Windows OS Hub
  • Windows Server
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Group Policies
  • Windows Clients
    • Windows 10
    • Windows 8
    • Windows 7
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
  • PowerShell
  • Exchange
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Group Policies
  • Windows Clients
    • Windows 10
    • Windows 8
    • Windows 7
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
  • PowerShell
  • Exchange

 Windows OS Hub / PowerShell / PSWindowsUpdate: Managing Windows Updates from PowerShell

December 23, 2019 PowerShellWindows 10Windows Server 2012 R2Windows Server 2016

PSWindowsUpdate: Managing Windows Updates from PowerShell

It is very convenient to use the special PSWindowsUpdate module for PowerShell to manage Windows updates from the command line interface. The PSWindowsUpdate is not integrated into Windows and is a third-party module available in Technet Script Gallery. PSWindowsUpdate allows administrators to remotely check, install, remove and hide updates on Windows servers and workstations. The PSWindowsUpdate module is especially valuable to manage updates on Windows Server Core, Hyper-V editions having no graphic interface, as well as when configuring a Windows image in the audit mode.

Contents:
  • PSWindowsUpdate: Install Windows Update PowerShell Module
  • Overview of PSWindowsUpdate Cmdlets
  • PowerShell: List All Windows Updates Available for a Computer
  • Install-WindowsUpdate: Installing Windows Updates with PowerShell
  • Install Windows Update on Remote Computers with PowerShell
  • Get-WUHistory: Viewing Windows Update History using PowerShell
  • Remove-WindowsUpdate: Uninstalling Windows Updates
  • Hide-WindowsUpdate: How to Hide Windows Updates with PowerShell?

PSWindowsUpdate: Install Windows Update PowerShell Module

You can install the PSWindowsUpdate module on Windows 10 and Windows Server 2016 from the online repository (PSGallery) using the PackageManagement with a single command:

Install-Module -Name PSWindowsUpdate

In my case, a warning appeared that PSWindowsUpdate 1.5.2.6 was already installed appeared. To install a newer module version, you need to run the command:

Install-Module -Name PSWindowsUpdate –Force

After the installation is complete, you need to check the package:

Get-Package -Name PSWindowsUpdate

Install-Module PSWindowsUpdate from PSGallery

If you have an older Windows version (Windows 7/8.1/Windows Server 2008 R2/2012 R2) or you don’t have direct Internet access, you can install PSWindowsUpdate manually.

This module can be installed on any supported Windows versions starting from Vista / Windows Server 2008 with PowerShell 2.0 installed (though, PoSh 3.0 or newer is recommended).

  1. Download the latest PSWindowsUpdate version from this page: https://gallery.technet.microsoft.com/scriptcenter/2d191bcd-3308-4edd-9de2-88dff796b0bc and unblock the downloaded file;
    Please note that only the old version of the module is available in the TechNet script gallery – v 1.5.6. While the NuGet package manager installs PSWindowsUpdate 2.1.1.2 from the PowershellGallery. Available PowerShell cmdlets and parameters may vary in different versions of the module.
    download and unblock the PSWindowsUpdate Module
  2. Extract the archive with the PS module into one of the following directories: %USERPROFILE%\Documents\WindowsPowerShell\Modules or %WINDIR%\System32\WindowsPowerShell\v1.0\Modules (the last one is better if you are going to use the module often);
  3. Allow PowerShell scripts execution: Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
  4. Import the module into your PowerShell session: Import-Module PSWindowsUpdate Import-Module PSWindowsUpdate
    Note. In Windows 7/ Windows Server 2008 R2, when importing the PSWindowsUpdate module, the following error may appear: The term “Unblock-File” is not recognized as the name of a cmdlet. The cause is that the module uses some functions that appeared only in PowerShell 3.0. To use these functions, you will have either to update the PowerShell version or to delete the | Unblock-File line from the PSWindowsUpdate.psm1 file manually.

After installing the PSWindowsUpdate module on your computer, you can remotely install it on other computers or servers using the Update-WUModule cmdlet. For example, to copy the PSWindowsUpdate module from your computer to two remote servers, run the commands (you need to access the remote servers via SMB protocol, TCP port 445):

$Targets = "lon-fs02", "lon-db01"
Update-WUModule -ComputerName $Targets –Local

To save (export) the PoSh module to a shared network folder for further importing of the module on other computers, run:

Save-Module -Name PSWindowsUpdate –Path \\lon-fs02\psmodules\

Overview of PSWindowsUpdate Cmdlets

You can display the list of available cmdlets in the PSWindowsUpdate module as follows:

get-command -module PSWindowsUpdate

Let’s describe the usage of the module commands in brief:

  • Clear-WUJob – use the Get-WUJob to call the WUJob in Task Scheduler;
  • Download-WindowsUpdate (alias for Get-WindowsUpdate –Download) — get a list of updates and download them;
  • Get-WUInstall, Install-WindowsUpdate (alias for Get-WindowsUpdate –Install) – install updates;
  • Hide-WindowsUpdate (alias for Get-WindowsUpdate -Hide:$false) – hide update;
  • Uninstall-WindowsUpdate – remove update using Remove-WindowsUpdate;
  • Add-WUServiceManager – register the update server (Windows Update Service Manager) on the computer;
  • Enable-WURemoting — enable Windows firewall rules to allow remote use of the PSWindowsUpdate cmdlets;
  • Get-WindowsUpdate (Get-WUList) — displays a list of updates that match the specified criteria, allows you to find and install the updates. This is the main cmdlet of the PSWindowsUpdate module. Allows to download and install updates from a WSUS server or Microsoft Update. Allows you to select update categories, specific updates and set the rules of a computer restart when installing the updates;
  • Get-WUApiVersion – get the Windows Update Agent version on the computer;
  • Get-WUHistory – display a list of installed updates (update history);
  • Get-WUInstallerStatus — check the Windows Installer service status;
  • Get-WUJob – run WUJob update tasks in the Task Scheduler;
  • Get-WULastResults — dates of the last search and installation of updates (LastSearchSuccessDate and LastInstallationSuccessDate);
  • Get-WURebootStatus — allows you to check whether a reboot is needed to apply a specific update;
  • Get-WUServiceManager – list update sources;
  • Get-WUSettings – get Windows Update client settings;
  • Invoke-WUJob – remotely call WUJobs jobs in the Task Scheduler to immediately execute PSWindowsUpdate commands;
  • Remove-WindowsUpdate – allows to uninstall an update by KB ID;
  • Remove-WUServiceManager – disable Windows Update Service Manager;
  • Set-PSWUSettings – save PSWindowsUpdate module settings to the XML file;
  • Set-WUSettings – configure Windows Update client settings;
  • Update-WUModule – update the PSWindowsUpdate module version (you can update the module on a remote computer by copying it from the current one, or updating from PSGallery).

list PSWindowsUpdate module commands

 

PowerShell: List All Windows Updates Available for a Computer

You can list the updates available for this computer on the update server using the Get-WindowsUpdate or Get-WUList commands.

Get-WUList - view available windows updates

To check the list of available updates on a remote computer, run this command:

Get-WUList –ComputerName server2

You can check where your Windows should get updates from. Run the following command:

Get-WUServiceManager

ServiceID IsManaged IsDefault Name
--------- --------- --------- ----
8b24b027-1dee-babb-9a95-3517dfb9c552 False False DCat Flighting Prod
855e8a7c-ecb4-4ca3-b045-1dfa50104289 False False Windows Store (DCat Prod)
3da21691-e39d-4da6-8a4b-b43877bcb1b7 True True Windows Server Update Service
9482f4b4-e343-43b6-b170-9a65bc822c77 False False Windows Update

Get-WUServiceManager – get update sources

As you can see, the computer is configured to receive updates from the local WSUS server (Windows Server Update Service = True). In this case, you should see a list of updates approved for your computer.

If you want to scan your computer on Microsoft Update servers in the Internet (in addition to Windows updates, these servers contain Office and other Microsoft product updates), run this command:

Get-WUlist -MicrosoftUpdate

You will get this warning:

Get-WUlist : Service Windows Update was not found on computer. Use Get-WUServiceManager to get registered service.

To allow scanning on Microsoft Update, run this command:

Add-WUServiceManager -ServiceID "7971f918-a847-4430-9279-4a52d1efe18d" -AddServiceFlag 7

You can now scan to Microsoft Update. As you can see, in this case, additional updates were found for Microsoft Visual C ++ 2008 and Microsoft Silverlight.

get updates from Microsoft Update for additional microsoft products

To check the version of the Windows Update Agent on the computer, run the command:

Get-WUApiVersion

ComputerName PSWindowsUpdate PSWUModuleDll ApiVersion WuapiDllVersion
------------ --------------- ------------- ---------- ---------------
DESKTOP-J... 2.1.1.2 2.0.6995.28496 8.0 10.0.18362.387

Get-WUApiVersion - check windows update client version

To remove certain products or packages from the list of updates received by your computer, you can exclude them by:

  1. Category (-NotCategory);
  2. Title (-NotCategory);
  3. Update number (-NotKBArticleID).

For example, let’s exclude OneDrive, drivers and the specific KB from the list of updates:

Get-WUlist -NotCategory "Drivers" -NotTitle "OneDrive" -NotKBArticleID KB4489873

Install-WindowsUpdate: Installing Windows Updates with PowerShell

To automatically download and install all available updates for your computer, run the command:

Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot

The AcceptAll key accepts installation of all update packages, and AutoReboot allows Windows to automatically restart after the updates are installed.

You can save the update installation history to the log file (you can use it instead of WindowsUpdate.log file).

Install-WindowsUpdate -AcceptAll -Install -AutoReboot | Out-File "c:\logs\$(get-date -f yyyy-MM-dd)-WindowsUpdate.log" -force

You can install only the specific update packages by KB number:

Get-WindowsUpdate -KBArticleID KB2267602, KB4533002 -Install

Get-WindowsUpdate Install updates powershell

In this case, you need to confirm the installation of each update manually.

If you want to exclude some updates from the installation list, run this command:

Install-WindowsUpdate -NotCategory "Drivers" -NotTitle OneDrive -NotKBArticleID KB4011670 -AcceptAll -IgnoreReboot

Install Windows Update on Remote Computers with PowerShell

The PSWindowsUpdate  module allows you to install updates remotely on multiple workstations or servers at once (the PSWindowsUpdate must be installed/imported on these computers). It is very convenient since an administrator doesn’t have to log on manually to all servers when update installation is scheduled.

Almost all PSWindowsUpdate module cmdlets allow you to manage and install updates on remote computers. To do this, use the attribute: -Computername server1, server2, server3

In order to manage updates on remote computers, you need to add host names to your winrm trusted host list:

winrm set winrm/config/client ‘@{TrustedHosts="server1,server2,…"}’

Install the PSWindowsUpdate module on remote computers and allow to access the process dllhost.exe via dynamic RPC ports in the Windows Defender Firewall.

The following command will install all available updates on three remote servers:

Invoke-WUInstall -ComputerName server1, server2, server3 -Script {ipmo PSWindowsUpdate; Get-WindowsUpdate -Install -AcceptAll -AutoReboot| Out-File C:\Windows\PSWindowsUpdate.log } -Confirm:$false -Verbose -SkipModuleTest –RunNow

In PSWindowsUpdate 2.1, you must use Invoke-WUJob instead of the Invoke-WUInstall cmdlet. This cmdlet creates a scheduler task on a remote computer that is run under SYSTEM.

In newer versions of the PSWindowsUpdate module, use the following command to remotely install updates on multiple computers:

$ServerNames = "server1, server2, server3"
Invoke-WUJob -ComputerName $ServerNames -Script {ipmo PSWindowsUpdate; Install-WindowsUpdate -AcceptAll | Out-File C:\Windows\PSWindowsUpdate.log } -RunNow -Confirm:$false

You can install updates on a remote computer and send an email report to the administrator:

Install-WindowsUpdate -ComputerName nysrv1 -MicrosoftUpdate -AcceptAll - IgnoreReboot -SendReport –PSWUSettings @{SmtpServer="smtp.woshub.com";From="update_alert@woshub.com";To="wsus_admin@woshub.com";Port=25} -Verbose

Get-WUHistory: Viewing Windows Update History using PowerShell

Using the Get-WUHistory cmdlet, you can get the list of updates installed on a computer earlier automatically or manually.

Get-WUHistory - checking windows update history

You can get the information about the date of installation of a specific update:

Get-WUHistory| Where-Object {$_.Title -match "KB4517389"} | Select-Object *|ft

Get-WUHistory for a specific KB

To find out if the update has been installed on multiple remote computers, you can use this PowerShell code:

"server1","server2" | Get-WUHistory| Where-Object {$_.Title -match "KB4011634"} | Select-Object *|ft

Remove-WindowsUpdate: Uninstalling Windows Updates

To correctly uninstall the updates from PowerShell, you can use the Remove-WindowsUpdate cmdlet. Just specify the KB number as an argument of the KBArticleID parameter. To delay automatic computer restart, add the –NoRestart key:

Remove-WindowsUpdate -KBArticleID KB4489873 -NoRestart

Hide-WindowsUpdate: How to Hide Windows Updates with PowerShell?

You can hide the specific updates so they will be never installed by Windows Update service on your computer (most often you need to hide the driver updates). For example, to hide the KB4489873 and KB4489243 updates, run these commands:

$HideList = "KB4489873", "KB4489243"
Get-WindowsUpdate -KBArticleID $HideList –Hide

powershell - hide specific KBs in windows update

Now the next time you scan for updates using the Get-WUInstall command, the hidden updates won’t be displayed in the list of updates available for installation.

This is how you can display the list of updates hidden on this computer:

Get-WindowsUpdate –IsHidden

Notice that the H (Hidden) attribute has appeared in the Status column of hidden updates.

Get-WindowsUpdate –IsHidden - find hidden updates

To remove an update from hidden ones, run this command:

Get-WindowsUpdate -KBArticleID $HideList -WithHidden -Hide:$false

or:

Show-WindowsUpdate -KBArticleID $HideList

For those who feel uncomfortable in the PowerShell console, I would recommend a graphic Windows Update MiniTool to manage Windows 10 updates.

 

14 comments
3
Facebook Twitter Google + Pinterest
previous post
Fix: Photos App in Windows 10 Opens Extremely Slow
next post
Allow or Prevent Non-Admin Users from Reboot/Shutdown Windows

Related Reading

How to Troubleshoot, Repair and Rebuild the WMI...

March 2, 2021

How to Sign a PowerShell Script (PS1) with...

February 25, 2021

How to Shadow (Remote Control) a User’s RDP...

February 22, 2021

Configuring PowerShell Script Execution Policy

February 18, 2021

Configuring Proxy Settings on Windows Using Group Policy...

February 17, 2021

14 comments

Paul Smith June 6, 2019 - 7:52 pm

Excellent piece. One surprise though was it was published in Mar of 2019 and I notice it uses Invoke-WUInstall which seems to have been removed from the current version of PSWindowsUpdate so wondering what version you based the article on

Reply
Afonso Alves September 25, 2019 - 1:26 pm

Excellent Article. Thanks

Reply
Daniel Jonasson October 11, 2019 - 1:56 pm

I get “Update-WUModule : A parameter cannot be found that matches parameter name ‘LocalPSWUSource’.”

Reply
scribe_pl November 18, 2019 - 10:24 am

did anyone try to run remotely, massively on several computers, install downloaded updates (from WSUS) and restart?

Reply
asfasfasfasf November 18, 2019 - 8:05 pm

It looks like Invoke-WUInstall is now Invoke-WUJob

Reply
kriske November 19, 2019 - 3:32 pm

can you also let a client check for update to a nother computer in your VPN network and what ports and ^protocols needs to be open on a firewall? the client whit the updates is only reachable by ip so can we search whit client x on client y for updates by IP?

Reply
akim December 23, 2019 - 10:06 am

awesome post , thanks for the same.

Reply
Akos March 4, 2020 - 10:28 am

I get a following error message, when I tried to run this command: Get-WUInstall -MicrosoftUpdate -IgnoreUserInput -AcceptAll -IgnoreReboot -Verbose
Error message: WARNING: Can’t find registered service Microsoft Update. Use Get-WUServiceManager to get registered service.
Do you have idea why cannot run this command?

Reply
Max Strzelecki April 6, 2020 - 6:52 pm

Awesome script, thanks! I found one issue though, after I disabled Windows Update access using the command “set-wusettings DisableWindowsUpdateAccess”, I can’t re-enable it. I tried adding “False” at the end of the command, but it throws an error. Is there a different way to re-enable Windows Update Access?

Thanks

Reply
admin April 14, 2020 - 8:11 am

Please show me the Set-ClientWSUSSetting command that you are using and the full PowerShell error test.

Reply
Ict Test April 23, 2020 - 7:24 pm

What happens with with install Windows Updates on remote computers sections;
…Invoke-WUInstall : A parameter cannot be found that matches parameter name ‘RunNow’.
…Invoke-WUInstall : A parameter cannot be found that matches parameter name ‘SkipModuleTest’.

Reply
Alex May 19, 2020 - 2:14 pm

Total PS noob here. I’ve got PSWindowsUpdate (v2.2.0.2) installed on various Windows Server 2016 VMs and a Windows 10 VM I am executing their commands remotely from. I was able to update all of my server VMs successfully using PSWU commands. But, after restarting, a few of the VMs no longer respond to remote commands though the same commands work from the VMs’ consoles.

The problems some servers experience are one of two issues:
1) The command seemingly executes but nothing is returned.
For instance, on my Win10 VM I enter “get-wuhistory -computername SERVER -verbose” and get “Connecting to default for SERVER. Please wait…” No data is returned. I just come back to the PS prompt within a couple of seconds. Executing the command in PS at the server’s console results in the full history of applied Windows updates.
2) I enter the command “get-wuhistory -computername SERVER -verbose” and get the following results

—————————————————–
VERBOSE: Performing the operation “(5/19/2020 8:58:35 AM) Get Windows Update History” on target “SERVER”.
get-wuhistory : CORP-SYS-DC-01: Unknown failure.
At line:1 char:1
+ get-wuhistory -computername SERVER -verbose
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (:) [Get-WUHistory], Exception
+ FullyQualifiedErrorId : Unknown,PSWindowsUpdate.GetWUHistory
—————————————————–

Again, these commands worked fine until I restarted some of the servers. Oddly, the problem affects only a few of my servers.

Reply
admin May 21, 2020 - 7:32 am

Try if you can connect to these computers through PowerShell remoting. For example,
Enter-PSSession -ComputerName server
or try to get WU history with the command:
Invoke-Command -ComputerName Server1, Server2 -ScriptBlock {get-wuhistory -verbose}

Reply
Shawn October 15, 2020 - 9:24 pm

I have been successful in getting some updates to run, but i have two that are sitting in pending install state, and they never install. is there a parameter that needs to be input to get these pending install updates to go?

Reply

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange
  • Windows 10
  • Windows 8
  • Windows 7
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2008 R2
  • PowerShell
  • VMWare
  • MS Office

Recent Posts

  • How to Troubleshoot, Repair and Rebuild the WMI Repository?

    March 2, 2021
  • Accessing USB Flash Drive from VMWare ESXi

    February 26, 2021
  • How to Sign a PowerShell Script (PS1) with a Code Signing Certificate?

    February 25, 2021
  • Change the Default Port Number (TCP/1433) for a MS SQL Server Instance

    February 24, 2021
  • How to Shadow (Remote Control) a User’s RDP session on RDS Windows Server 2016/2019?

    February 22, 2021
  • Configuring PowerShell Script Execution Policy

    February 18, 2021
  • Configuring Proxy Settings on Windows Using Group Policy Preferences

    February 17, 2021
  • Updating Group Policy Settings on Windows Domain Computers

    February 16, 2021
  • Managing Administrative Shares (Admin$, IPC$, C$, D$) in Windows 10

    February 11, 2021
  • Packet Monitor (PktMon) – Built-in Packet Sniffer in Windows 10

    February 10, 2021

Follow us

woshub.com
  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Install RSAT Feature on Demand on Windows 10 1809 and Later
  • Get-ADUser: Getting Active Directory Users Info via PowerShell
  • How to Create a UEFI Bootable USB Drive to Install Windows 10 or 7?
  • Get-ADComputer: Find Computer Details in Active Directory with PowerShell
  • Managing Printers and Drivers with PowerShell in Windows 10 / Server 2016
  • How to Find the Source of Account Lockouts in Active Directory domain?
  • PowerShell: Get Folder Sizes on Disk in Windows
Footer Logo

@2014 - 2018 - Windows OS Hub. All about operating systems for sysadmins


Back To Top