How To
Summary
To initiate Windows patching remotely without third-party tools other than the PSWindowsUpdate PowerShell module, you can leverage built-in Windows features such as PowerShell, Group Policy, or Windows Server Update Services (WSUS) if available in your environment.
Objective
See PowerShell steps below for remote administration without additional software. This assumes you have administrative access to the target machines and appropriate network permissions.
Prerequisites
1. Administrative Credentials: You need admin rights on the target machines.
2. PowerShell Remoting: Ensure PowerShell remoting is enabled on both the source and target machines.
3. Network Access: The target machines must be reachable over the network, and firewall rules must allow PowerShell remoting (TCP port 5985 for HTTP, 5986 for HTTPS).
4. Windows Update Service: The target machines should have the Windows Update service running.
Environment
Windows
Steps
Step 1: Enable PowerShell Remoting
On the target machines, enable PowerShell remoting if not already enabled:
1. Open PowerShell as an administrator on the target machine.
2. Run:
```powershell
Enable-PSRemoting -Force
```
3. Verify the WinRM service is running:
```powershell
Get-Service WinRM
```
4. Ensure the firewall allows PowerShell remoting:
```powershell
Set-NetFirewallRule -Name "WINRM-HTTP-In-TCP" -Enabled True
```
If you’re managing multiple machines, you can enable remoting remotely using Group Policy or a script, provided you have domain admin rights.
Step 2: Check for Updates Remotely
Use PowerShell to check for available updates on the remote machine:
1. On your local machine, open PowerShell as an administrator.
2. Connect to the remote machine:
```powershell
Enter-PSSession -ComputerName <RemoteComputerName> -Credential (Get-Credential)
```
Replace `<RemoteComputerName>` with the target machine’s hostname or IP address. Enter admin credentials when prompted.
3. Use the `Get-WindowsUpdate` cmdlet (available in the `PSWindowsUpdate` module) to list available updates.
If the module isn’t installed, install it first:
```powershell
Install-Module -Name PSWindowsUpdate -Force
```
4. Check for updates:
```powershell
Get-WindowsUpdate
```
This lists available updates for the remote machine.
Step 3: Install Updates Remotely
To install updates on the remote machine:
1. While in the PowerShell session, run:
```powershell
Install-WindowsUpdate -AcceptAll -AutoReboot
```
- `-AcceptAll`: Automatically accepts all prompts.
- `-AutoReboot`: Reboots the machine if required (optional; remove if you want manual reboot control).
2. Monitor the installation:
```powershell
Get-WUHistory
```
This shows the update installation history.
Step 4: Alternative Method Using Invoke-Command
If you need to patch multiple machines or prefer not to enter an interactive session:
1. Create a list of target computers (e.g., in a text file `computers.txt`, one hostname per line).
2. Run the following script to install updates on all machines:
```powershell
$computers = Get-Content -Path "C:\path\to\computers.txt"
$credential = Get-Credential
Invoke-Command -ComputerName $computers -Credential $credential -ScriptBlock {
    Install-Module -Name PSWindowsUpdate -Force -ErrorAction SilentlyContinue
    Import-Module PSWindowsUpdate
    Install-WindowsUpdate -AcceptAll -AutoReboot
}
```
3. Monitor progress by checking logs or running `Get-WUHistory` on each machine.
Step 5: Verify Update Installation
To confirm updates were applied:
1. Run on the remote machine:
```powershell
Get-WUHistory | Select-Object Title, Date, Result
```
2. Alternatively, check the Windows Update log:
```powershell
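# On Windows 10 / Windows Server 2016 and later, Windows Update logs to ETW traces;
# generate a readable WindowsUpdate.log with Get-WindowsUpdateLog before reading it.
Get-Content -Path "C:\Windows\WindowsUpdate.log"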
```
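Checking each machine by hand does not scale, and a host that never answered looks the same as a host with nothing to report. The following added example (not part of the original page) runs the Step 5 history check across the `computers.txt` list from Step 4 and reports unreachable or erroring hosts explicitly; the `New-Row` helper, the 50-entry window, the status labels and the `'Succeeded'` result string are assumptions of this example.

```powershell
# Added example. Assumes PSWindowsUpdate is already installed on every target
# and that Get-WUHistory reports successful entries with Result 'Succeeded'.
$computers  = Get-Content -Path "C:\path\to\computers.txt" | Where-Object { $_.Trim() }
$credential = Get-Credential

# Hypothetical helper: placeholder row for a host that returned no data.
function New-Row($Computer, $Status) {
    [pscustomobject]@{ Computer = $Computer; Status = $Status
                       FailedTitles = $null; RebootPending = $null }
}

# Probe WinRM first so unreachable hosts are reported, not silently skipped.
$reachable   = @($computers | Where-Object {
    Test-WSMan -ComputerName $_ -ErrorAction SilentlyContinue })
$unreachable = @($computers | Where-Object { $_ -notin $reachable })

$results = @()
if ($reachable.Count -gt 0) {
    $results = @(Invoke-Command -ComputerName $reachable -Credential $credential `
        -ErrorAction SilentlyContinue -ErrorVariable remoteErrors -ScriptBlock {
        Import-Module PSWindowsUpdate -ErrorAction Stop
        # Most recent 50 history entries; anything not 'Succeeded' needs review.
        $recent = Get-WUHistory | Sort-Object Date -Descending | Select-Object -First 50
        $failed = @($recent | Where-Object { $_.Result -ne 'Succeeded' })
        [pscustomobject]@{
            Status        = if ($failed.Count -gt 0) { 'NeedsAttention' } else { 'OK' }
            FailedTitles  = $failed.Title -join '; '
            RebootPending = Get-WURebootStatus -Silent
        }
    })
}

# Hosts that answered WinRM but returned nothing (auth failure, module missing).
$answered = @($results | ForEach-Object { $_.PSComputerName })
$errored  = @($reachable | Where-Object { $_ -notin $answered })

$report = @(
    $results | Select-Object @{ n = 'Computer'; e = { $_.PSComputerName } },
        Status, FailedTitles, RebootPending
    $unreachable | ForEach-Object { New-Row $_ 'Unreachable' }
    $errored     | ForEach-Object { New-Row $_ 'RemoteError' }
)

# Surface the underlying remoting errors, then print one row per host.
$remoteErrors | ForEach-Object { Write-Warning $_.ToString() }
$report | Sort-Object Status, Computer | Format-Table -AutoSize
```

Every name in `computers.txt` ends up in exactly one row, so a missing host in the output indicates a problem with the list itself rather than with the patch run.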
Additional Information
Additional Notes
- PSWindowsUpdate Module: This module is not built into Windows but is freely available from the PowerShell Gallery. It’s a Microsoft-supported way to manage updates without third-party tools.
- WSUS Integration: If your environment uses WSUS, you can configure clients to pull updates from the WSUS server.
Use PowerShell to trigger the update process:
```powershell
wuauclt.exe /detectnow
```
This forces the client to check WSUS for updates.
- Firewall and Permissions: Ensure the account used has permission to trigger updates and that firewall rules allow necessary traffic.
- Reboot Management: Some updates require a reboot. Use `Restart-Computer -ComputerName <RemoteComputerName>` to reboot remotely if needed.
- Error Handling: Add error handling in scripts to manage connectivity issues or failed updates:
```powershell
try {
    Invoke-Command -ComputerName <RemoteComputerName> -ScriptBlock { Install-WindowsUpdate -AcceptAll } -ErrorAction Stop
} catch {
    Write-Error "Failed to install updates on <RemoteComputerName>: $_"
}
```
Limitations
- Manual Approval: If you use WSUS, updates may need to be approved in the WSUS console before clients can install them.
- Bandwidth: Downloading updates remotely can strain networks, so schedule during off-peak hours.
- Module Dependency: The `PSWindowsUpdate` module requires internet access to install initially.
This approach uses native Windows tools and PowerShell to manage updates remotely, avoiding third-party software.
Document Location
Worldwide
Document Information
Modified date:
27 March 2026
UID
ibm17252553