Special PowerShell script — PSWindowsUpdate is a great way to run Windows updates remotely from the command line on a separate computer. The PSWindowsUpdate module is not built into Windows and it is a third-party module available in the PowerShell Gallery. PSWindowsUpdate allows administrators to remotely check for updates on computers and workstations, install, remove and hide certain updates. The PSWindowsUpdate module is especially valuable when used to manage Windows updates in the Core editions of Windows Server, which do not have a graphical interface, as well as when setting up a Windows image in audit mode.
In this article, we will use Powershell for patch management. I will show a Powershell script to install Windows updates remotely also you will find another module that helps to get a list of all the missing Windows updates, as well quick guide on how to push Windows Updates remotely on multiple computers using Action1 security patch management feature.
How to update Windows using PSWindowsUpdate?
Before diving into remote update management, understanding Windows’ built-in update tools is essential, as these form the foundation for both local and remote update processes. Updating Windows can be a daunting task for many users, and understandably so. Update failures can potentially impact system stability, leading many to delay these crucial updates.
However, there’s a reliable method using Windows’ built-in tools—specifically PowerShell with its PSWindowsUpdate module—that can make the process more manageable, efficient, and secure, giving you greater control over update installation while minimizing the risk of system complications.
We’ve prepared a comprehensive, step-by-step guide to help you navigate this process effectively. Whether you’re managing a single computer or multiple systems, these guides will help you implement Windows updates safely and efficiently. Before proceeding with the installation steps, review these PSWindowsUpdate compatibility requirements:
-
Windows 11/10: Full support
-
Windows Server 2022/2019/2016: Full support
-
Windows Server 2012 R2: Limited support (requires PowerShell 5.1)
Step1. Installing the Update Management Module PsWindowsUpdate
If your computer is currently using Windows 10/11, you can install the PSWindowsUpdate module from the online repository via the Package Manager PackageManagement with just one command:
Install-Module -Name PSWindowsUpdate
You have and a second option to install the PSWindowsUpdate module manually.
-
Download the latest version of the PSWindowsUpdate module from the PowerShell Gallery: https://www.powershellgallery.com/packages/PSWindowsUpdate/2.2.1.5 and unblock the downloaded file.
-
Unpack the archive with the module into one of the %USERPROFILE% \ Documents \ WindowsPowerShell \ Modules or% WINDIR% \ System32 \ WindowsPowerShell \ v1.0 \ Modules directories (using the module permanently is the best option).
-
Allow script execution: Set-ExecutionPolicy RemoteSigned
-
Now you can import a module into your PowerShell session: Import-Module PSWindowsUpdate
If you installed the Windows Update Management Module on your computer, you can install it remotely on other computers and / or servers. Use this script to copy the module to the two specified remote servers:
$Targets = “PC1-name”, “PC2-name”
Invoke-Command ($Targets) { If ($null -eq (Get-Module -Name PSWindowsUpdate -ListAvailable) ) { Install-PackageProvider -Name NuGet -MinimumVersion 3.0.0.1 -Force Install-Module PSWindowsUpdate -Force Import-Module PSWindowsUpdate } }
Step 2. Overview Module PSWindowsUpdate Commands
The list of available cmdlets for the module can be displayed as:
Get-Command-Module PSWindowsUpdate
Briefly describe the purpose of the module commands:
Get-WindowsUpdate — an alias for Get-WUList.
Hide-WindowsUpdate — alias for Hide-WUUpdate.
Install-WindowsUpdate — alias for Get-WUInstall.
Uninstall-WindowsUpdate — alias for Get-WUUninstall.
Add-WUOfflineSync — the function allows you to install updates from the local cache using the file wsusscan.cab or wsusscn2.cab.
Add-WUServiceManager — register the update server on a computer.
Get-WUHistory — displays a list of installed updates.
Get-WUInstall is the main cmdlet of the PSWindowsUpdate module. Allows you to download and install updates from the server WSUS or Microsoft Update. Allows you to select categories of updates, specific updates and specify the rules for restarting the computer when installing updates.
Get-WUInstallerStatus — check the status of the Windows Installer service.
Get-WURebootStatus — allows you to check whether a reboot is necessary to apply a specific update.
Get-WUList — lists the updates that meet the specified criteria, allows you to find and install the desired update.
Get-WUServiceManager — check for update sources.
Get-WUUninstall — cmdlet allows you to remove a specific update by KB ID.
Hide-WUUpdate — allows you to hide certain updates from the installation.
Invoke-WUInstall — manage remote installation of updates.
Remove-WUOfflineSync — remove offline scan source.
Remove-WUServiceManager — remove update server.
Step 3. Get a List of Available Updates for the Computer
List the available updates for your computer on the update server:
Get-WUInstall -ListOnly
To check the list of available updates on a remote computer, run:
Get-WUList –ComputerName server2
You can check where your Windows should get updates from. Run the command:
Get-WUServiceManager
ServiceID IsManaged IsDefault Name
As you can see, the computer is configured to receive updates from the local WSUS and Windows Update service. If you want to scan your computer on Microsoft Windows Update servers (besides Windows updates, these servers contain Office updates and other products) on the Internet, run the following command:
Get-WUinstall -MicrosoftUpdate –ListOnly
You get a warning:
Can’t find registered service Microsoft Update. Use Get-WUServiceManager to get registered service.
To enable scanning on Microsoft Update, run the following command:
Add-WUServiceManager -ServiceID “7971f918-a847-4430-9279-4a52d1efe18d” -AddServiceFlag 7
Now you can perform a scan on Microsoft Update.
To remove certain products or specific packages from the list of updates your computer receives, you can exclude them by:
-
Categories (-NotCategory);
-
Name (-NotTitle);
-
Update number (-NotKBArticleID).
For example, exclude from the list of updates for drivers, OneDrive, and one specific KB:
Get-WUInstall -NotCategory “Drivers” -NotTitle OneDrive -NotKBArticleID KB4011670 -ListOnly
What is the Script to Install Windows Updates Remotely in PsWindowsUpdate?
To automatically download and install all available updates for your operating system, run:
Get-WUInstall -AcceptAll –IgnoreReboot
The AcceptAll key includes installation approval for all packages, and IgnoreReboot suppresses automatic restarts of Windows after installing updates.
Some users prefer to install updates and auto reboot the system; in such a case, use the same command, just write at the end –AutoReboot.
Get-WUInstall -AcceptAll –AutoReboot
You can install only specific update packages:
Get-WUInstall -KBArticleID KB4011670,KB4456655 –AcceptAll
If you want to remove some updates from the installation list, run:
Get-WUInstall -NotCategory “Drivers” -NotTitle OneDrive -NotKBArticleID KB4011670 -AcceptAll -IgnoreReboot
To automate the installation of updates with exceptions on multiple computers, you can use the following script:
PowerShell -ExecutionPolicy RemoteSigned -Command Import-Module PSWindowsUpdate; Get-WUInstall -NotCategory “Language packs” -NotTitle OneDrive -NotKBArticleID KB4011670 -AcceptAll –IgnoreReboot
The module allows you to remotely start the installation of updates on several computers at once or on a server (the PSWindowsUpdate module should be present on the computers). This is especially convenient, as it allows the administrator not to go manually to all servers during the scheduled installation of updates. The following command will install all available updates on three remote servers:
Invoke-WUInstall -ComputerName server1, server2, server1-Script {ipmo PSWindowsUpdate; Get-WUInstall -AcceptAll -AutoReboot | Out-File C:\Windows\PSWindowsUpdate.log } -Confirm:$false -Verbose -SkipModuleTest –RunNow
How to View the Windows Update History?
Using the Get-WUHistory command, you can get a list of updates installed on your computer earlier. You can get information about the date of installation of a specific update:
Get-WUHistory| Where-Object {$_.Title -match “KB4011*”} | Select-Object *|ft
To obtain information about the presence of an installed update on several remote computers, you can use the following code:
“server1”,“server2” | Get-WUHistory| Where-Object {$_.Title -match “KB4011634”} | Select-Object *|ft
How to uninstall updates via PowerShell script?
To remove updates, use the Remove-WindowsUpdate cmdlet. You only need to specify the KB number as an argument to the KBArticleID parameter. To postpone the automatic restart of the computer, you can add the –NoRestart key:
Remove-WindowsUpdate -KBArticleID KB4011634 -NoRestart
How to Hide Unnecessary Updates Using Powershell?
You can hide certain updates so that they are never installed by Windows Update on your computer. For example, to hide the KB4011670 and KB4456655 updates, run the following commands:
$HideList = “KB4011670”, “KB4456655”
Hide-WindowsUpdate -KBArticleID $HideList –Hide
The next time you scan for updates using the Get-WUInstall –ListOnly command, hidden updates will not be displayed in the list of patches available for installation.
You can list the updates that are hidden on this computer as follows:
Get-WindowsUpdate -IsHidden
To remove updates from hidden, run:
Hide-WindowsUpdate -KBArticleID $HideList -Hide:$false
Which is the script to list of all the missing windows updates in PowerShell?
To list all of the missing Windows updates in PowerShell, just use the following one-liner:
(New-Object -ComObject Microsoft.Update.Session).CreateupdateSearcher().Search(“IsHidden=0 and IsInstalled=0”).Updates | Select-Object Title
Voilà; it is really that simple. Now, you will see all of the missing Windows updates on your system.
How to Install Windows Updates Using Action1?
Using the Action1 platform, you can install all of the missing Windows updates across your entire network. Wondering how to do it? Just follow these steps after you have signed up for Free:
Step 1: Enter AD Domain in Discovery Settings
Step 2: See All Managed Computers
Action1 will automatically find all domain computers and show them in the list of managed endpoints:
Step 3: Review Available and Missing Updates
Navigate to Patch Management to see the entire list of all patches and updates available for all computers on your entire network. To ease your work, Action1 combines all types of updates, including both Windows feature updates and third-party updates (such as Google Chrome, Dropbox etc), into one uniform view.
Step 4: Option 1 — Install Missing Updates Immediately or Later
Select one or more computers to update and click Deploy Update in the list of actions. You will then be prompted to deploy immediately or schedule at a later time.
Step 5: Option 2 — Approve Updates for Deployment
For more streamlined workflow, you can approve updates for deployment at pre-configured maintenance windows, such as over the weekend or during non-business hours, to avoid disrupting your users.
Action1 is the only Autonomous Endpoint Management Solution you will ever need!
Action1 reinvents patching with an infinitely scalable, highly secure, cloud-native platform configurable in 5 minutes — it just works and is always free for the first 200 endpoints, with no functional limits. Featuring unified OS and third-party patching with peer-to-peer patch distribution and real-time vulnerability assessment with no VPN needed, it enables autonomous endpoint management that preempts ransomware and security risks, all while eliminating costly routine labor. Trusted by thousands of enterprises managing millions of endpoints globally, Action1 is certified for SOC 2 and ISO 27001.
The company is founder-led by industry veterans Alex Vovk and Mike Walters, who founded Netwrix, which has grown into a multi-billion-dollar industry-leading cybersecurity company.
