How to Use PowerShell to Manage Windows Updates

As is well known, keeping systems updated is essential to protecting enterprises from malicious attacks and security breaches that may compromise confidential information or even cause sensitive data losses.

Installing Windows update patches has always been a tedious, complex, and long process. Although Microsoft eases these procedures through tools such as Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM), administrators still require command-line tools to automate the installation of the update in certain scenarios. The PowerShell Windows Update module, or PSWindowsUpdate, is one such tool.

How to install PSWindowsUpdate

PSWindowsUpdate is a third-party module that is not integrated into Windows by default. It can be downloaded from the PowerShell gallery, the most used repository for sharing PowerShell code. This module includes different cmdlets to manage the deployment of Windows updates from the command line.

  1. Download the latest PSWindowsUpdate version from the PowerShell gallery.
    **Previous versions of the module are also available in the Microsoft Technet Gallery, but Microsoft has retired this repository and now remains in read-only mode.
  1. Create a new folder named “PSWindowsUpdate” in %WINDIR%\System32\WindowsPowerShell\v1.0\Modules and extract the content of the nupkg file.
    **A NuGet package is a ZIP archive with some extra files. Some browsers, like Internet Explorer, automatically replace the .nupkg file extension with .zip
  1. Open an elevated PowerShell prompt and run Set-ExecutionPolicy RemoteSigned to allow the execution of scripts signed by a trusted publisher.
  1. Install Import-Module -Name PSWindowsUpdate.

If the PowerShell setup is already configured to allow online downloads, the PSWindowsUpdate module can also be installed directly from the online repository (PSGallery) running Install-Module -Name PSWindowsUpdate.

How to install PSWindowsUpdate

Commands in PSWindowsUpdate

Installed aliases and cmdlets can be displayed by typing Get-Command–module PSWindowsUpdate.

Commands in PSWindowsUpdate

A brief description of principal commands is described below:

Get-WindowsUpdate: This is the main cmdlet of the module. It lists, downloads, installs, or hides a list of updates meeting predefined requisites and sets the rules of the restarts when installing the updates.

Remove-WindowsUpdate: Uninstalls an update.

Add-WUServiceManage: Registers a new Windows Update API Service Manager.

Get-WUHistory: Shows a list of installed updates.

Get-WUSettings: Gets Windows Update client settings.

Get-WUInstallerStatus: Gets Windows Update Installer Status, whether it is busy or not.

Enable-WURemoting: Enables firewall rules for PSWindowsUpdate remoting.

Invoke-WUJob: Invokes PSWindowsUpdate actions remotely.

Clear-WUJob: Clears the WUJob in Task Scheduler.

Get-WUInstall, Install-WindowsUpdate (alias for Get-WindowsUpdate –Install): Installs Windows updates.

Uninstall-WindowsUpdate: Removes updates using the Remove-WindowsUpdate command.

Get-WULastResults: Gets the dates for the last search and installation of updates.

Get-WURebootStatus: Checks if a reboot is needed to apply an update.

Remove-WUServiceManager: Disables the Windows Update Service Manager.

Set-PSWUSettings: Saves settings of the PSWindowsUpdate module to an XML file.

Set-WUSettings: Configures the Windows Update client’s settings.

Reset-WUComponents: Resets the Windows Update agent to its default state.

Like for all PowerShell cmdlets, different usage examples can be shown for each command by typing Get-Help “command” -examples.

PSWindowsUpdate Main Parameters

The previous section shows that the PSWindowsUpdate module includes different predefined aliases to ease patching processes. However, the main parameters for the Get-WindowsUpdate cmdlet will be listed and explained below:

Filtering Updates:

Actions and Targets:

Client Restart Behavior:

How to Avoid Accidental Installs

Windows updates and patches improve the features and stability of the system. However, some updates can mess up your system and cause instability, especially automatic updates for legacy software such as graphic card drivers. To avoid automatic updates and accidental installs for such applications, you can pause Windows updates.

Alternatively, you can hide the specific updates for those features you don’t want to get updated. When you hide the updates, Windows can no longer download and install such updates. Before you can hide the update, you need to find out its details, including its knowledge base (KB) number and title. Type the cmdlet below to list all the available updates on your system:

Get-WUList

To hide a specific update using the KB number, use your mouse to copy that KB number. Next, type the command below:

Hide-WUUpdate -KBArticleID KB_Number

Highlight the “KB_Number” and click paste to replace that part with the actual KB number.

When prompted to confirm the action, type A, and hit the Enter key. If the command succeeds, the “Get-WUList” lists all the available updates, with hidden updates appearing with the symbol “H” under their status.

The KB number for the update may not be available for some updates. In this case, you can use the title to hide the update. To do this, list all the available updates via the cmdlet below:

Get-WUList

Next, use your mouse to copy the update title. Ensure it is distinct from other update titles. Now, type below command below to hide the update:

Hide-WUUpdate -Title “Update_Title”

Don’t forget to paste the actual update title in the “Update Title” section.

When prompted to confirm the action, type A, and hit the Enter key. If the command succeeds, the “Get-WUList” lists all the available updates. However, the status of hidden updates appears with the symbol “H” underneath them.

How to Determine Errors

It is of crucial importance to have as much information as possible about Windows Updates installation processes in order to be able to fix erroneous deployments. The Get-WindowsUpdate cmdlet and the rest of the cmdlets available in the module provide a very detailed log level when managing updates, including status, KB ID, Size, or Title.

Centralizing all of the computer logs and analyzing them to search for errors, administrators will always be able to know the patch level of their Windows computers and servers.

Check and Download Windows Updates with PowerShell

You can use PowerShell to check and download Windows updates from a server set up with Windows Server Update Services (WSUS).

To check where a computer gets its updates from, run the Get-WUServiceManager command. If you see a Windows Server Update Service = True in the results, that means that it is set to receive updates from your WSUS server.

To get a list of updates for a remote server or computer, run Get-WUList –Computername computername. For example, Get-WUList –ComputerName server1.

If you need updates for Microsoft Office and other Microsoft products, you can also scan for updates from Microsoft Update servers by running Get-WUList –MicrosoftUpdate. If you get a warning, run Add-WUServiceManager -ServiceID “7971f918-a847-4430-9279-4a52d1efe18d” -AddServiceFlag 7, then run the command again.

To install all updates without getting approval prompts for each package, run Install-WindowsUpdate –AcceptAll. To ignore reboots at the end without a prompt, add an –IgnoreReboot switch at the end, e.g., Install-WindowsUpdate –AcceptAll –IgnoreReboot.

Install Windows Updates on Remote Computers with PowerShell

You can use PowerShell to install updates to multiple remote servers simultaneously, so long as PSWindowsUpdate is also installed on the servers. To install Windows Updates on two remote servers, for example, you need to run:

Invoke-WUInstall -ComputerName server1, server2-Script {ipmo PSWindowsUpdate; Get-WUInstall -AcceptAll -AutoReboot | Out-File C:\Windows\PSWindowsUpdate.log } -Confirm:$false -Verbose -SkipModuleTest –RunNow

Flexible PowerShell management with Parallels RAS

Parallels® Remote Application Server (RAS) is a remote work solution that provides 24/7 virtual access to applications and desktops from any device.

Many administrators decide to build their Parallels RAS farms based on templates to optimize the new machine’s deployment time and management efforts. When working with templates and cloning techniques, patching procedures are only done once in the master image. Deploying new machines based on the updated template will upgrade the environment within minutes.

Parallels RAS PowerShell SDK (Software Development Kit) includes a complete set of tools to manage and configure RAS farms, including specific cmdlets to create templates from existing virtual machines or deploy new machines based on those templates. By combining these commands with the PSWindowsUpdate PowerShell module, administrators will be able to automate the complete patching process of their infrastructure servers and their template-based machines.

Different RAS cmdlets can be used to automate the updates installation processes, as seen in this example: Parallels RAS PowerShell – VDI Example.

The complete set of RAS commands is available here: Parallels RAS PowerShell Reference.

See how Parallels RAS can simplify the Windows Updates management process!

Download the Trial