Manage Windows Updates via PowerShell, built-in CLI tools, Group Policy, and WSUS for both standalone machines and enterprise environments.

Table of Contents

  1. Overview
  2. PSWindowsUpdate Module
  3. Remote Update Management
  4. Built-in CLI Tools
  5. Group Policy and Registry
  6. Update Rollback
  7. WSUS Integration
  8. Troubleshooting
  9. See Also
  10. Sources

1. Overview

Windows Update delivers security patches, feature updates, driver updates, and quality improvements to Windows clients and servers. Updates can be managed through:

  • PSWindowsUpdate - a PowerShell module for scripted update management
  • DISM - image servicing and update package management
  • WSUS - centralized update approval and distribution for enterprise environments
  • Group Policy / Registry - control update behavior, active hours, and deferral policies
  • Windows Update for Business - cloud-based deferral and compliance policies via Intune or Group Policy

2. PSWindowsUpdate Module

Install the Module

Install-Module -Name PSWindowsUpdate

List All Available Commands

Get-Command -Module PSWindowsUpdate

Check for Available Updates

Get-WindowsUpdate

Install All Available Updates

Install-WindowsUpdate -AcceptAll -AutoReboot

Install Updates Without Auto-Reboot

Install-WindowsUpdate -AcceptAll -IgnoreReboot

Install Specific Update by KB Number

Get-WindowsUpdate -KBArticleID KB5034441 -Install -AcceptAll

Hide/Ignore a Specific Update

Hide-WindowsUpdate -KBArticleID KB5034441

Show Update History

Get-WUHistory

Uninstall a Specific Update

Remove-WindowsUpdate -KBArticleID KB5034441 -NoRestart

3. Remote Update Management

Install Updates on Remote Machines

Invoke-WUJob -ComputerName SERVER01 -Script {
    Import-Module PSWindowsUpdate;
    Install-WindowsUpdate -AcceptAll -AutoReboot
} -RunNow -Confirm:$false

Check for Updates on Multiple Servers

"SERVER01","SERVER02","SERVER03" | ForEach-Object {
    Get-WindowsUpdate -ComputerName $_
}

4. Built-in CLI Tools

Windows Update via Settings (URI)

Start-Process "ms-settings:windowsupdate-action"

DISM (Deployment Image Servicing and Management)

# List servicing packages and their state (a pending update shows as Install Pending)
DISM /Online /Get-Packages /Format:Table

# Clean up superseded updates
DISM /Online /Cleanup-Image /StartComponentCleanup

# Repair component store corruption
DISM /Online /Cleanup-Image /RestoreHealth

Windows Update Troubleshooting - Cache Reset

# Stop Windows Update services
Stop-Service -Name wuauserv, cryptSvc, bits, msiserver

# Clear update cache
Remove-Item -Path "C:\Windows\SoftwareDistribution\*" -Recurse -Force

# Restart services
Start-Service -Name wuauserv, cryptSvc, bits, msiserver

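5. Group Policy and Registry

Disable Automatic Updates via Registry

$au = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
# Create the policy key first; Set-ItemProperty fails if it does not exist
if (-not (Test-Path $au)) { New-Item -Path $au -Force | Out-Null }
Set-ItemProperty -Path $au -Name "NoAutoUpdate" -Value 1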

Configure Active Hours

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" `
    -Name "ActiveHoursStart" -Value 8
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" `
    -Name "ActiveHoursEnd" -Value 17

Defer Feature Updates

# Defer feature updates by 30 days
$wu = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
# Create the policy key first; Set-ItemProperty fails if it does not exist
if (-not (Test-Path $wu)) { New-Item -Path $wu -Force | Out-Null }
Set-ItemProperty -Path $wu -Name "DeferFeatureUpdates" -Value 1
Set-ItemProperty -Path $wu -Name "DeferFeatureUpdatesPeriodInDays" -Value 30

Defer Quality Updates

# Defer quality (security) updates by 7 days
$wu = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
# Create the policy key first; Set-ItemProperty fails if it does not exist
if (-not (Test-Path $wu)) { New-Item -Path $wu -Force | Out-Null }
Set-ItemProperty -Path $wu -Name "DeferQualityUpdates" -Value 1
Set-ItemProperty -Path $wu -Name "DeferQualityUpdatesPeriodInDays" -Value 7

6. Update Rollback

Uninstall a Recent Update

# List installed updates
Get-HotFix | Sort-Object InstalledOn -Descending

# Uninstall via PSWindowsUpdate
Remove-WindowsUpdate -KBArticleID KB5034441 -NoRestart

# Uninstall via WUSA (Windows Update Standalone Installer)
wusa.exe /uninstall /kb:5034441 /quiet /norestart

Uninstall via DISM

# List installed packages
DISM /Online /Get-Packages /Format:Table

# Uninstall a specific package
DISM /Online /Remove-Package /PackageName:<package-name>

Roll Back a Feature Update (Within 10 Days)

Windows keeps the previous version for a configurable period (default 10 days) after a feature update.

# Check rollback window
DISM /Online /Get-OSUninstallWindow

# Extend the rollback window to 30 days (must be run before the default window expires)
DISM /Online /Set-OSUninstallWindow /Value:30

To roll back via Settings: Settings > System > Recovery > Go Back.

System Restore

# List available restore points
Get-ComputerRestorePoint

# Create a restore point before updates
Checkpoint-Computer -Description "Pre-update checkpoint" -RestorePointType MODIFY_SETTINGS

# Restore (requires restart)
Restore-Computer -RestorePoint <sequence-number> -Confirm

7. WSUS Integration

Windows Server Update Services (WSUS) provides centralized update management for enterprise environments.

Point Clients to a WSUS Server

# Configure via registry (8530 is the WSUS HTTP port; use https://<wsus-server>:8531 if the server has TLS enabled)
$wu = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
# Create the policy keys first; Set-ItemProperty fails if they do not exist
if (-not (Test-Path "$wu\AU")) { New-Item -Path "$wu\AU" -Force | Out-Null }
Set-ItemProperty -Path $wu -Name "WUServer" -Value "http://<wsus-server>:8530"
Set-ItemProperty -Path $wu -Name "WUStatusServer" -Value "http://<wsus-server>:8530"
Set-ItemProperty -Path "$wu\AU" -Name "UseWUServer" -Value 1

# Force the client to check in with WSUS
wuauclt.exe /detectnow /reportnow
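
The registry values set in sections 5 and 7 decide whether a host patches at all and how it reaches its update server, so they are worth auditing after deployment. The following is an added example, not code from the original page: the function names, the finding texts, the 7-day limit and the sample hostname are assumptions for illustration.

```powershell
# Added example: audit the Windows Update policy values used on this page.
# Function names, finding texts and the 7-day default limit are assumptions.
function Test-WUPolicy {
    param(
        [hashtable]$Policy = @{},          # value name -> data, from both policy keys
        [int]$MaxQualityDeferralDays = 7   # assumed limit for delaying security patches
    )
    $findings = @()
    if ($Policy['NoAutoUpdate'] -eq 1) {
        $findings += 'NoAutoUpdate=1: automatic updating is off; confirm another patch process covers this host'
    }
    if ($Policy['UseWUServer'] -eq 1) {
        foreach ($name in 'WUServer', 'WUStatusServer') {
            $url = $Policy[$name]
            if (-not $url) {
                $findings += "${name} is missing although UseWUServer=1"
            } elseif ($url -notmatch '^https://') {
                $findings += "${name} = '${url}' is not HTTPS; update metadata is fetched without TLS"
            }
        }
    } elseif ($Policy['WUServer']) {
        $findings += 'WUServer is set but UseWUServer is not 1, so the WSUS URL is not used'
    }
    if ($Policy['DeferQualityUpdates'] -eq 1 -and
        $Policy['DeferQualityUpdatesPeriodInDays'] -gt $MaxQualityDeferralDays) {
        $days = $Policy['DeferQualityUpdatesPeriodInDays']
        $findings += "Quality updates deferred ${days} days (limit ${MaxQualityDeferralDays})"
    }
    $findings
}

# Read the live values from the two policy keys used on this page.
function Get-WUPolicy {
    $merged = @{}
    $root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    foreach ($key in $root, "$root\AU") {
        if (Test-Path $key) {
            $item = Get-Item -Path $key
            foreach ($n in $item.GetValueNames()) { $merged[$n] = $item.GetValue($n) }
        }
    }
    $merged
}

# Constructed sample input (the hostname is a placeholder).
$sample = @{ UseWUServer = 1; WUServer = 'http://wsus.example.internal:8530'
             NoAutoUpdate = 1; DeferQualityUpdates = 1; DeferQualityUpdatesPeriodInDays = 30 }
Test-WUPolicy -Policy $sample
# On a real host: Test-WUPolicy -Policy (Get-WUPolicy)
```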

WSUS Server Management

# Install WSUS role
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools

# Run initial WSUS configuration
& "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=D:\WSUS

# Approve updates via PowerShell
Get-WsusUpdate -Classification Security -Approval Unapproved |
    Approve-WsusUpdate -Action Install -TargetGroupName "All Computers"

Common Group Policy Settings for WSUS

| Setting | Path | Description |
|---|---|---|
| Specify intranet update service | Computer Config > Admin Templates > Windows Update | Points clients to WSUS server |
| Configure Automatic Updates | Computer Config > Admin Templates > Windows Update | Controls download and install behavior |
| No auto-restart with logged on users | Computer Config > Admin Templates > Windows Update | Prevents forced restarts during active sessions |

8. Troubleshooting

| Issue | Cause | Solution |
|---|---|---|
| Updates fail with error 0x80070002 | Corrupted update cache | Stop services, delete C:\Windows\SoftwareDistribution, restart services |
| Updates fail with error 0x800f081f | Missing source files | Run DISM /Online /Cleanup-Image /RestoreHealth; specify source with /Source if needed |
| Updates stuck at downloading | BITS service issue | Restart BITS: Restart-Service bits; check bitsadmin /list /allusers |
| Update requires restart but keeps reapplying | Pending reboot not completed | Check HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending; restart the machine |
| WSUS clients not reporting | Client not configured or firewall blocking | Verify registry points to WSUS; ensure port 8530/8531 is open; run wuauclt /detectnow |
| PSWindowsUpdate module not found | Module not installed | Run Install-Module -Name PSWindowsUpdate -Force |
| Feature update rollback unavailable | Rollback window expired | Default is 10 days; extend early with DISM /Set-OSUninstallWindow; use System Restore or backup instead |

9. See Also

10. Sources