Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / PowerShell / Manage Windows Updates with PSWindowsUpdate PowerShell Module

May 10, 2023 PowerShellWindows 10Windows 11Windows Server 2019

Manage Windows Updates with PSWindowsUpdate PowerShell Module

You can use the PSWindowsUpdate PowerShell module to manage Windows updates from the command line. The PSWindowsUpdate module is not built into Windows and is available for installation from the PowerShell Gallery repository. PSWindowsUpdate allows administrators to remotely check, install, remove, and hide updates on Windows servers and workstations. The PSWindowsUpdate module is especially valuable to manage updates on Windows Server Core or Hyper-V Server (which don’t have a GUI), and when configuring a Windows image in the audit mode.

Contents:
  • Installing the PSWindowsUpdate Module
  • PSWindowsUpdate Cmdlets List
  • Scan and Download Windows Updates with PowerShell
  • Installing Windows Updates with PowerShell (Install-WindowsUpdate)
  • Install Windows Update on Remote Computers with PowerShell
  • Check Windows Update History with PowerShell (Get-WUHistory)
  • Uninstalling Windows Updates with PowerShell (Remove-WindowsUpdate)
  • How to Hide Windows Updates with PowerShell?

Installing the PSWindowsUpdate Module

You can install the PSWindowsUpdate module on Windows 10/11 and Windows Server 2022/2019/2016 from the online repository (PSGallery) using the command:

Install-Module -Name PSWindowsUpdate -Force

After the installation is complete, you need to check the package:

Get-Package -Name PSWindowsUpdate

Install-Module PSWindowsUpdate from PSGallery

When installing the PowerShell module on earlier versions of Windows 2012R2/Windows 8.1 and below, you may receive an error:

Install-Module: Unable to download from URI.Unable to download the list of available providers. Check your internet connection.

To install the module, you need to use the TLS 1.2 protocol for connection. Enable it for the current PowerShell session with the command:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

https://woshub.com/powershell-install-module-unable-download-uri/

If you have an older Windows version (Windows 7/8.1/Windows Server 2008 R2/2012 R2) or you don’t have direct Internet access, you can install PSWindowsUpdate manually (check the guide “How to install PowerShell modules offline?”).

  1. Download the PSWindowsUpdate module to any online computer: Save-Module –Name PSWindowsUpdate –Path C:\ps\;
  2. Copy the module to the following folder on the target computer %WINDIR%\System32\WindowsPowerShell\v1.0\Modules;copy pswindowsupdate module to offline windows computer
  3. Configure the PowerShell script execution policy: Set-ExecutionPolicy –ExecutionPolicy RemoteSigned -force
  4. You can now import the module into your PowerShell session: Import-Module PSWindowsUpdate
Note. In Windows 7/Windows Server 2008 R2, when importing the PSWindowsUpdate module, the following error may appear: The term “Unblock-File” is not recognized as the name of a cmdlet. The cause is that the module uses some functions that appeared only in PowerShell 3.0. To use these functions, you will have either to update the PowerShell version or delete the | Unblock-File line from the PSWindowsUpdate.psm1 file manually.

After installing the PSWindowsUpdate module on your computer, you can remotely install it on other computers or servers using the Update-WUModule cmdlet. For example, to copy the PSWindowsUpdate module from your computer to two remote hosts, run the commands (you need access to the remote servers via the WinRM protocol):

$Targets = "lon-fs02", "lon-db01"
Update-WUModule -ComputerName $Targets –Local

To save (export) the PoSh module to a shared network folder for further importing on other computers, run:

Save-Module -Name PSWindowsUpdate –Path \\lon-fs02\psmodules\

PSWindowsUpdate Cmdlets List

You can display the list of available cmdlets in the PSWindowsUpdate module as follows:

get-command -module PSWindowsUpdate

Let’s describe the usage of the module commands in brief:

  • Clear-WUJob – use the Get-WUJob to clear the WUJob in Task Scheduler;
  • Download-WindowsUpdate (alias for Get-WindowsUpdate –Download) — get a list of updates and download them;
  • Get-WUInstall, Install-WindowsUpdate (alias for Get-WindowsUpdate –Install) – install Windows updates;
  • Hide-WindowsUpdate (alias for Get-WindowsUpdate -Hide:$false) – hide update;
  • Uninstall-WindowsUpdate – remove update using the Remove-WindowsUpdate;
  • Add-WUServiceManager – register the update server (Windows Update Service Manager) on the computer;
  • Enable-WURemoting — enable Windows Defender firewall rules to allow remote use of the PSWindowsUpdate cmdlets;
  • Get-WindowsUpdate (Get-WUList) — displays a list of updates that match the specified criteria, allows you to find and install the updates. This is the main cmdlet of the PSWindowsUpdate module. Allows to download and install updates from a WSUS server or Microsoft Update. Allows you to select update categories, specific updates and set the rules of a computer restart when installing the updates;
  • Get-WUApiVersion – get the Windows Update Agent version on the computer;
  • Get-WUHistory – display a list of installed updates (update history);
  • Get-WUInstallerStatus — check the Windows Installer service status;
  • Get-WUJob – check for WUJob update tasks in the Task Scheduler;
  • Get-WULastResults — dates of the last search and installation of updates (LastSearchSuccessDate and LastInstallationSuccessDate);
  • Get-WURebootStatus — allows you to check whether a reboot is needed to apply a specific update;
  • Get-WUServiceManager – list update sources;
  • Get-WUSettings – get Windows Update client settings;
  • Invoke-WUJob – remotely call WUJobs task in the Task Scheduler to immediately execute PSWindowsUpdate commands;
  • Remove-WindowsUpdate – allows to uninstall an update by KB ID;
  • Remove-WUServiceManager – disable Windows Update Service Manager;
  • Set-PSWUSettings – save PSWindowsUpdate module settings to the XML file;
  • Set-WUSettings – configure Windows Update client settings;
  • Update-WUModule – update the PSWindowsUpdate module (you can update the module on a remote computer by copying it from the current one, or updating from PSGallery);
  • Reset-WUComponents – allows you to reset the Windows Update agent on the computer to the default state.

list PSWindowsUpdate module commands

To check the current Windows Update client settings, run the command:

Get-WUSettings

ComputerName                                 : WKS5S2N39S2
WUServer                                     : http://MN-WSUS:8530
WUStatusServer                               : http://MN-WSUS:8530
AcceptTrustedPublisherCerts                  : 1
ElevateNonAdmins                             : 1
DoNotConnectToWindowsUpdateInternetLocations : 1
TargetGroupEnabled                           : 1
TargetGroup                                  : ServersProd
NoAutoUpdate                                 : 0
AUOptions                                    : 3 - Notify before installation
ScheduledInstallDay                          : 0 - Every Day
ScheduledInstallTime                         : 3
UseWUServer                                  : 1
AutoInstallMinorUpdates                      : 0
AlwaysAutoRebootAtScheduledTime              : 0
DetectionFrequencyEnabled                    : 1
DetectionFrequency                         : 4

In this example, the Windows Update agent on the computer is configured with a GPO to receive updates from the local WSUS server.

The Reset-WUComponents -Verbose cmdlet allows you to reset all Windows Update Agent settings, re-register libraries, and restore the wususerv service to its default state.

reset windows update components with powershell

Scan and Download Windows Updates with PowerShell

You can list the updates available for the current computer on the update server using the Get-WindowsUpdate or Get-WUList commands.

Get-WUList - view available windows updates

To check the list of available updates on a remote computer, run this command:

Get-WUList –ComputerName server2

You can check where your Windows should receive updates from. Run the following command:

Get-WUServiceManager

ServiceID IsManaged IsDefault Name
--------- --------- --------- ----
8b24b027-1dee-babb-9a95-3517dfb9c552 False False DCat Flighting Prod
855e8a7c-ecb4-4ca3-b045-1dfa50104289 False False Windows Store (DCat Prod)
3da21691-e39d-4da6-8a4b-b43877bcb1b7 True True Windows Server Update Service
9482f4b4-e343-43b6-b170-9a65bc822c77 False False Windows Update

Get-WUServiceManager – get update sources

As you can see, the computer is configured to receive updates from the local WSUS server (Windows Server Update Service = True). In this case, you should see a list of updates approved for your computer.

If you want to scan your computer against Microsoft Update servers on the Internet (in addition to Windows updates, these servers contain Office and other Microsoft product updates), run this command:

Get-WUlist -MicrosoftUpdate

You will get this warning:

Get-WUlist : Service Windows Update was not found on computer. Use Get-WUServiceManager to get registered service.

To allow scanning on Microsoft Update, run this command:

Add-WUServiceManager -ServiceID "7971f918-a847-4430-9279-4a52d1efe18d" -AddServiceFlag 7

You can now scan against Microsoft Update. In this case, additional updates were found for Microsoft Visual C ++ 2008 and Microsoft Silverlight.

get updates from Microsoft Update for additional microsoft products

To check the version of the Windows Update Agent on the computer, run the command:

Get-WUApiVersion

ComputerName PSWindowsUpdate PSWUModuleDll ApiVersion WuapiDllVersion
------------ --------------- ------------- ---------- ---------------
DESKTOP-J... 2.1.1.2 2.2.0.2 8.0 10.0.19041.1320

Get-WUApiVersion - check windows update client version

To remove specific products or KBs from the list of updates received by your computer, you can exclude them by:

  • Category (-NotCategory);
  • Title (-NotCategory);
  • Update number (-NotKBArticleID).

For example, let’s exclude OneDrive, driver updates, and the specific KB from the list:

Get-WUlist -NotCategory "Drivers" -NotTitle "OneDrive" -NotKBArticleID KB4489873

Installing Windows Updates with PowerShell (Install-WindowsUpdate)

To automatically download and install all available updates for your Windows device from Windows Update servers (instead of local WSUS), run the command:

Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot

The AcceptAll parameter accepts the installation of all update packages, and AutoReboot allows Windows to automatically restart after the updates are installed.

You can also use the following options:

  • IgnoreReboot – disable automatic reboot;
  • ScheduleReboot – set the exact time to restart the computer.

You can save the update installation history to a log file (you can use it instead of WindowsUpdate.log file).

Install-WindowsUpdate -AcceptAll -Install -AutoReboot | Out-File "c:\logs\$(get-date -f yyyy-MM-dd)-WindowsUpdate.log" -force

You can install only the specific update packages by KB numbers:

Get-WindowsUpdate -KBArticleID KB2267602, KB4533002 -Install

Get-WindowsUpdate Install updates powershell

In this case, you need to confirm the installation of each update manually.

If you want to exclude certain updates from the installation list, run this command:

Install-WindowsUpdate -NotCategory "Drivers" -NotTitle OneDrive -NotKBArticleID KB4011670 -AcceptAll -IgnoreReboot

Install Windows Update on Remote Computers with PowerShell

The PSWindowsUpdate module allows you to install updates remotely on multiple workstations or servers at once (the PSWindowsUpdate must be installed/imported on these computers). This is very convenient because the administrator doesn’t have to manually log on to remote Windows hosts to install updates. WinRM must be enabled and configured on remote computers (manually or via GPO).

Almost all PSWindowsUpdate module cmdlets allow you to manage and install Windows updates on remote computers with the –Computername attribute.

Install the PSWindowsUpdate module on remote computers and allow access via dynamic RPC ports to the dllhost.exe process in the Windows Defender Firewall. You can use the Invoke-Command cmdlet to configure the PSWindowsUpdate module on remote computers:

$Targets = "lon-fs02", "lon-db01"
Invoke-Command -ComputerName $Target -ScriptBlock {Set-ExecutionPolicy RemoteSigned -force }
Invoke-Command -ComputerName $Target -ScriptBlock {Import-Module PSWindowsUpdate; Enable-WURemoting}

The PSWindowsUpdate module can be used to remotely manage Windows updates both on computers in an AD domain and in a workgroup (requires PowerShell Remoting configuration for workgroup environment).

In order to manage updates on remote computers, you need to add hostnames to your winrm trusted host list or configure PowerShell Remoting (WinRM) via HTTPS:

winrm set winrm/config/client '@{TrustedHosts="server1,server2,…"}'

Or with PowerShell :
Set-Item wsman:\localhost\client\TrustedHosts -Value server1 -Force

The following command will install all available updates on three remote Windows hosts:

$ServerNames = "server1, server2, server3"
Invoke-WUJob -ComputerName $ServerNames -Script {ipmo PSWindowsUpdate; Install-WindowsUpdate -AcceptAll | Out-File C:\Windows\PSWindowsUpdate.log } -RunNow -Confirm:$false -Verbose -ErrorAction Ignore

The Invoke-WUJob cmdlet (previously called Invoke-WUInstall) will create a scheduler task on the remote computer that runs under a local SYSTEM account.

You can specify the exact time to install Windows updates:

Invoke-WUJob -ComputerName $ServerNames -Script {ipmo PSWindowsUpdate; Install-WindowsUpdate –AcceptAll -AutoReboot | Out-File C:\Windows\PSWindowsUpdate.log } -Confirm:$false -TriggerDate (Get-Date -Hour 22 -Minute 0 -Second 0)

You can check the status of the update installation task using the Get-WUJob:

Get-WUJob -ComputerName $ServerNames

If the command returns an empty list, then the update installation task on all computers has been completed.

You can install updates on a remote computer and send an email report to the administrator:

Install-WindowsUpdate -ComputerName nysrv1 -MicrosoftUpdate -AcceptAll - IgnoreReboot -SendReport –PSWUSettings @{SmtpServer="smtp.woshub.com";From="updat[email protected]";To="[email protected]";Port=25} -Verbose

Check Windows Update History with PowerShell (Get-WUHistory)

Using the Get-WUHistory cmdlet, you can get the list of updates installed on a computer earlier automatically or manually.

Get-WUHistory - checking windows update history

You can get the information about the installation date of a specific update:

Get-WUHistory| Where-Object {$_.Title -match "KB4517389"} | Select-Object *|ft

Get-WUHistory for a specific KB

To find out if the specific update has been installed on multiple remote computers, you can use this PowerShell code:

"server1","server2" | Get-WUHistory| Where-Object {$_.Title -match "KB4011634"} | Select-Object *|ft

Check if the computer needs to be restarted after installing the update (pending reboot):

Get-WURebootStatus –ComputerName WKS21TJS

check for pending reboot with powershell Get-WURebootStatus

Check the value of the RebootRequired and RebootScheduled attributes.

You can generate a report with the dates when updates were last installed on all computers in the domain using the Get-ADComputer cmdlet (from the Active Directory for PowerShell module):

$Computers=Get-ADComputer -Filter {enabled -eq "true" -and OperatingSystem -Like '*Windows*' }
Foreach ($Computer in $Computers)
{
Get-WULastResults -ComputerName $Computer.Name|select ComputerName, LastSearchSuccessDate, LastInstallationSuccessDate
}

By analogy, you can find computers that have not installed updates for more than 60 days and display the result in the Out-GridView interactive table:

$result=@()
Foreach ($Computer in $Computers) {
$result+= Get-WULastResults -ComputerName $Computer.Name
}
$result| Where-Object { $_.LastInstallationSuccessDate -lt ((Get-Date).AddDays(-60)) }| Out-GridView

Uninstalling Windows Updates with PowerShell (Remove-WindowsUpdate)

You can use the Remove-WindowsUpdate cmdlet to correctly uninstall the updates with PowerShell. Just specify the KB number as an argument of the KBArticleID parameter. To delay automatic computer restart, add the –NoRestart option:

Remove-WindowsUpdate -KBArticleID KB4489873 -NoRestart

How to Hide Windows Updates with PowerShell?

You can hide the specific updates so they will be never installed by the Windows Update service on your computer (most often you need to hide the driver updates). For example, to hide the KB4489873 and KB4489243 updates, run these commands:
$HideList = "KB4489873", "KB4489243"
Get-WindowsUpdate -KBArticleID $HideList –Hide

powershell - hide specific KBs in windows update

Now the next time you scan for updates using the Get-WUlist command, the hidden updates won’t be displayed in the list of updates available for installation.

This is how you can display the list of updates hidden on this computer:

Get-WindowsUpdate –IsHidden

Notice that the H (Hidden) attribute has appeared in the Status column of hidden updates.

Get-WindowsUpdate –IsHidden - find hidden updates

To unhide some updates, run this command:

Get-WindowsUpdate -KBArticleID $HideList -WithHidden -Hide:$false

or:

Show-WindowsUpdate -KBArticleID $HideList

For those who feel uncomfortable in the PowerShell console, I would recommend a graphic Windows Update MiniTool to manage updates in Windows 10/11 and Windows Server 2022/2019.

34 comments
6
Facebook Twitter Google + Pinterest
previous post
Checking User Sign-in Logs in Azure AD (Microsoft 365)
next post
The Application Failed To Start Because Its Side-by-Side Configuration is Incorrect

Related Reading

Installing Language Pack in Windows 10/11 with PowerShell

September 15, 2023

Configure Email Forwarding for Mailbox on Exchange Server/Microsoft...

September 14, 2023

How to View and Change BIOS (UEFI) Settings...

September 13, 2023

How to Create UEFI Bootable USB Drive to...

September 11, 2023

Redirect HTTP to HTTPS in IIS (Windows Server)

September 7, 2023

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMWare
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • Installing Language Pack in Windows 10/11 with PowerShell

    September 15, 2023
  • Configure Email Forwarding for Mailbox on Exchange Server/Microsoft 365

    September 14, 2023
  • How to View and Change BIOS (UEFI) Settings with PowerShell

    September 13, 2023
  • How to Create UEFI Bootable USB Drive to Install Windows

    September 11, 2023
  • Redirect HTTP to HTTPS in IIS (Windows Server)

    September 7, 2023
  • Add an Additional Domain Controller to an Existing AD Domain

    September 6, 2023
  • How to Install an SSL Certificate on IIS (Windows Server)

    September 5, 2023
  • Managing Windows Firewall Rules with PowerShell

    August 31, 2023
  • Fixing ‘The Network Path Was Not Found’ 0x80070035 Error Code on Windows

    August 30, 2023
  • Disable Welcome Message for Microsoft 365 Groups

    August 28, 2023

Follow us

  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Fix: Remote Desktop Licensing Mode is not Configured
  • Configuring Port Forwarding in Windows
  • Start Menu or Taskbar Search Not Working in Windows 10/11
  • How to Install Remote Server Administration Tools (RSAT) on Windows
  • How to Delete Old User Profiles in Windows
  • Get-ADUser: Find Active Directory User Info with PowerShell
  • How to Hide Installed Programs in Windows 10 and 11
Footer Logo

@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins


Back To Top