How to Use PowerShell to Manage Windows Updates

As is well known, keeping systems updated is essential to protecting enterprises from malicious attacks and security breaches that may compromise confidential information or even cause sensitive data losses.

Installing Windows update patches has always been a tedious, complex and long process. Although Microsoft eases these procedures through tools such as Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM), administrators still require command-line tools to automate the updates installation in certain scenarios.

How to install PSWindowsUpdate

PSWindowsUpdate is a third-party module that is not integrated into Windows by default. It can be downloaded from the PowerShell gallery, the most used repository for sharing PowerShell code. This module includes different cmdlets to manage the deployment of Windows updates from the command line.

  1. Download the latest PSWindowsUpdate version from the PowerShell gallery https://www.powershellgallery.com/
    **Previous versions of the module are also available in the Microsoft Technet Gallery, but Microsoft has retired this repository and now remains in read-only mode.
  1. Create a new folder named “PSWindowsUpdate” in %WINDIR%\System32\WindowsPowerShell\v1.0\Modules and extract the content of the nupkg file.
    **A NuGet package is a ZIP archive with some extra files. Some browsers, like Internet Explorer, automatically replace the .nupkg file extension with .zip
  1. Open an elevated PowerShell prompt and run Set-ExecutionPolicy RemoteSigned to allow the execution of scripts signed by a trusted publisher.
  1. Install Import-Module -Name PSWindowsUpdate.

If the PowerShell setup is already configured to allow online downloads, the PSWindowsUpdate module can also be installed directly from the online repository (PSGallery) running Install-Module -Name PSWindowsUpdate.

How to install PSWindowsUpdate

Commands in PSWindowsUpdate

Installed aliases and cmdlets can be displayed typing Get-Command–module PSWindowsUpdate.

Commands in PSWindowsUpdate

A brief description of principal commands is described below:

Get-WindowsUpdate: This is the main cmdlet of the module. It lists, downloads, installs or hides a list of updates meeting predefined requisites and sets the rules of the restarts when installing the updates.

Remove-WindowsUpdate: Uninstalls an update

Add-WUServiceManage: Registers a new Windows Update API Service Manager

Get-WUHistory: Shows a list of installed updates

Get-WUSettings: Gets Windows Update client settings

Get-WUInstallerStatus: Gets Windows Update Installer Status, whether it is busy or not

Enable-WURemoting: Enables firewall rules for PSWindowsUpdate remoting

Invoke-WUJob: Invokes PSWindowsUpdate actions remotely

Like for all PowerShell cmdlets, different usage examples can be shown for each command typing Get-Help “command” -examples.

PSWindowsUpdate main parameters

As shown in the previous section, the PSWindowsUpdate module includes different predefined aliases to ease patching processes. However, main parameters for the Get-WindowsUpdate cmdlet will be listed and explained below:

Filtering updates:

Actions and targets:

Client restart behavior:

How to avoid accidental installs

Windows updates and patches improve the features and stability of the system. However, some updates can mess up your system and cause instability, especially automatic updates for legacy software such as graphic card drivers. To avoid automatic updates and accidental installs for such applications, you can pause Windows updates.

Alternatively, you can hide the specific updates for those features you don’t want to get updated. When you hide the updates, Windows can no longer download and install such updates. Before you can hide the update, you need to find out its details, including its knowledge base (KB) number and title. Type the cmdlet below to list all the available updates on your system:

Get-WUList

To hide a specific update using the KB number, use your mouse to copy that KB number. Next, type the command below:

Hide-WUUpdate -KBArticleID KB_Number

Highlight the “KB_Number” and click paste to replace that part with the actual KB number.

When prompted to confirm the action, type A, and hit the Enter key. If the command succeeds, the “Get-WUList” lists all the available updates, with hidden updates appearing with the symbol “H” under their status.

The KB number for the update may not be available for some updates. In this case, you can use the title to hide the update. To do this, list all the available updates via the cmdlet below:

Get-WUList

Next, use your mouse to copy the update title. Ensure it is distinct from other update titles. Now, type below command below to hide the update:

Hide-WUUpdate -Title “Update_Title”

Don’t forget to paste the actual update title in the “Update Title” section.

When prompted to confirm the action, type A, and hit the Enter key. If the command succeeds, the “Get-WUList” lists all the available updates. However, the status of hidden updates appears with the symbol “H” underneath them.

How to determine errors

It is of crucial importance to have as much information as possible about Windows Updates installation processes in order to be able to fix erroneous deployments. The Get-WindowsUpdate cmdlet and the rest of cmdlets available in the module, provide a very detailed log level when managing updates, including status, KB ID, Size or Title.

Centralizing all of the computer logs and analyzing them searching for errors, administrators will always be able to know the patch level of their Windows computers and servers.

Flexible PowerShell management with Parallels RAS

In order to optimize new machines deployment time and management efforts, many administrators decide to build their RAS farms based on templates. When working with templates and cloning techniques, patching procedures are only made once in the master image. Deploying new machines based on the updated template will upgrade the environment within minutes.

Parallels® Remote Application Server (RAS) PowerShell SDK includes a complete set of tools to manage and configure RAS farms, including specific cmdlets to create templates from existing virtual machines or to deploy new machines based on those templates. Combining these commands with the PSWindowsUpdate PowerShell module, administrators will be able to automate the complete patching process of both their infrastructure servers and their templated-based machines.

Different RAS cmdlets that can be used to automate the updates installation processes, will be found in the following link: Parallels RAS PowerShell – VDI Example. The complete set of RAS commands is available here: RAS PowerShell Reference.

If you have any questions, please feel free to get in touch!


References

PowerShell Gallery 

Manual Package Download

Managing Windows Updates with PowerShell

Install Windows updates remotely