Powershell: How to maintain PowerShell in an Enterprise environment?

Created on 8 May 2019 · 9Comments · Source: PowerShell/PowerShell

_[NOTE: This is only about software provided by Microsoft, not anything by 3ed party or community provided]_

How to properly install and keep PowerShell up to date with the latest patches and updates

The documentation today tell how to do the initial installation in different ways depending on the platform, but there is no info on how to keep PowerShell up-to-date.

How do you manage, support, maintain and keep a PowerShell core up-to-date in a an enterprise environment?

There's need for a architectural overview on the life-cycle of the PowerShell Core runtime, as well as different modules.
- Exactly what is Powershell Core?
  - Is it "part of" the Windows operating system?
  - What is the support lifetime for PowerShell Core?
  - What about modules? Will the be around or can they be dropped without support at anytime without notice?
- Exactly how does powerShell core relate to WindowsPowershell?
  - When do Microsoft recommend Powershell Core (and when not) to be used?
  - When do Microsoft recommend WindowsPowerShell (and when not) to be used?
  - Is Windows Powershell still something Microsoft invest in, or is the way forward Powershell Core?
  - Will all Microsoft products, services, servers and so on provide cmdLets for both Windows PS and PS Core?
- What are the ambitions of PowerShell Core?
  - Will PS Core in the long run get all the features of Windows PS (like -Computerparameter, workFlows and so on)
  - Will PS Core replace Windows PS in the OS?
- Best practises for different scenarios of using, running, deploying and maintaining PS Core in a heterogeneous enterprise environment.
  We need to know not only only one way to make something work, but what is the intended way of using things, else it is way too risky to setup and implement it in a an enterprise environment where you have 10s of thousands of machines all over the world. You need to know that you do things the correct way, and the way things are intended to be done (as opposed to the way some guy on StackOverflow might have gotten something to work on "his machine").
There need to be information on how updates and patches are provided and distributed?
- Will they show up in Windows Update?
- Are we to manually check some resource for security and update information?
- OR what?
What are the recommended way of updating Powershell Core in an enterprise environment, where you have installations on multiple servers running different versions of Windows and other OS:es, as well as multiple clients running different versions windows. And where the OS on both servers and clients might be in different languages, cultures and time-Zones?
- Should you push out updates with SCCM/WSUS (or something similar)?
  If not here, than how do you get critical security updates and make sure you don't miss anything?
- Should you somehow run PowerShell commands on each individual machine (like Update-Module or something like that)? If so what is the recommended way of doing so?
How do you manage updates of modules that don't work with Update-Module (like for example PowerShellGet)?
How do you get/install/update the correct/latest documentation/help on all machines (for example, the help for Find-Module ends with this "Get-Help cannot find the Help files for this cmdlet on this computer. It is displaying only partial help.", still, Update-Help makes no difference, but when -Online is used, you are presented with this web page, which has the complete help: https://docs.microsoft.com/en-us/powershell/module/PowershellGet/Find-Module?view=powershell-5.1)?

Area-Maintainers-Documentation Issue-Question

Source

Bartolomeus-649

👍2

Most helpful comment

I have to agree with this request. I can easily install Powershell 7 on a system with an MSI. However, how do I ensure that it updates to 7.01 after it is released? How do I ensure that it is properly patched? We use SCCM but could use Windows Update or WSUS. I prefer the upgrades and updates to come through those channels.

JoelMiller74 on 17 Jun 2020

👍3

All 9 comments

Some information about the support life cycle can be found here: https://docs.microsoft.com/en-us/powershell/scripting/powershell-support-lifecycle?view=powershell-6

Some information about security issue announcements can be found here:
https://github.com/PowerShell/Announcements

Also see this blog about PowerShell 7: https://devblogs.microsoft.com/powershell/the-next-release-of-powershell-powershell-7/

Hopefully this answers some of your questions.

adityapatwardhan on 10 May 2019

👎2

I can not see any info on how WSUS/SCCM will pick up any updates, patches or security fixes. I can't even find a clear process on how you manually, on a single computer install, manage, patch, upgrade and keep a PowerShell installation up to date.

It looks like v7 might be more structured and adapted for an enterprise environment, because we can't have a guy surfing around and google to find out what's going on and if there's a new patch or something. Also, PowerShell without modules becomes dull quickly, but there need to be the same level of support, predictability, documentation and consistency as with PowerShell itself.
It need to be crystal clear which modules are supported, endorsed and maintained by Microsoft.

Bartolomeus-649 on 10 May 2019

👍2

Earlier MSFT team announced that they will publish updates in Windows Update channel but I never saw them there https://www.catalog.update.microsoft.com/Search.aspx?q=PowerShell%20Core
It is true for .Net Core too.

iSazonov on 11 May 2019

I am not a Microsoft employee

@Bartolomeus-649

I can't even find a clear process on how you manually, on a single computer install, manage, patch, upgrade and keep a PowerShell installation up to date.

I understand what you want but PowerShell 6+ is now a normal software that can be download as a MSI or ZIP (to manage multiversion on the same system).
How do you handle 3rd parties softwares update with SCCM ?

Have you got issue with the current documentation ? Installing PowerShell Core on Windows

because we can't have a guy surfing around and google to find out what's going on and if there's a new patch or something

In Europe, with GDPR, it's now a real job :)
As a workaround, Github has a option to be notified for each release on this repository.
Chocolatey is also compatible with SCCM and has a business options

It need to be crystal clear which modules are supported, endorsed and maintained by Microsoft.

There is a property on module to check that :
Get-Module -ListAvailable | Where { $_.ModuleBase -like "$env:windir\*" -and $_.CompatiblePSEditions -contains "Core" }

I found 61/110 modules on Windows 10 20TH1 with administrative tools installed.
Source : Windows PowerShell Module | Modules with compatible PowerShell Editions

I think until PowerShell is bring with Windows (as an optional features first), you have to wait. I'm surprised you don't ask for GPO settings too because it's another problem for an enterprise deployement.

In a Windows 10 or Windows Server environment, I prefer to stay with Windows PowerShell.

fMichaleczek on 12 May 2019

I'm surprised you don't ask for GPO settings too because it's another problem for an enterprise deployement.

Discussed here https://github.com/PowerShell/PowerShell-RFC/pull/111

iSazonov on 12 May 2019

In a Windows 10 or Windows Server environment, I prefer to stay with Windows PowerShell.

@fMichaleczek Please open new issue with feedback why you prefer Windows PowerShell.

iSazonov on 12 May 2019

@iSazonov I prefer the latest version :) So I can't provide feedback. Let's me give you a more detailed response.

In corporate environment, for my customers who want to have a full support from Microsoft Premier, my advice for a massive deployment is to wait PowerShell Core is part of Windows (and by consequence updated throught WSUS / SCCM, declared to AMSI, GPO implemented , firewall rules declared for PSRemoting). This is the bare minimum for them to be reassuring.

As I see it, some old Microsoft customers have a particular mindset and this situation is a consequence of years of lobbying against FOSS ... So don't think it will change until a moment.

In my opinion, the issue is around integration in Windows, not PowerShell by itself.

fMichaleczek on 14 May 2019

👍2

I am not a Microsoft employee

@Bartolomeus-649

I can't even find a clear process on how you manually, on a single computer install, manage, patch, upgrade and keep a PowerShell installation up to date.

I understand what you want but PowerShell 6+ is now a normal software that can be download as a MSI or ZIP (to manage multiversion on the same system).
How do you handle 3rd parties softwares update with SCCM ?

How about smaller environments which only have a WSUS server but don't have SCCM?
As far as I understand it, Powershell Core is a Microsoft product, even if it is open source. I don't see any point in not updating it via Microsoft Update.

That way:

updates are found easily without searching on web sites for new releases
the administrator can see whether all PCs and servers are on a patched version
updates can be installed without logging onto each PC to start an update (normal user accounts shouldn't have admin permissions) or trying to automate it with GPO startup scripts

I would like to use the new PowerShell Core, but without a proper update management I won't install it in our environment. Not every user is a DevOp that updates his own PC.

I just saw that on linux, Powershell can be installed by apt-get: https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-core-on-linux?view=powershell-7#ubuntu-1804
I assume that updates will also be found by apt-get update?

_Why are updates for a Microsoft product easier on linux than on Windows?_