Wednesday, May 10, 2017

Automating Windows updates using the PowerShell PSWindowsUpdate module

I will admit it. I love PowerShell and if my choice is to use PowerShell over another tool to do just about anything, I am choosing PowerShell even if it may not be the "best" tool for the job. The PowerShell community is getting larger and larger as great developers are adding quality modules to PSGallery, but perhaps my favorite module so far is PSWindowsUpdate. This is a module created by Michal Gajda and is one of the most popular modules (222k downloads).

There are only two cmdlets I use for the most part with PSWindowsUpdate, Invoke-WUInstall along with Get-WUInstall. Invoke-WUInstall allows you to kick off the installation of patches remotely and it works beautifully.

Get-WUInstall actually downloads and installs the updates. To install all available updates and reboot when finished you can run Get-WUInstall -AcceptAll -AutoReboot locally.

How does it work?

A look inside the Get-WUInstall code and you will see the remoting is actually done via the task scheduler. A scheduled task is created and runs on the remote computer under the system account due to certain methods not available with PowerShell remoting (pretty cool way to get around this). The scheduled task is a PowerShell command that you specify. In my case I use Invoke-WUInstall -ComputerName <ComputerName> -Script {ipmo PSWindowsUpdate; Get-WUInstall -AcceptAll -AutoReboot  | Out-File C:\PSWindowsUpdate.log  } -Confirm:$false -Verbose. This allows me to start the update process on remote machines and log the output. One drawback for Invoke-WUInstall is that it does not monitor the output of the update process after you run it. A workaround I use for this is adding a few lines to Get-WUInstall to send an email to me when the computer is finished installing updates. The email includes which updates were installed and if they were successful or not.

In this example I want to install updates on all servers in my Active Directory domain at the same time:

