PSWindowsUpdate: Managing Windows Updates from PowerShell

To manage Windows updates from the CLI on a separate computer, it is very convenient to use PSWindowsUpdate module for PowerShell. The PSWindowsUpdate is not integrated into Windows and is a third-party module available in Technet Script Gallery. PSWindowsUpdate allows administrators to remotely check for updates on Windows servers and workstations, install, remove and hide certain updates. The PSWindowsUpdate module is especially valuable to manage Windows updates in Windows Server Core having no graphic interface and during configuration of Windows image in the audit mode.

PSWindowsUpdate: Installation of the Update Management Module

You can install PSWindowsUpdate module in Windows 10 and Windows Server 2016 from the online repository using PackageManagement in a single command:

Install-Module -Name PSWindowsUpdate

If you have an older Windows version (Windows 7/8.1/ Windows Server 2008 R2/ 2012 R2) or you don’t have direct access to the Internet, you can install PSWindowsUpdate manually.

This module can be installed on any supported Windows versions starting from Vista / Windows Server 2008 with PowerShell 2.0 installed (though, PoSh 3.0 or later is recommended).

1. Download the latest PSWindowsUpdate version from this page: https://gallery.technet.microsoft.com/scriptcenter/2d191bcd-3308-4edd-9de2-88dff796b0bc and unblock the downloaded file;
2. Extract the module archive into one of the following directories: %USERPROFILE%\Documents\WindowsPowerShell\Modules or %WINDIR%\System32\WindowsPowerShell\v1.0\Modules (the latter is better if you are going to use the module often);
3. Allow scripts execution: Set-ExecutionPolicy RemoteSigned
4. Import the module to your PowerShell session: Import-Module PSWindowsUpdate.
   Note. In Windows 7 / Server 2008 R2, when importing the PSWindowsUpdate module, the following error may appears: The term “Unblock-File” is not recognized as the name of a cmdlet. The matter is that the module uses some functions that appeared only in PowerShell 3.0. To use these functions, you will have either to update PowerShell or to delete the | Unblock-File line from PSWindowsUpdate.psm1 manually.

If you installed the Windows update management PowerShell module on your computer, you can remotely install it on other computers and/or servers. Use this script to copy the module to several specified remote servers:

$Targets = "lon-fs02", "lon-db01"
Update-WUModule -LocalPSWUSource "C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSWindowsUpdate" -ComputerName $Targets
Invoke-Command -ComputerName $Targets -ScriptBlock{ Add-Content $Env:WINDIR\system32\WindowsPowerShell\v1.0\profile.ps1 “`nImport-Module PSWindowsUpdate”}

Overview of PSWindowsUpdate Cmdlets

You can display the list of available cmdlets in the PSWindowsUpdate module as follows:

get-command -module PSWindowsUpdate

Let’s describe the usage of the module commands in brief:

• Get-WindowsUpdate — alias for Get-WUList;
• Hide-WindowsUpdate – alias for Hide-WUUpdate;
• Install-WindowsUpdate — alias for Get-WUInstall;
• Uninstall-WindowsUpdate — alias for Get-WUUninstall;
• Add-WUOfflineSync – allows to install updates from the local cache using the file wsusscan.cab or wsusscn2.cab;
• Add-WUServiceManager – registers the update server on a computer;
• Get-WUHistory – displays the list of the installed updates;
• Get-WUInstall – is the main PSWindowsUpdate cmdlet. It allows to download and install updates from a WSUS server or Microsoft Update. Allows you to select update categories, specific updates and set the rules of a computer restart when installing the updates;
• Get-WUInstallerStatus – checks the status of Windows Installer service;
• Get-WURebootStatus – allows you to check if the restart is required in order a certain update to be applied;
• Get-WUList – displays the list of updates that meet the specified criteria, allows to find and install the update you need;
• Get-WUServiceManager – checks the update source;
• Get-WUUninstall – allows to uninstall an update by KB ID;
• Hide-WUUpdate — allows you to hide specific updates from being installed;
• Invoke-WUInstall – allows to manage remote update installation;
• Remove-WUOfflineSync – removes an offline sync source;
• Remove-WUServiceManager – removes an update server.

PowerShell: List All Windows Updates Available for a Computer

You can display the list of available updates for your computer:

Get-WUInstall -ListOnly

To check the list of available updates on a remote computer, run this command:

Get-WUList –ComputerName server2

You can check where your Windows should get updates from. Run the following command:

Get-WUServiceManager

ServiceID IsManaged IsDefault Name
--------- --------- --------- ----
8b24b027-1dee-babb-9a95-3517dfb9c552 False False DCat Flighting Prod
855e8a7c-ecb4-4ca3-b045-1dfa50104289 False False Windows Store (DCat Prod)
3da21691-e39d-4da6-8a4b-b43877bcb1b7 True True Windows Server Update Service
9482f4b4-e343-43b6-b170-9a65bc822c77 False False Windows Update

As you can see, the computer is configured to receive the updates from the local WSUS server and Windows Update.

If you want to scan your computer on Microsoft Update servers in the Internet(in addition to Windows updates, these servers contain Office and other product updates), run this command:

Get-WUinstall -MicrosoftUpdate –ListOnly

You will get this warning:

Can’t find registered service Microsoft Update. Use Get-WUServiceManager to get registered service.

To allow scanning on Microsoft Update, run this command:

Add-WUServiceManager -ServiceID "7971f918-a847-4430-9279-4a52d1efe18d" -AddServiceFlag 7

Now you can scan your computer on Microsoft Update.

To remove certain products or packages from the list of updates received by your computer, you can exclude them by:

1. Category (-NotCategory);
2. Title (-NotCategory);
3. Update number (-NotKBArticleID).

For example, let’s exclude OneDrive, drivers and the specific KB from the list of updates:

Get-WUInstall -NotCategory "Drivers" -NotTitle "OneDrive" -NotKBArticleID KB4489873 -ListOnly

Install Windows Updates Using PSWindowsUpdate Module

To automatically download and install all available updates for your computer, run the following:

Get-WUInstall -AcceptAll –IgnoreReboot

The AcceptAll key accepts installation of all packages, and IgnoreReboot allows to suppresses automatic Windows restart after the updates are installed.

You can install only the specific update packages:

Get-WUInstall -KBArticleID KB4489873,KB4489883 –AcceptAll

If you want to remove some updates from the list in order not to install them, run this command:

Get-WUInstall -NotCategory "Drivers" -NotTitle OneDrive -NotKBArticleID KB4489873 -AcceptAll -IgnoreReboot

The module allows you install updates remotely on multiple workstations or servers (PSWindowsUpdate must be installed on these computer). It is very convenient since an administrator doesn’t have to log on to all servers when update installation is scheduled. The following command will install all available updates (with some exceptions) on three remote servers:

Invoke-WUInstall -ComputerName server1, server2, server1 -Script {Import-Modul PSWindowsUpdate; Get-WUInstall -NotCategory "Language packs" -NotTitle OneDrive -NotKBArticleID KB4489873 | Out-File C:\Windows\PSWindowsUpdate.log} -Confirm:$false -Verbose -SkipModuleTest –RunNow

How to check Windows Update History using PowerShell?

Using the Get-WUHistory cmdlet, you can get the list of updates installed on a computer earlier. You can get the information about the date of installation of a certain update:

Get-WUHistory| Where-Object {$_.Title -match "KB4489*"} | Select-Object *|ft

To find out if the update has been installed on multiple remote computers, you can use this code:

"server1","server2" | Get-WUHistory| Where-Object {$_.Title -match "KB4011634"} | Select-Object *|ft

Remove-WindowsUpdate: Uninstalling Windows Updates

To uninstall the updates from PowerShell, you can use the Remove-WindowsUpdate cmdlet. Just specify the KB number as an argument of the KBArticleID parameter. To restart your computer later, add the –NoRestart key:

Remove-WindowsUpdate -KBArticleID KB4489873 -NoRestart

How to Hide Windows Updates with PSWindowsUpdate?

You can hide the specific updates so they will be never installed by Windows Update service on your computer. For example, to hide the KB4489873 and KB4489883 updates, run these commands:

$HideList = "KB4489873", "KB4489883"
Hide-WindowsUpdate -KBArticleID $HideList –Hide

Now the next time you scan for updates using the Get-WUInstall –ListOnly command, the hidden updates won’t be displayed in the list of updates available for installation.

This is how you can display the list of updates hidden on this computer:

Get-WindowsUpdate -IsHidden

To remove an update from hidden ones, run this command:

Hide-WindowsUpdate -KBArticleID $HideList -Hide:$false

For those who are not good at working in the console, I would recommend a graphic  Windows Update MiniTool to manage Windows 10 updates.