PDQ Package Library and the PSWindowsUpdate PowerShell Module

Overview

The PSWindowsUpdate module provides a reliable alternative to WSUS/Microsoft Update for checking and applying Microsoft updates to a machine. While we typically avoid third-party tools, this well-established module enables direct downloads of Microsoft Updates from Microsoft servers instead of using an on-premise server. This approach particularly benefits Connect customers by eliminating the need for traditional on-premise update servers.

Federal or government organizations should review this PowerShell Module before production deployment to ensure compliance with security standards.

Publisher: PowerShellGallery

Download: PSWindowsUpdate

VirusTotal: Report

Requirements

  • Endpoints must have internet access (not compatible with air-gapped networks)
  • PowerShell scripts must be enabled and allowed to run on endpoints
  • Endpoints must have access to Microsoft servers for update downloads

Available Packages

The Package Library includes these packages:

  • PSWindowsUpdate - Get All Applicable Updates from Microsoft (Audit Only)
  • PSWindowsUpdate - Install All Applicable Updates from Microsoft (No Drivers, No Feature Updates)
  • PSWindowsUpdate - Install All Applicable Critical and Security Updates from Microsoft
  • PSWindowsUpdate - Install All Applicable Drivers from Microsoft
  • PSWindowsUpdate - Install All Applicable Feature Updates from Microsoft
  • PSWindowsUpdate - Install Specific Microsoft KB

Package Workflow

Each package follows these automated steps to manage Windows updates:

  1. Verify NuGet Package Provider installation and install if needed
  2. Verify PSWindowsUpdate module installation and install if needed
  3. Back up existing WSUS/Windows Update registry settings before removal
  4. Run PSWindowsUpdate module to check for available Microsoft patches
  5. Install updates based on selected package type
  6. Complete installation (system restart might be required)
  7. Restore original WSUS/Windows Update registry settings if applicable
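
The seven steps above, sketched as an added PowerShell example (it is not PDQ's package script and not code from the PSWindowsUpdate project). It assumes the WSUS settings live under the standard Windows Update policy key; the backup file path and the Invoke-Reg helper are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not PDQ's package script. The policy key is the standard Windows
# Update/WSUS policy location; the backup path and Invoke-Reg helper are hypothetical.
$ErrorActionPreference = 'Stop'
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$regPath    = $policyKey -replace ':', ''          # reg.exe form: HKLM\SOFTWARE\...
$backupFile = Join-Path $env:ProgramData 'WU-policy-backup.reg'
$exported   = $false

function Invoke-Reg([string[]]$RegArgs) {
    # reg.exe reports through its exit code; fail loudly instead of continuing blind.
    $p = Start-Process reg.exe -ArgumentList $RegArgs -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { throw "reg.exe $($RegArgs[0]) failed: exit $($p.ExitCode)" }
}

# Steps 1-2: install the NuGet provider and the module only when they are missing.
if (-not (Get-PackageProvider -ListAvailable -Name NuGet -ErrorAction SilentlyContinue)) {
    Install-PackageProvider -Name NuGet -Force | Out-Null
}
if (-not (Get-Module -ListAvailable -Name PSWindowsUpdate)) {
    Install-Module -Name PSWindowsUpdate -Repository PSGallery -Scope AllUsers -Force
}
Import-Module PSWindowsUpdate

try {
    # Step 3: export the policy key first; remove it only if the export succeeded.
    if (Test-Path $policyKey) {
        $exportArgs = @('export', $regPath, "`"$backupFile`"", '/y')
        Invoke-Reg $exportArgs
        $exported = $true
        Remove-Item -Path $policyKey -Recurse -Force
        Restart-Service -Name wuauserv -Force
    }
    # Step 4: audit. Steps 5-6: install the chosen subset; reboot is left to the operator.
    $applicable = @(Get-WindowsUpdate -MicrosoftUpdate -NotCategory 'Drivers')
    $applicable | Select-Object KB, Size, Title | Format-Table -AutoSize
    if ($applicable.Count -gt 0) {
        Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -IgnoreReboot `
            -Category 'Critical Updates', 'Security Updates'
    }
}
finally {
    # Step 7: restore in finally, so a failed install cannot leave the endpoint unmanaged.
    if ($exported) {
        $importArgs = @('import', "`"$backupFile`"")
        Invoke-Reg $importArgs
        Restart-Service -Name wuauserv -Force
    }
}
```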

Get All Applicable Updates from Microsoft (Audit Only)

This package is an Audit-Only package. You can run this and then view the Output log to see what applicable Microsoft Updates are available for the endpoint. You can then choose which other PSWindowsUpdate packages to use to install a subset or all of the updates on the machine.

IMPORTANT! Additional setup for PDQ Deploy and Inventory customers:

1. To extend this audit functionality for PDQ Inventory users, there are additional files that have been bundled with this package. Once the package is downloaded, you can find them here:

$(Repository)\PSWindowsUpdate\InventoryScanner_GetApplicableMicrosoftUpdates.xml
$(Repository)\PSWindowsUpdate\InventoryReport_GetApplicableMicrosoftUpdates.xml

(The default path for $(Repository) is typically: C:\Users\Public\Documents\Admin Arsenal\PDQ Deploy\Repository)

2. Open PDQ Inventory, right-click on Scan Profiles, and choose Import. Navigate to:

 $(Repository)\PSWindowsUpdate\InventoryScanner_GetApplicableMicrosoftUpdates.xml

and choose Open. (If your environment requires signed PowerShell scripts, edit the scanner you just imported: instead of the included script, change the source to File and browse to the signed PowerShell script $(Repository)\PSWindowsUpdate\InventoryScanner_GetAllApplicableUpdates.ps1.)

3. You can now right-click and Scan Computers or Scan Collection with the newly imported Get Applicable Microsoft Updates scanner

4. You can view the results of these scans by opening a computer's inventory, clicking on the PowerShell section, and then choosing PowerShell (Get Applicable Microsoft Updates) from the drop-down box.
Available updates will appear, or you may notice a single entry indicating: No applicable updates.

5. Additionally, for a report of all computers scanned, return to the Inventory home screen, right-click on Reports, and choose Import. Navigate to:

 $(Repository)\PSWindowsUpdate\InventoryReport_GetApplicableMicrosoftUpdates.xml

and choose Open, then run the Get Applicable Updates from Microsoft report. This reports on all machines that you have scanned with the Get Applicable Microsoft Updates scanner (Step 4) and helps you identify which Microsoft updates are applicable to your environment.

6. You can then take action to install the updates you choose with one of the following PSWindowsUpdate Packages:

Install All Applicable Updates from Microsoft (No Drivers, No Feature Updates)

This package will install ALL applicable updates from Microsoft, but will not install hardware drivers or feature updates.

Install All Applicable Critical and Security Updates from Microsoft

This package will install Critical and Security Patches ONLY. This package will install cumulative updates as well as other critical updates and security updates.

Install All Applicable Drivers from Microsoft

Many hardware drivers are now available from Microsoft to update, including but not limited to printers, video, mice, keyboards, network, and third-party firmware drivers. We strongly recommend additional testing on test machines or in a test lab, especially for network and firmware drivers, before deploying to remote machines, where a failed installation risks OS or network connectivity issues.

Install All Applicable Feature Updates from Microsoft

This package will specifically install Feature Updates. Please note that Feature Updates can take quite a bit of time to download and install, so you may need additional contact with end users to coordinate a block of time for a feature update (overnight deployment).

Install Specific Microsoft KB

This package currently is only applicable for PDQ Deploy and gives you the ability to directly modify the KB Number you wish to deploy in the Parameters field in Step 1. Please pay close attention to preserving the exact syntax in the Parameters field:

Example 1 with one KB Number:

-KBArticleID 'KB8675309'

Example 2 with 2 or more KB Numbers to install:

-KBArticleID 'KB8675309, KB9274836, KB3371337'

Customizing PSWindowsUpdate

While the default packages provide a suitable WSUS/Microsoft Update alternative for most customers, you can create custom update configurations if you're familiar with PowerShell. To customize a package:

  1. Download any PSWindowsUpdate package (except Specific Microsoft KB)
  2. Convert the auto-download package to a standard package
  3. Navigate to the PowerShell file in Step 1
  4. Modify the script using the options below

General Categories

  • Critical Updates
  • Definition Updates
  • Drivers
  • Feature Packs
  • Security Updates
  • Service Packs
  • Tools
  • Update Rollups
  • Updates
  • Upgrades

Category IDs

Application - 5C9376AB-8CE6-464A-B136-22113DD69801

Connectors - 434DE588-ED14-48F5-8EED-A15E09A991F6

Critical Updates - E6CF1350-C01B-414D-A61F-263D14D133B4

Definition Updates - E0789628-CE08-4437-BE74-2495B842F43B

Developer Kits - E140075D-8433-45C3-AD87-E72345B36078

Feature Packs - B54E7D24-7ADD-428F-8B75-90A396FA584F

Guidance - 9511D615-35B2-47BB-927F-F73D8E9260BB

Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441

Service Packs - 68C5B0A3-D1A6-4553-AE49-01D3A7827828

Tools - B4832BD8-E735-4761-8DAF-37F882276DAB

Update Rollups - 28BC880E-0592-4CBF-8F95-C79B17911D5F

Updates - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83

Microsoft Reference

Example Command Line Options

Get all available patches from Microsoft

Get-WindowsUpdate -MicrosoftUpdate -Verbose

Exclude updates by category, title, or KB number:

Get-WindowsUpdate -MicrosoftUpdate -Verbose -NotCategory 'Drivers' -NotTitle 'OneDrive' -NotKBArticleID 'KB4489873'

Install updates by Category

Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -Verbose -IgnoreReboot -Category 'Critical Updates', 'Security Updates', 'Updates'

Install updates by CategoryID

Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -Verbose -IgnoreReboot -CategoryIDs 'E6CF1350-C01B-414D-A61F-263D14D133B4', 'CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83', '0FA1201D-4330-4FA8-8AE9-B877473B6441'

Install updates by KB number:

Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -Verbose -IgnoreReboot -KBArticleID 'KB2267602', 'KB4533002'

 
