Windows Update using Powershell Remotely

I have

Windows 7 Windows 8.1 Windows 10

Windows 2012 R2 Windows 2016 and Windows 2019

All running PowerShell version 5 or above.

I ran this on all the computers

Install-module pswindowsupdate -force

From my Windows 10 computer I tried various ways to run the install-windowsupdate command, with no luck.

If I run the install-windowsupdate command locally it runs

Here is what I tried.

 

This is a Windows 10 Computer

PS C:\util> install-windowsupdate -computername TGKW004
install-windowsupdate : TGKW004: Connection failure, check firewall on destination machine.
At line:1 char:1

+ install-windowsupdate -computername TGKW004
    + CategoryInfo : ResourceUnavailable: (:) [Get-WindowsUpdate], Exception
    + FullyQualifiedErrorId : 800706BA,PSWindowsUpdate.GetWindowsUpdate

This is a windows 2012 R2 Server

PS C:\util> install-windowsupdate -computername TGCS011
install-windowsupdate : TGCS011: Unknown failure.
At line:1 char:1

+ install-windowsupdate -computername TGCS011
    + CategoryInfo : PermissionDenied: (:) [Get-WindowsUpdate], Exception
    + FullyQualifiedErrorId : Unknown,PSWindowsUpdate.GetWindowsUpdate

Then I tried Enter-PSSession

PS C:\util> Enter-PSSession -ComputerName tgcs004
[tgcs004]: PS C:\Users\Thomas R Grassi Jr\Documents> install-windowsupdate -ACCEPTALL -autoreboot -verbose
WARNING: Support local instance only, Continue…
VERBOSE: Connecting to Windows Server Update Service server. Please wait…
VERBOSE: Found [4] Updates in pre search criteria
VERBOSE: Found [4] Updates in post search criteria

X Status KB Size Title


2 Accepted KB890830 4 MB Windows Malicious Software Removal Tool x64 - June 2019 (KB890830)
2 Accepted KB4503290 57 MB 2019-06 Security Only Quality Update for Windows Server 2012 R2 for x64-based Systems …
2 Accepted KB4503259 55 MB 2019-06 Cumulative Security Update for Internet Explorer 11 for Windows Server 2012 R2…
2 Accepted KB4503276 456 MB 2019-06 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Syste…
VERBOSE: Accept [4] Updates to Download
Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At C:\windows\system32\windowspowershell\v1.0\Modules\PSWindowsUpdate\1.5.2.2\Get-WUInstall.ps1:807 char:5
+             $Downloader = $objSession.CreateUpdateDownloader()
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (:) [], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException

The property ‘Updates’ cannot be found on this object. Verify that the property exists and can be set.
At C:\windows\system32\windowspowershell\v1.0\Modules\PSWindowsUpdate\1.5.2.2\Get-WUInstall.ps1:808 char:5
+             $Downloader.Updates = $objCollectionTmp
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : PropertyNotFound

 

Any ideas?

Thank you,

Tom

Try following some replies in the thread below; it seems similar.

https://powershell.org/forums/topic/ps-remoting-for-windows-update-module/

Thanks, but his problem is different.

I had the same error as he had and I ran this

Set-Item WSMan:localhost\client\trustedhosts -value *

Also I have tried usoclient and that does nothing: no output, and updates never install. I do not know the purpose of that program; very useless.

So we are now back to my problem: why does it think I have a firewall issue?

I can run invoke-command to any computer/server on my network.

I can Enter-PSSession to any computer/server.

So WinRM is working everywhere.

I even tried this

Enable-psremoting

What else can it be?

 

The output you included in your first post says:

It looks like you should be using Invoke-WUInstall (from the PSWindowsUpdate module) to get the results you want. Install-WindowsUpdate appears to be an alias included with that module, but I’m not sure what function it is specifically aliased to, so you should try Invoke-WUInstall directly as explained in that blog.

PS C:\util> Invoke-WUInstall -ComputerName TGCS005-N1 -Script {ipmo PSWindowsUpdate; Get-WUInstall -AcceptAll | Out-File
C:\PSWindowsUpdate.log } -Confirm:$false –Verbose
Invoke-WUInstall : The term ‘Invoke-WUInstall’ is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At line:1 char:1

+ Invoke-WUInstall -ComputerName TGCS005-N1 -Script {ipmo PSWindowsUpda …
    + CategoryInfo : ObjectNotFound: (Invoke-WUInstall:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

That did not work either

I created a script on the remote computer

clear-host
install-windowsupdate -acceptall -autoreboot -verbose | out-file c:\util\logs\currentupdates.log

Then did

Enter-PSSession -computername TGCS002-2016

VERBOSE: TGCS002-2016 (6/15/2019 8:08:00 PM): Connecting to Windows Server Update Service
(http://wsus.our.network.tgcsnet.com:8530) server. Please wait…
VERBOSE: Found [3] Updates in pre search criteria
VERBOSE: Found [3] Updates in post search criteria
VERBOSE: Accepted [3] Updates ready to Download
install-windowsupdate : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At C:\util\wu.ps1:2 char:1

+ install-windowsupdate -acceptall -autoreboot -verbose | out-file c:\u …
    + CategoryInfo : NotSpecified: (:) [Get-WindowsUpdate], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,PSWindowsUpdate.GetWindowsUpdate

I even tried this

invoke-command -ComputerName tgcs002-2016 -ScriptBlock {c:\util\wu.ps1}

 

VERBOSE: TGCS002-2016 (6/15/2019 8:20:43 PM): Connecting to Windows Server Update Service
(http://wsus.our.network.tgcsnet.com:8530) server. Please wait…
VERBOSE: Found [3] Updates in pre search criteria
VERBOSE: Found [3] Updates in post search criteria
VERBOSE: Accepted [3] Updates ready to Download
Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

    + CategoryInfo : NotSpecified: (:) [Get-WindowsUpdate], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,PSWindowsUpdate.GetWindowsUpdate
    + PSComputerName : tgcs002-2016.home.tgcsnet.com

Why am I getting access denied?

It’s odd that you couldn’t find Invoke-WUInstall. What do you get from

Get-Command -Module PSWindowsUpdate
?

You can use Set-PSWUSettings to use a credential and use the output with Install-WindowsUpdate -PSWUSettings. Otherwise it could be related to the double-hop issue. It would be better if you read up on enabling credential delegation. You can refer to the documentation below.

https://devblogs.microsoft.com/scripting/enable-powershell-second-hop-functionality-with-credssp/

Please provide code example.

PS C:\util> Get-Command -Module PSWindowsUpdate

CommandType Name Version Source


Alias Clear-WUJob 2.1.1.2 PSWindowsUpdate
Alias Download-WindowsUpdate 2.1.1.2 PSWindowsUpdate
Alias Get-WUInstall 2.1.1.2 PSWindowsUpdate
Alias Get-WUList 2.1.1.2 PSWindowsUpdate
Alias Hide-WindowsUpdate 2.1.1.2 PSWindowsUpdate
Alias Install-WindowsUpdate 2.1.1.2 PSWindowsUpdate
Alias Show-WindowsUpdate 2.1.1.2 PSWindowsUpdate
Alias UnHide-WindowsUpdate 2.1.1.2 PSWindowsUpdate
Alias Uninstall-WindowsUpdate 2.1.1.2 PSWindowsUpdate
Cmdlet Add-WUServiceManager 2.1.1.2 PSWindowsUpdate
Cmdlet Enable-WURemoting 2.1.1.2 PSWindowsUpdate
Cmdlet Get-WindowsUpdate 2.1.1.2 PSWindowsUpdate
Cmdlet Get-WUApiVersion 2.1.1.2 PSWindowsUpdate
Cmdlet Get-WUHistory 2.1.1.2 PSWindowsUpdate
Cmdlet Get-WUInstallerStatus 2.1.1.2 PSWindowsUpdate
Cmdlet Get-WUJob 2.1.1.2 PSWindowsUpdate
Cmdlet Get-WULastResults 2.1.1.2 PSWindowsUpdate
Cmdlet Get-WURebootStatus 2.1.1.2 PSWindowsUpdate
Cmdlet Get-WUServiceManager 2.1.1.2 PSWindowsUpdate
Cmdlet Get-WUSettings 2.1.1.2 PSWindowsUpdate
Cmdlet Invoke-WUJob 2.1.1.2 PSWindowsUpdate
Cmdlet Remove-WindowsUpdate 2.1.1.2 PSWindowsUpdate
Cmdlet Remove-WUServiceManager 2.1.1.2 PSWindowsUpdate
Cmdlet Set-PSWUSettings 2.1.1.2 PSWindowsUpdate
Cmdlet Set-WUSettings 2.1.1.2 PSWindowsUpdate
Cmdlet Update-WUModule 2.1.1.2 PSWindowsUpdate

 

Don’t have a system to test and never used this module. The suggestions are based on the documentation. I could suggest the code below (not tested).

$PSWUSettings = Set-PSWUSettings -Credential (Get-Credential) #user with admin access in $server
Install-WindowsUpdate -ComputerName $Server -PSWUSettings $PSWUSettings -ACCEPTALL -autoreboot -verbose

Oh, right, he’s referring to an older version of PSWindowsUpdate in that blog post (specifically 1.5.2.6). You could try installing the older version of the module to get the Invoke-WUInstall command if you want. But, upon further reading it seems that command is actually a bit of a kludge, so at-your-own-risk.

There are a lot of barriers in place to prevent you from forcing a Windows update remotely, placed there by Microsoft. Theoretically this is for “security reasons”, but that seems a bit hypocritical when M$ has demonstrated the ability to force install updates and reboot user machines without the user’s permission. It’s possible to do what you want, but you shouldn’t expect it to be straightforward, because M$ has specifically taken steps to prevent it. Sysadmins used to rely on wuauclt, but M$ has removed that functionality.

I would still recommend USOClient, specifically using ScanInstallWait and then RestartDevice. I can confirm that it works on Windows 10 up to r1803.

kvprasoon is probably correct that the ‘Permission Denied’ error is due to the double-hop problem. Solving this problem for your network may allow you to use Install-WindowsUpdate remotely as you originally wanted to, but I don’t recommend CredSSP because of security concerns. It can be done securely with Kerberos, but you should read that blog thoroughly and understand exactly how that method would apply to your network. With so many different versions of Windows running, if you do it wrong you’ll expose your system to security problems.

PS C:\util> $Server = “TGCS002-2016.home.tgcsnet.com
PS C:\util> $PSWUSettings = Set-PSWUSettings -Credential (Get-Credential)

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
PS C:\util> Install-WindowsUpdate -ComputerName $Server -PSWUSettings $PSWUSettings -ACCEPTALL -autoreboot -verbose
Get-WindowsUpdate : Cannot convert ‘’ to the type ‘System.Collections.Hashtable’ required by parameter ‘PSWUSettings’.
Specified method is not supported.
At line:1 char:59
+ … ndowsUpdate -ComputerName $Server -PSWUSettings $PSWUSettings -ACCEPT …
+                                                 ~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Get-WindowsUpdate], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgument,PSWindowsUpdate.GetWindowsUpdate

PS C:\util>

Hello Everyone

I figured out a method.

First I created a small script and copied to each computer.

Then created a scheduled task

The script

clear-host
write-host "Starting Patches Service"
# service places host in maint mode on Nagios
start-service patches
$Server = hostname 
get-windowsupdate -computername $Server -acceptall -autoreboot -install -verbose | out-file c:\util\logs\currentupdates.log

$bigbody += Get-Content -Path "C:\util\Logs\currentupdates.log" | out-string 

$Params = @{
   Subject = "$Server Monthly Update Report"
   Body = " $bigbody"
   From = "no-reply@tgcsnet.com"
   To = "systems-alert@home.com"
   smtpserver = "InternalRelay.HOME.COM"
}


Send-MailMessage @Params

Then from my desktop I run this command

Invoke-Command -ComputerName test01 -ScriptBlock {Start-ScheduledTask -TaskName "Install-Updates"}

This works great
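
The scheduled-task approach from the post above, as an added PowerShell example that is not the poster's code: it registers the task to run the local script as SYSTEM and then triggers it over WinRM, so the update calls are made in a local session rather than the remote one that returned E_ACCESSDENIED earlier in the thread. The SYSTEM principal, the ACL check and the use of the ScheduledTasks cmdlets (Windows 8 / Server 2012 and later, so not the Windows 7 hosts) are assumptions; the task name, script path and host names are the thread's.

```powershell
# Added example, not the poster's code. Task name, script path and host names
# are taken from the thread; adjust the host list to your own inventory.
$computers  = 'TGCS002-2016', 'TGCS011'
$taskName   = 'Install-Updates'
$scriptPath = 'C:\util\wu.ps1'

# 1. Register an on-demand task that runs the local script as SYSTEM.
Invoke-Command -ComputerName $computers -ArgumentList $taskName, $scriptPath -ScriptBlock {
    param($Name, $Script)
    if (-not (Test-Path -LiteralPath $Script)) { throw "$Script missing on $env:COMPUTERNAME" }

    # A SYSTEM task is only as safe as the file it runs: refuse to register it
    # if a non-admin account can modify the script (English account names assumed).
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    $looseAces = (Get-Acl -LiteralPath $Script).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $write) -and
        $_.IdentityReference.Value -notmatch 'SYSTEM$|\\Administrators$|TrustedInstaller$'
    }
    if ($looseAces) { throw "$Script is writable by: $($looseAces.IdentityReference -join ', ')" }

    # No -ExecutionPolicy override: the host's policy must already allow local scripts.
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -File `"$Script`""
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $Name -Action $action -Principal $principal -Force | Out-Null
}

# 2. Trigger the task and report its result. With -autoreboot in the script the
#    host may restart mid-poll; the log the script writes is then the record.
Invoke-Command -ComputerName $computers -ArgumentList $taskName -ErrorAction Continue -ScriptBlock {
    param($Name)
    Start-ScheduledTask -TaskName $Name
    do {
        Start-Sleep -Seconds 30
        $state = (Get-ScheduledTask -TaskName $Name).State
    } while ($state -eq 'Running')
    $info = Get-ScheduledTaskInfo -TaskName $Name
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        LastRunTime    = $info.LastRunTime
        LastTaskResult = '0x{0:X8}' -f $info.LastTaskResult
    }
}
```

Registering the task needs only the WinRM access the thread already has; no CredSSP or TrustedHosts wildcard is involved, because nothing in the task makes a second network hop with the caller's credentials.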