Overview
The PSWindowsUpdate module provides a reliable alternative to WSUS/Microsoft Update for checking and applying Microsoft updates to a machine. While we typically avoid third-party tools, this well-established module enables direct downloads of Microsoft Updates from Microsoft servers instead of using an on-premise server. This approach particularly benefits Connect customers by eliminating the need for traditional on-premise update servers.
Federal or government organizations should review this PowerShell Module before production deployment to ensure compliance with security standards.
Publisher: PowerShellGallery
Download: PSWindowsUpdate
VirusTotal: Report
Requirements
- Endpoints must have internet access (not compatible with air-gapped networks)
- PowerShell scripts must be enabled and allowed to run on endpoints
- Endpoints must have access to Microsoft servers for update downloads
Available Packages
The Package Library includes these packages:
- PSWindowsUpdate - Get All Applicable Updates from Microsoft (Audit Only)
- PSWindowsUpdate - Install All Applicable Updates from Microsoft (No Drivers, No Feature Updates)
- PSWindowsUpdate - Install All Applicable Critical and Security Updates from Microsoft
- PSWindowsUpdate - Install All Applicable Drivers from Microsoft
- PSWindowsUpdate - Install All Applicable Feature Updates from Microsoft
- PSWindowsUpdate - Install Specific Microsoft KB
Package Workflow
Each package follows these automated steps to manage Windows updates:
- Verify NuGet Package Provider installation and install if needed
- Verify PSWindowsUpdate module installation and install if needed
- Back up existing WSUS/Windows Update registry settings before removal
- Run PSWindowsUpdate module to check for available Microsoft patches
- Install updates based on selected package type
- Complete installation (system restart might be required)
- Restore original WSUS/Windows Update registry settings if applicable
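The workflow above as a PowerShell sketch, added here as an illustration; it is not the script shipped in the PDQ packages. It assumes the WSUS settings in question are the standard policy key HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and uses a hypothetical backup path. It stops at the audit step and restores the key in a finally block, so a failed scan does not leave the endpoint without its original policy.

```powershell
# Added illustration, not the PDQ package script. Run from an elevated session.
# Assumptions: $sub is the standard WSUS/Windows Update policy key;
# $backup is a hypothetical backup location.
$sub       = 'SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policyKey = "HKLM:\$sub"
$backup    = Join-Path $env:ProgramData 'WU-policy-backup.reg'

# Steps 1-2: install the NuGet provider and the module only when they are missing.
if (-not (Get-PackageProvider -ListAvailable -Name NuGet -ErrorAction SilentlyContinue)) {
    Install-PackageProvider -Name NuGet -Force -ErrorAction Stop | Out-Null
}
if (-not (Get-Module -ListAvailable -Name PSWindowsUpdate)) {
    Install-Module -Name PSWindowsUpdate -Repository PSGallery -Force -ErrorAction Stop
}
Import-Module PSWindowsUpdate -ErrorAction Stop

# Step 3: back up the policy key; remove it only if the export succeeded.
$hadPolicy = Test-Path $policyKey
if ($hadPolicy) {
    & reg.exe export "HKLM\$sub" $backup /y 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Registry export failed; policy key left untouched.' }
    Remove-Item -Path $policyKey -Recurse -Force -ErrorAction Stop
}

try {
    # Step 4 (audit only): list applicable updates straight from Microsoft.
    $updates = Get-WindowsUpdate -MicrosoftUpdate -Verbose
    if ($updates) { $updates | Select-Object KB, Size, Title | Format-Table -AutoSize }
    else          { 'No applicable updates.' }
}
finally {
    # Step 7: restore the original settings even if the scan failed.
    if ($hadPolicy) {
        & reg.exe import $backup 2>&1 | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Restore failed; re-import $backup manually."
        }
    }
}
```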
Get All Applicable Updates from Microsoft (Audit Only)
This package is audit-only. Run it, then view the Output log to see which Microsoft updates are applicable to the endpoint. You can then choose which other PSWindowsUpdate packages to use to install a subset or all of the updates on the machine.
IMPORTANT! Additional setup for PDQ Deploy and Inventory customers:
1. Additional files are bundled with this package to extend the audit functionality to PDQ Inventory users. Once the package is downloaded, you can find them here:
$(Repository)\PSWindowsUpdate\InventoryScanner_GetApplicableMicrosoftUpdates.xml
$(Repository)\PSWindowsUpdate\InventoryReport_GetApplicableMicrosoftUpdates.xml
(The default path for $(Repository) is typically: C:\Users\Public\Documents\Admin Arsenal\PDQ Deploy\Repository)
2. Open PDQ Inventory, right-click on Scan Profiles, and choose Import. Navigate to:
$(Repository)\PSWindowsUpdate\InventoryScanner_GetApplicableMicrosoftUpdates.xml
and choose Open. (If you require signed PowerShell scripts in your environment, edit the scanner you just imported: instead of the included script, change to File and browse to the signed PowerShell script $(Repository)\PSWindowsUpdate\InventoryScanner_GetAllApplicableUpdates.ps1.)
3. You can now right-click and choose Scan Computers or Scan Collection with the newly imported Get Applicable Microsoft Updates scanner.
4. You can view the results of these scans by opening a computer's inventory, clicking on the PowerShell section, and then choosing PowerShell (Get Applicable Microsoft Updates) from the drop-down box.
Available updates will appear, or you may notice a single entry indicating: No applicable updates.
5. Additionally, for a report of all computers scanned, return to the Inventory home screen, right-click on Reports, and choose Import. Navigate to:
$(Repository)\PSWindowsUpdate\InventoryReport_GetApplicableMicrosoftUpdates.xml
and choose Open, then run the Get Applicable Updates from Microsoft report. This will report on all machines that you have scanned with the Get Applicable Microsoft Updates scanner (Step 4) and help you identify which Microsoft updates are applicable to your environment.
6. You can then take action to install the updates you choose with one of the following PSWindowsUpdate Packages:
Install All Applicable Updates from Microsoft (No Drivers, No Feature Updates)
This package will install ALL applicable updates from Microsoft, but will not install hardware drivers or feature updates.
Install All Applicable Critical and Security Updates from Microsoft
This package will install Critical and Security Patches ONLY. This package will install cumulative updates as well as other critical updates and security updates.
Install All Applicable Drivers from Microsoft
There are many hardware drivers now available from Microsoft to update, including but not limited to printers, video, mice, keyboards, network, and third-party firmware drivers. We strongly recommend additional testing on test machines or in a test lab, especially with network and firmware drivers, before deploying to remote machines, where a failed installation can cause OS or network connectivity issues.
Install All Applicable Feature Updates from Microsoft
This package will specifically install Feature Updates. Please note that Feature Updates can take quite a bit of time to download and install, so you may need additional contact with end users to coordinate a block of time for a feature update (overnight deployment).
Install Specific Microsoft KB
This package currently applies only to PDQ Deploy. It lets you directly modify the KB number you wish to deploy in the Parameters field in Step 1. Pay close attention to preserving the exact syntax in the Parameters field:
Example 1 with one KB Number:
-KBArticleID 'KB8675309'
Example 2 with 2 or more KB Numbers to install:
-KBArticleID 'KB8675309, KB9274836, KB3371337'
Customizing PSWindowsUpdate
While the default packages provide a suitable WSUS/Microsoft Update alternative for most customers, you can create custom update configurations if you're familiar with PowerShell. To customize a package:
- Download any PSWindowsUpdate package (except Specific Microsoft KB)
- Convert the auto-download package to a standard package
- Navigate to the PowerShell file in Step 1
- Modify the script using the options below
General Categories
- Critical Updates
- Definition Updates
- Drivers
- Feature Packs
- Security Updates
- Service Packs
- Tools
- Update Rollups
- Updates
- Upgrades
Category IDs
Application - 5C9376AB-8CE6-464A-B136-22113DD69801
Connectors - 434DE588-ED14-48F5-8EED-A15E09A991F6
Critical Updates - E6CF1350-C01B-414D-A61F-263D14D133B4
Definition Updates - E0789628-CE08-4437-BE74-2495B842F43B
Developer Kits - E140075D-8433-45C3-AD87-E72345B36078
Feature Packs - B54E7D24-7ADD-428F-8B75-90A396FA584F
Guidance - 9511D615-35B2-47BB-927F-F73D8E9260BB
Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441
Service Packs - 68C5B0A3-D1A6-4553-AE49-01D3A7827828
Tools - B4832BD8-E735-4761-8DAF-37F882276DAB
Update Rollups - 28BC880E-0592-4CBF-8F95-C79B17911D5F
Updates - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
Example Command Line Options
Get all available patches from Microsoft:
Get-WindowsUpdate -MicrosoftUpdate -Verbose
Exclude updates by category, title, or KB number:
Get-WindowsUpdate -MicrosoftUpdate -Verbose -NotCategory 'Drivers' -NotTitle 'OneDrive' -NotKBArticleID 'KB4489873'
Install updates by Category:
Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -Verbose -IgnoreReboot -Category 'Critical Updates', 'Security Updates', 'Updates'
Install updates by CategoryID:
Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -Verbose -IgnoreReboot -CategoryIDs 'E6CF1350-C01B-414D-A61F-263D14D133B4', 'CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83', '0FA1201D-4330-4FA8-8AE9-B877473B6441'
Install updates by KB number:
Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -Verbose -IgnoreReboot -KBArticleID 'KB2267602', 'KB4533002'