Doing Windows updates has always been a mess. When working with Unix-like OSes, you really long for something like " upgrade".

Natively, a pre-installed Windows comes with a tool called

which lets you at least choose between searching for, downloading and installing updates.

Unfortunately, though, you receive no visual feedback on whether the command you just typed was entered correctly or what the result of your action was.

Luckily, the Windows community has developed a PowerShell script called PSWindowsUpdate. It is featured in the PowerShell Gallery.

This PowerShell module can be installed via Microsoft's NuGet-based mechanism simply by calling:

Install-Module PSWindowsUpdate

Once the module is installed you can use it on your local machine right away. The following commands are now available:

  • Add-WUOfflineSync
  • Add-WUServiceManager
  • Get-WUHistory
  • Get-WUInstall
  • Get-WUInstallerStatus
  • Get-WUList
  • Hide-WUUpdate
  • Invoke-WUInstall
  • Get-WURebootStatus
  • Get-WUServiceManager
  • Get-WUUninstall
  • Remove-WUOfflineSync
  • Remove-WUServiceManager
  • Update-WUModule

An all-in-one command would probably look something like this:

Install-WindowsUpdate -Verbose -IgnoreReboot -AcceptAll
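As an added example (not part of the original post), here is what a local run looks like when you want a change record rather than a single fire-and-forget command: preview the pending updates with Get-WUList, install them with the same switches as above, and then verify with Get-WUHistory and Get-WURebootStatus. It uses the v1 cmdlet names from the list above; the property names KB, Size, Title, Date and Result and the -Silent switch are assumed from that module version.

```powershell
# Added example, not the module's own code: preview, install and verify
# Windows updates on the local machine with PSWindowsUpdate.
Import-Module PSWindowsUpdate

# 1. Preview first: see what would be installed. Get-WUList changes nothing.
$pending = Get-WUList
if (-not $pending) {
    Write-Host "No pending updates."
    return
}
$pending | Select-Object KB, Size, Title | Format-Table -AutoSize   # property names assumed (v1)

# 2. Install everything that is pending, without a per-update prompt and
#    without rebooting on its own. A transcript keeps the verbose output
#    as the change record you would otherwise never see.
$log = Join-Path $env:TEMP ("WUInstall-{0:yyyyMMdd-HHmm}.log" -f (Get-Date))
Start-Transcript -Path $log
try {
    Get-WUInstall -AcceptAll -IgnoreReboot -Verbose
}
finally {
    Stop-Transcript
}

# 3. Verify: what did the Windows Update history record today, and is a
#    reboot still outstanding? (-Silent returns $true/$false; assumed v1 switch)
Get-WUHistory |
    Where-Object { $_.Date -gt (Get-Date).Date } |
    Select-Object Date, Result, Title |
    Format-Table -AutoSize

if (Get-WURebootStatus -Silent) {
    Write-Warning "A reboot is required to finish installation (log: $log)"
}
```

Run it from an elevated PowerShell session; the reboot check at the end is what stops -IgnoreReboot from silently leaving a machine half-patched.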

But what about installing updates also on another (remote) computer?

With the parameter

-Computername <Host1>,<Host2>,..

you can also run and install updates on remote computers. But you will soon find that you have to do the following to get it working:

  1. Add the machines you want to manage updates for to the WinRM TrustedHosts list: winrm set winrm/config/client '@{TrustedHosts="HOST1,HOST2,..."}'
  2. Run the module install command on every machine, see above
  3. Add a firewall exception on your target machines (either through an Active Directory GPO, via netsh or manually via the GUI) with the following specifics:
    • Allowed program: %windir%\System32\dllhost.exe
    • Protocol: TCP
    • Local Ports: Dynamic RPC Ports
    • Remote Ports: All Ports
    • set the rest according to your company policies

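The three steps above, put together as an added example (not the original post's code, nor the module's): trust exactly the hosts you manage, make sure the module is present on each of them, check that the dllhost.exe firewall rule is in place, and only then run the rollout and collect the reboot state per host. Host names are placeholders; the Get-WURebootStatus -Silent switch and the -ComputerName parameter on the v1 cmdlets are assumed from the module version the post describes, and Get-NetFirewallRule requires Windows 8 / Server 2012 or newer on the targets.

```powershell
# Added example, not the module's own code: prerequisites plus rollout for
# patching a list of remote hosts with PSWindowsUpdate.
Import-Module PSWindowsUpdate

$targets = 'HOST1', 'HOST2'   # placeholders for the machines to patch

# Step 1: TrustedHosts. List the exact hosts, never '*': TrustedHosts only
# matters for NTLM (workgroup) connections, where the client cannot verify
# the server, so a wildcard means you will happily send credentials to any
# box answering to that name. Domain-joined hosts using Kerberos do not
# need this entry at all.
Set-Item -Path WSMan:\localhost\Client\TrustedHosts `
         -Value ($targets -join ',') -Concatenate -Force

# Step 2: the module has to exist on every target (install only if missing).
Invoke-Command -ComputerName $targets -ScriptBlock {
    if (-not (Get-Module -ListAvailable -Name PSWindowsUpdate)) {
        Install-Module PSWindowsUpdate -Force
    }
}

# Step 3: confirm the inbound firewall rule for dllhost.exe exists and is
# enabled. The rule is matched by program path, so both the literal
# "%windir%\System32\dllhost.exe" and its expanded form are found.
$fwState = Invoke-Command -ComputerName $targets -ScriptBlock {
    $rule = Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program -like '*\dllhost.exe' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
    [pscustomobject]@{ ComputerName = $env:COMPUTERNAME; RuleFound = [bool]$rule }
}
$missing = $fwState | Where-Object { -not $_.RuleFound }
if ($missing) {
    Write-Warning ("Firewall rule for dllhost.exe missing on: " +
                   ($missing.ComputerName -join ', ') + " - fix step 3 first.")
    return
}

# Rollout: same switches as the all-in-one command, one host at a time so
# the verbose output stays readable, then record who still needs a reboot.
$results = foreach ($h in $targets) {
    Write-Host "== $h =="
    Get-WUInstall -ComputerName $h -AcceptAll -IgnoreReboot -Verbose
    [pscustomobject]@{
        ComputerName   = $h
        RebootRequired = Get-WURebootStatus -ComputerName $h -Silent   # assumed v1 switch
    }
}

$results | Format-Table -AutoSize
$results | Where-Object RebootRequired | ForEach-Object {
    Write-Warning "$($_.ComputerName) needs a reboot to finish patching"
}
```

The firewall check is the part people skip: without the dllhost.exe / dynamic RPC rule the remote COM call behind Get-WUInstall fails with an access or RPC error that says nothing about firewalls, so it is cheaper to test for the rule up front than to debug it afterwards.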
That’s it!

You should now be able to fully enjoy easy patch management (even without WSUS) and are only a few steps away from automating the whole process via background jobs or scheduling.

(Article might follow)