Overview
The PSWindowsUpdate module provides a reliable alternative to WSUS/Microsoft Update for checking and applying Microsoft updates to a machine. While we typically avoid third-party tools, this well-established module enables direct downloads of Microsoft Updates from Microsoft servers instead of using an on-premise server. This approach particularly benefits Connect customers by eliminating the need for traditional on-premise update servers.
Federal or government organizations should review this PowerShell Module before production deployment to ensure compliance with security standards.
Publisher/Download: PowerShellGallery
VirusTotal: Report
Requirements
- Endpoints must have internet access (not compatible with air-gapped networks)
- PowerShell scripts must be enabled and allowed to run on endpoints
- Endpoints must have access to Microsoft servers for update downloads
Available Packages
The Package Library includes these packages:
- PSWindowsUpdate - Get All Applicable Updates from Microsoft (Audit Only)
- PSWindowsUpdate - Install All Applicable Updates from Microsoft (No Drivers, No Feature Updates)
- PSWindowsUpdate - Install All Applicable Critical and Security Updates from Microsoft
- PSWindowsUpdate - Install All Applicable Drivers from Microsoft
- PSWindowsUpdate - Install All Applicable Feature Updates from Microsoft
- PSWindowsUpdate - Install Specific Microsoft KB
Package Workflow
Each package follows these automated steps to manage Windows updates:
- Verify NuGet Package Provider installation and install if needed
- Verify PSWindowsUpdate module installation and install if needed
- Back up existing WSUS/Windows Update registry settings before removal
- Run PSWindowsUpdate module to check for available Microsoft patches
- Install updates based on selected package type
- Complete installation (system restart might be required)
- Restore original WSUS/Windows Update registry settings if applicable
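The workflow above, written out as an added PowerShell example; it is not the script shipped in the packages. It assumes the WSUS settings live under the standard Windows Update policy key, uses a hypothetical backup file in the temp folder, and installs only the Critical and Security categories. The restore runs in a finally block, so a failed scan or install does not leave the endpoint without its WSUS configuration.

```powershell
#Requires -RunAsAdministrator
# Added example: illustrates the package workflow; not the packages' own script.

# Standard Windows Update policy key (assumed to be what the packages back up and remove).
$wuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wuPolicyReg = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'   # same key, reg.exe syntax
$backupFile  = Join-Path $env:TEMP 'WindowsUpdatePolicy-backup.reg'       # hypothetical location
$backedUp    = $false

try {
    # Steps 1-2: verify the NuGet provider and the module, install if missing.
    if (-not (Get-PackageProvider -ListAvailable -Name NuGet -ErrorAction SilentlyContinue)) {
        Install-PackageProvider -Name NuGet -Force | Out-Null
    }
    if (-not (Get-Module -ListAvailable -Name PSWindowsUpdate)) {
        Install-Module -Name PSWindowsUpdate -Repository PSGallery -Force
    }
    Import-Module PSWindowsUpdate -ErrorAction Stop

    # Step 3: export the policy key first; remove it only if the export succeeded.
    if (Test-Path $wuPolicyKey) {
        & reg.exe export $wuPolicyReg $backupFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; WSUS settings left untouched.' }
        $backedUp = $true
        Remove-Item -Path $wuPolicyKey -Recurse -Force
        Restart-Service -Name wuauserv -Force   # restart the update agent so it picks up the change
    }

    # Step 4: list what Microsoft offers (this is all the Audit Only package does).
    Get-WindowsUpdate -MicrosoftUpdate -Verbose

    # Steps 5-6: install the selected subset; the reboot is left to the operator.
    Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -Verbose -IgnoreReboot `
        -Category 'Critical Updates', 'Security Updates'
}
finally {
    # Step 7: restore the original settings even when a step above threw.
    if ($backedUp) {
        & reg.exe import $backupFile | Out-Null
        if ($LASTEXITCODE -eq 0) {
            Remove-Item -Path $backupFile -Force
            Restart-Service -Name wuauserv -Force
        }
        else {
            Write-Error "WSUS policy restore failed; backup kept at $backupFile"
        }
    }
}
```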
Get All Applicable Updates from Microsoft (Audit Only)
This package is audit-only. Run it, then view the Output log to see which applicable Microsoft updates are available for the endpoint. You can then choose which of the other PSWindowsUpdate packages to use to install a subset or all of the updates on the machine.
Install All Applicable Updates from Microsoft (No Drivers, No Feature Updates)
This package will install ALL applicable updates from Microsoft, but will not install hardware drivers or feature updates.
Install All Applicable Critical and Security Updates from Microsoft
This package will install Critical and Security patches ONLY. That includes cumulative updates as well as other critical updates and security updates.
Install All Applicable Drivers from Microsoft
There are many hardware drivers now available from Microsoft to update, including but not limited to printers, video, mice, keyboards, network, and third-party firmware drivers. We strongly recommend additional testing, especially with network and firmware drivers on test machines or a test lab before deploying to remote machines and risking OS or network connectivity issues with installation failure.
Install All Applicable Feature Updates from Microsoft
This package will specifically install Feature Updates. Please note that Feature Updates can take quite a bit of time to download and install, so you may need additional contact with end users to coordinate a block of time for a feature update (overnight deployment).
Install Specific Microsoft KB
This package is currently applicable only to PDQ Deploy. It lets you directly modify the KB number you wish to deploy in the Parameters field in Step 1. Please pay close attention to preserving the exact syntax in the Parameters field:
Example 1 with one KB Number:
-KBArticleID 'KB8675309'
Example 2 with 2 or more KB Numbers to install:
-KBArticleID 'KB8675309, KB9274836, KB3371337'
Customizing PSWindowsUpdate
While the default packages provide a suitable WSUS/Microsoft Update alternative for most customers, you can create custom update configurations if you're familiar with PowerShell. To customize a package:
- Download any PSWindowsUpdate package (except Specific Microsoft KB)
- Convert the auto-download package to a standard package
- Navigate to the PowerShell file in Step 1
- Modify the script using the options below
General Categories
- Critical Updates
- Definition Updates
- Drivers
- Feature Packs
- Security Updates
- Service Packs
- Tools
- Update Rollups
- Updates
- Upgrades
Category IDs
Application - 5C9376AB-8CE6-464A-B136-22113DD69801
Connectors - 434DE588-ED14-48F5-8EED-A15E09A991F6
Critical Updates - E6CF1350-C01B-414D-A61F-263D14D133B4
Definition Updates - E0789628-CE08-4437-BE74-2495B842F43B
Developer Kits - E140075D-8433-45C3-AD87-E72345B36078
Feature Packs - B54E7D24-7ADD-428F-8B75-90A396FA584F
Guidance - 9511D615-35B2-47BB-927F-F73D8E9260BB
Security Updates - 0FA1201D-4330-4FA8-8AE9-B877473B6441
Service Packs - 68C5B0A3-D1A6-4553-AE49-01D3A7827828
Tools - B4832BD8-E735-4761-8DAF-37F882276DAB
Update Rollups - 28BC880E-0592-4CBF-8F95-C79B17911D5F
Updates - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
Example Command Line Options
Get all available patches from Microsoft:
Get-WindowsUpdate -MicrosoftUpdate -Verbose
Exclude updates by category, title, or KB number:
Get-WindowsUpdate -MicrosoftUpdate -Verbose -NotCategory 'Drivers' -NotTitle 'OneDrive' -NotKBArticleID 'KB4489873'
Install updates by Category:
Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -Verbose -IgnoreReboot -Category 'Critical Updates', 'Security Updates', 'Updates'
Install updates by CategoryID:
Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -Verbose -IgnoreReboot -CategoryIDs 'E6CF1350-C01B-414D-A61F-263D14D133B4', 'CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83', '0FA1201D-4330-4FA8-8AE9-B877473B6441'
Install updates by KB number:
Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -Verbose -IgnoreReboot -KBArticleID 'KB2267602', 'KB4533002'
FAQ
The packages save and clear out any existing WSUS registry keys and, once the update run is complete, restore those registry keys.