Managing Windows Updates with PowerShell

Recently, I ran into a challenge while creating a Windows 8.1 deployment image. I create my images just like many other IT pros do using Microsoft’s Sysprep utility. A good deployment image is current with all critical Windows Updates applied. In many cases, there are also a number of recommended and optional updates that I want incorporated into an image using PowerShell Windows update techniques.

Unfortunately, while creating an image using Sysprep’s Audit Mode in Windows 8.1, the standard Windows Update GUI isn’t an option. While in Audit Mode, Windows believes the Setup Out-of-Box Experience (OOBE) is running. By design, Windows Update will not run during the OOBE phase. This is primarily to prevent an unexpected reboot during the setup process. Leveraging the power of PowerShell windows update scripts and the ingenuity of fellow Microsoft MVP Michal Gajda, an elegant and easy solution is available. Today I’ll show you how to manage Windows updates using the PowerShell PSWindowsUpdate module.

Before I go further, let me mention that options do exist for applying updates to Windows deployment images after the fact. Primary among these is the Deployment Image Servicing and Management tool (DISM), which is great, but in some instances using this tool is an extra complexity IT pros just don’t need. These are the cases where being able to find and apply Windows Updates from within Sysprep’s Audit Mode is a major boon.

Using PowerShell to Manage Windows Updates:  PSWindowsUpdate

The secret to deploying Windows Updates from within Audit Mode is an excellent PowerShell module created by Michal Gajda. This module, aptly called PSWindowsUpdate, allows managing Windows Update on any computer running PowerShell 2.0 or higher. This module even enables Windows admins to check for and install updates on remote PCs and servers. PSWindowsUpdate is particularly handy for installing updates on Server Core machines that have no GUI, or in instances such as Sysprep’s Audit Mode where the Windows Update GUI doesn’t work.

• Get started by downloading the latest version of PSWindowsUpdate.zip.

• Once downloaded, extract the contents of the zip file to C:WindowsSystem32WindowsPowerShellv1.0Modules.

• Click Continue if a UAC prompt appears.

• When the files have been extracted into the PowerShell Modules folder, open an elevated PowerShell prompt. Change PowerShell’s Execution Policy to RemoteSigned. The RemoteSigned Execution Policy allows PowerShell scripts downloaded from the Internet to run on a PC as long as they are signed by a trusted publisher.
• Type Set-ExecutionPolicy RemoteSigned and press Enter. When prompted, confirm the change by pressing Y and then Enter.

This completes the one-time configuration of the module! Now it’s time to put PSWindowsUpdate to use!

• If running PowerShell v2.0, type Import-Module PSWindowsUpdate and hit Enter. This isn’t necessary in PowerShell v3 and higher, but it doesn’t hurt anything either. This step simply guarantees that the modules cmdlets will be available to the PowerShell v2.0 session.
• Display a list of all the module’s available cmdlets by typing Get-Command –module PSWindowsUpdate and hitting Enter.

• Possibly the most important function for getting and installing updates is Get-WUInstall. Help for each cmdlet is available, so to see full help for Get-WUInstall type Help Get-WUInstall –full and press Enter.

When applying updates, I prefer connecting to the Microsoft Update servers. Using these instead of the standard Windows Update servers allows installing updates to Office and other Microsoft products in addition to the normal Windows updates. Unfortunately, trying to connect to the Microsoft Update servers using the PSWindowsUpdate module from a fresh Windows installation will produce an error, as shown below.

• The reason for this error is because Windows is registered to use only the standard Windows Update servers by default. To use the Microsoft Update servers, the Microsoft Update Service must be registered on the computer. In the GUI, this is done by selecting the checkbox for Give me updates for other Microsoft products when I update Windows from the Control Panel – Windows Update – Change Settings applet.
• In the PSWindowsUpdate module, the same process is completed by using the Add-WUServiceManager cmdlet with the ServiceID for the Microsoft Update service specified. Type Add-WUServiceManager -ServiceID 7971f918-a847-4430-9279-4a52d1efe18d and press Enter. When prompted, confirm registering the service by typing Y and pressing Enter one more time.

• List available updates from the Microsoft Update servers by typing Get-WUInstall –MicrosoftUpdate –ListOnly and pressing Enter. After a few moments, the system will return a list of the available updates for the current machine. No error this time!

• The same results are produced by typing Get-WUList –MicrosoftUpdate and pressing Enter.

• Type Get-WUInstall –MicrosoftUpdate and press Enter to go through the available updates, confirming installation of each one manually. This ensures that you have comprehensive control over Windows updates using PowerShell windows update methods.

PSWindowsUpdate and Parameter Support

Another awesome feature of the PSWindowsUpdate module is its support of parameters. For example, using the –AcceptAll and the –AutoReboot parameters with the Get-WUInstall cmdlet changes the manual process into an automated one. Type Get-WUInstall –MicrosoftUpdate –AcceptAll –AutoReboot and press Enter. The system will download and install all available updates and then automatically reboot if any of the updates require a reboot.

Don’t want a particular update to be installed? No problem! Use Hide-WUUpdate. Selection parameters such as –Title or –KBArticleID narrow in and hide specific updates. Feel free to use wildcards with these parameters. As an example, type Hide-WUUpdate –Title “Bing*” –KBArticleID “KB2673774” –MicrosoftUpdate –Confirm:$false and press Enter to hide the Bing Bar 7.3 update.

Notice that I used the –Confirm parameter, along with the $false switch, to automatically confirm hiding the selected update. In the future the update won’t appear when listing available updates.

Did you make a mistake and hide the wrong update? No problem! Hide-WUUpdate can unhide an update by using the –HideStatus parameter with the $false switch. To unhide the update hidden earlier, type Hide-WUUpdate –Title “Bing*” –KBArticleID “KB2673774” –MicrosoftUpdate –HideStatus:$false –Confirm:$false then press Enter. As before, I used the –Confirm:$false parameter to keep everything streamlined.

I started out seeking simply to solve a challenge installing updates within Sysprep’s Audit mode. The PSWindowsUpdate module goes far beyond simply solving this problem. It offers to automate and simplify dealing with Windows Updates. In addition to all the functionality discussed in this article, it can be scripted and even used to process updates on remote computers. Want my advice? Download PSWindowsUpdate and put it to use on your systems today!

FAQs

How can I automate PowerShell Windows Update installations across multiple remote servers?

Using PowerShell Windows Update commands like Invoke-WUJob and Get-WUInstall with the -ComputerName parameter, you can schedule and execute updates across multiple servers. Create a server list file and use ForEach-Object loops to process Windows Updates in parallel, significantly reducing maintenance windows.

What are the security implications of using PowerShell Windows Update in an enterprise environment?

PowerShell Windows Update operations require proper security configurations, including RunAs Administrator privileges and specific execution policies. Implement RBAC (Role-Based Access Control) and use signed scripts to ensure secure Windows Update management through PowerShell.

Can PowerShell Windows Update handle driver updates and firmware installations?

Yes, PowerShell Windows Update can manage driver and firmware updates by utilizing the -Category parameter with Get-WUList and Get-WUInstall cmdlets. Specify “Drivers” or “Microsoft” as categories to filter and install specific update types.

How do I track and report PowerShell Windows Update installation status across my network?

Create custom PowerShell Windows Update reporting scripts that leverage Get-WUHistory and Get-HotFix cmdlets. Export results to CSV files or integrate with System Center Configuration Manager (SCCM) for comprehensive update tracking.

What are the best practices for scheduling PowerShell Windows Update maintenance windows?

Implement PowerShell Windows Update scheduling using Task Scheduler or PowerShell jobs. Create maintenance windows during off-peak hours, set proper timeout values, and include error handling routines to manage failed updates automatically.