Powershell - Loop Install of Available Software Updates (SCCM)

Question

I have the below script which I am using to run on critical desktop clients to install all available updates (quarterly) that have been deployed by SCCM.

As some deployed updates only become available when other dependent updates have been installed the script is stopping before the reboot.

I ideally want it to loop and continue to install all available updates until all have installed and then proceed to automatically reboot.

Any ideas?

Add-Type -AssemblyName PresentationCore, PresentationFramework

switch (
  [System.Windows.MessageBox]::Show(
    'This action will download and install critical Microsoft updates and may invoke an automatic reboot. Do you want to continue?',
    'WARNING',
    'YesNo',
    'Warning'
  )
) {
 'Yes' 
 {
Start-Process -FilePath "C:\Windows\CCM\ClientUX\scclient.exe" "softwarecenter:Page=InstallationStatus"
$installUpdateParam = @{
        NameSpace = 'root/ccm/ClientSDK'
        ClassName = 'CCM_SoftwareUpdatesManager'
        MethodName = 'InstallUpdates'
    }

    $getUpdateParam = @{            
        NameSpace = 'root/ccm/ClientSDK'
        ClassName = 'CCM_SoftwareUpdate'
        Filter = 'EvaluationState < 8'
    }       

    [ciminstance[]]$updates = Get-CimInstance @getUpdateParam

    if ($updates) {
        Invoke-CimMethod @installUpdateParam  -Arguments @{ CCMUpdates = $updates } 

        while(Get-CimInstance @getUpdateParam){
            Start-Sleep -Seconds 30
        }
    }

    $rebootPending = Invoke-CimMethod -Namespace root/ccm/ClientSDK -ClassName CCM_ClientUtilities -MethodName DetermineIfRebootPending
    if ($rebootPending.RebootPending){
        Invoke-CimMethod -Namespace root/ccm/ClientSDK -ClassName CCM_ClientUtilities -MethodName RestartComputer
    }
    'No' 
    #  Exit-PSSession
  }
}

Answer 1

Hello @therway

It is unclear what may make the script to stop.

I would recommend to enable Verbose output by adding $VerbosePreference="Continue" variable.

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/write-verbose?view=powershell-7.2

This would help to add depth of the running tasks and where it may stop.

Hope this helps with your query,

--------
--If the reply is helpful, please Upvote and Accept as answer--

Answer 2

If you reboot the machine you're going to terminate the connection, and with that the pipeline, from the local machine to the machine that's rebooted.

You can use the Restart-Computer cmdlet with the -Wait and -Timeout to avoid that.

Answer 3

the script is stopping before the reboot.

Are you sure it's stopping? This looks like a potential infinite loop.

 while(Get-CimInstance @getUpdateParam){
             Start-Sleep -Seconds 30
         }

Does SCCM have a log somewhere that records the value of EvaluationState as updates are installed? You could also add a counter in there so that if you've been sleeping longer than say 20 minutes, to break out of that loop and go ahead and check the reboot status.

I implemented patching on our Windows servers, but we used WSUS and the COM interface to Windows Update. What I found was that the "second set of patches" didn't show up until the pending ones were installed and AFTER the reboot had occurred. To account for that, our script created a scheduled task to run at startup time to perform what I termed "phase 2". The script would again do any patch installs, delete the phase 2 scheduled task and then reboot a second time if necessary.

I don't know how SCCM works but you may have to use the scheduled task technique to get everything installed. All of our scripts ran as the SYSTEM account (via the task scheduler) and there was no interactive user interface. If you schedule a script to run ONSTART, you can't display a message box. You don't have a user. Might need a second script.

Answer 4

I ran into the same issue with the above script, I put "Start-Sleep -Seconds 60" on line 35 before checking for pending reboots and it seems to work fine.