install() refuses updates whose EULA has not been accepted.
        if (-not $Update.EulaAccepted) { $Update.AcceptEula() }
        $UpdatesToInstall.Add($Update) | Out-Null
    }

    # Install() only works on updates that have already been downloaded.
    $Downloader = $UpdateSession.CreateUpdateDownloader()
    $Downloader.Updates = $UpdatesToInstall
    $Downloader.Download() | Out-Null

    $Installer = $UpdateSession.CreateUpdateInstaller()
    $Installer.Updates = $UpdatesToInstall
    $InstallationResult = $Installer.Install()
    # ResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed, 5 = aborted
    "Install result code: $($InstallationResult.ResultCode)"

    if ($InstallationResult.RebootRequired) {
        # The next round of patches only becomes visible after the restart.
        Restart-Computer -Force
        break
    }
    if ($InstallationResult.ResultCode -ne 2) {
        # Stop instead of re-searching forever for updates that keep failing.
        "Installation did not fully succeed; check C:\Windows\WindowsUpdate.log"
        break
    }

    $SearchResult = $UpdateSearcher.Search($Criteria)
}

To configure WSUS clients for automatic installation:

  1. Create a new Group Policy Object (GPO) linked to the OU that contains the Windows 7 machines
  2. Navigate to: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update
  3. Enable "Configure Automatic Updates" and set it to option 4 (Auto download and schedule the install), scheduled every day at a time when the machines are powered on
  4. Set "Automatic Updates detection frequency" to 1 hour; the default is 22 hours, which is what makes a fresh install crawl through the update rounds
  5. Configure "Specify intranet Microsoft update service location" with your WSUS server URL in both the update service and statistics server fields (default ports are 8530 for HTTP and 8531 for HTTPS)
  6. Set "No auto-restart with logged on users for scheduled automatic updates installations" to Disabled; otherwise a logged-on user blocks the restart and the next update round never starts

To avoid walking through the update chain on every new deployment, slipstream the patches into the installation image with DISM. The servicing stack update has to go in before the rollups, exactly as it would on a live machine:

dism /get-wiminfo /wimfile:install.wim
dism /mount-wim /wimfile:install.wim /index:1 /mountdir:mount
rem add the servicing stack update (KB3020369) first; the convenience rollup will not install without it (patches\ssu is an assumed folder layout)
for %f in (patches\ssu\*.msu) do dism /image:mount /add-package /packagepath:"%f"
for %f in (patches\*.msu) do dism /image:mount /add-package /packagepath:"%f"
dism /unmount-wim /mountdir:mount /commit


To enforce prompt installation in WSUS environments:

  1. Approve the updates for install on the WSUS server; an automatic approval rule for the clients' computer group removes the manual approval step for each new rollup
  2. Set the client-side policy "Configure Automatic Updates" to option 4 with a daily schedule, enable "Allow Automatic Updates immediate installation" so updates that need no restart install as soon as they are downloaded, and set "No auto-restart with logged on users for scheduled automatic updates installations" to Disabled so a logged-on user cannot block the scheduled restart
  3. Where Group Policy is not available, apply the same settings through their policy registry values. Windows 7 has no "active hours" setting; that is a Windows 10 feature and its HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings values have no effect here. Replace the example WSUS URL with your own server:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://wsus.example.internal:8530"
"WUStatusServer"="http://wsus.example.internal:8530"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"AUOptions"=dword:00000004
"DetectionFrequencyEnabled"=dword:00000001
"DetectionFrequency"=dword:00000001
"AutoInstallMinorUpdates"=dword:00000001
"NoAutoRebootWithLoggedOnUsers"=dword:00000000
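To confirm that a client has actually taken the policy before waiting for the next detection cycle, the following script, added here as an example and not taken from the original article, reads the policy registry values that back the GPO settings above (the key paths and value names are the documented Windows Update policy equivalents) and asks the Windows Update Agent what it is currently configured to do. The WSUS URL and the expected values are assumptions that mirror the configuration described; adjust them to your environment.

```powershell
# Added example: verify a Windows 7 client's WSUS policy and Windows Update Agent state.
# Run from an elevated PowerShell prompt (works on the PowerShell 2.0 shipped with Win7).
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

# Expected policy state. The WSUS URL is an assumption; use your own server.
# Key is "registry path|value name" so one table covers both keys.
$expected = @{
    "$wuKey|WUServer"                      = 'http://wsus.example.internal:8530'
    "$wuKey|WUStatusServer"                = 'http://wsus.example.internal:8530'
    "$auKey|UseWUServer"                   = 1
    "$auKey|AUOptions"                     = 4   # auto download and schedule install
    "$auKey|DetectionFrequencyEnabled"     = 1
    "$auKey|DetectionFrequency"            = 1   # hours
    "$auKey|AutoInstallMinorUpdates"       = 1   # install no-restart updates immediately
    "$auKey|NoAutoRebootWithLoggedOnUsers" = 0   # let the scheduled restart happen
}

$problems = @()
foreach ($entry in $expected.GetEnumerator()) {
    $path, $name = $entry.Key -split '\|'
    $actual = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $actual) {
        $problems += "$path\$name is not set (policy not applied yet? try gpupdate /force)"
    } elseif ("$actual" -ne "$($entry.Value)") {
        $problems += "$path\$name is '$actual', expected '$($entry.Value)'"
    }
}

# Ask the Windows Update Agent for its effective settings and last results.
$au       = New-Object -ComObject Microsoft.Update.AutoUpdate
$settings = $au.Settings
"NotificationLevel         : $($settings.NotificationLevel)  (4 = scheduled installation)"
"ScheduledInstallationDay  : $($settings.ScheduledInstallationDay)  (0 = every day)"
"ScheduledInstallationTime : $($settings.ScheduledInstallationTime):00"
"Last successful search    : $($au.Results.LastSearchSuccessDate)"
"Last successful install   : $($au.Results.LastInstallationSuccessDate)"

if ($problems.Count -gt 0) {
    "Policy mismatches:"
    $problems | ForEach-Object { "  $_" }
} else {
    "Policy matches the expected WSUS configuration."
}

# Start a detection cycle now instead of waiting for the next scheduled one
# (equivalent to running wuauclt /detectnow).
$au.DetectNow()
```

A machine that reports the right registry values but a stale "Last successful search" date is usually pointed at a WSUS URL it cannot reach; check C:\Windows\WindowsUpdate.log for the HTTP error after DetectNow() has run.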

Critical update groups should be processed in this order, because each one is a prerequisite for the next:

  1. Servicing stack update (KB3020369), which the convenience rollup requires; later monthly rollups require the newer servicing stack update KB3177467
  2. Convenience rollup (KB3125574), which brings an SP1 machine to the April 2016 patch level in one step
  3. Monthly security quality rollups (cumulative from October 2016 onward, so only the latest one is needed)
  4. IE cumulative updates