You can also copy the pswinupdate module to “C:\Program Files\WindowsPowerShell\Modules\PSWindowsUpdate” - (https://www.powershellgallery.com/packages/PSWindowsUpdate/2.0.0.4) on machines and run updates from it.
I would highly advise setting TargetReleaseVersionInfo to the current OS version before doing so. This setting prevents the machine from picking up “Feature Updates” even when someone runs Windows updates manually.
Pre-req Task:
Example Relevance:
exists matches(regex"(\(1809\))") of (operating system as string)
Example Action:
regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]" "TargetReleaseVersionInfo"="1809"
Task to run Windows updates (timeout after 1 hour):
Relevance:
exists value "TargetReleaseVersionInfo" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" of registry
Something like this for the Action:
// Delete possible WSUS registry entries that may prevent windows update from working if gpo is set.
regdelete "[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]" "WUServer"
regdelete "[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]" "WUStatusServer"
// Run Updates
delete __createfile
delete "c:\windows\temp\win_updates.ps1"
createfile until EOF
import-module PSWindowsUpdate
# Windows update advanced options > enable Receive updates for other Microsoft products when you update Windows.
Add-WUServiceManager -ServiceID "7971f918-a847-4430-9279-4a52d1efe18d" -Confirm:$false
# Set filename + todays date.log
$filenameformat = "win_updates$(Get-Date -Format "yyyyMMdd").log"
# Run windows updates and exclude feature updates or "Upgrades"
Get-WUList -MicrosoftUpdate -NotCategory "Upgrade" -Install -AcceptAll -IgnoreReboot | Out-File "C:\Windows\Temp\$filenameformat" -Append
EOF
copy __createfile "c:\windows\temp\win_updates.ps1"
override wait
hidden=true
timeout_seconds=3600
disposition=terminate
wait powershell.exe -ExecutionPolicy Bypass "c:\windows\temp\win_updates.ps1"
The log ends up looking something like:
-
machinename Accepted KB4570505 2020-08 Cumulative Update for .NET Framework 3.5, 4.7.2 and 4.8 for Window...
-
machinename Accepted KB2267602 Security Intelligence Update for Microsoft Defender Antivirus - KB226702 (...
-
machinename Accepted KB4565349 2020-08 Cumulative Update for Windows 10 Version 1809 for x64-based Systems....
-
machinename Downloaded KB4570505 2020-08 Cumulative Update for .NET Framework 3.5, 4.7.2 and 4.8 for Window...
-
machinename Downloaded KB2267602 Security Intelligence Update for Microsoft Defender Antivirus - KB226702 (...
-
machinename Downloaded KB4565349 2020-08 Cumulative Update for Windows 10 Version 1809 for x64-based Systems....
-
machinename Installed KB4570505 2020-08 Cumulative Update for .NET Framework 3.5, 4.7.2 and 4.8 for Window.
-
machinename Installed KB2267602 Security Intelligence Update for Microsoft Defender Antivirus - KB226702 (...
-
machinename Installed KB4565349 2020-08 Cumulative Update for Windows 10 Version 1809 for x64-based Systems....
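
An added example, not part of the original post: a PowerShell helper that reads a log in the format shown above and reports each KB's final status, so you can see whether the one-hour timeout with disposition=terminate ended a run before every update reached Installed. The function name Get-UpdateLogSummary and the sample lines are constructed for illustration, and the column layout (computer, status, KB, title) is assumed to match the excerpt in the post.

```powershell
# Added example: per-KB final status from a PSWindowsUpdate log like the one in the post.
# Constructed sample: KB4565349 never reaches "Installed" (for instance, the run was terminated).
$sample = @(
    '-'
    'machinename Accepted KB4570505 2020-08 Cumulative Update for .NET Framework 3.5, 4.7.2 and 4.8 for Window...'
    '-'
    'machinename Accepted KB4565349 2020-08 Cumulative Update for Windows 10 Version 1809 for x64-based Systems....'
    '-'
    'machinename Downloaded KB4570505 2020-08 Cumulative Update for .NET Framework 3.5, 4.7.2 and 4.8 for Window...'
    '-'
    'machinename Downloaded KB4565349 2020-08 Cumulative Update for Windows 10 Version 1809 for x64-based Systems....'
    '-'
    'machinename Installed KB4570505 2020-08 Cumulative Update for .NET Framework 3.5, 4.7.2 and 4.8 for Window...'
)

function Get-UpdateLogSummary {
    param([string[]]$Line)

    # Ordered so the output keeps the order in which KBs first appear in the log.
    $final = [ordered]@{}
    foreach ($l in $Line) {
        # Assumed columns: computer, status, KB id, (truncated) title.
        # Separator lines such as "-" and blank lines do not match and are skipped.
        if ($l -match '^\s*(\S+)\s+(\S+)\s+(KB\d+)\s+(.*)$') {
            # The log is appended in order, so the last line seen for a KB is its final state.
            $final[$Matches[3]] = [pscustomobject]@{
                Computer = $Matches[1]
                KB       = $Matches[3]
                Status   = $Matches[2]
                Title    = $Matches[4]
                Complete = ($Matches[2] -eq 'Installed')
            }
        }
    }
    $final.Values
}

# Show every KB with its final status, then only the ones that did not finish.
$summary = Get-UpdateLogSummary -Line $sample
$summary | Format-Table Computer, KB, Status, Complete -AutoSize
$summary | Where-Object { -not $_.Complete } | Format-Table KB, Status, Title -AutoSize

# To check a real run, read the file the action wrote instead of the sample:
# $log = "C:\Windows\Temp\win_updates$(Get-Date -Format 'yyyyMMdd').log"
# Get-UpdateLogSummary -Line (Get-Content $log) | Where-Object { -not $_.Complete }
```

Because the action appends to one log per day, a second run on the same day overwrites the earlier status for a KB in this summary, which is the behaviour you want when re-running after a timeout.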