You can manage Windows updates using the PowerShell module PSWindowsUpdate. This module, available for download from the PowerShell Gallery, enables administrators to scan, download, install, remove, or hide updates on local or remote Windows workstations and servers.
1. Installing the PSWindowsUpdate Module
In modern versions of Windows 10/11 and Windows Server 2022/2019/2016, you can install the PSWindowsUpdate module from the online PowerShell Gallery using the following command:
Install-Module -Name PSWindowsUpdate
Confirm adding the repository by pressing Y. To verify that the module is installed:
Get-Package -Name PSWindowsUpdate

You can also install PSWindowsUpdate in offline mode. In an isolated environment, you may need to update PowerShell beforehand.
To install the module remotely on other computers:
$Targets = "srv1.winitpro.loc", "srv2.winitpro.loc"
Update-WUModule -ComputerName $Targets -local
The default PowerShell script execution policy in Windows blocks the execution of cmdlets from third-party modules. To allow script execution, run:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
Then, import the module into the PowerShell session:
Import-Module PSWindowsUpdate
Check the list of available commands in the module:
Get-command -module PSWindowsUpdate

To check the current Windows Update settings on your computer, run:
Get-WUSettings
Example output:
ComputerName : WKS22122
WUServer : http://MS-WSUS:8530
WUStatusServer : http://MS-WSUS:8530
AcceptTrustedPublisherCerts : 1
ElevateNonAdmins : 1
DoNotConnectToWindowsUpdateInternetLocations : 1
TargetGroupEnabled : 1
TargetGroup : WorkstationsProd
NoAutoUpdate : 0
AUOptions : 3 - Notify before installation
ScheduledInstallDay : 0 - Every Day
ScheduledInstallTime : 3
UseWUServer : 1
AutoInstallMinorUpdates : 0
AlwaysAutoRebootAtScheduledTime : 0
DetectionFrequencyEnabled : 1
DetectionFrequency : 4
In this example, the Windows Update client is configured via GPO to receive updates from a local WSUS server.
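The values in this output can be checked mechanically for weak settings. The following is an added example, not part of the original article or the PSWindowsUpdate module: the function name Test-WUClientPolicy and the finding texts are hypothetical, and the sample object is constructed from the output shown above so the block runs without the module.

```powershell
# Added example: review Windows Update client policy values for weak settings.
# Test-WUClientPolicy is a hypothetical helper, not a PSWindowsUpdate cmdlet.
function Test-WUClientPolicy {
    [CmdletBinding()]
    param(
        # Object exposing the property names shown in the Get-WUSettings output
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Settings
    )
    process {
        $findings = [System.Collections.Generic.List[string]]::new()
        if ([int]$Settings.UseWUServer -eq 1) {
            foreach ($name in 'WUServer', 'WUStatusServer') {
                $url = [string]$Settings.$name
                if ([string]::IsNullOrWhiteSpace($url)) {
                    $findings.Add("$name is empty although UseWUServer is 1")
                }
                elseif ($url -notmatch '^https://') {
                    # Without TLS the update metadata exchange is unprotected in transit
                    $findings.Add("$name is not an https:// URL ($url)")
                }
            }
            if ([string]$Settings.WUServer -ne [string]$Settings.WUStatusServer) {
                $findings.Add('WUServer and WUStatusServer differ')
            }
        }
        if ([int]$Settings.ElevateNonAdmins -eq 1) {
            $findings.Add('ElevateNonAdmins is 1: non-administrators can approve updates')
        }
        if ([int]$Settings.NoAutoUpdate -eq 1) {
            $findings.Add('NoAutoUpdate is 1: automatic updating is disabled')
        }
        [pscustomobject]@{
            ComputerName = $Settings.ComputerName
            Compliant    = $findings.Count -eq 0
            Findings     = $findings.ToArray()
        }
    }
}

# Constructed sample mirroring the Get-WUSettings output shown above
$sample = [pscustomobject]@{
    ComputerName = 'WKS22122'; UseWUServer = 1; ElevateNonAdmins = 1; NoAutoUpdate = 0
    WUServer = 'http://MS-WSUS:8530'; WUStatusServer = 'http://MS-WSUS:8530'
}
$sample | Test-WUClientPolicy | Format-List
```

On a machine with the module installed, the same check can be fed live data with Get-WUSettings | Test-WUClientPolicy.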

2. Scanning and Downloading Updates with PowerShell
To scan your computer for available updates, run:
Get-WindowsUpdate
Alternatively, use:
Get-WUList
This command will display a list of updates that need to be installed on your computer.

The Get-WindowsUpdate command may return an error on the first run:
Value does not fall within the expected range.

To fix this error, reset the Windows Update agent settings, re-register libraries, and restore the default state of the wuauserv service:
Reset-WUComponents -Verbose

To check the update sources (e.g., Microsoft servers or a local WSUS):
Get-WUServiceManager

In this example, the computer is configured to receive updates from a local WSUS server (Windows Server Update Service = True). You should see a list of updates approved for your computer on WSUS.
To scan for updates from Microsoft Update servers (including Office updates):
Get-WUlist -MicrosoftUpdate
If you receive a warning when trying to scan for updates:
Get-WUlist : Service Windows Update was not found on computer
To enable scanning from Microsoft Update, run:
Add-WUServiceManager -ServiceID "7971f918-a847-4430-9279-4a52d1efe18d" -AddServiceFlag 7
To exclude specific products or KBs from the update list, filter by:
– Category (-NotCategory)
– Title (-NotTitle)
– KB number (-NotKBArticleID)
For example, to exclude driver updates, OneDrive, and a specific KB:
Get-WUlist -NotCategory "Drivers" -NotTitle OneDrive -NotKBArticleID KB4533002
To download all available updates to the computer (updates are saved to the local update cache in C:\Windows\SoftwareDistribution\Download):
Get-WindowsUpdate -Download -AcceptAll
Windows will download all available patches (MSU and CAB files) from the update server to the local update directory but will not automatically install them.

3. Installing Windows Updates with Install-WindowsUpdate
To automatically download and install all available updates for your Windows version from Windows Update servers (instead of a local WSUS), run:
Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot
The AcceptAll parameter approves the installation of all packages, and AutoReboot allows automatic reboot after the updates are installed.
Additional parameters include:
– IgnoreReboot: Prevent automatic reboot.
– ScheduleReboot: Specify an exact reboot time.
Example command to save the update installation history to a log file:
Install-WindowsUpdate -AcceptAll -Install -AutoReboot | Out-File "c:\$(get-date -f yyyy-MM-dd)-WindowsUpdate.log" -force
To install only specific updates by KB numbers:
Get-WindowsUpdate -KBArticleID KB2267602, KB4533002 -Install

To exclude specific updates, such as drivers or OneDrive packages:
Install-WindowsUpdate -NotCategory "Drivers" -NotTitle OneDrive -NotKBArticleID KB4011670 -AcceptAll -IgnoreReboot
To check if a reboot is required after installing updates:
Get-WURebootStatus

4. Viewing the History of Installed Updates in Windows
To view a list of all installed updates, use:
Get-WUHistory

To find information about a specific update by its KB number:
Get-WUHistory | Where-Object {$_.Title -match "KB4517389"} | Select-Object *

To display the dates of the last successful scan and installation of updates:
Get-WULastResults | Select-Object LastSearchSuccessDate, LastInstallationSuccessDate

5. Removing Updates in Windows with PowerShell
To remove a specific update using its KB number:
Remove-WindowsUpdate -KBArticleID KB4011634
6. Hiding Unneeded Windows Updates with PowerShell
You can hide specific updates to prevent them from appearing in the list of available updates. For example, to hide updates KB2538243 and KB4524570:
$HideList = "KB2538243", "KB4524570"
Get-WindowsUpdate -KBArticleID $HideList -Hide
Or use the alias command:
Hide-WindowsUpdate -KBArticleID $HideList -Verbose

To unhide updates:
Show-WindowsUpdate -KBArticleID $HideList
To view a list of all hidden updates:
Get-WindowsUpdate -IsHidden

7. Managing Windows Updates on Remote Computers with PowerShell
All PSWindowsUpdate module cmdlets can be used to manage updates on remote computers using the -ComputerName Host1, Host2, Host3 parameter. The remote computers must have WinRM enabled and configured (this can be done manually or via GPO). The PSWindowsUpdate module works in both domain and workgroup environments.
To add computer names to the WinRM trusted hosts list:
winrm set winrm/config/client '@{TrustedHosts="HOST1,HOST2,…"}'
Or configure it using PowerShell:
Set-Item wsman:\localhost\client\TrustedHosts -Value "HOST1,HOST2" -Force
To deploy the PSWindowsUpdate module on remote computers and configure necessary ports:
Invoke-Command -ComputerName $computer -ScriptBlock {Set-ExecutionPolicy RemoteSigned -force}
Invoke-Command -ComputerName $computer -ScriptBlock {Import-Module PSWindowsUpdate; Enable-WURemoting}
To check available updates on remote computers:
Get-WUList -ComputerName server2
To install all available updates on multiple servers:
$ServerNames = "server1", "server2", "server3"
Invoke-WUJob -ComputerName $ServerNames -Script {ipmo PSWindowsUpdate; Install-WindowsUpdate -AcceptAll | Out-File C:\Windows\PSWindowsUpdate.log} -RunNow -Confirm:$false -Verbose -ErrorAction Ignore
To specify an exact time for running the update installation task:
Invoke-WUJob -ComputerName $ServerNames -Script {ipmo PSWindowsUpdate; Install-WindowsUpdate -AcceptAll -AutoReboot | Out-File C:\Windows\PSWindowsUpdate.log} -Confirm:$false -TriggerDate (Get-Date -Hour 20 -Minute 0 -Second 0)
To check the status of tasks on remote computers:
Get-WUJob -ComputerName $ServerNames
If the command returns an empty list, the update installation task is complete on all computers.
To check for a specific update on multiple remote computers:
"server1","server2" | Get-WUHistory | Where-Object {$_.Title -match "KB4011634"} | Select-Object * | ft
To retrieve the date of the last update installation on all computers in a domain using the Get-ADComputer cmdlet from the Active Directory PowerShell module:
$Computers = Get-ADComputer -Filter {enabled -eq "true" -and OperatingSystem -Like '*Windows*' }
Foreach ($Computer in $Computers)
{
    Get-WULastResults -ComputerName $Computer.Name | select ComputerName, LastSearchSuccessDate, LastInstallationSuccessDate
}
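Raw dates from every domain computer are hard to act on. As an added example (not from the original article or the module), the function below classifies each host by the age of its last successful scan and installation; the name Get-WUPatchAge, the status labels and the 35-day threshold are assumptions, and the sample records are constructed.

```powershell
# Added example: classify hosts by the age of their last successful scan and install.
# Get-WUPatchAge and the 35-day default are hypothetical choices for this example.
function Get-WUPatchAge {
    [CmdletBinding()]
    param(
        # Objects carrying the Get-WULastResults properties selected above
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Result,
        [int]$MaxAgeDays = 35,
        [datetime]$AsOf = (Get-Date)
    )
    process {
        # -as yields $null instead of throwing when a date is missing or unparsable
        $scanned   = $Result.LastSearchSuccessDate -as [datetime]
        $installed = $Result.LastInstallationSuccessDate -as [datetime]
        $scanAge = $null; $installAge = $null
        if ($null -ne $scanned)   { $scanAge    = [math]::Floor(($AsOf - $scanned).TotalDays) }
        if ($null -ne $installed) { $installAge = [math]::Floor(($AsOf - $installed).TotalDays) }

        # A host that has not scanned recently cannot know what it is missing,
        # so scan problems are reported before install problems.
        if     ($null -eq $scanned)              { $status = 'NoScan' }
        elseif ($scanAge -gt $MaxAgeDays)        { $status = 'StaleScan' }
        elseif ($null -eq $installed)            { $status = 'NoInstall' }
        elseif ($installAge -gt $MaxAgeDays)     { $status = 'StaleInstall' }
        else                                     { $status = 'Current' }

        [pscustomobject]@{
            ComputerName     = $Result.ComputerName
            Status           = $status
            DaysSinceScan    = $scanAge
            DaysSinceInstall = $installAge
        }
    }
}

# Constructed sample records; the evaluation date is fixed so the result is repeatable
$asOf = [datetime]'2024-06-30'
$sample = @(
    [pscustomobject]@{ ComputerName = 'server1'; LastSearchSuccessDate = [datetime]'2024-06-29'
                       LastInstallationSuccessDate = [datetime]'2024-06-12' }
    [pscustomobject]@{ ComputerName = 'server2'; LastSearchSuccessDate = [datetime]'2024-06-28'
                       LastInstallationSuccessDate = [datetime]'2024-03-14' }
    [pscustomobject]@{ ComputerName = 'server3'; LastSearchSuccessDate = [datetime]'2024-04-02'
                       LastInstallationSuccessDate = [datetime]'2024-04-02' }
    [pscustomobject]@{ ComputerName = 'server4'; LastSearchSuccessDate = $null
                       LastInstallationSuccessDate = $null }
)
$sample | Get-WUPatchAge -AsOf $asOf | Sort-Object Status | Format-Table -AutoSize
```

In the loop above, the output of Get-WULastResults can be piped to Get-WUPatchAge in place of the select statement.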
The PSWindowsUpdate PowerShell module is a convenient tool for downloading and installing Windows updates via the command line. This is particularly valuable for servers without a graphical interface, such as Windows Server Core and Hyper-V Server. Additionally, this module is essential for scenarios requiring simultaneous initiation and monitoring of the update installation process across multiple servers or workstations.