How to use PowerShell to manage Microsoft updates on Windows

Configure patch management on your Windows device fleet using PowerShell to deploy Microsoft authorized updates remotely.

Managing Windows updates is a cornerstone task for the system administrator responsible for Windows computers. Any IT professional will be very familiar with “Patch Tuesday,” the slot Microsoft has designated for releasing the latest updates for all its software applications, making them available on its catalog servers, which feed individual devices the metadata needed to search for and download the latest improvements.

While the task itself is not complicated, keeping Microsoft applications up to date becomes increasingly difficult and time-consuming as the number of devices increases. Between the number of patches available, previously missed or corrupt updates that can act as dependencies for newer updates, bandwidth considerations, and the people who use the devices to complete their work, the task can easily overwhelm even the most experienced IT pro.

Fortunately, as with most things Microsoft, there are a number of ways to accomplish the task, and patch management can be handled through repositories, third-party management suites, and my personal favorite, PowerShell (PS). I say favorite because it is flexible, powerful, and native to every version of Windows going back several generations. It’s also easy to script once you have the right parameters in place, and it’s very safe. And because there is no dependency on additional software or servers that may be expensive or prohibited from use, the solution is largely free for any organization to use.

I will walk through the steps to set up your infrastructure to use PowerShell to complete patch management, even automating it according to the needs of your organization. But first, review the requirements below to make sure everything works smoothly:

Minimum Requirements:

  • Workstations running Windows 10, macOS, or Linux for administrative tasks
  • PowerShell v5.0 (or newer) on Windows; PowerShell v7.0 on macOS / Linux
  • Windows client computers with Windows 7 / Server 2008 (or later) installed
  • Network activated
  • Internet access
  • SMB-based server share (optional, but recommended for script and module references)

How to check your version of PowerShell

Launch PowerShell and enter the following command to verify the version of PS installed:

$PSVersionTable.PSVersion

This displays a table with the major and minor versions, with the major being the one that identifies the version number.

Install the PSWindowsUpdate Module

1. Before an update can be pushed to a device, the module that provides PS with the available cmdlets must be installed on each Windows computer first (see the section below to do this en masse). Enter the following command to install the module:

Install-Module PSWindowsUpdate

2. Once it is installed, enter the following cmdlet to print a list on screen and familiarize yourself with all the cmdlets available in this module:

Get-Command -module PSWindowsUpdate

Microsoft Update Service vs. Windows Update Service (Windows only)

By default, the module will only search for and provide Windows updates. However, if you support other Microsoft applications that you also want to update, you need to register the optional Microsoft Update Service to be able to deliver these updates. To do this, enter the cmdlet below:

Add-WUServiceManager -MicrosoftUpdate

The cmdlet above is only supported on Windows-based systems, since macOS and Linux do not use the Microsoft Update Service for their update repositories.

Deploy updates to local computers

To run the update process on the local computer, enter the following cmdlet:

Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot

This will search for missing updates for Microsoft products installed on the local computer against Microsoft Update Services, silently install them, accept the license agreement, and reboot the system automatically when finished.

If you want a log entry for each device so you can check for any problems that occur during the update process, create a shared folder on a server to centralize log management. Once it is created with read/write permission to the directory, append the following to the update cmdlet above to force log entries to be written to the shared folder for review.

| Out-File "\\server\share\logs\$env:computername-$(Get-Date -f yyyy-MM-dd)-MSUpdates.log" -Force

Mind the case sensitivity of the date format. If it is incorrect, the date will not be stamped correctly in the file name.

Deploy updates to remote computers

1. Create a variable with the names of the computers that you want to update. For the purposes of this example, we will call the variable $Nodes. Type the command below to set the variable:

$Nodes = "computername01","computername02","etc"

2. Next, enter the cmdlet that imports the PSWindowsUpdate module on the remote system and then calls Microsoft Update to download and install the missing updates. The update runs immediately after the cmdlet is run, the output is exported to a log file on the server share with the hostname and time stamp, and the station reboots when it is done:

Invoke-WUJob -ComputerName $Nodes -Script {ipmo PSWindowsUpdate; Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot} -RunNow -Confirm:$false | Out-File "\\server\share\logs\$Nodes-$(Get-Date -f yyyy-MM-dd)-MSUpdates.log" -Force
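
The remote procedure above, as an added example that is not part of the original article: it submits the job per node so that one unreachable host does not stop the rest, and records the submission status of every node on the share. The host names, the node-local log path C:\Windows\Temp\MSUpdates.log and the CSV file name are assumptions.

```powershell
# Added example, not from the article. Host names, the node-local log path
# and the CSV file name are placeholders/assumptions.
$Nodes = 'computername01', 'computername02'   # string array: one element per host
$Share = '\\server\share\logs'                # log share used in the article
$Stamp = Get-Date -Format 'yyyy-MM-dd'        # MM = month (mm would be minutes)

# Runs on the node inside the scheduled task that Invoke-WUJob registers,
# so the installer output is written to a file local to that node.
$Job = {ipmo PSWindowsUpdate; Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot | Out-File C:\Windows\Temp\MSUpdates.log -Force}

$Results = foreach ($Node in $Nodes) {
    $Status = 'Submitted'
    try {
        # Skip hosts that do not answer instead of waiting on a remote timeout.
        if (-not (Test-Connection -ComputerName $Node -Count 1 -Quiet)) {
            throw 'host unreachable'
        }
        Invoke-WUJob -ComputerName $Node -Script $Job -RunNow -Confirm:$false -ErrorAction Stop |
            Out-Null
    }
    catch {
        # Keep the reason so a failed node is visible in the run report.
        $Status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Node = $Node; Status = $Status; Time = Get-Date }
}

# One status file per run on the share, then list the nodes that need attention.
$Results | Export-Csv -Path "$Share\$Stamp-MSUpdates-submit.csv" -NoTypeInformation
$Results | Where-Object Status -ne 'Submitted'
```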

Only install specific updates

If you want to select certain updates only for installation, PS offers the flexibility to do so by KB article, using the cmdlet below:

Get-WindowsUpdate -KBArticleID "KB1111111","KB2222222","etc" -Install

Prevent specific updates from being installed by hiding them

There may be times when you want to exclude updates from the installation list. Microsoft has included several parameters that address this exception based on the name and ID of the individual update, KB article, and update category.

Similar to installing specific updates based on the KB article above, you can use the following command to prevent the installation of updates that match the KB article that is referenced:

Install-WindowsUpdate -NotKBArticle "KB1111111","etc" -AcceptAll

Maybe you choose not to update certain applications, like Teams. The following command will install updates for all applications, except those that include “Teams” in the title:

Install-WindowsUpdate -NotTitle "Teams" -AcceptAll

Finally, if you want to skip updates that fall into certain categories, for example, drivers or Feature Packs, the following command will skip those updates while everything else is installed:

Install-WindowsUpdate -NotCategory "Drivers","FeaturePacks" -AcceptAll

When building the ideal script for your update method, remember to include not only your preferences but also to take the time to test them individually and then together as one all-encompassing script to make sure everything functions properly.
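
One way to test the exclusions individually and then together before anything is installed, as an added example that is not part of the original article: Get-WindowsUpdate without -Install only lists what would be offered, so each filter can be checked against the full list. The KB number and filter values are the article's placeholders, and the Title and KB properties on the returned objects are assumed to match the module's default output columns.

```powershell
# Added example, not from the article. Filter values are the article's placeholders.
$Exclude = @{
    NotKBArticleID = 'KB1111111'
    NotTitle       = 'Teams'
    NotCategory    = 'Drivers', 'FeaturePacks'
}

# Baseline: everything currently offered to this computer, nothing installed.
$All = @(Get-WindowsUpdate -MicrosoftUpdate)

# Apply each filter on its own and record which titles it removes from the list.
$Report = foreach ($Name in $Exclude.Keys) {
    $One  = @{ $Name = $Exclude[$Name] }
    $Kept = @(Get-WindowsUpdate -MicrosoftUpdate @One)
    [pscustomobject]@{
        Filter    = $Name
        Offered   = $All.Count
        Remaining = $Kept.Count
        Skipped   = ($All.Title | Where-Object { $_ -notin $Kept.Title }) -join '; '
    }
}
$Report | Format-Table -AutoSize -Wrap

# All filters together: this is the list the combined Install-WindowsUpdate call would act on.
Get-WindowsUpdate -MicrosoftUpdate @Exclude | Select-Object KB, Title
```

A filter whose Skipped column is empty matched nothing on this computer, which is worth checking against the category or title spelling before relying on it.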

For best results

  • Make sure your infrastructure meets the minimum PowerShell requirements and versions.
  • Import modules on your device and register with Microsoft Update Service.
  • Make a list to hide unauthorized / untested updates.
  • Deploy only updates that have been previously approved for all devices.
  • Save cmdlets and logs to a share to automate distributed update scripts.
