
How to Manage Windows Updates with PowerShell

Managing Windows Update with PowerShell has until recently only been possible using a third-party module. But starting in Windows Server 2019, Microsoft’s WindowsUpdateProvider PowerShell module is included out-of-the-box and it allows you to perform simple Windows Update management tasks, like starting a scan and installing updates.

In this article, I will show you how to manage Windows updates using Microsoft’s Windows Update provider for PowerShell in Windows Server 2019. And I’ll show you how to use the third-party PSWindowsUpdate PowerShell module that most system administrators still prefer to use. The instructions also work in up-to-date releases of Windows 10, Windows 11, and Windows Server 2022.

One use case for managing Windows updates with PowerShell is when preparing a system image using SYSPREP. When you go into Audit Mode, you shouldn’t use Windows Update to install patches because it can cause SYSPREP to fail. But you could use PowerShell to carefully install quality updates. The ability to manage Windows updates with PowerShell might also be useful in Server Core, where there is no GUI.

Microsoft’s Windows Update PowerShell provider

Microsoft’s Windows Update PowerShell provider (WindowsUpdateProvider) comes preinstalled in Windows Server 2019 and later versions of Windows. You can list the cmdlets available in the module using Get-Command:

Get-Command -Module WindowsUpdateProvider

The Start-WUScan cmdlet initiates a scan without installing any updates. It looks for available updates that apply to the device. You can add filters to search for updates in specific categories, like software for example. The command below scans the device for updates that are not already applied to installed software:

$Updates = Start-WUScan -SearchCriteria "Type='Software' AND IsInstalled=0"

Microsoft doesn’t have any comprehensive online documentation on WindowsUpdateProvider but you can find information about the syntax you should use for -SearchCriteria in the API documentation here.

Once you’ve performed a scan, use the object we created ($Updates) to install the updates with Install-WUUpdates:

Install-WUUpdates -Updates $Updates

You can also add the -DownloadOnly switch to download the updates but not install them:

Install-WUUpdates -Updates $Updates -DownloadOnly

Another useful command, Get-WUIsPendingReboot, shows you whether the device is waiting to be rebooted after updates have been installed.

Get-WUIsPendingReboot
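
The scan, install and reboot-check cmdlets above can be combined into a single reviewed workflow. The function below is an added example, not code from the original article; the name Invoke-ReviewedUpdate and the default log directory are hypothetical, and it uses only the WindowsUpdateProvider cmdlets already shown.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Invoke-ReviewedUpdate and the
# default log directory are hypothetical names chosen for illustration.
function Invoke-ReviewedUpdate {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [string]$SearchCriteria = "Type='Software' AND IsInstalled=0",
        [string]$LogDirectory   = 'C:\share\logs'
    )

    # Wrap in @() so a single result is still a collection with a Count.
    $updates = @(Start-WUScan -SearchCriteria $SearchCriteria)
    if ($updates.Count -eq 0) {
        Write-Verbose 'Scan found no applicable updates.'
        return $false
    }

    # Record exactly what the scan offered before anything changes.
    # -WhatIf:$false keeps the log even when the function runs with -WhatIf.
    $stamp = Get-Date -Format 'yyyy-MM-dd_HHmmss'
    $log   = Join-Path $LogDirectory "$($env:COMPUTERNAME)-$stamp-scan.log"
    $updates | Format-List -Property * | Out-File -FilePath $log -Force -WhatIf:$false

    # With -WhatIf the function stops here; otherwise the operator confirms.
    $action = "Install $($updates.Count) update(s) listed in $log"
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, $action)) {
        return $false
    }

    # Download first so a failed download surfaces before the install starts.
    Install-WUUpdates -Updates $updates -DownloadOnly | Out-Null
    Install-WUUpdates -Updates $updates | Out-Null

    # Report the reboot state instead of restarting automatically.
    return [bool](Get-WUIsPendingReboot)
}

# Dry run: scan and write the log, stop before downloading or installing.
# Invoke-ReviewedUpdate -WhatIf -Verbose
```

For unattended use, call the function with -Confirm:$false and schedule the reboot separately when it returns $true.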

Let’s create a share on the local server for storing Windows Update logs generated by PowerShell. The computer name of my server is ‘dc1’.

New-Item 'c:\share\logs' -Type Directory
New-SMBShare -Name logs -Path 'c:\share\logs' -Description 'Windows Update logs' -FullAccess Everyone

Now we can output the results of Start-WUScan to a text file using Out-File. You will need to replace dc1 in the command below with the name of the server on which you created the network share for storing Windows Update log files.

Start-WUScan -SearchCriteria "Type='Software' AND IsInstalled=0" | Out-File "\\dc1\logs\$($env:COMPUTERNAME)-$(Get-Date -f yyyy-MM-dd)-MSUpdates.log" -Force

To open the log file in a terminal window, use Get-Content:

Get-Content "\\dc1\logs\$($env:COMPUTERNAME)-$(Get-Date -f yyyy-MM-dd)-MSUpdates.log"
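
The share created above grants Full Control to Everyone, so any account that can reach the server can change or delete the update logs. The script below is an added example, not part of the original article, that limits the share and the folder to administrators and one writer group; CONTOSO\Patch-Admins is a hypothetical group standing in for the accounts that run the update commands.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article).
$ShareName = 'logs'
$Path      = 'C:\share\logs'
$Writers   = 'CONTOSO\Patch-Admins'   # hypothetical group: replace with your own

New-Item -Path $Path -ItemType Directory -Force | Out-Null

if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
    # Share already exists as created in the article: drop the Everyone grant
    # and add the two narrower entries.
    Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force `
        -ErrorAction SilentlyContinue | Out-Null
    Grant-SmbShareAccess -Name $ShareName -AccountName 'BUILTIN\Administrators' `
        -AccessRight Full -Force | Out-Null
    Grant-SmbShareAccess -Name $ShareName -AccountName $Writers `
        -AccessRight Change -Force | Out-Null
}
else {
    # New share: administrators get Full, the writer group gets Change.
    New-SmbShare -Name $ShareName -Path $Path -Description 'Windows Update logs' `
        -FullAccess 'BUILTIN\Administrators' -ChangeAccess $Writers | Out-Null
}

# Share and NTFS permissions both apply, and the more restrictive one wins,
# so set the folder ACL to match: no inherited entries, Modify for writers.
icacls $Path /inheritance:r /grant:r `
    'BUILTIN\Administrators:(OI)(CI)F' `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    "${Writers}:(OI)(CI)M"

# Verify the result: Everyone should no longer be listed.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight
```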

Third-Party Windows Update PowerShell Module (PSWindowsUpdate)

The third-party Windows Update module in the PowerShell Gallery provides more flexibility than Microsoft’s Windows Update module for PowerShell. PSWindowsUpdate was created by Michal Gajda and it has been a long-time favorite tool for Windows admins. It works on the device where it is installed, and it can also be used to check and install updates on remote devices and servers.

The latest version of the module, version 2.2.0, was released in 2020 and it has several new commands. Reset-WUComponents can be used to reset Windows Update to the default configuration. And Get-WUOfflineMSU is for downloading offline MSU packages from the Microsoft Update Catalog.

PSWindowsUpdate works with Windows PowerShell v3.0 and later. If you are not sure which version of PowerShell you are running, you can run the following command in a PowerShell window and check the Major value.

$PSVersionTable.PSVersion

Here’s the full list of available commands:

· Add-WUServiceManager
· Enable-WURemoting
· Get-WindowsUpdate
· Get-WUApiVersion
· Get-WUHistory
· Get-WUInstallerStatus
· Get-WUJob
· Get-WULastResults
· Get-WURebootStatus
· Get-WUServiceManager
· Get-WUSettings
· Invoke-WUJob
· Remove-WindowsUpdate
· Remove-WUServiceManager
· Set-WUSettings
· Update-WUModule
· Set-PSWUSettings
· Reset-WUComponents
· Get-WUOfflineMSU

Let’s see how it works. First you need to install the module:

Install-Module PSWindowsUpdate

If you want to use Windows Update to also update software installed on the device, you can configure Windows Update using Add-WUServiceManager:

Add-WUServiceManager -MicrosoftUpdate

Now we can use the Install-WindowsUpdate cmdlet to install all available updates for the device and record the logs. Install-WindowsUpdate is actually an alias for Get-WindowsUpdate -Install.

Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot | Out-File "\\dc1\logs\$($env:COMPUTERNAME)-$(Get-Date -f yyyy-MM-dd)-MSUpdates.log" -Force

Let’s install updates on several remote servers at the same time. In the commands below, we use the $Computers variable to store the names of the remote servers that we want to update. Then Invoke-WUJob is used to initiate updates on the remote computers. And like before, we write the logs to our server file share:

$Computers = "srv2","srv3","srv4"

Invoke-WUJob -ComputerName $Computers -Script {Import-Module PSWindowsUpdate; Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot} -RunNow -Confirm:$false | Out-File "\\dc1\logs\$($Computers -join '-')-$(Get-Date -f yyyy-MM-dd)-MSUpdates.log" -Force

Install-WindowsUpdate can be used in several different ways. In the example below, the cmdlet installs everything except KB47857 and KB47859:

Install-WindowsUpdate -NotKBArticle "KB47857","KB47859" -AcceptAll

The next example installs everything except drivers and feature packs:

Install-WindowsUpdate -NotCategory "Drivers","FeaturePacks" -AcceptAll

And the last example updates everything except Microsoft Teams:

Install-WindowsUpdate -NotTitle "Teams" -AcceptAll

Get-WindowsUpdate lists updates that match the criteria you specify. The cmdlet can also be used to install updates by adding the -Install parameter:

Get-WindowsUpdate -KBArticleID "KB47857","KB47859" -Install

To get a full list of the commands available in PSWindowsUpdate, use Get-Command:

Get-Command -Module PSWindowsUpdate

WindowsUpdateProvider has the advantage of availability in newer versions of Windows

PSWindowsUpdate is more flexible than WindowsUpdateProvider, but Microsoft’s module has the advantage of availability in Windows Server 2019 and later versions of Windows; that is, you don’t need to download and install it. You can also use both modules at the same time. My advice is to see whether WindowsUpdateProvider meets your needs. If not, then look at working with PSWindowsUpdate.

Microsoft would prefer that you use Endpoint Manager, WSUS, or another automated solution to manage Windows updates. There’s also Windows Update for Business (WUfB), which is available in Windows 10, Windows Server 2016, and all later versions of Windows. Because of the existence of preferred automated solutions, Microsoft has never heavily invested in managing Windows updates from the command line. But it’s nice to know that if you need to, you do have options for managing Windows updates with PowerShell.


IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.