Automation in Patch Management…

One of my areas of work has been handling Patch Management for a number of clients, and with multiple clients everything becomes more complicated to handle.

Therefore I have started to automate as much of Patch Management as possible using PowerShell.

What I have collected in this article will help you set up Maintenance Windows, send emails with a list of downloaded and published updates, and send emails with the status after the updates have completed.

You can choose to go through the article and copy the scripts manually, or you can go to my github and download all the scripts at once.

Link to my GitHub where you find all scripts

Before you start…

You need to have the following already configured in your environment.

  • A number of Collections with devices ready for patches
  • A plan for when you want the Maintenance Windows for each Collection
  • An ADR set up with an Update Package and an Update Group
  • A standard domain user with read rights in MECM and the right to run batch jobs on the server where the Schedule Tasks will run

Note: Your ADR must not create a new Update Group each month; it needs to reuse the existing Update Group for the emails created in steps two and three to work.

Step One – Maintenance Windows

The first thing you need to do, and repeat before every new year, is run a script that sets Maintenance Windows on your Collections.

Script requirements

  • Execute the script on the site server or on a client with the MECM console installed.
  • The user who executes the script needs admin rights in MECM and on the server/client (rights to install PowerShell modules)
  • PowerShell 5.x – 7.x

The script contains a function called “Get-PatchTuesday”, which calculates on which day of the month “Patch Tuesday” falls.

What data you need to run the script:

  • Number of weeks after Patch Tuesday
  • Number of days after Patch Tuesday
  • Start hour
  • Start minute
  • Length in hours (0-23)
  • Length in minutes (0-59)
  • Delete old Maintenance Windows (Yes/No)
  • Allowed in Maintenance Windows (Everything, Task Sequence or Updates only)
  • Collection ID
  • For which month you want your Maintenance Windows (1-12)
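As an added example (not the author's script, which is on their GitHub), here is how the Patch Tuesday calculation and the inputs listed above fit together in PowerShell. The function names are mine; the ConfigurationManager cmdlets and parameters used (`New-CMSchedule`, `New-CMMaintenanceWindow -ApplyTo`, `Get-CMMaintenanceWindow`, `Remove-CMMaintenanceWindow`) are my recollection of the module and should be checked against `Get-Help` in your version. The site code and collection ID are placeholders.

```powershell
# Added example, not the author's script. Assumes the ConfigurationManager
# module (installed with the MECM console) and a site drive; cmdlet parameter
# names are my recollection of the module and should be verified.

function Get-PatchTuesday {
    # Patch Tuesday is the second Tuesday of the month.
    param(
        [Parameter(Mandatory)][ValidateRange(1, 12)][int]$Month,
        [int]$Year = (Get-Date).Year
    )
    $first = [datetime]::new($Year, $Month, 1)
    # Days from the 1st to the first Tuesday (0..6), then one more week.
    $toFirstTuesday = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    return $first.AddDays($toFirstTuesday + 7)
}

function New-PatchMaintenanceWindow {
    # Creates one non-recurring maintenance window on a collection, placed at
    # Patch Tuesday + OffsetWeeks + OffsetDays, starting at StartHour:StartMinute.
    param(
        [Parameter(Mandatory)][string]$CollectionId,
        [Parameter(Mandatory)][ValidateRange(1, 12)][int]$Month,
        [int]$Year = (Get-Date).Year,
        [ValidateRange(0, 4)][int]$OffsetWeeks = 1,
        [ValidateRange(0, 6)][int]$OffsetDays = 0,
        [ValidateRange(0, 23)][int]$StartHour = 20,
        [ValidateRange(0, 59)][int]$StartMinute = 0,
        [ValidateRange(0, 23)][int]$LengthHours = 4,
        [ValidateRange(0, 59)][int]$LengthMinutes = 0,
        # Any = everything, SoftwareUpdatesOnly = updates only, TaskSequencesOnly = task sequences
        [ValidateSet('Any', 'SoftwareUpdatesOnly', 'TaskSequencesOnly')][string]$ApplyTo = 'SoftwareUpdatesOnly',
        [switch]$DeleteOld
    )
    if ($LengthHours -eq 0 -and $LengthMinutes -eq 0) {
        throw 'The maintenance window length must be greater than zero.'
    }
    $patchTuesday = Get-PatchTuesday -Month $Month -Year $Year
    $start = $patchTuesday.AddDays($OffsetWeeks * 7 + $OffsetDays).AddHours($StartHour).AddMinutes($StartMinute)
    $end   = $start.AddHours($LengthHours).AddMinutes($LengthMinutes)
    if ($start -lt (Get-Date)) {
        Write-Warning "Window for $CollectionId starts in the past ($start); skipping."
        return
    }
    if ($DeleteOld) {
        # Remove every existing window on the collection before adding new ones.
        Get-CMMaintenanceWindow -CollectionId $CollectionId | ForEach-Object {
            Remove-CMMaintenanceWindow -CollectionId $CollectionId -MaintenanceWindowName $_.Name -Force
        }
    }
    $schedule = New-CMSchedule -Start $start -End $end -Nonrecurring
    $name = 'MW {0:yyyy-MM-dd HH:mm} ({1}h{2}m)' -f $start, $LengthHours, $LengthMinutes
    New-CMMaintenanceWindow -CollectionId $CollectionId -Name $name -Schedule $schedule -ApplyTo $ApplyTo
}

# Usage: load the module, switch to the site drive, then create one window per month.
# Old windows are deleted only on the first iteration so the twelve new ones survive.
# (Site code 'P01' and collection id 'P0100042' are placeholders.)
Import-Module ($env:SMS_ADMIN_UI_PATH.Substring(0, $env:SMS_ADMIN_UI_PATH.Length - 5) + '\ConfigurationManager.psd1')
Set-Location 'P01:'
1..12 | ForEach-Object {
    New-PatchMaintenanceWindow -CollectionId 'P0100042' -Month $_ -OffsetWeeks 1 -OffsetDays 2 `
        -StartHour 20 -StartMinute 0 -LengthHours 4 -ApplyTo SoftwareUpdatesOnly -DeleteOld:($_ -eq 1)
}
```

The two checks worth keeping whatever your own script looks like are the zero-length guard (a window of 0h0m is accepted by the cmdlet but never lets anything install) and the past-date guard, which stops a run in, say, March from silently creating January and February windows that will never open.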

Step Two – Send-UpdateDeployedMail.ps1

This script generates and sends an email giving the recipient a list of the downloaded and published Microsoft Updates in a specified Update Group, with hyperlinks to each KB article.

This script should be executed x days after Patch Tuesday and before the Maintenance Windows become active.

To run Send-UpdateDeployedMail.ps1 you need PowerShell 7.x installed. The script uses a module called “Send-MailKitMessage”. You also need the MECM console installed, or you execute the script on the site server.

The server where you execute the script needs to be white-listed in your Exchange.

Things you need to configure in the script…

  • LimitDays – How many days back in time you want the script to check for updates
  • Sitecode – Your site code
  • UpdateGroupName – Your Update Group
  • EmailFrom – Your no-reply address
  • Email_Error – If the script can't find any updates downloaded or published within your LimitDays, it sends an email to this group or user to notify them of a problem
  • Email_Success – The group or user that receives the email
  • SMTP – Your SMTP server
  • Portnumber – The port number of your SMTP server (default 25)
  • Customer – The company name

You also need to customize the email, and for that you need some HTML knowledge (you can find most of it on Google 🙂).

Script requirements

  • Powershell 7.x
  • Configuration Manager Powershell Module
  • Server/client white-listed in your MailServer
  • logo.png (optional)
  • Module Send-MailKitMessage
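The following is an added example of the step-two flow, not the author's Send-UpdateDeployedMail.ps1: it collects the updates in the group posted within LimitDays, builds the HTML table with KB links, and sends it to the success or error address accordingly. It assumes the ConfigurationManager module is loaded with the site drive selected and that the Send-MailKitMessage module is installed; the `Get-CMSoftwareUpdate` properties (`DatePosted`, `IsContentProvisioned`, `IsDeployed`, `ArticleID`, `LocalizedDisplayName`) and the `Send-MailKitMessage` parameters are my recollection and should be verified with `Get-Help`. All addresses and names are placeholders.

```powershell
# Added example, not the author's Send-UpdateDeployedMail.ps1. Requires the
# ConfigurationManager module loaded and the site drive selected, plus the
# Send-MailKitMessage module (PowerShell 7). Cmdlet property and parameter
# names are my recollection and should be checked against Get-Help.
Import-Module Send-MailKitMessage

function Get-RecentUpdatesHtml {
    # Returns an HTML table of updates in the group that were posted within
    # LimitDays and are both downloaded and deployed, or $null if there are none.
    param(
        [Parameter(Mandatory)][string]$UpdateGroupName,
        [ValidateRange(1, 365)][int]$LimitDays = 7
    )
    $since = (Get-Date).AddDays(-$LimitDays)
    $updates = Get-CMSoftwareUpdate -UpdateGroupName $UpdateGroupName -Fast |
        Where-Object { $_.DatePosted -ge $since -and $_.IsContentProvisioned -and $_.IsDeployed }
    if (-not $updates) { return $null }

    $rows = foreach ($u in ($updates | Sort-Object DatePosted -Descending)) {
        # Titles come from the update catalog, not from us: HTML-encode them so
        # the mail client renders them as text rather than as markup.
        $title = [System.Net.WebUtility]::HtmlEncode([string]$u.LocalizedDisplayName)
        # Only build a support.microsoft.com link from a purely numeric article id.
        $kb = if ("$($u.ArticleID)" -match '^\d+$') {
            "<a href=""https://support.microsoft.com/help/$($u.ArticleID)"">KB$($u.ArticleID)</a>"
        } else {
            [System.Net.WebUtility]::HtmlEncode("$($u.ArticleID)")
        }
        '<tr><td>{0}</td><td>{1}</td><td>{2:yyyy-MM-dd}</td></tr>' -f $kb, $title, $u.DatePosted
    }
    return "<table><tr><th>KB</th><th>Title</th><th>Posted</th></tr>$($rows -join '')</table>"
}

function Send-PatchMail {
    param(
        [Parameter(Mandatory)][string]$From,
        [Parameter(Mandatory)][string[]]$To,
        [Parameter(Mandatory)][string]$Subject,
        [Parameter(Mandatory)][string]$HtmlBody,
        [Parameter(Mandatory)][string]$SmtpServer,
        [int]$Port = 25
    )
    # Send-MailKitMessage takes MimeKit address objects rather than plain strings.
    $recipients = [MimeKit.InternetAddressList]::new()
    foreach ($addr in $To) { $recipients.Add([MimeKit.InternetAddress]$addr) }
    Send-MailKitMessage -SMTPServer $SmtpServer -Port $Port -From ([MimeKit.MailboxAddress]$From) `
        -RecipientList $recipients -Subject $Subject -HTMLBody $HtmlBody -UseSecureConnectionIfAvailable
}

# Settings corresponding to the list above (all values are placeholders).
$LimitDays       = 7
$UpdateGroupName = 'Monthly Updates'
$EmailFrom       = 'noreply@example.com'
$EmailError      = 'patch-admins@example.com'
$EmailSuccess    = 'it-staff@example.com'
$Smtp            = 'smtp.example.com'
$Customer        = 'Contoso'

$table = Get-RecentUpdatesHtml -UpdateGroupName $UpdateGroupName -LimitDays $LimitDays
if ($null -eq $table) {
    # Nothing downloaded/published within LimitDays: alert the admins instead of staying silent.
    Send-PatchMail -From $EmailFrom -To $EmailError -SmtpServer $Smtp `
        -Subject "$Customer - no updates found in '$UpdateGroupName' for the last $LimitDays days" `
        -HtmlBody "<p>Check the ADR and the update group <b>$([System.Net.WebUtility]::HtmlEncode($UpdateGroupName))</b>.</p>"
} else {
    Send-PatchMail -From $EmailFrom -To $EmailSuccess -SmtpServer $Smtp `
        -Subject "$Customer - updates deployed this month" `
        -HtmlBody "<html><body><h2>Updates published for $Customer</h2>$table</body></html>"
}
```

Encoding the update titles and only linking numeric article IDs costs two lines and means the mail body can never contain anything but the markup you wrote yourself, even though the titles are data you did not author. The empty-result branch is the part that makes the job observable: a month where the ADR silently produced nothing shows up as an error mail rather than as an absent success mail nobody notices.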

Step Three – Send-UpdateStatusMail.ps1

This script generates an email with information on the success and failure of the updates in a specific Update Group.

To configure the script you need to set:

  • Limitday – Number of days back in time for the deployment
  • Sitecode – Your sitecode
  • UpdateGroupName – Update Group Name
  • EmailFrom – Your no-reply address
  • EmailTo – Group or user address
  • EmailCustomer – Name of Company
  • EmailSMTP – Your smtp-server
  • EmailPort – Your portnumber for mailserver (Default 25)

You also need to customize the email, and for that you need some HTML knowledge (you can find most of it on Google 🙂).

Script requirements

  • Powershell 7.x
  • Configuration Manager Powershell Module
  • Server/client white-listed in your MailServer
  • logo.png (optional)
  • Module Send-MailKitMessage
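As an added example of the step-three query (not the author's Send-UpdateStatusMail.ps1), here is one way to pull the per-collection success and failure numbers for the deployments of an update group and render them as an HTML table, with a flag for anything below a success threshold. It assumes the ConfigurationManager module is loaded with the site drive selected; the `-Summary` output properties (`NumberTargeted`, `NumberSuccess`, `NumberErrors`, `NumberInProgress`, `NumberUnknown`, `CollectionName`, `CreationTime`) are my recollection of `SMS_DeploymentSummary` and should be verified. The update group name and threshold are placeholders, and the resulting HTML is sent with the same `Send-MailKitMessage` call as the step-two mail.

```powershell
# Added example, not the author's Send-UpdateStatusMail.ps1. Assumes the
# ConfigurationManager module loaded with the site drive selected. The -Summary
# property names are my recollection of SMS_DeploymentSummary; verify them.

function Get-UpdateGroupDeploymentStatus {
    # One object per deployment of the update group created within LimitDays.
    param(
        [Parameter(Mandatory)][string]$UpdateGroupName,
        [ValidateRange(1, 365)][int]$LimitDays = 30,
        [ValidateRange(0, 100)][int]$WarnBelowPercent = 90
    )
    $since = (Get-Date).AddDays(-$LimitDays)
    Get-CMSoftwareUpdateDeployment -UpdateGroupName $UpdateGroupName -Summary |
        Where-Object { $_.CreationTime -ge $since } |
        ForEach-Object {
            $targeted = [int]$_.NumberTargeted
            $success  = [int]$_.NumberSuccess
            $failed   = [int]$_.NumberErrors
            # Avoid a divide-by-zero when a collection is empty.
            $pct = if ($targeted -gt 0) { [math]::Round(100 * $success / $targeted, 1) } else { 0 }
            [pscustomobject]@{
                Collection     = [string]$_.CollectionName
                Targeted       = $targeted
                Success        = $success
                Failed         = $failed
                InProgress     = [int]$_.NumberInProgress
                Unknown        = [int]$_.NumberUnknown
                SuccessPercent = $pct
                NeedsAttention = ($failed -gt 0) -or ($pct -lt $WarnBelowPercent)
            }
        }
}

function ConvertTo-StatusHtml {
    # Renders the status objects as an HTML table. Collection names are encoded
    # because they are free text typed into the console by someone else.
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Status)
    if ($Status.Count -eq 0) {
        return '<p>No deployments of this update group were found within the period.</p>'
    }
    $rows = foreach ($s in $Status) {
        $style = if ($s.NeedsAttention) { ' style="background-color:#f8d7da"' } else { '' }
        $name  = [System.Net.WebUtility]::HtmlEncode($s.Collection)
        "<tr$style><td>$name</td><td>$($s.Targeted)</td><td>$($s.Success)</td><td>$($s.Failed)</td>" +
        "<td>$($s.InProgress)</td><td>$($s.Unknown)</td><td>$($s.SuccessPercent)%</td></tr>"
    }
    '<table><tr><th>Collection</th><th>Targeted</th><th>Success</th><th>Failed</th>' +
    '<th>In progress</th><th>Unknown</th><th>Success %</th></tr>' + ($rows -join '') + '</table>'
}

# Usage (placeholder values). The subject line carries the verdict so the
# recipient does not have to open the mail to know whether to act.
$status  = @(Get-UpdateGroupDeploymentStatus -UpdateGroupName 'Monthly Updates' -LimitDays 30 -WarnBelowPercent 90)
$subject = if ($status.NeedsAttention -contains $true) { 'Patch status: ATTENTION needed' } else { 'Patch status: OK' }
$html    = ConvertTo-StatusHtml -Status $status
# $html and $subject then go into Send-MailKitMessage exactly as in step two.
```

Keeping the query in a function that returns objects rather than HTML means the same data can feed the mail, a CSV export, or a console table when you are troubleshooting one collection, and the threshold is a parameter instead of a number buried in the markup.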

Step four – Schedule task to send Mail

In order to send emails at a specific time after Patch Tuesday, I needed to create this script. The built-in Schedule Task triggers didn't have the offset-days feature I needed to get what I wanted.

The only downside right now is that if you deploy updates every month and want an email every month, there will be twelve Schedule Tasks.

Then, once every year, you need to execute the script to remove the old jobs and create new ones, just as with the Maintenance Windows script.

Script requirements

  • Admin rights on the server to add and remove Schedule Tasks
  • A domain user with read rights in MECM; the user must also be granted the right to run batch jobs on the site server.
  • PowerShell 5.x

Note: The script will fail if you run it with PowerShell 7.x; it fails on “-Trigger”.

The parameters you need to provide:

  • Offsetweeks – Weeks after Patch Tuesday
  • OffsetDays – Days after Patch Tuesday
  • AddStarthour – Hour to start the Schedule Task (0-23)
  • AddStartMinutes – Minute to start the Schedule Task (0-59)
  • PatchMonth – Which month to run the Schedule Task (1-12)
  • PatchYear – Which year to run the Schedule Task
  • FolderName – Name of the folder in Schedule Task where the jobs will be created
  • UserName – The user that runs the Schedule Task
  • Execute – pwsh.exe or powershell.exe, or whatever you want to use
  • Scriptpath – Path to the script that the Schedule Task will run
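As an added example (not the author's step-four script), here is a Windows PowerShell 5.1 function that takes the parameters listed above, computes Patch Tuesday plus the offsets for each month, and registers one task per month in the named folder, optionally clearing last year's tasks first. The function and parameter names are mine; the ScheduledTasks cmdlets (`New-ScheduledTaskAction`, `New-ScheduledTaskTrigger -Once`, `Register-ScheduledTask -User/-Password/-RunLevel`, `Unregister-ScheduledTask`) are standard on Windows Server. Account name, folder and script path are placeholders, and the password is prompted for rather than stored.

```powershell
# Added example, not the author's step-four script. Windows PowerShell 5.1
# (ScheduledTasks module). Parameter names mirror the list above; the service
# account credential is prompted for, never kept in the script file.

function Register-PatchMailTasks {
    param(
        [ValidateRange(0, 4)][int]$OffsetWeeks = 1,
        [ValidateRange(0, 6)][int]$OffsetDays = 0,
        [ValidateRange(0, 23)][int]$AddStartHour = 8,
        [ValidateRange(0, 59)][int]$AddStartMinutes = 0,
        [ValidateRange(1, 12)][int[]]$PatchMonth = (1..12),
        [int]$PatchYear = (Get-Date).Year,
        [Parameter(Mandatory)][string]$FolderName,
        [Parameter(Mandatory)][pscredential]$Credential,   # the read-only MECM domain user
        [string]$Execute = 'pwsh.exe',
        [Parameter(Mandatory)][string]$ScriptPath,
        [switch]$RemoveOld
    )
    if (-not (Test-Path -LiteralPath $ScriptPath)) { throw "Script not found: $ScriptPath" }
    $taskPath = "\$FolderName\"

    if ($RemoveOld) {
        # Clear last year's jobs from the folder before creating this year's.
        Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue |
            Unregister-ScheduledTask -Confirm:$false
    }

    # The task runs whatever is at ScriptPath with the service account's rights,
    # so keep the script in a location only administrators can write to.
    $action = New-ScheduledTaskAction -Execute $Execute `
        -Argument "-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File `"$ScriptPath`""
    $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 2)

    foreach ($month in $PatchMonth) {
        # Patch Tuesday = second Tuesday of the month, then add the offsets.
        $first = [datetime]::new($PatchYear, $month, 1)
        $patchTuesday = $first.AddDays((([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7) + 7)
        $runAt = $patchTuesday.AddDays($OffsetWeeks * 7 + $OffsetDays).AddHours($AddStartHour).AddMinutes($AddStartMinutes)
        if ($runAt -lt (Get-Date)) {
            Write-Warning "Skipping $($runAt.ToString('yyyy-MM-dd HH:mm')): already in the past."
            continue
        }
        $trigger  = New-ScheduledTaskTrigger -Once -At $runAt
        $taskName = 'PatchMail-{0}-{1:D2}' -f $PatchYear, $month
        # -User/-Password makes the task run whether the user is logged on or not,
        # which is what needs the "log on as a batch job" right mentioned above.
        # -RunLevel Limited keeps the job from running elevated.
        Register-ScheduledTask -TaskName $taskName -TaskPath $taskPath -Action $action -Trigger $trigger `
            -Settings $settings -User $Credential.UserName `
            -Password $Credential.GetNetworkCredential().Password -RunLevel Limited | Out-Null
        [pscustomobject]@{ Task = "$taskPath$taskName"; RunAt = $runAt }
    }
}

# Usage (placeholders): run before the new year, prompt for the service account
# password, and create one task per month for the coming year.
Register-PatchMailTasks -OffsetWeeks 1 -OffsetDays 2 -AddStartHour 8 -PatchYear ((Get-Date).Year + 1) `
    -FolderName 'PatchManagement' `
    -Credential (Get-Credential -UserName 'CONTOSO\svc-patchmail' -Message 'Task account') `
    -Execute 'pwsh.exe' -ScriptPath 'C:\Scripts\Send-UpdateDeployedMail.ps1' -RemoveOld
```

Two choices in the block follow from the requirements list above: the task account is the read-only MECM user rather than an administrator, and it is registered with `-RunLevel Limited`, so a problem in the mail script cannot do more than that account can. `-StartWhenAvailable` covers the case where the server was rebooting at the trigger time, which is exactly the situation you are in right after a patch window.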

