Doing Windows Updates has always been a mess. Coming from Unix-like OSes you find yourself wishing for something like “
Windows itself ships with a tool called `usoclient`, which at least lets you choose between searching for, downloading and installing updates:

```powershell
usoclient
```
Unfortunately, you get no visual feedback at all: nothing tells you whether the command you just typed was accepted, or what the result of your action was.
Luckily, the Windows community has developed a PowerShell module called `PSWindowsUpdate`. It is published in the PowerShell Gallery.
This PowerShell module can be installed through PowerShellGet (which uses Microsoft's NuGet package provider underneath) by simply calling, from an elevated PowerShell session:

```powershell
Install-Module PSWindowsUpdate
```
Once the module is installed you can use it right away on your local machine. The following commands are now available:
- Add-WUOfflineSync
- Add-WUServiceManager
- Get-WUHistory
- Get-WUInstall
- Get-WUInstallerStatus
- Get-WUList
- Hide-WUUpdate
- Invoke-WUInstall
- Get-WURebootStatus
- Get-WUServiceManager
- Get-WUUninstall
- Remove-WUOfflineSync
- Remove-WUServiceManager
- Update-WUModule
An all-in-one command (search, download and install in one go) would look something like this; `-AcceptAll` suppresses the per-update confirmation prompts and `-IgnoreReboot` prevents an automatic restart afterwards:

```powershell
Install-WindowsUpdate -Verbose -IgnoreReboot -AcceptAll
```
But what about installing updates also on another (remote) computer?
With the parameter `-ComputerName <Host1>,<Host2>,...` you can also search for and install updates on remote computers. But you will soon learn that you have to do the following things to get it working:
- On the management machine, add the machines you want to manage updates for to the WinRM TrustedHosts list: `winrm set winrm/config/client '@{TrustedHosts="HOST1,HOST2,..."}'`. Note that this is only needed where Kerberos cannot authenticate the target (workgroup machines or hosts addressed by IP), and that every host on this list is connected to without server authentication, so keep it as short as possible.
- Run the module install command (see above) on every target machine
- Add an inbound firewall exception on your target machines (either through an Active Directory GPO, via `netsh`, or manually via the GUI). This is the standard inbound DCOM rule, which the remote update session relies on:
- Allowed program: %windir%\System32\dllhost.exe
- Protocol: TCP
- Local Ports: Dynamic RPC Ports
- Remote Ports: All Ports
- set the rest according to your company policies
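The whole remote procedure, put together as one script. This is an added example and not code from the original post or from the PSWindowsUpdate project; it assumes you run it as a local administrator on a management host that already has the module installed, that you are also an administrator on the targets, and that the host names and the `Domain` firewall profile are placeholders to be replaced with your own. The cmdlets used (`Set-Item` on the `WSMan:` drive, `Invoke-Command`, `New-NetFirewallRule`, `Install-WindowsUpdate`, `Get-WURebootStatus`) are the standard ones; `-LocalPort RPC` is the firewall's keyword for the dynamic RPC port range named in the list above.

```powershell
# Added example (not from the original post): end-to-end remote patching with PSWindowsUpdate.
# Assumptions: elevated session on a management host that already has the module;
# administrator rights on every target; HOST1/HOST2 and the Domain profile are placeholders.
#Requires -RunAsAdministrator

$Targets = @('HOST1', 'HOST2')   # placeholder host names, replace with your own

# 1. WinRM client side: only required when Kerberos cannot authenticate the targets
#    (workgroup machines, IP addresses). Hosts on this list are contacted without
#    server authentication, so add only what you really need.
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value ($Targets -join ',') -Concatenate -Force

# 2. Install the module on every target (same command as the local install),
#    skipping targets that already have it.
Invoke-Command -ComputerName $Targets -ScriptBlock {
    if (-not (Get-Module -ListAvailable -Name PSWindowsUpdate)) {
        Install-PackageProvider -Name NuGet -Force | Out-Null
        Install-Module -Name PSWindowsUpdate -Force
    }
}

# 3. Inbound DCOM rule on every target: dllhost.exe, TCP, dynamic RPC local ports,
#    any remote port. Created only once; adjust -Profile to your policy.
Invoke-Command -ComputerName $Targets -ScriptBlock {
    $name = 'PSWindowsUpdate DCOM-In'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name `
            -Direction Inbound -Action Allow -Profile Domain `
            -Program '%SystemRoot%\System32\dllhost.exe' `
            -Protocol TCP -LocalPort RPC -RemotePort Any
    }
}

# 4. Search, download and install on all targets without prompts and without
#    an automatic restart.
Install-WindowsUpdate -ComputerName $Targets -AcceptAll -IgnoreReboot -Verbose

# 5. Show which targets still need a restart, so the reboot can be scheduled deliberately
#    instead of happening in the middle of the working day.
Get-WURebootStatus -ComputerName $Targets
```

Step 3 is the one most often forgotten: without the DCOM rule the remote session simply fails to connect, which is easy to mistake for a WinRM or credential problem.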
That’s it!
You should now be able to enjoy easy patch management (even without WSUS), and you are only a few steps away from automating the whole process via background jobs or scheduled tasks.
(An article on that might follow.)