Installing Windows Updates
Windows Updates deliver security patches, bug fixes, feature improvements, and driver updates from Microsoft. Keeping systems up to date is a foundational part of maintaining a secure and stable Windows environment. Updates can be applied through the Settings UI, Windows Update for Business (WUfB), Windows Server Update Services (WSUS), or via command-line tools such as PowerShell and wuauclt.
Background
Microsoft releases updates on a regular cadence, most notably on Patch Tuesday (the second Tuesday of each month). Update types include:
| Update Type | Description |
|---|---|
| Security Updates | Patches for CVEs and security vulnerabilities |
| Cumulative Updates | Bundled fixes rolled up into a single package |
| Feature Updates | Major OS version upgrades (e.g. 22H2 → 23H2) |
| Driver Updates | Hardware driver updates via Windows Update |
| Definition Updates | Antivirus/antimalware signature updates |
| Optional Updates | Non-critical updates requiring manual selection |
In enterprise environments, updates are typically managed centrally via WSUS, Microsoft Endpoint Configuration Manager (MECM/SCCM), or Windows Update for Business policies through Intune or Group Policy.
Usage
Via Settings UI (Windows 10/11)
- Open Settings → Windows Update (or Update & Security → Windows Update on Windows 10)
- Click Check for updates
- Allow available updates to download and install
- Reboot when prompted if required
Screenshot: Windows Update page in Settings showing pending updates and their status
Via PowerShell (PSWindowsUpdate Module)
The PSWindowsUpdate module is the most practical PowerShell method for managing updates on individual machines or via remoting.
Install the module (run as Administrator):
```powershell
Install-Module -Name PSWindowsUpdate -Force -Scope AllUsers
Import-Module PSWindowsUpdate
```
Check for available updates:
```powershell
Get-WindowsUpdate
```
Install all available updates:
```powershell
Install-WindowsUpdate -AcceptAll -AutoReboot
```
Install updates without auto-reboot:
```powershell
Install-WindowsUpdate -AcceptAll -IgnoreReboot
```
Install only security updates:
```powershell
Install-WindowsUpdate -Category "Security Updates" -AcceptAll -AutoReboot
```
Install updates on a remote machine:
```powershell
Invoke-WUJob -ComputerName SERVER01 -Script {
    Import-Module PSWindowsUpdate
    Install-WindowsUpdate -AcceptAll -AutoReboot
} -RunNow -Confirm:$false
```
Via Windows Update Agent (wuauclt / UsoClient)
Note: `wuauclt` is deprecated on Windows 10 1903+ in favour of `UsoClient`.
Trigger an update scan (legacy):
```powershell
wuauclt /detectnow
```
Trigger an update scan (modern):
```powershell
UsoClient ScanInstallWait
```
Force start an update install:
```powershell
UsoClient StartInstall
```
Restart to complete pending updates:
```powershell
UsoClient RestartDevice
```
Via Windows Server Update Services (WSUS)
In a domain environment where clients are pointed at a WSUS server, approve updates in the WSUS console and allow clients to pick them up on their sync schedule, or force a manual sync.
Force client to sync with WSUS immediately:
```powershell
# Check current WSUS configuration on client
Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
# Force detection and download
wuauclt /reportnow
UsoClient RefreshSettings
UsoClient ScanInstallWait
```
Check WSUS server assignment via registry:
```powershell
Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" |
    Select-Object WUServer, WUStatusServer
```
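The two registry reads above can be turned into a pass/fail check. The following is an added example, not part of the original page: it flags a client whose WSUS policy is set but not enforced, whose update server URL is plain HTTP (update metadata then travels unencrypted), or whose status server does not match. The function name `Test-WsusClientPolicy` is hypothetical; `UseWUServer`, `WUServer` and `WUStatusServer` are the standard Windows Update policy values.

```powershell
function Test-WsusClientPolicy {
    # Hypothetical helper: audits the local WSUS client policy keys
    $wuKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
    $wu = Get-ItemProperty $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty "$wuKey\AU" -ErrorAction SilentlyContinue

    $findings = @()
    if (-not $wu -or -not $wu.WUServer) {
        $findings += "No WUServer policy: client is not pointed at a WSUS server"
    } else {
        # WUServer is only honoured when AU\UseWUServer is 1
        if ($au.UseWUServer -ne 1) {
            $findings += "WUServer is set but AU\UseWUServer is not 1, so it is ignored"
        }
        # Plain HTTP leaves scan and metadata traffic unprotected in transit
        if ($wu.WUServer -notmatch '^https://') {
            $findings += "WUServer is not HTTPS: $($wu.WUServer)"
        }
        # Both values must be identical for the policy to be valid
        if ($wu.WUStatusServer -ne $wu.WUServer) {
            $findings += "WUStatusServer does not match WUServer"
        }
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        WUServer  = $wu.WUServer
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-WsusClientPolicy | Format-List
```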
Via Windows Update for Business (Group Policy / Intune)
Configuration is typically managed at a policy level rather than per-device commands. Key Group Policy paths:
| Setting | GPO Path |
|---|---|
| Configure update source | Computer Config > Admin Templates > Windows Components > Windows Update |
| Defer feature updates | Windows Update for Business > Select when Feature Updates are received |
| Defer quality updates | Windows Update for Business > Select when Quality Updates are received |
| Pause updates | Windows Update for Business > Pause Feature/Quality Updates |
Apply Group Policy changes immediately with:
```powershell
gpupdate /force
```
Common Use Cases
Check Installed Update History
```powershell
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 20
```
Check if a Specific KB is Installed
```powershell
Get-HotFix -Id KB5034441
```
List Pending Reboot Status
```powershell
# Check if a reboot is pending after updates
$rebootPending = @{
    WindowsUpdate  = Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired"
    ComponentBased = Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending"
    # $null goes on the left so the comparison always yields a single boolean
    PendingFileOps = $null -ne (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name PendingFileRenameOperations -ErrorAction SilentlyContinue)
}
$rebootPending
```
Hide a Specific Update (PSWindowsUpdate)
```powershell
Hide-WindowsUpdate -KBArticleID KB5034441 -Confirm:$false
```
Batch Update Multiple Remote Servers
```powershell
$servers = @("SERVER01", "SERVER02", "SERVER03")
Invoke-WUJob -ComputerName $servers -Script {
    Import-Module PSWindowsUpdate
    # C:\Logs must already exist on each target server
    Install-WindowsUpdate -AcceptAll -AutoReboot | Out-File "C:\Logs\WULog_$(hostname).txt"
} -RunNow -Confirm:$false
```
Update Process Flow
```mermaid
flowchart TD
    A([Start]) --> B[Check for Updates]
    B --> C{Updates Available?}
    C -- No --> D([System Up to Date])
    C -- Yes --> E[Download Updates]
    E --> F[Install Updates]
    F --> G{Reboot Required?}
    G -- No --> H([Installation Complete])
    G -- Yes --> I{Schedule Reboot?}
    I -- Immediate --> J[Reboot Now]
    I -- Deferred --> K[Schedule Maintenance Window]
    K --> J
    J --> L[Post-Reboot Verification]
    L --> B
```
Verify Update Installation After Reboot
```powershell
# Confirm a specific KB installed successfully post-reboot
$kb = "KB5034441"
$result = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
if ($result) {
    Write-Output "$kb is installed. Installed on: $($result.InstalledOn)"
} else {
    Write-Warning "$kb was NOT found. Update may have failed."
}
```
Screenshot: Update history page confirming successful installation with dates and KB numbers
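The post-reboot check above, extended to the batch scenario as an added example (not part of the original page): it queries each server over PowerShell remoting for the KB and the pending-reboot indicators, and reports unreachable servers explicitly so they are not mistaken for patched ones. It assumes WinRM remoting is enabled on the targets; the server names and KB number are the placeholders already used on this page.

```powershell
# Placeholders reused from this page; replace with real values
$servers = @("SERVER01", "SERVER02", "SERVER03")
$kb      = "KB5034441"

$results = Invoke-Command -ComputerName $servers -ArgumentList $kb -ErrorAction SilentlyContinue -ScriptBlock {
    param($kb)
    # Get-HotFix reads Win32_QuickFixEngineering, which lists only updates
    # serviced through Component Based Servicing (CBS)
    $hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue

    # Same reboot indicators as the pending-reboot check on this page
    $cv = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion"
    $sm = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager"
    $reboot = (Test-Path "$cv\WindowsUpdate\Auto Update\RebootRequired") -or
              (Test-Path "$cv\Component Based Servicing\RebootPending") -or
              ($null -ne (Get-ItemProperty $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue))

    [pscustomobject]@{
        Installed     = [bool]$hotfix
        InstalledOn   = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        RebootPending = $reboot
    }
}

# A server that could not be reached returns nothing, so walk the original
# list and mark the gaps instead of letting them drop out of the report
$report = foreach ($server in $servers) {
    $r = $results | Where-Object { $_.PSComputerName -eq $server }
    $state = if (-not $r)              { "UNREACHABLE" }
             elseif (-not $r.Installed) { "MISSING" }
             elseif ($r.RebootPending)  { "REBOOT PENDING" }
             else                       { "OK" }
    [pscustomobject]@{
        Server      = $server
        KB          = $kb
        State       = $state
        InstalledOn = if ($r) { $r.InstalledOn } else { $null }
    }
}

$report | Sort-Object State | Format-Table -AutoSize
```

Any row not in state `OK` feeds back into the "Check for Updates" step of the flow above.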