How to Use PowerShell to Manage Windows Updates
As is well known, keeping systems updated is essential to protecting enterprises from malicious attacks and security breaches that may compromise confidential information or even cause sensitive data losses.
Installing Windows update patches has always been a tedious, complex, and long process. Although Microsoft eases these procedures through tools such as Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM), administrators still require command-line tools to automate the installation of the update in certain scenarios. The PowerShell Windows Update module, or PSWindowsUpdate, is one such tool.
How to install PSWindowsUpdate
PSWindowsUpdate is a third-party module that is not integrated into Windows by default. It can be downloaded from the PowerShell Gallery, the most used repository for sharing PowerShell code. This module includes different cmdlets to manage the deployment of Windows updates from the command line.
- Download the latest PSWindowsUpdate version from the PowerShell Gallery.
**Previous versions of the module are also available in the Microsoft Technet Gallery, but Microsoft has retired this repository and it now remains in read-only mode.
- Create a new folder named “PSWindowsUpdate” in %WINDIR%\System32\WindowsPowerShell\v1.0\Modules and extract the content of the nupkg file.
**A NuGet package is a ZIP archive with some extra files. Some browsers, like Internet Explorer, automatically replace the .nupkg file extension with .zip.
- Open an elevated PowerShell prompt and run Set-ExecutionPolicy RemoteSigned, which lets locally created scripts run and requires scripts downloaded from the internet to be signed by a trusted publisher.
- Run Import-Module -Name PSWindowsUpdate to load the module.
If the PowerShell setup is already configured to allow online downloads, the PSWindowsUpdate module can also be installed directly from the online repository (PSGallery) running Install-Module -Name PSWindowsUpdate.
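Because the manual route copies third-party code into a system-wide module folder, it is worth checking the package before importing it. The script below is an added example, not code from the original article or from the module's author; the download path and the expected SHA-256 value are placeholders you must supply yourself.

```powershell
# Added example: vet the downloaded package, extract it, then import it.
# Run from an elevated prompt. $Package and $ExpectedSha256 are placeholders.
$Package        = "$env:USERPROFILE\Downloads\pswindowsupdate.nupkg"
$ExpectedSha256 = '<SHA256 recorded from a source you trust>'
$ModuleDir      = "$env:WINDIR\System32\WindowsPowerShell\v1.0\Modules\PSWindowsUpdate"

# 1. Stop if the archive is not the one that was vetted.
$actual = (Get-FileHash -Path $Package -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw "Hash mismatch for $Package (got $actual)"
}

# 2. Expand-Archive only accepts a .zip extension, so copy the .nupkg under that name.
$zip = Join-Path $env:TEMP 'PSWindowsUpdate.zip'
Copy-Item -Path $Package -Destination $zip -Force
Expand-Archive -Path $zip -DestinationPath $ModuleDir -Force

# 3. Show the Authenticode status of every script and binary that was extracted.
$sigs = Get-ChildItem -Path $ModuleDir -Recurse -Include *.ps1, *.psm1, *.psd1, *.dll |
    Get-AuthenticodeSignature
$sigs |
    Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }, Path |
    Format-Table -AutoSize

# A file whose signature no longer matches its content, or chains to an
# untrusted publisher, must not be loaded.
$bad = $sigs | Where-Object { "$($_.Status)" -in 'HashMismatch', 'NotTrusted' }
if ($bad) {
    throw "Tampered or untrusted signature: $($bad.Path -join ', ')"
}

# 4. Load the module and confirm which copy and version was picked up.
Import-Module -Name PSWindowsUpdate
Get-Module -Name PSWindowsUpdate | Select-Object Name, Version, Path
```

Files reported as NotSigned are listed but do not stop the script; whether to accept them is a policy decision for your environment.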
Commands in PSWindowsUpdate
Installed aliases and cmdlets can be displayed by typing Get-Command -Module PSWindowsUpdate.
The principal commands are briefly described below:
Get-WindowsUpdate: This is the main cmdlet of the module. It lists, downloads, installs, or hides a list of updates meeting predefined requisites and sets the rules of the restarts when installing the updates.
Remove-WindowsUpdate: Uninstalls an update.
Add-WUServiceManager: Registers a new Windows Update API Service Manager.
Get-WUHistory: Shows a list of installed updates.
Get-WUSettings: Gets Windows Update client settings.
Get-WUInstallerStatus: Gets Windows Update Installer Status, whether it is busy or not.
Enable-WURemoting: Enables firewall rules for PSWindowsUpdate remoting.
Invoke-WUJob: Invokes PSWindowsUpdate actions remotely.
Clear-WUJob: Clears the WUJob in Task Scheduler.
Get-WUInstall, Install-WindowsUpdate (alias for Get-WindowsUpdate -Install): Installs Windows updates.
Uninstall-WindowsUpdate: Removes updates using the Remove-WindowsUpdate command.
Get-WULastResults: Gets the dates for the last search and installation of updates.
Get-WURebootStatus: Checks if a reboot is needed to apply an update.
Remove-WUServiceManager: Disables the Windows Update Service Manager.
Set-PSWUSettings: Saves settings of the PSWindowsUpdate module to an XML file.
Set-WUSettings: Configures the Windows Update client’s settings.
Reset-WUComponents: Resets the Windows Update agent to its default state.
As with all PowerShell cmdlets, usage examples for each command can be shown by typing Get-Help "command" -Examples.
PSWindowsUpdate Main Parameters
The previous section shows that the PSWindowsUpdate module includes different predefined aliases to ease patching processes. However, the main parameters for the Get-WindowsUpdate cmdlet will be listed and explained below:
Filtering Updates:
- AcceptAll: Downloads or installs all available updates.
- KBArticleID: Finds updates that contain a KBArticleID (or sets of KBArticleIDs).
- UpdateID: Specifies updates with a specific UUID (or sets of UUIDs).
- Category: Specifies updates that contain a specified category name, such as ‘Updates,’ ‘Security Updates’ or ‘Critical Updates’.
- Title: Finds updates that match part of title.
- Severity: Finds updates that match part of severity, such as ‘Important,’ ‘Critical’ or ‘Moderate’.
- UpdateType: Finds updates with a specific type, such as ‘Driver’ and ‘Software.’ Default value contains all updates.
Actions and Targets:
- Download: downloads approved updates but does not install them.
- Install: installs approved updates.
- Hide: hides specified updates to prevent them from being installed.
- ScheduleJob: specifies date when job will start.
- SendReport: sends a report from the installation process.
- ComputerName: specifies target server or computer.
Client Restart Behavior:
- AutoReboot: automatically reboots system if required.
- IgnoreReboot: suppresses automatic restarts.
- ScheduleReboot: specifies the date when the system will be rebooted.
How to Avoid Accidental Installs
Windows updates and patches improve the features and stability of the system. However, some updates can mess up your system and cause instability, especially automatic updates for legacy software such as graphic card drivers. To avoid automatic updates and accidental installs for such applications, you can pause Windows updates.
Alternatively, you can hide the specific updates for those features you don’t want to get updated. When you hide the updates, Windows can no longer download and install such updates. Before you can hide the update, you need to find out its details, including its knowledge base (KB) number and title. Type the cmdlet below to list all the available updates on your system:
Get-WUList
To hide a specific update using the KB number, use your mouse to copy that KB number. Next, type the command below:
Hide-WUUpdate -KBArticleID KB_Number
Highlight the “KB_Number” and click paste to replace that part with the actual KB number.
When prompted to confirm the action, type A, and hit the Enter key. If the command succeeds, the “Get-WUList” lists all the available updates, with hidden updates appearing with the symbol “H” under their status.
The KB number for the update may not be available for some updates. In this case, you can use the title to hide the update. To do this, list all the available updates via the cmdlet below:
Get-WUList
Next, use your mouse to copy the update title. Ensure it is distinct from other update titles. Now, type the command below to hide the update:
Hide-WUUpdate -Title "Update_Title"
Don’t forget to replace “Update_Title” with the actual update title.
When prompted to confirm the action, type A, and hit the Enter key. If the command succeeds, the “Get-WUList” lists all the available updates. However, the status of hidden updates appears with the symbol “H” underneath them.
How to Determine Errors
It is of crucial importance to have as much information as possible about Windows Updates installation processes in order to be able to fix erroneous deployments. The Get-WindowsUpdate cmdlet and the rest of the cmdlets available in the module provide a very detailed log level when managing updates, including status, KB ID, Size, or Title.
By centralizing all of the computer logs and analyzing them for errors, administrators will always be able to know the patch level of their Windows computers and servers.
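One way to build such a central record is to collect the pending updates of several machines into a single CSV file. The script below is an added example, not code from the original article; the computer names and output path are placeholders, and it assumes the update objects expose the KB, Title, Size and Status fields mentioned above and that Get-WURebootStatus accepts -Silent to return a Boolean.

```powershell
# Added example: one CSV row per pending update per computer, for central review.
# $Computers and $OutFile are placeholders; property names are assumptions
# based on the fields the module displays (Status, KB, Size, Title).
Import-Module -Name PSWindowsUpdate

$Computers = 'server1', 'server2'
$OutFile   = 'C:\Reports\pending-updates.csv'

function New-Row($Computer, $Update, $Reboot, $Err) {
    [pscustomobject]@{
        Collected     = (Get-Date).ToString('s')
        Computer      = $Computer
        KB            = $Update.KB
        Title         = $Update.Title
        Size          = $Update.Size
        Status        = $Update.Status
        # Hidden updates carry an "H" in their status string.
        Hidden        = [bool]($Update.Status -cmatch 'H')
        RebootPending = $Reboot
        Error         = $Err
    }
}

$report = foreach ($c in $Computers) {
    try {
        $pending = @(Get-WUList -ComputerName $c -ErrorAction Stop)
        $reboot  = Get-WURebootStatus -ComputerName $c -Silent -ErrorAction Stop
        if ($pending.Count -eq 0) {
            # Fully patched hosts still get a row, so absence is never ambiguous.
            New-Row $c $null $reboot ''
        }
        foreach ($u in $pending) { New-Row $c $u $reboot '' }
    }
    catch {
        # An unreachable or failing host is recorded rather than silently skipped.
        New-Row $c $null $null $_.Exception.Message
    }
}

$report | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Rows that need attention: scan errors, pending reboots, hidden updates.
$report | Where-Object { $_.Error -or $_.RebootPending -or $_.Hidden } |
    Format-Table Computer, KB, Hidden, RebootPending, Error -AutoSize
```

Hidden updates are flagged because they will never install on their own, so they are an easy place for a missing security patch to go unnoticed.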
Check and Download Windows Updates with PowerShell
You can use PowerShell to check and download Windows updates from a server set up with Windows Server Update Services (WSUS).
To check where a computer gets its updates from, run the Get-WUServiceManager command. If you see a Windows Server Update Service = True in the results, that means that it is set to receive updates from your WSUS server.
To get a list of updates for a remote server or computer, run Get-WUList -ComputerName computername. For example, Get-WUList -ComputerName server1.
If you need updates for Microsoft Office and other Microsoft products, you can also scan for updates from Microsoft Update servers by running Get-WUList -MicrosoftUpdate. If you get a warning, run Add-WUServiceManager -ServiceID "7971f918-a847-4430-9279-4a52d1efe18d" -AddServiceFlag 7, then run the command again.
To install all updates without getting approval prompts for each package, run Install-WindowsUpdate -AcceptAll. To ignore reboots at the end without a prompt, add an -IgnoreReboot switch at the end, e.g., Install-WindowsUpdate -AcceptAll -IgnoreReboot.
Install Windows Updates on Remote Computers with PowerShell
You can use PowerShell to install updates to multiple remote servers simultaneously, so long as PSWindowsUpdate is also installed on the servers. To install Windows Updates on two remote servers, for example, you need to run:
Invoke-WUInstall -ComputerName server1, server2 -Script {ipmo PSWindowsUpdate; Get-WUInstall -AcceptAll -AutoReboot | Out-File C:\Windows\PSWindowsUpdate.log } -Confirm:$false -Verbose -SkipModuleTest -RunNow
Flexible PowerShell management with Parallels RAS
Parallels® Remote Application Server (RAS) is a remote work solution that provides 24/7 virtual access to applications and desktops from any device.
Many administrators decide to build their Parallels RAS farms based on templates to optimize the new machine’s deployment time and management efforts. When working with templates and cloning techniques, patching procedures are only done once in the master image. Deploying new machines based on the updated template will upgrade the environment within minutes.
Parallels RAS PowerShell SDK (Software Development Kit) includes a complete set of tools to manage and configure RAS farms, including specific cmdlets to create templates from existing virtual machines or deploy new machines based on those templates. By combining these commands with the PSWindowsUpdate PowerShell module, administrators will be able to automate the complete patching process of their infrastructure servers and their template-based machines.
Different RAS cmdlets can be used to automate the updates installation processes, as seen in this example: Parallels RAS PowerShell – VDI Example.
The complete set of RAS commands is available here: Parallels RAS PowerShell Reference.