There’s basically nothing wrong with using the Windows Settings app for Windows Update, but in my opinion it lacks some update management features. For a few years now, I have used the PowerShell module PSWindowsUpdate to manage Windows Update instead. In this article, I will show how to use PowerShell instead of Windows Settings to manage Windows Update.
The first step is to allow scripts to be run in PowerShell. In Windows Settings, allow local PowerShell scripts to be run:
Install PSWindowsUpdate module
Open an elevated PowerShell. Enter the following cmdlet to install PSWindowsUpdate module (#1 in next screenshot):
Install-Module -Name PSWindowsUpdate
The NuGet package provider must be present before installing a module. If NuGet is not installed, you will be asked to confirm that you want to install it now (#2).
The PowerShell Gallery is official and can be trusted. Yet, you will be told it is an “untrusted repository”, because PowerShell does not mark the gallery as trusted by default. It is completely safe to tell PowerShell you trust it (#3).
When installed, the PSWindowsUpdate module must be imported to PowerShell with the following cmdlet (#4):
Import-Module -Name PSWindowsUpdate
PSWindowsUpdate takes care of Windows updates (WSUS Server). If you also want it to take care of other Microsoft updates, for instance updates to the various Microsoft VS C++ redistributables, you can add Microsoft Update to PSWindowsUpdate with the following command (#5):
Add-WUServiceManager -ServiceID "7971f918-a847-4430-9279-4a52d1efe18d" -AddServiceFlag 7
Confirm when prompted. Adding Microsoft Update is optional.
That’s it. Use the following cmdlet to list the available PSWindowsUpdate cmdlets and aliases (#6):
Get-Command -Module PSWindowsUpdate
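The gallery is operated by Microsoft, but the modules on it are uploaded by their individual authors, so it is worth looking at what you are about to install. The following added example (not from the original article) downloads the module to a staging folder, reports publisher metadata, Authenticode status and file hashes, and only then installs the reviewed version; the staging path is an assumption.

```powershell
# Added example, not part of the original article.
# $stage is a hypothetical staging folder chosen for this example.
$name  = 'PSWindowsUpdate'
$stage = Join-Path $env:TEMP 'module-review'

# 1. Gallery metadata: who published the module, which version, when.
$found = Find-Module -Name $name -Repository PSGallery
$found | Format-List Name, Version, Author, CompanyName, PublishedDate, ProjectUri

# 2. Download without installing, so nothing lands on the module path yet.
New-Item -ItemType Directory -Path $stage -Force | Out-Null
Save-Module -Name $name -Repository PSGallery -RequiredVersion $found.Version -Path $stage

# 3. Authenticode status and SHA-256 hash of every code file in the package.
$files = Get-ChildItem -Path (Join-Path $stage $name) -Recurse -File `
    -Include *.psd1, *.psm1, *.ps1, *.dll
$review = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        File   = $f.Name
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256 = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}
$review | Format-Table -AutoSize

# 4. Run this line only after the table above has been reviewed.
#    It installs exactly the version that was inspected.
Install-Module -Name $name -Repository PSGallery -RequiredVersion $found.Version -Scope AllUsers
```

Keeping the hashes from step 3 lets you compare later installations of the same version on other machines.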
Install all available updates
I will write more in-depth about PSWindowsUpdate later. This time, let’s just get you started, and see how to list available updates, install those you want to install, and exclude those you do not want or need.
First, let’s see all available updates after clean installing Windows 10 Pro version 1909. In the screenshot, I use Get-WUList for it, an alias for the cmdlet Get-WindowsUpdate:
Notice the size of the Cumulative Update KB4551762. It is shown as 85 GB, which is of course not true. All Windows Cumulative Updates and Feature Updates show the size of the complete repository on Microsoft servers, containing all editions. The size in this case is the size of the repository, the combined size of KB4551762 for each and every Windows and Windows IoT edition. Although this is somewhat confusing, you can completely ignore
The Microsoft Silverlight update is shown because I added Microsoft Update to PSWindowsUpdate; WSUS Server alone would not show it.
To make this simpler, I am using a Hyper-V virtual machine to demonstrate PSWindowsUpdate and get screenshots. All screenshots in this article are from that VM. As the VM does not require any additional drivers and does not get driver updates, the above screenshot does not show any available driver updates. Just to show the difference, here’s what Get-WUList would show on real hardware, on this HP laptop of mine, directly after a clean install of the same Windows 10 Pro version 1909:
The following cmdlet would install all those listed updates, and restart the computer if required:
Install-WindowsUpdate -AcceptAll -AutoReboot
The -AcceptAll switch will automatically accept all updates. If it is not used, you must manually accept or decline each individual update. The -AutoReboot switch will restart the computer if required when updates are ready, without warning. If you want to continue working while Windows is updating and restart when you have finished, to ensure a sudden restart will not cause data loss, use -IgnoreReboot instead.
Install selected updates only
To install only selected updates, you can use the -KBArticleID and -Title switches. For instance, to install only the Windows Cumulative Update and the Cumulative Update for .NET Framework shown in the previous screenshot, you could use the following cmdlet:
Install-WindowsUpdate -Title "Cumulative" -AcceptAll -IgnoreReboot
The -Title switch selects all updates where the given string, in this case Cumulative, appears in the update title. Using -KBArticleID instead, those same two updates could be installed with the following cmdlet:
Install-WindowsUpdate -KBArticleID "KB4537572", "KB4551762" -AcceptAll -IgnoreReboot
When multiple values are given for -Title and -KBArticleID, they are separated by a comma and a space.
Another method to only install selected updates is to exclude unwanted ones. For that, we can use the -NotCategory, -NotTitle and -NotKBArticleID switches. The -NotCategory switch is really practical, for instance, when you are offered updates for drivers you do not want. Exclude all drivers but install all other updates with this simple cmdlet:
Install-WindowsUpdate -NotCategory "Drivers" -AcceptAll -IgnoreReboot
In the next screenshot, I first got a list of available updates. At the moment, I want to install all other updates but exclude Silverlight, Adobe Flash Player and the Windows Cumulative Update with the following cmdlet, mixing the -NotTitle and -NotKBArticleID switches:
Install-WindowsUpdate -NotTitle "Silverlight" -NotKBArticleID "KB4537759", "KB4551762" -AcceptAll -IgnoreReboot
All other updates were installed. Because I used the -IgnoreReboot switch, I am told that I should restart. Checking the available updates now, I can see that there’s nothing but those three updates I excluded:
The previous screenshots are from a demo virtual machine I set up just to get screenshots. On my host machine, I’m offered a camera driver for this laptop (#1 in screenshot), which I know to be problematic. I can hide it with the cmdlet Get-WindowsUpdate with the switch -Hide, followed by either the title or the KB article ID as parameter. As this update has no KB article ID, I will use any string from its title instead, and hide it with the following cmdlet (#2):
Get-WindowsUpdate -Hide -Title "Camera"
Checking the available updates again (#3), I no longer see it:
Hiding an update means that it will no longer be offered to me, and will not be “accidentally” installed.
OK, back to my demo VM and screenshots from it. Get-WindowsUpdate with the -Hide switch and without any parameters is practical when you want to get a list of all available updates, and be asked for each if you want to hide it or not. In the next screenshot I will only hide the Adobe Flash Player update, confirming it with Y, and selecting N for all other updates to not hide them:
Notice that the hidden update shows H in Status column, to indicate it is hidden.
In case you do not want to individually confirm or decline every selection, you can use the switch -Confirm with parameter $False with most PSWindowsUpdate cmdlets to automatically confirm selected actions. For instance, I can hide all available updates with one simple cmdlet:
Get-WindowsUpdate -Hide -Confirm:$False
As you can see in the Status column, all updates are now hidden. The Windows Defender update had already been downloaded but not installed; its Status is also showing D to mark that it is downloaded but not installed.
To list all hidden updates, enter the following cmdlet (#1 in next screenshot):
To unhide, to show an update again, you need to use the -Hide switch with the $False parameter, together with the -WithHidden switch. I want to unhide the Cumulative Updates for Windows and .NET Framework, using their respective KB article numbers, and using -Confirm:$False so that I don’t have to manually confirm unhiding each file. I’ll do it with the following cmdlet (#2):
Get-WindowsUpdate -KBArticleID "KB4551762", "KB4537572" -WithHidden -Hide:$False -Confirm:$False
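A hidden update is never offered again, so a hidden cumulative or security update stays uninstalled until someone unhides it. The following added example (not from the original article) lists what is currently hidden using the Get-WindowsUpdate -IsHidden switch, flags titles that deserve a second look and appends the result to a CSV log; the function name, the title pattern and the log path are assumptions.

```powershell
# Added example, not part of the original article.
Import-Module -Name PSWindowsUpdate

function Get-HiddenUpdateReport {
    param(
        # Assumption: titles matching this pattern should be reviewed first.
        [string]$ReviewPattern = 'Security|Cumulative|Defender',
        # Hypothetical log location; pass any writable path.
        [string]$LogPath = (Join-Path $env:ProgramData 'hidden-updates.csv')
    )

    # -IsHidden restricts the search to updates that are currently hidden.
    $hidden = @(Get-WindowsUpdate -IsHidden)

    $report = foreach ($u in $hidden) {
        [pscustomobject]@{
            Checked     = (Get-Date).ToString('s')
            Computer    = $env:COMPUTERNAME
            KB          = $u.KB
            Title       = $u.Title
            NeedsReview = $u.Title -match $ReviewPattern
        }
    }

    # Keep a history so a long-forgotten hidden update shows up in the log.
    if ($report) {
        $report | Export-Csv -Path $LogPath -Append -NoTypeInformation
    }
    $report
}

# Show everything that is hidden, review candidates first.
Get-HiddenUpdateReport | Sort-Object NeedsReview -Descending | Format-Table -AutoSize

# Unhide a flagged update with the article's own syntax, for example:
# Get-WindowsUpdate -KBArticleID "KB4551762" -WithHidden -Hide:$False -Confirm:$False
```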
PSWindowsUpdate can also manage Windows Feature Updates. A new clean Windows 10 installation on my demo VM was opted in to the Insider Fast Ring first thing when it was booted to the desktop for the first time, before doing any updates. Checking the available updates, the latest Insider build is offered among other updates (#1 in next screenshot). I always hide a feature upgrade, the Insider build in this case, until all other updates have been installed (#2). I can see it has been hidden (#3):
Get-WindowsUpdate -Hide -Title "Insider"
I now use PSWindowsUpdate to fully update Windows, restart if required, and check if there are new updates. Only when Get-WUList returns nothing, I will unhide the feature update with the following cmdlet:
Get-WindowsUpdate -Title "Insider" -WithHidden -Hide:$False
Now it’s time to install the Insider upgrade:
Install-WindowsUpdate -Title "Insider" -AcceptAll -IgnoreReboot
For reasons unknown to me, you must use the -IgnoreReboot switch when installing a feature update. If you let the machine restart automatically after the feature update has been installed using the -AutoReboot switch, nothing happens. Windows restarts but the feature update will not be applied. Using -IgnoreReboot, when PSWindowsUpdate tells me the machine should be restarted, I’ll open Settings and press the Restart now button to apply the feature update downloaded and installed with PSWindowsUpdate:
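The staged procedure above (hide the feature update, install everything else, restart, then unhide and install it) can be wrapped in one function that is simply run again after each restart. This is an added example, not code from the original article; the function name is hypothetical, and Get-WURebootStatus is a PSWindowsUpdate cmdlet that the article does not otherwise use.

```powershell
# Added example, not part of the original article.
Import-Module -Name PSWindowsUpdate

function Invoke-StagedFeatureUpdate {
    param(
        # Title fragment that identifies the feature update, as in the article.
        [string]$FeatureTitle = 'Insider'
    )

    # A restart left over from an earlier pass has to happen first.
    if (Get-WURebootStatus -Silent) {
        return 'Restart pending. Restart Windows, then run this function again.'
    }

    # Step 1: keep the feature update out of the way (no effect if already hidden).
    Get-WindowsUpdate -Hide -Title $FeatureTitle -Confirm:$False | Out-Null

    # Step 2: install everything that is still offered.
    $others = @(Get-WindowsUpdate)
    if ($others.Count -gt 0) {
        Install-WindowsUpdate -AcceptAll -IgnoreReboot | Out-Null
        return "Installed $($others.Count) update(s). Restart if asked, then run this function again."
    }

    # Step 3: nothing else is pending, so unhide and install the feature update.
    # -IgnoreReboot is used because, per the article, -AutoReboot does not apply it.
    Get-WindowsUpdate -Title $FeatureTitle -WithHidden -Hide:$False -Confirm:$False | Out-Null
    Install-WindowsUpdate -Title $FeatureTitle -AcceptAll -IgnoreReboot | Out-Null
    return 'Feature update installed. Use Restart now in Settings to apply it.'
}

Invoke-StagedFeatureUpdate
```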
Other useful cmdlets
– To check Windows Update history: Get-WUHistory
– To uninstall an update: Uninstall-WindowsUpdate -Title “XXXXXX” and / or -KBArticle “1234567”
– To get help for a specific cmdlet: Get-Help CMDLET (e.g. Get-Help Install-WindowsUpdate)
That’s it this time! Stay tuned.
Author: Kari Finn
A former Windows Insider MVP, Kari started in computing in the mid 80’s writing code for VAX / VMS systems. Since then, he’s worked in a variety of IT positions. He specializes in Windows image capture, customization, repair and deployment as well as Hyper-V virtualization. Kari is a proud Team Member at number #1 Windows site TenForums.com.