Querying missing patches and installing them across many different Windows systems can be a chore if you don’t have the right tool. Many different commercial offerings exist, but if you want a free solution that requires a little bit of PowerShell know-how, you can use a free, community module called PSWindowsUpdate to do the trick.
Installing and getting to know PSWindowsUpdate
PSWindowsUpdate is a community module that’s available via the PowerShell Gallery. In your PowerShell session, run Install-Module PSWindowsUpdate to download and install the latest version. The download should be quick. Once downloaded, the module’s commands should be available to you. By running Get-Command -Module PSWindowsUpdate, you can see that we can do a lot of things other than just installing patches.
Querying missing patches
Before you can install patches, you need to know which patches you need across your systems. The PSWindowsUpdate module provides a command called Get-WindowsUpdate we can use to discover any missing patches. The Get-WindowsUpdate command supports querying the local computer or remote computers.
When run, you can see below that it returns a list of all of the missing updates on whatever computer you target.
Installing missing patches
Once you know what you’re missing, you can take that information and install the patches. Get-WindowsUpdate provides many different parameters to query and install updates. For example, if we’re happy with installing the list of patches provided with Get-WindowsUpdate with no parameters, we can take the next logical step and install them.
There are many “states” a patch can be, such as available, downloaded and installed. Some patches need a reboot to complete an install, while some don’t and so on. The Get-WindowsUpdate command gives you the flexibility to pick and choose what updates are installed.
For example, let’s say that we don’t care about anything other than getting the missing updates installed on my computer. In that case, we can provide the nuclear approach by telling Get-WindowsUpdate to install all missing patches, accepting every one that it finds and initiating a reboot if it needs one.
We could be a little more gentle and only pick specific updates using the KBArticleId parameter. The below command would install only that particular KB, and if it needed a reboot, it would let us know rather than automatically rebooting.
The PSWindowsUpdate module has many different options and way too much to cover in one article. I encourage you to download and try it out. Be sure to check out the extensive help documentation for each function if you’re unfamiliar with the syntax. If you have the patience to learn this module, you can build some advanced update management solutions.