PS Remoting for Windows Update module

I’ve pulled down a module from the gallery that is for managing updates on your member servers. Queries for retrieving information on each remote member server work fine across the board, but when I go to use the install command I get the following error. I’ve read the about_remote_troubleshooting, but am still having a hard time figuring out what it is that I need to do in order to enable this command to execute on the remote machine. I don’t want to mess with trustedhosts lists, and wanted to know if there was a better way, or if someone could narrow my area of study down, I would appreciate it. I tried utilizing the invoke command but this module is only on my local server and I don’t want to push to all member servers. Set me straight! Thanks for any pointers.

Install-WindowsUpdate : [RemotePCName] Connecting to remote server RemotePCName failed with the following error message : The WinRM client cannot process the request. Default credentials with Negotiate over HTTP can be used only 
if the target machine is part of the TrustedHosts list or the Allow implicit credentials for Negotiate option is specified. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Install-WindowsUpdate -ComputerName "RemotePCName" -SendReport -Verbose
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (RemotePCName:String) [Get-WindowsUpdate], PSRemotingTransportException
+ FullyQualifiedErrorId : ExplicitCredentialsRequired,PSSessionStateBroken

Can you share the script content here, or the lines of code where you invoke it?

Sure thing.

So I grabbed the module:

[pre] install-module pswindowsupdate [/pre]

I can use the following to query any of my member servers without issue. I get back the status of the current server and any needed updates:

[pre] get-windowsupdate -computername "SERVERNAME" [/pre]

It’s when I go to actually try and do the installs that I get the error (PSRemoting is enabled):

[pre] install-windowsupdate -computername "SERVERNAME"

Install-WindowsUpdate : [SERVERNAME] Connecting to remote server SERVERNAME failed with the following error message : The WinRM client cannot process the request. Default credentials with Negotiate over HTTP can be used only
if the target machine is part of the TrustedHosts list or the Allow implicit credentials for Negotiate option is specified. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Install-WindowsUpdate -ComputerName "SERVERNAME"
+ CategoryInfo : OpenError: (SERVERNAME:String) [Get-WindowsUpdate], PSRemotingTransportException
+ FullyQualifiedErrorId : ExplicitCredentialsRequired,PSSessionStateBroken
[/pre]

Never used this module. Can you try giving the credentials, and try adding the server to the trusted hosts list as well? Let’s see what happens.
I think you have to use Set-PSWUSettings to use credentials and pass it to -PSWUSettings parameter of Get-WindowsUpdate cmdlet.

I’m not clear on how to give the credentials. The cmdlet doesn’t have a credential option and I can’t put the module on each server in order to utilize invoke cmd with credentials. How else can I specify the creds?

 

Remote operating system update is a functionality that admins have been asking about for more than a decade at this point, and Microsoft has repeatedly failed to implement a straightforward and reliable way to do it. You can manage updates with a local WSUS and group policy, but depending on your local system configuration that may not be available or convenient, and it doesn’t give you a way to manually force update installation right now or handle a reboot-to-finish-install.

However, there are a couple of things that you can do that are already built in, without needing to install extra modules. I have not had credential issues with these.

First, check out USOClient.

I’ve found that the most useful part of this is “ScanInstallWait”, which will force a check for updates and then immediately begin downloading them. You can execute this with a remote PS session, or via PsExec from the Windows SysInternals. The only problem with ScanInstallWait is that it doesn’t give you any feedback, it just runs until all discovered updates are downloaded and then exits.

“StartInteractiveScan” seems like it would be useful, but I’ve never been able to get it to work remotely. It seems like it was never fully implemented.

“RestartDevice” is extremely useful. If you run Restart-Computer remotely it will generally cause the system to reboot without installing updates, but USOClient’s restart command will install updates and then reboot.

To get some status information, you can use commands from the WindowsUpdateProvider module, which should already be present on your systems. The useful parts here are:
Get-WULastScanSuccessDate - returns the time and date of the last check for updates
Get-WULastInstallationDate - returns the time and date of the last update installation
Get-WUIsPendingReboot - returns ‘True’ if the computer needs to reboot to finish installation

The other commands in the module don’t work as far as I can tell - again, not fully implemented.
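
An added example, not part of the original posts and not code from the PSWindowsUpdate module: the built-in tools named in the post above, run over a PS session that is forced to Kerberos, so no TrustedHosts entry is involved. It assumes domain-joined servers addressed by FQDN; the function name `Invoke-RemoteUpdateScan` and the server names are hypothetical.

```powershell
# Added example. Invoke-RemoteUpdateScan and the server names are hypothetical.
function Invoke-RemoteUpdateScan {
    [CmdletBinding()]
    param(
        # FQDNs of domain-joined servers, so WinRM can obtain a Kerberos ticket.
        [Parameter(Mandatory)][string[]]$ComputerName,
        # Optional explicit credential; omit it to use the current logon.
        [pscredential]$Credential,
        # Run "UsoClient RestartDevice" when a reboot is pending.
        [switch]$RestartIfPending
    )

    # Runs on the remote server using only what is already installed there.
    $work = {
        param([bool]$Restart)
        $uso = Join-Path $env:SystemRoot 'System32\UsoClient.exe'
        & $uso ScanInstallWait
        $status = [pscustomobject]@{
            LastScan      = Get-WULastScanSuccessDate
            LastInstall   = Get-WULastInstallationDate
            PendingReboot = Get-WUIsPendingReboot
        }
        $status   # emit the status before a possible restart drops the session
        if ($Restart -and $status.PendingReboot) { & $uso RestartDevice }
    }

    foreach ($name in $ComputerName) {
        $invokeArgs = @{
            ComputerName   = $name
            Authentication = 'Kerberos'   # fail instead of falling back to NTLM
            ScriptBlock    = $work
            ArgumentList   = $RestartIfPending.IsPresent
            ErrorAction    = 'Stop'
        }
        if ($Credential) { $invokeArgs.Credential = $Credential }
        try {
            Invoke-Command @invokeArgs
        } catch {
            # Report the failing server and continue with the rest.
            Write-Warning "${name}: $($_.Exception.Message)"
        }
    }
}

# Constructed usage; replace the placeholder names with real FQDNs.
# Invoke-RemoteUpdateScan -ComputerName 'srv01.corp.example','srv02.corp.example' -RestartIfPending
```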

Ya they certainly fall short on updates. Pretty frustrating, especially with the issues you encounter with Server 2016 and how long the updates are taking. We utilize WSUS with GPOs to pull the updates, but the nature of our environment means we have to be rather selective on the order and timing of the installs. I liked that module I referenced b/c it would allow us to meet our deliverables. Thanks for the info on usoclient. I’ll take a look at that and also try to dig a little more on getting these cmds to work on remote servers.

Windows 2016 and its updates are pretty messed up, not sure what MS did with 2016.
Also it would be nice of them to create a new .ISO so you don’t have to install a 2018 cumulative and then 2019 cumulative 1.4GB each :)
Yes you can create your own images but somewhere you need to do it from scratch.

From reading on the interwebz and my own experimentation (using Hashicorp Packer to create up-to-date images) it’s somewhat better to not run cumulative updates together with e.g. Windows Defender and Antimalware updates.
So run the cumulative updates first, then the other updates.
Cut the update time from a scratch install from 5+ hours to about 2 hours.

Kind of funny that Windows 2012R2 has about 120 updates after a scratch install but takes 30-45min to update it all.

Yes, MS really needs to fix this so that it can be done programmatically with progress information and saving states between reboots.

Slade,

I am using the same thing … I found that to modify GPO setting WinRM TrustedHosts - TrustedHost GPO- and enable firewall to GPO Firewall

When I tested, I used the following PowerShell command to get and install remotely: Get-WUInstall -ComputerName YADDA -MicrosoftUpdate -AcceptAll

I even used the example (Get-Help Install-WindowsUpdate) to email the report to a domain Distribution Group.