SCVMM : Automatic Baseline update script

SCVMM (System Center: Virtual Machine Manager) 2012 and 2012R2 can manage the patch compliance on your servers. That’s a great feature but normally involves some manual work as you have to add each update to the Baselines manually.

My colleague Mikael Nyström (MVP)  made a script to handle this automatically, which I’ve developed a bit further.

The script has a few Pre-Requisites;

  • A WSUS Server defined in SCVMM
  • Approved patches for “Windows Server 2012” and “Windows Server 2012 R2” in WSUS
  • Pre-Defined Baselines (you can use Add-Baseline to create them) with these names;
    • Security Updates
    • Critical Updates
    • Updates
    • Update Rollups

That’s it! You can now run the script and automatically import all matching updates.

The following actions will be performed;

  • Synchronize updates with WSUS
  • Check if there are any updates in the Baseline already
    • If the baseline is empty, import ALL matching updates
    • If the baseline is NOT empty, check the Newest 500 updates and import all matching updates
  • Remove inactive updates
  • Repeat for all Baselines
  • Start a compliance scan

The script will not initiate any remediation. And as the script normally only checks the newest 500 updates, it has to be run fairly regular. In my environment, 500 updates is about 1 month of updates. Though to be safe, run it once a week.

11 thoughts on “SCVMM : Automatic Baseline update script”

  1. I’v approved the updates in WSUS and synced but noting gets to baselines.
    Checked the updates in VMM with Get-SCUpdate and there they are all IsApproved = False.
    If i manualy add an update to a baseline i can see with get-scupdate that it changes to IsApproved = true.

    What am i missing ?

  2. It could be this line (54);
    $LatestUpdates = Get-SCUpdate -Newest 500 | Where-Object -Property UpdateClassification -EQ -Value $BaseLineName | Where-Object -Property IsApproved -Like -Value “True” | Where-Object -Property IsDeclined -Like -Value “False”| Where-Object -Property IsExpired -Like -Value “False” | Where-Object -Property IsSuperseded -Like -Value “False” | Where-Object -Property Products -like “*Windows Server 2012*”

    It’s only checking the latest 500 updates in WSUS. And if there are no “Windows Server 2012*” updates in the last 500 (can be a lot of anti-virus definition updates) it won’t import anything. And if you don’t run the script often enough, it may miss updates due to that.

    So I’ve changed that in my production environment to look like this;

    $LatestUpdates = Get-SCUpdate | Where-Object -Property UpdateClassification -EQ -Value $BaseLineName | Where-Object -Property IsApproved -Like -Value “True” | Where-Object -Property IsDeclined -Like -Value “False”| Where-Object -Property IsExpired -Like -Value “False” | Where-Object -Property IsSuperseded -Like -Value “False”

    So it’s importing all updates for all products and not just checking the last 500.
    Also as I noticed it would be miss for example IE and .NET Framework updates.

  3. I found the issue, at least i think.
    If i do a Start-SCUpdateServerSynchronization it says it syncing but IsApproved status doesn’t update in vmm (get-scupdate). But if i do Start-SCUpdateServerSynchronization -ForceFullUpdateCatalogImport the IsApproved status is uppdated from Wsus.
    Tried a couple og updates and I’m able to reproduce the issue every time.

  4. I’m sorry Patrik but I’ve not been able to reproduce the problem in three different environments, or find any relevant logfiles to dig deeper into. Sorry 🙁

  5. Ok, well the workaround works for me. Too bad I couldn’t get confirmation that it wasn’t me that was doing someting wrong but. Might to some more test installs in different ways just for fun. Will let you know if I get different results.

  6. Tried as vanilla as possible but still same result. Giving up and using full sync. But for reference if anyone else is searching and finds this post.

    Get-SCUpdate -KBArticle 2884846 = False

    Get-SCUpdateServer | Start-SCUpdateServerSynchronization

    Get-SCUpdate -KBArticle 2884846 = False

    Get-SCUpdateServer | Start-SCUpdateServerSynchronization -ForceFullUpdateCatalogImport

    Get-SCUpdate -KBArticle 2884846 = True

  7. Hi there.
    Thank you for this solution. It works with my SCVMM 2012 R2.

    I would like to schedule this script but it doesn’t work properly (Task Scheduler is configured to run this script as SYSTEM).
    TS returns 0 (success) after running task manually, but SCVMM Jobs doesn’t show any changes….

    Any ideas how to Schedule it?

Leave a Reply