Scan, download and install Windows Updates with PowerShell

• Author
• Recent Posts

Wolfgang Sommergut

Wolfgang Sommergut has over 20 years of experience in IT journalism. He has also worked as a system administrator and as a tech consultant. Today he runs the German publication WindowsPro.de.

Latest posts by Wolfgang Sommergut (see all)

• Change Windows network profiles between public and private - Wed, May 24 2023
• How to map a network drive with PowerShell - Wed, May 17 2023
• Troubleshooting no network or internet in VMware Workstation - Thu, May 4 2023

While most Windows features have long supported detailed automation via PowerShell, this option was missing for the update client; it is now available to a limited extent. Compared to the popular PSWindowsUpdate by Michal Gajda, Microsoft's own module is less powerful.

Availability as an advantage

The main advantages of Windows Update Provider are its official support by Microsoft and that all newer versions of the operating system already have it on board. Therefore, when using it for remote management, you can assume that the required functions are already available on the target computer. In contrast, third-party modules must first be installed on every managed PC.

However, it is not possible to copy Microsoft's Windows Update Provider to older versions of Windows, such as Server 2012 R2 or 2016, because the CIM class required by the functions does not exist on those versions.

More control over updates

Command line tools such as usoclient.exe, wuinstall, or PowerShell cmdlets give admins more control over the update process because they can explicitly request the scan, download, install, or restart. This is useful, for example, if you want to secure a freshly installed computer by installing the latest patches. In addition, PowerShell is useful on Server Core because there is no GUI for managing updates.

Overview of the range of functions

If you search for Windows Update modules using

Get-Module -Name *Update*

then the command returns two results. While one of them is WindowsUpdate, the module only contains a function called Get-WindowsUpdateLog.

The commands intended for the management of the update client can be found in WindowsUpdateProvider. They can be listed with:

Get-Command -Module WindowsUpdateProvider

As you can see, these are not cmdlets but only functions.

Functions of the WindowsUpdateProvider module

For example, if you want to display the contents of Start-WUScan with

Get-Content Function:\Start-WUScan

then you can see that this function operates on the basis of the CIM class MSFT_WUOperations. The same applies to Install-WUUpdates.

The functions of the WindowsUpdateProvider module use the methods of the CIM class MSFT WUOperations

While Get-WULastInstallationDate and Get-WULastScanSuccessDate are used to examine previous updates, and Get-WUAVersion outputs the version of the client, the three remaining functions provide the actual update management.

Checking for updates

As the name suggests, Start-WUScan looks for available updates. You cannot specify a source for updates; rather, the function queries the update server configured on the computer. This is a WSUS server in most cases.

If you don't specify any parameter, all updates that apply to the system will appear in the results. The only way to restrict the list is with SearchCriteria, which you have to pass a search expression:

Start-WUScan -SearchCriteria "Type='Software' AND IsInstalled=0"

The permitted search criteria follow the syntax described in the API documentation, but Microsoft does not offer any specific information on WindowsUpdateProvider as a whole.

As an alternative to the settings app, you can use Start WUScan to check for new updates

For example, it is practical to query remote computers to find out whether a specific update is installed there. Since the ComputerName parameter is not supported, you have to use the Invoke-Command:

$u = Invoke-Command -ComputerName MyPC -ScriptBlock {Start-WUScan -SearchCriteria "UpdateId='<GUID-of-Update>' AND IsInstalled=1"} -Credential admin\contoso

After executing the command, the variable $u will contain all updates which match the search criteria.

Downloading and installing updates

If you want to install pending updates, you have to save the result of Start-WUScan in a variable, as in the example above. You then pass this on to Install-WUUpdates. But first you establish a CIM session on the remote computer:

$cs = New-CimSession -ComputerName MyPC -Credential Credential admin\contoso
Install-WUUpdates -Updates $u -DownloadOnly -CimSession $cs

This example command only downloads the updates.

Find, download, and install updates on a remote PC with the WindowsUpdateProvider functions

You then initiate the actual installation by executing Install-WUUpdate once more without the DownloadOnly switch:

Install-WUUpdates -Updates $u -CimSession $cs

Querying pending reboot

If the computer must be restarted after installing updates, you cannot initiate it via Install-WUUpdates. However, it is possible to query whether a reboot is pending with another function of this module:

Get-WUIsPendingReboot

If the command yields the value $true, then you can reboot the PC at the desired time using the Cmdlet Restart-Computer.

After installing the updates, you can query a pending reboot with Get WUIsPendingReboot

Get-WUIsPendingReboot can also be used to query a pending reboot of a remote computer.

Check remotely whether a restart is required

The function simplifies this task considerably compared to the method that looks for it in the registry.

Conclusion

With the WindowsUpdateProvider module, Microsoft has provided the basic functions for managing updates via PowerShell, beginning with Windows 10 1709 and Server 2019. They are particularly suitable for updating computers remotely. However, the integrated module does not come close to the capabilities of PSWindowsUpdate.