How to use PowerShell to manage Microsoft updates on Windows

Configure patch management on your fleet of Windows devices using PowerShell to remotely deploy pre-authorized Microsoft updates.

Administering Windows updates is a cornerstone of the job for any systems administrator responsible for Windows computers. Any IT professional is intimately familiar with "Patch Tuesday," the second Tuesday of each month, when Microsoft releases the latest updates for its software and publishes them to its update catalog servers, which feed individual devices the metadata needed to locate and download the newest fixes.

While not a daunting task in itself, keeping Microsoft software up to date becomes more difficult and time-consuming as the device count grows. Between the number of patches released, previously missed or corrupt updates that newer updates may depend on, bandwidth constraints, and users who need their devices to get work done, the task can overwhelm even a seasoned IT pro.

Luckily, as with most things Microsoft, there are multiple ways to complete the task: patch management can be driven from update repositories such as WSUS, from third-party management suites, or from my personal favorite, PowerShell (PS). I say favorite because it is flexible, powerful, and built into every supported version of Windows. It is easily scripted once you have the correct parameters in place, and PowerShell remoting over WinRM authenticates with Kerberos on domain-joined machines and encrypts the session, so no extra agent has to be installed or exposed on the endpoints. And because there is no reliance on additional software or servers that may be costly or otherwise prohibited, the solution is essentially free for any organization to use.

I will walk through the steps to set up your infrastructure to use PowerShell for patch management, and even automate it to suit your organization's needs. But first, review the requirements below so it all goes off without a hitch:

Minimum requirements:

  • Workstation running Windows 10, macOS, or Linux for administrative tasks
  • PowerShell v5.0 (or newer) on Windows; PowerShell v7.0 (or newer) on macOS/Linux
  • Windows computers to be managed, running Windows 7/Server 2008 (or newer)
  • PowerShell remoting (WinRM) enabled on the managed computers, for the remote deployment steps
  • Switched network
  • Internet access
  • SMB-based server share (optional, but recommended for hosting scripts, modules, and logs)

How to check your PowerShell version

Launch PowerShell and enter the following command to verify the version of PS installed:

$PSVersionTable.PSVersion

It displays a table with the Major and Minor version numbers; Major is the value to compare against the requirements above.

Install the PSWindowsUpdate Module

1. Before updates can be pushed out, the module that provides the Windows Update cmdlets must be installed on each Windows computer (the remote deployment steps later in this article assume it is already present on every target). PSWindowsUpdate is a community module published on the PowerShell Gallery, not a Microsoft-supplied one, so treat it like any other third-party code: install it from an administrative PowerShell session, expect a prompt to trust the PSGallery repository (and to install the NuGet package provider) the first time, and consider pinning a version you have tested with the -RequiredVersion parameter. Enter the following command to install the module:

Install-Module PSWindowsUpdate

2. Once installed, enter the following cmdlet to list all the cmdlets this module provides:

Get-Command -Module PSWindowsUpdate
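Because every target needs the module before the remote commands later in this article can use it, here is an added example of rolling a pinned module version out over PowerShell remoting and reporting back what each node ends up with. It is not code from the article or from the module's author. It assumes you are a local administrator on every node, that WinRM is enabled, that the nodes can reach the PowerShell Gallery, and that the computer names and the version number are placeholders to replace with your own.

```powershell
# Added example (not from the article or the PSWindowsUpdate project).
# Install a pinned version of the community PSWindowsUpdate module on a list of
# nodes over PowerShell remoting, then report which version each node has.
# Assumptions: local admin on every node, WinRM enabled, outbound access to the
# PowerShell Gallery, and the placeholders below replaced with your own values.

$Nodes = "computername01", "computername02"          # placeholder names
$RequiredVersion = "2.2.0.3"                          # placeholder: the version you tested

$Results = Invoke-Command -ComputerName $Nodes -ErrorAction Continue -ArgumentList $RequiredVersion -ScriptBlock {
    param([string]$Version)

    # PowerShellGet needs the NuGet package provider before it can talk to the gallery;
    # installing it here avoids the interactive prompt on first use.
    if (-not (Get-PackageProvider -Name NuGet -ListAvailable -ErrorAction SilentlyContinue)) {
        Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
    }

    # Only install if the exact pinned version is not already present, so re-runs are idempotent.
    $Present = Get-Module -ListAvailable -Name PSWindowsUpdate |
        Where-Object { $_.Version -eq [version]$Version }
    if (-not $Present) {
        # -Force suppresses the "untrusted repository" prompt; -RequiredVersion pins the
        # code to what you tested instead of whatever the gallery serves today.
        Install-Module -Name PSWindowsUpdate -RequiredVersion $Version -Scope AllUsers -Force -ErrorAction Stop
    }

    # Report the highest version now on disk plus the PowerShell version, for the fleet summary.
    $Newest = Get-Module -ListAvailable -Name PSWindowsUpdate |
        Sort-Object Version -Descending | Select-Object -First 1
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        ModuleVersion = $Newest.Version
        PSVersion     = $PSVersionTable.PSVersion.ToString()
    }
}

$Results | Format-Table Computer, ModuleVersion, PSVersion -AutoSize

# Nodes absent from $Results could not be reached or failed the install; their errors are in $Error.
$Missing = $Nodes | Where-Object { $_ -notin $Results.Computer }
if ($Missing) { Write-Warning "No result from: $($Missing -join ', ')" }
```

Pinning the version matters more than it looks: the task that installs updates runs as SYSTEM on every device, so the module code is as trusted as the patches themselves. Test one version, pin it, and roll it forward deliberately.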

Microsoft Update Service vs. Windows Update Service (Windows only)

By default, the Windows Update Agent on a device searches only the Windows Update service, so the module will only find and deliver updates for Windows itself. If you also support other Microsoft applications, such as Office, register the Microsoft Update service on each managed device so those updates become visible; the -MicrosoftUpdate switch used later in this article selects that source. Enter the cmdlet below from an administrative session (add -Confirm:$false to skip the confirmation prompt), and verify the registration afterwards with Get-WUServiceManager:

Add-WUServiceManager -MicrosoftUpdate 

This cmdlet, like every other cmdlet in this article, drives the Windows Update Agent and therefore runs only on a Windows system. A macOS or Linux workstation with PowerShell 7 is useful only as the place you open the remoting session from; neither macOS nor Linux uses Microsoft Update for its own packages.

Deploying updates to local computers

To run the update process on the local computer, open an administrative PowerShell session and enter:

Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot 

This searches Microsoft Update for updates missing on the local computer, accepts any license agreements, installs the updates without further prompting, and reboots the system automatically when finished. Be aware that -AcceptAll takes everything the search returns, including updates you have not tested, and -AutoReboot restarts the machine with no warning to whoever is logged on; on servers or shared workstations, use -ScheduleReboot with a maintenance-window time, or -IgnoreReboot and handle the restart yourself.

If you want a log per device so you can examine any problems with the update process, create a shared folder on a server to centralize the logs. Grant the accounts that run the update write access to that directory, then append the following to the update cmdlet above to write the output to the share for review:

| Out-File "\\server\share\logs\$env:COMPUTERNAME-$(Get-Date -f yyyy-MM-dd)-MSUpdates.log" -Force

Note: Watch the case of the date format string: MM is the month and mm is minutes, so getting it wrong produces a wrongly timestamped file name. Out-File also overwrites an existing file, so if you run the update more than once a day, use -Append instead of -Force to keep the earlier entries.

Deploying updates to remote computers

1. Create a variable holding the names of the computers you wish to update; for this example, we'll call it $Nodes. The names must be separate quoted strings so PowerShell treats the variable as an array of computer names rather than one string containing commas:

$Nodes = "computername01","computername02"

2. Next, enter the cmdlet that creates a scheduled task on each remote system. The task imports the PSWindowsUpdate module, calls Microsoft Update to download and install any missing updates, writes the output to a log file on the server share named after the host and the date, and finally reboots the station when complete. Invoke-WUJob is used instead of a plain remoting session because the Windows Update Agent refuses to download and install updates from inside a remote session; the scheduled task runs locally as SYSTEM, which also means the computer account of each node needs write access to the log share. Because the task runs asynchronously, what Invoke-WUJob returns on your workstation is the task it created, not the update results, so the logging must happen inside the script block:

Invoke-WUJob -ComputerName $Nodes -Script {Import-Module PSWindowsUpdate; Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot | Out-File "\\server\share\logs\$env:COMPUTERNAME-$(Get-Date -f yyyy-MM-dd)-MSUpdates.log" -Append} -RunNow -Confirm:$false
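The closing advice of this article is to deploy only pre-approved updates, which -AcceptAll on its own does not do. The following is an added example, not code from the article or from the module's author, of putting an approval gate around the fleet deployment above: it reads an approved KB list from the share, reports anything pending on each node that is not approved, and then installs only the approved KBs through Invoke-WUJob with a per-node log. The computer names, the share paths, and the approved-list file are placeholders, and the module is assumed to be installed on every node.

```powershell
# Added example (not from the article or the PSWindowsUpdate project).
# Deploy only pre-approved KBs to the fleet and log per node.
# Assumptions: module installed on every node, WinRM enabled, you are a local admin,
# \\server\share\approved-kbs.txt holds one KB number per line (e.g. KB5011487), and the
# computer account of each node can write to \\server\share\logs, because the task that
# Invoke-WUJob registers runs as SYSTEM. All names and paths are placeholders.

$Nodes  = "computername01", "computername02"         # placeholder names
$LogDir = "\\server\share\logs"                      # placeholder share
$ApprovedKBs = Get-Content "\\server\share\approved-kbs.txt" |
    ForEach-Object { $_.Trim() } | Where-Object { $_ -match '^KB\d+$' }   # drop blanks and comments
if (-not $ApprovedKBs) { throw "Approved KB list is empty; refusing to deploy." }

# 1. Search only (no download, no install) on each node and flag unapproved pending updates.
#    Searching works inside a remote session; downloading and installing do not, hence step 2.
$Pending = Invoke-Command -ComputerName $Nodes -ScriptBlock {
    Import-Module PSWindowsUpdate
    Get-WindowsUpdate -MicrosoftUpdate | Select-Object ComputerName, KB, Title, Size
}
$Unapproved = $Pending | Where-Object { $_.KB -and ($ApprovedKBs -notcontains $_.KB) }
if ($Unapproved) {
    Write-Host "Pending but NOT approved (these will be skipped):"
    $Unapproved | Format-Table ComputerName, KB, Title -AutoSize
}

# 2. Build the one-line script each node's scheduled task will run. Invoke-WUJob turns the
#    script block into text for the task, so $using: does not work: the approved list and the
#    log directory are baked in here, while $env:COMPUTERNAME and Get-Date stay literal
#    (single-quoted) so they evaluate on the node when the task runs.
$KbList = ($ApprovedKBs | ForEach-Object { "'$_'" }) -join ','
$TaskScript = [scriptblock]::Create(
    "Import-Module PSWindowsUpdate; " +
    "Install-WindowsUpdate -MicrosoftUpdate -KBArticleID $KbList -AcceptAll -IgnoreReboot | " +
    'Out-File "' + $LogDir + '\$env:COMPUTERNAME-$(Get-Date -f yyyy-MM-dd)-MSUpdates.log" -Append'
)

# -AcceptAll here only accepts the license terms of the KBs already filtered by -KBArticleID;
# -IgnoreReboot leaves the restart to your maintenance window instead of rebooting users mid-day.
Invoke-WUJob -ComputerName $Nodes -Script $TaskScript -RunNow -Confirm:$false

# 3. The task runs asynchronously; check each node's log on the share once it has had time to finish.
```

The approved-list file is now part of your patch pipeline: whoever can edit it, or the script share it lives on, decides what gets installed as SYSTEM across the fleet, so restrict write access to it as tightly as you restrict the scripts themselves.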

Installing specific updates only

If you wish to cherry-pick specific updates, the module lets you select them by KB article number. Without -AcceptAll you are prompted to confirm each update, which is usually what you want when cherry-picking. Replace the placeholder KB numbers with your own:

Get-WindowsUpdate -KBArticleID "KB1111111","KB2222222" -Install

Prevent specific updates from installing by hiding them

There may be times when you wish to exclude updates from the installation list. The module provides several parameters for these exceptions, based on update title, update ID, KB article, and update category. Note that these parameters only filter the run they are given to; to keep an update out of every future search, hide it in the Windows Update Agent with Hide-WindowsUpdate instead.

Similar to installing specific updates by KB article above, use the following command to install everything except the KB articles listed (the parameter is -NotKBArticleID):

Install-WindowsUpdate -NotKBArticleID "KB1111111" -AcceptAll

Perhaps you prefer not to update a specific application, like Teams. The following command installs updates for everything except updates whose title contains "Teams":

Install-WindowsUpdate -NotTitle "Teams" -AcceptAll 

Lastly, to skip updates that fall under a particular category, for example drivers or feature packs, the following command blocks those while all others are installed:

Install-WindowsUpdate -NotCategory "Drivers","FeaturePacks" -AcceptAll 
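The -Not* parameters above filter a single run; the next time someone runs Install-WindowsUpdate -AcceptAll without them, the excluded updates are back. The following is an added example, not code from the article or from the module's author, of making an exclusion stick fleet-wide by hiding matching updates in each node's Windows Update Agent and then auditing what is hidden. The computer names and the title patterns are placeholders, and the module is assumed to be installed on every node with the Microsoft Update service registered.

```powershell
# Added example (not from the article or the PSWindowsUpdate project).
# Hide updates whose title matches a pattern on every node, so the Windows Update Agent
# skips them in all later searches regardless of which parameters a future run uses,
# then report the hidden set per node.
# Assumptions: module installed on every node, Microsoft Update service registered,
# WinRM enabled, local admin rights, placeholder node names and patterns replaced.

$Nodes    = "computername01", "computername02"   # placeholder names
$Patterns = 'Teams', 'Preview'                   # placeholder title substrings to block

$HiddenReport = Invoke-Command -ComputerName $Nodes -ArgumentList (,$Patterns) -ScriptBlock {
    param([string[]]$Patterns)
    Import-Module PSWindowsUpdate

    # Search only: nothing is downloaded here, so this is safe inside a remote session.
    $Candidates = Get-WindowsUpdate -MicrosoftUpdate | Where-Object {
        $u = $_
        @($Patterns | Where-Object { $u.Title -like "*$_*" }).Count -gt 0
    }

    foreach ($Update in $Candidates) {
        if (-not $Update.KB) { continue }   # some updates carry no KB number; leave those alone
        # Marks the update hidden in the agent's store; -AcceptAll and -Confirm:$false avoid per-item prompts.
        Hide-WindowsUpdate -MicrosoftUpdate -KBArticleID $Update.KB -AcceptAll -Confirm:$false | Out-Null
    }

    # Audit: everything currently hidden on this node, whoever hid it and whenever.
    Get-WindowsUpdate -MicrosoftUpdate -IsHidden | Select-Object ComputerName, KB, Title
}

$HiddenReport | Sort-Object ComputerName, KB | Format-Table ComputerName, KB, Title -AutoSize
```

Run the audit half of this on its own periodically: a hidden security update is invisible to the installation commands in this article, so the -IsHidden report is the only place a quietly hidden patch shows up.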

Note: When building the script for your update methods, test each parameter individually, then test them together as one complete script, before relying on it in production.

For best results

  • Ensure your infrastructure meets the requirements and minimum PowerShell versions.
  • Install the module on your devices and register the Microsoft Update service.
  • Create lists to hide unauthorized or untested updates.
  • Deploy only managed, pre-approved updates to all devices.
  • Store scripts and logs on shares so deployments can be scripted and audited, and lock the shares down: the scripts on the share execute as SYSTEM on every device, so only patch administrators should be able to write to them.
