The PSWindowsUpdate PowerShell module is a great way to run Windows updates remotely from the command line on a separate computer. PSWindowsUpdate is not built into Windows; it is a third-party module available in the TechNet Script Gallery. It allows administrators to remotely check for updates on computers and workstations and to install, remove and hide certain updates. The module is especially valuable for managing Windows updates on the Core editions of Windows Server, which do not have a graphical interface, and when setting up a Windows image in audit mode.
In this article, we will use PowerShell for patch management. I will show a PowerShell script to install Windows updates remotely, another module that helps to get a list of all the missing Windows updates, and a quick guide on how to push Windows updates remotely to multiple computers using the Action1 security patch management feature.
Using Built-in Tools:
1. Installing the Update Management Module PSWindowsUpdate
If you have Windows 10 installed, you can install the PSWindowsUpdate module from the online repository using the PackageManagement package manager with just one command:
Install-Module -Name PSWindowsUpdate
If you have an older version of Windows (Windows 7 / 8.1 / Windows Server 2008 R2 / 2012 R2) or do not have direct Internet access, you can install the PSWindowsUpdate module manually.
This module can be installed on any supported version of Windows, starting with Vista / Windows Server 2008 with PowerShell 2.0 installed (PowerShell 3.0 or higher is recommended).
- Download the latest version of the PSWindowsUpdate module from the page https://gallery.technet.microsoft.com/scriptcenter/2d191bcd-3308-4edd-9de2-88dff796b0bc and unblock the downloaded file.
- Unpack the archive with the module into one of the directories %USERPROFILE%\Documents\WindowsPowerShell\Modules or %WINDIR%\System32\WindowsPowerShell\v1.0\Modules (the best option if you will use the module permanently).
- Allow script execution: Set-ExecutionPolicy RemoteSigned
- Now you can import the module into your PowerShell session: Import-Module PSWindowsUpdate
# Install PSWindowsUpdate on each remote computer where it is not yet available
$Targets = "PC1-name", "PC2-name"
Invoke-Command -ComputerName $Targets -ScriptBlock {
    if ($null -eq (Get-Module -Name PSWindowsUpdate -ListAvailable)) {
        Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
        Install-Module PSWindowsUpdate -Force
        Import-Module PSWindowsUpdate
    }
}
2. Overview of PSWindowsUpdate Module Commands
The list of available cmdlets for the module can be displayed as:
Get-Command -Module PSWindowsUpdate
A brief description of the purpose of the module commands:
- Get-WindowsUpdate: an alias for Get-WUList.
- Hide-WindowsUpdate: an alias for Hide-WUUpdate.
- Install-WindowsUpdate: an alias for Get-WUInstall.
- Uninstall-WindowsUpdate: an alias for Get-WUUninstall.
- Add-WUOfflineSync: allows you to install updates from the local cache using the file wsusscan.cab or wsusscn2.cab.
- Add-WUServiceManager: registers the update server on a computer.
- Get-WUHistory: displays a list of installed updates.
- Get-WUInstall: the main cmdlet of the PSWindowsUpdate module. It downloads and installs updates from a WSUS server or Microsoft Update, and lets you select categories of updates or specific updates and specify the rules for restarting the computer when installing updates.
- Get-WUInstallerStatus: checks the status of the Windows Installer service.
- Get-WURebootStatus: allows you to check whether a reboot is necessary to apply a specific update.
- Get-WUList: lists the updates that meet the specified criteria and allows you to find and install the desired update.
- Get-WUServiceManager: checks for update sources.
- Get-WUUninstall: allows you to remove a specific update by KB ID.
- Hide-WUUpdate: allows you to hide certain updates from the installation.
- Invoke-WUInstall: manages remote installation of updates.
- Remove-WUOfflineSync: removes the offline scan source.
- Remove-WUServiceManager: removes the update server.
3. Get a List of Available Updates for the Computer
List the available updates for your computer on the update server:
Get-WUInstall -ListOnly
To check the list of available updates on a remote computer, run:
Get-WUList -ComputerName server2
You can check where your Windows should get updates from. Run the command:
Get-WUServiceManager
ServiceID IsManaged IsDefault Name
Get-WUInstall -MicrosoftUpdate -ListOnly
You get a warning:
Can’t find registered service Microsoft Update. Use Get-WUServiceManager to get registered service.
To enable scanning on Microsoft Update, run the following command:
Add-WUServiceManager -ServiceID "7971f918-a847-4430-9279-4a52d1efe18d" -AddServiceFlag 7
Now you can perform a scan on Microsoft Update.
To remove certain products or specific packages from the list of updates your computer receives, you can exclude them by:
- Categories (-NotCategory);
- Name (-NotTitle);
- Update number (-NotKBArticleID).
For example, to exclude drivers, OneDrive, and one specific KB from the list of updates:
Get-WUInstall -NotCategory "Drivers" -NotTitle OneDrive -NotKBArticleID KB4011670 -ListOnly
4. PowerShell Script to Install Windows Updates Remotely: PSWindowsUpdate
To automatically download and install all available updates for your operating system, run:
Get-WUInstall -AcceptAll -IgnoreReboot
The AcceptAll switch approves the installation of all packages, and IgnoreReboot suppresses automatic restarts of Windows after installing updates.
You can install only specific update packages:
Get-WUInstall -KBArticleID KB4011670,KB4456655 -AcceptAll
If you want to remove some updates from the installation list, run:
Get-WUInstall -NotCategory "Drivers" -NotTitle OneDrive -NotKBArticleID KB4011670 -AcceptAll -IgnoreReboot
To automate the installation of updates with exceptions on multiple computers, you can use the following script:
PowerShell -ExecutionPolicy RemoteSigned -Command "Import-Module PSWindowsUpdate; Get-WUInstall -NotCategory 'Language packs' -NotTitle OneDrive -NotKBArticleID KB4011670 -AcceptAll -IgnoreReboot"
The module allows you to remotely start the installation of updates on several computers at once or on a server (the PSWindowsUpdate module should be present on the computers). This is especially convenient, as it allows the administrator not to go manually to all servers during the scheduled installation of updates. The following command will install all available updates on three remote servers:
Invoke-WUInstall -ComputerName server1, server2, server3 -Script { ipmo PSWindowsUpdate; Get-WUInstall -AcceptAll -AutoReboot | Out-File C:\Windows\PSWindowsUpdate.log } -Confirm:$false -Verbose -SkipModuleTest -RunNow
5. View the History of Installed Updates
Using the Get-WUHistory command, you can get a list of updates installed on your computer earlier. You can get information about the date of installation of a specific update:
Get-WUHistory | Where-Object { $_.Title -match "KB4011" } | Select-Object * | ft
To obtain information about the presence of an installed update on several remote computers, you can use the following code:
"server1", "server2" | Get-WUHistory | Where-Object { $_.Title -match "KB4011634" } | Select-Object * | ft
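The following is an added example, not part of the original article: after an install run with -IgnoreReboot (section 4), it uses Get-WUHistory and Get-WURebootStatus to report for each server whether the KB appears in the update history and whether a restart is still outstanding. The function name Get-PatchVerification is hypothetical, the ping pre-check assumes ICMP is allowed to the targets, and a history entry records an update operation rather than proving the patch is active.

```powershell
# Added example. server1/server2 and KB4011634 are the article's placeholders.
Import-Module PSWindowsUpdate

function Get-PatchVerification {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [ValidatePattern('^KB\d+$')] [string] $KBArticleID
    )
    # Escape the ID and forbid a digit right after it, so that a search
    # for KB401163 does not also match a title containing KB4011634.
    $pattern = [regex]::Escape($KBArticleID) + '(?!\d)'

    foreach ($Computer in $ComputerName) {
        $row = [ordered]@{
            ComputerName  = $Computer
            KB            = $KBArticleID
            InHistory     = $null   # $null means "could not be determined"
            LastEntry     = $null
            RebootPending = $null
            Error         = $null
        }
        try {
            # Assumption: ICMP is allowed to the targets; otherwise drop this check.
            if (-not (Test-Connection -ComputerName $Computer -Count 1 -Quiet)) {
                throw "Host did not answer ping"
            }
            # Newest history entry whose title mentions the KB.
            $hit = Get-WUHistory -ComputerName $Computer -ErrorAction Stop |
                Where-Object { $_.Title -match $pattern } |
                Sort-Object -Property Date -Descending |
                Select-Object -First 1
            $row.InHistory = [bool]$hit
            if ($hit) { $row.LastEntry = $hit.Date }
            # -Silent makes the cmdlet return $true/$false instead of prompting.
            $row.RebootPending = [bool](Get-WURebootStatus -ComputerName $Computer -Silent -ErrorAction Stop)
        }
        catch {
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

$report = Get-PatchVerification -ComputerName 'server1', 'server2' -KBArticleID 'KB4011634'
$report | Format-Table -AutoSize

# Hosts that need follow-up: KB not found, reboot outstanding, or query failed.
$report | Where-Object { -not $_.InHistory -or $_.RebootPending -or $_.Error }
```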
6. The Next Feature Is Uninstalling Updates
To remove updates, use the Remove-WindowsUpdate cmdlet. You only need to specify the KB number as an argument to the KBArticleID parameter. To postpone the automatic restart of the computer, you can add the -NoRestart switch:
Remove-WindowsUpdate -KBArticleID KB4011634 -NoRestart
7. How to Hide Unnecessary Updates Using PowerShell
You can hide certain updates so that they are never installed by Windows Update on your computer. For example, to hide the KB4011670 and KB4456655 updates, run the following commands:
$HideList = "KB4011670", "KB4456655"
Hide-WindowsUpdate -KBArticleID $HideList -Hide
The next time you scan for updates using the Get-WUInstall -ListOnly command, hidden updates will not be displayed in the list of patches available for installation.
You can list the updates that are hidden on this computer as follows:
Get-WindowsUpdate -IsHidden
To unhide the updates, run:
Hide-WindowsUpdate -KBArticleID $HideList -Hide:$false
8. Additionally: As a Bonus Use Script for Getting a List of All the Missing Windows Updates
Install Windows Updates Using Action1:
Step 1: Sign-up for Free
Step 2: Enter AD Domain in Discovery Settings
Step 3: See All Managed Computers
Action1 will automatically find all domain computers and show them in the list of managed endpoints:
Step 4: Review Available and Missing Updates
Navigate to Patch Management to see the entire list of all patches and updates available for all computers on your entire network. To ease your work, Action1 combines all types of updates, including both Windows updates and 3rd party updates (such as Google Chrome, Dropbox etc.), into one uniform view.
Step 5: Option 1 — Install Missing Updates Immediately or Later
Select one or more computers to update and click Deploy Update in the list of actions. You will then be prompted to deploy immediately or schedule at a later time.
Step 6: Option 2 — Approve Updates for Deployment
For a more streamlined workflow, you can approve updates for deployment at pre-configured maintenance windows, such as over the weekend or during non-business hours, to avoid disrupting your users.
Consider Using Action1 to Install Windows Updates Remotely if:
- You need to run Windows updates remotely.
- You wish to identify missing patches within your endpoint network.
- You require tools for 3rd party software patch management.
- You need to patch Windows servers.
- You need to automate patch management in your organization to speed up IT task delivery.
- You need to test and approve patches centrally and remotely.