Install WSUS updates immediately with Windows PowerShell

One little script can change your life. Use Greg Shields' 'Big Red Button' to automate patching and reclaim some hours in your day.

There’s a point in every Windows administrator’s career where the power in command-line automation becomes completely...


Before it hits you, tools like PowerShell and VBScript might appear quaint. You might see their value in performing little tasks, but the effort spent in creating the automation is often far greater than the time saved.

Then, one day, you figure out how one little script can change your life for the better. That script for me was a tiny but powerful WSUS hack back in 2007. Tired of late nights and long evenings each month waiting for WSUS’ scheduler to get started patching servers, I went heads down to script up a “You Patch Now” VBScript.

It took more than a few days and a lot of web searching, but my efforts concluded with a workable solution I called my WSUS Big Red Button (which I wrote about here). Double-click that VBScript and any Windows computer would immediately scan for updates, download those it needed, install them and reboot if necessary.

Even better, the script (or, more specifically, the Windows Update Agent) respected WSUS configurations applied either manually or via Group Policy. As a result, any computer already part of a WSUS infrastructure would install only updates marked Approved. Conversely, any computer not managed by a WSUS server would still install anything Microsoft Update suggested. Instantly, my monthly patching efforts diminished from hours to mere minutes.

Red Button Mark II, PowerShell Edition

Times change, as do scripting languages. Today, VBScript is an artifact of a time long past, replaced by the far more powerful PowerShell. As a result, it seems time to update my “Install WSUS Updates Immediately” Big Red Button with a replacement for the PowerShell generation.

Here’s the code. Far shorter than its VBScript genesis, this Big Red Button scans a Windows system, downloads whatever updates are necessary, installs them and reboots the computer should any installed patches require it:

#Define update criteria.
$Criteria = "IsInstalled=0 and Type='Software'"

#Search for relevant updates.
$Searcher = New-Object -ComObject Microsoft.Update.Searcher
$SearchResult = $Searcher.Search($Criteria).Updates
#Nothing to do if the search is empty; the downloader and installer raise an error on an empty collection.
If ($SearchResult.Count -eq 0) { return }

#Download updates.
$Session = New-Object -ComObject Microsoft.Update.Session
$Downloader = $Session.CreateUpdateDownloader()
$Downloader.Updates = $SearchResult
#Start the download; without this call nothing is fetched before the install.
$null = $Downloader.Download()

#Install updates.
$Installer = New-Object -ComObject Microsoft.Update.Installer
$Installer.Updates = $SearchResult
$Result = $Installer.Install()

#Reboot if required by updates.
If ($Result.rebootRequired) { shutdown.exe /t 0 /r }

A little explanation is in order for this “starter” script, as it is a distillation of the one I use in production today. This script is as minimal as it gets. As the comments suggest, execute it on a Windows computer and that machine will search for any relevant updates, download them (from either a configured WSUS server or Microsoft’s servers online), install them, and reboot if any updates request one.

I deliver this script in its most minimal form specifically to give you an opportunity to expand it for your own uses. While my original published VBScript was one of the first ever released to solve this specific problem, today a web search for “install WSUS updates with PowerShell” results in a vast range of options. Many of those go too far with notifications, journaling, emailing results files and all the other niceties that make scripts like these useful. They obscure what’s really being done.

This script’s first block provides a place to identify the criteria for those updates you want installed. I’ve listed a sample few for $Criteria, but you can add your own with the help of the documentation found on MSDN.

The second block instructs the onboard Windows Update Agent to search the local computer for missing updates. The third block uses those results, stored in the variable $SearchResult, to kick off an update download. Those updates are then installed in the fourth block. The fifth and final block queries that installation process to verify and force a reboot if requested.
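The search step can be run on its own as a preview of what the button would install. This is an added example, not part of the author's script; the function name Get-PendingUpdate is hypothetical, and it only searches, downloading and installing nothing.

```powershell
# Added example: list what the script's search criteria would select on this
# machine, without downloading or installing. Get-PendingUpdate is a
# hypothetical name; the properties read are standard Windows Update Agent
# IUpdate properties.
function Get-PendingUpdate {
    param(
        # Same default criteria as the article's script.
        [string]$Criteria = "IsInstalled=0 and Type='Software'"
    )

    $Searcher = New-Object -ComObject Microsoft.Update.Searcher
    $Updates  = $Searcher.Search($Criteria).Updates

    foreach ($Update in $Updates) {
        # An update can reference zero, one or several KB articles.
        $Kb = foreach ($Id in $Update.KBArticleIDs) { "KB$Id" }

        [pscustomobject]@{
            KB           = $Kb -join ','
            Severity     = $Update.MsrcSeverity      # empty for unrated updates
            IsDownloaded = $Update.IsDownloaded      # already in the local cache?
            EulaAccepted = $Update.EulaAccepted
            SizeMB       = [math]::Round($Update.MaxDownloadSize / 1MB, 1)
            Title        = $Update.Title
        }
    }
}

# Wrap in @() so a single result is still counted as a collection.
$Pending = @(Get-PendingUpdate)

if ($Pending.Count -eq 0) {
    Write-Output 'No applicable updates for these criteria.'
}
else {
    Write-Output "$($Pending.Count) update(s) would be installed:"
    $Pending | Format-Table -AutoSize -Wrap
}
```

Passing a different -Criteria string shows how a change to $Criteria alters the selection before it is used in the real run.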

Since the native Windows Update Agent will respect configurations handed to it manually or via Group Policies, running this will download only those updates you’ve approved for installation in your WSUS console. Start there first, before kicking off this script against individual machines. If a machine doesn’t have a local WSUS configuration, the Windows Update Agent will query against Microsoft’s Internet servers for the patches Microsoft deems appropriate (and constrained by the criteria you’ve added).
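Because the outcome depends on whether the machine has a WSUS configuration, it is worth confirming the update source before running the script. The check below is an added example, not the author's code; Get-UpdateSource is a hypothetical name, and it assumes the WSUS settings arrive through the standard Windows Update policy registry keys that Group Policy writes.

```powershell
# Added example: report which update source the Windows Update Agent is
# configured to use. Get-UpdateSource is a hypothetical name. Assumes WSUS
# settings are delivered via the standard policy keys below.
function Get-UpdateSource {
    $WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $AuKey = Join-Path $WuKey 'AU'

    # Either key may be absent on an unmanaged machine.
    $Wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    $Au = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue

    # The agent only honours WUServer when UseWUServer is set to 1.
    $Managed = ($null -ne $Wu) -and ($null -ne $Au) -and
               ($Au.UseWUServer -eq 1) -and
               (-not [string]::IsNullOrWhiteSpace($Wu.WUServer))

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        WsusManaged = $Managed
        WUServer    = if ($Managed) { $Wu.WUServer } else { $null }
        UsesHttps   = $Managed -and ($Wu.WUServer -like 'https://*')
    }
}

$Source = Get-UpdateSource
$Source | Format-List

if (-not $Source.WsusManaged) {
    # Matches the behaviour the article describes for unmanaged machines.
    Write-Warning "No WSUS policy in effect: the agent will use Microsoft's servers, so WSUS approvals do not apply."
    return
}

if (-not $Source.UsesHttps) {
    Write-Warning 'WSUS server is configured over plain HTTP; Microsoft recommends HTTPS for WSUS client connections.'
}
```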

There’s plenty more you can add to this starter PowerShell script, like data gathering and reporting, emailing of reports, and all manner of if/then statements and verifications that tie everything together.

Even if you’ve never scripted before, little automations like this one present an opportunity to earn back precious hours of your life. Hopefully with it you can eliminate yet another piece of IT’s mundane scut work, freeing you to become a more efficient Windows administrator.

About the author:
Greg Shields is a Partner and Principal Technologist with Concentrated Technology, an IT analysis and strategic consulting firm. Contact him at http://www.ConcentratedTech.com.
