[Root] Access is an advice column for IT professionals.

I’m Struggling to Update My Hybrid IT Environment—Can Powershell Help?

An IT pro seeks to streamline patch deployment using PowerShell.

Brien Posey

November 1, 2024

4 Min Read
an IT pro is thinking inside a data center as several clouds part to reveal the powershell logo

[Root] Access is an advice column for questions about IT issues, career moves, and workplace concerns.

Submit questions anonymously using this form.

Dear [Root] Access,

I currently manage a hybrid IT environment that combines on-premises servers and cloud services. Keeping everything up to date is a constant challenge, and I want to streamline the process of deploying patches and updates.

I’ve heard that PowerShell can be a powerful tool for automating these updates, but I’m unsure where to start. How do I use PowerShell to manage this task across my hybrid setup? Also, any tips on handling potential issues or ensuring compliance would be greatly appreciated.

—Hybrid IT Headache

Dear Hybrid IT Headache,

PowerShell is a valuable tool for managing and automating updates, but the specific scripts and techniques you will need depend heavily on your organization’s structure. As such, I will explain a few basic ways you can interact with Windows Update. From there, you can customize a script to fit your requirements. If your organization uses WSUS (Window Server Update Services) or a third-party patch management solution, you can incorporate additional commands to enhance your update process.

Step 1: Import the PowerShell module

The first thing to do is import the appropriate PowerShell module.

Related:How I Built My Own PowerShell Multi-File Search Tool

The PSWindowsUpdate module contains PowerShell cmdlets for managing Windows Update. Import the module using this command:

Import-Module PSWindowsUpdate

If you use WSUS, import WSUS-related cmdlets via a different module called UpdateServices:

Import-Module UpdateServices

Install the module if it isn’t already on your system:

Install-Module -Name <the name of the module> -Force

Step 2: Get to know the module’s cmdlets

After importing the module, I recommend learning about its cmdlets. You can list all the available cmdlets by running Get-Command, followed by the module name. For example, to see the cmdlets in the PSWindowsUpdate module, you would type:

Get-Command PSWindowsUpdate

From there, you can get detailed information about a specific module, including its syntax, by typing Get-Help, followed by the name of the cmdlet. For more details, you can append the -Detailed or -Full parameter to expand the provided information.

Step 3: Put the commands to work

Let’s explore how you can use the PSWindowsUpdate module. Keep in mind that update-related commands generally must run in an elevated PowerShell session.

The first cmdlet you should know is Get-WUHistory, which lists all updates installed to date. Interestingly, you can use this command to see more than the update name. The cmdlet shows when an update installation occurred and whether the installation succeeded. I am highlighting this command because it is invaluable for managing updates across multiple computers. For example, you could use Get-WUHistory as the basis for a script that generates organization-wide compliance reports. Alternatively, you could build a script to scan each machine individually and check if it has a specific patch.

Related:Introduction To PowerShell Environment Variables

When assessing the patching status of machines in your organization, another cmdlet to know is Get-WURebootStatus. Sometimes, a patch management tool deploys an update but fails to reboot the server, leaving the update process incomplete. By running the Get-WURebootStatus command, you can check whether a machine is awaiting a reboot. If any machines need one, you can force the reboot using the Restart-Computer -Force command.

Of course, you can also use PowerShell to install updates on individual machines. The Get-WindowsUpdate cmdlet lists all updates that need to be installed. To install them, you would use the Install-WindowsUpdate cmdlet. However, there are three optional parameters to know before running the Install-WindowsUpdate command:

  1. -AcceptAll: This parameter forces PowerShell to accept any license agreements associated with the updates that you are installing. Generally, you should include this parameter any time you run Install-WindowsUpdate.

  2. -AutoReboot: As the name implies, the -AutoReboot parameter automatically reboots the machine after installing the updates.

  3. -ComputerName: Typically, you won’t need this parameter when updating the local machine. However, you must use it to deploy updates on remote systems. By using the -ComputerName parameter, you can direct the updates to one or more remote computers.

Related:Handle Long PowerShell Scripts With Background Jobs

It’s worth noting that you don’t have to worry about manually specifying individual updates when using the Install-WindowsUpdate cmdlet. It automatically installs all available updates.

Read more PowerShell tips:

Click here to submit a question to the [Root] Access advice column.

About the Author

Brien Posey

Brien Posey is a bestselling technology author, a speaker, and a 20X Microsoft MVP. In addition to his ongoing work in IT, Posey has spent the last several years training as a commercial astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space.

https://brienposey.com/

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like