Installing Windows Updates

Windows Updates deliver security patches, bug fixes, feature improvements, and driver updates from Microsoft. Keeping systems up to date is a fundamental part of maintaining a secure and stable Windows environment. Updates can be installed through the Settings app, Windows Update for Business (WUfB), Windows Server Update Services (WSUS), or command-line tools such as PowerShell and wuauclt.

Background

Windows Update has evolved significantly across OS versions. On modern systems (Windows 10/11, Server 2016+), the PSWindowsUpdate PowerShell module and the built-in UsoClient.exe / wuauclt.exe utilities are the primary CLI tools. In enterprise environments, update distribution is typically managed centrally through WSUS, Microsoft Endpoint Configuration Manager (MECM/SCCM), or Windows Autopatch.

Understanding which update categories apply to a system helps prioritize deployment:

| Update Type | Description | Typical Release Cadence |
| --- | --- | --- |
| Security Updates | Patches for CVEs and security vulnerabilities | Monthly (Patch Tuesday) |
| Cumulative Updates | Bundled quality + security fixes rolled up into a single package | Monthly |
| Feature Updates | Major OS version upgrades (e.g. 22H2 → 23H2) | Annually (Windows 10/11) |
| Driver Updates | Hardware driver updates via Windows Update | As needed |
| Definition Updates | Antivirus/Defender antimalware signature updates | Daily / multiple times daily |
| Optional Updates | Non-critical quality improvements requiring manual selection | As needed |

Note: Patch Tuesday falls on the second Tuesday of each month. Emergency out-of-band updates may be released at any time for critical vulnerabilities.

Usage

Checking for and Installing Updates via the Settings UI (Windows 10/11)

    1. Open Settings → Windows Update (or Update & Security → Windows Update on Windows 10).
    2. Click Check for updates.
    3. Allow available updates to download and install.
    4. Reboot when prompted, if required.

    Screenshot: Windows Update page in Settings showing pending updates, their status, and the "Check for updates" button

    Installing Updates via PowerShell (PSWindowsUpdate Module)

    The PSWindowsUpdate module is the most practical PowerShell method for managing updates on individual machines or via remoting.

    Install the module (run as Administrator):

    Install-Module -Name PSWindowsUpdate -Force -Scope AllUsers
    Import-Module PSWindowsUpdate
    

    Import the module and list available updates:

    Import-Module PSWindowsUpdate
    Get-WindowsUpdate
    

    Install all available updates:

    Install-WindowsUpdate -AcceptAll -AutoReboot
    

    Install updates without auto-reboot:

    Install-WindowsUpdate -AcceptAll -IgnoreReboot
    

    Install only security updates:

    Install-WindowsUpdate -Category "Security Updates" -AcceptAll -AutoReboot
    

    Install a specific update by KB article number on a remote machine:

    Invoke-WUJob -ComputerName SERVER01 -Script {
        Import-Module PSWindowsUpdate
        Install-WindowsUpdate -KBArticleID KB5034441 -AcceptAll -AutoReboot
    } -RunNow -Confirm:$false
    

    Via Windows Update Agent (wuauclt / UsoClient)

    Note: wuauclt is deprecated on Windows 10 1903+ in favour of UsoClient.

    Trigger an update scan (legacy):

    wuauclt /detectnow
    

    Trigger an update scan (modern):

    UsoClient StartScan
    

    Force start an update install:

    UsoClient StartInstall
    

    Restart to complete pending updates:

    UsoClient RestartDevice
    

    Via Windows Server Update Services (WSUS)

    In a domain environment where clients are pointed at a WSUS server, approve updates in the WSUS console and allow clients to pick them up on their sync schedule, or force a manual sync.

    Force client to sync with WSUS immediately:

    # Check current WSUS configuration on client
    Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
    
    # Force detection and download
    wuauclt /reportnow
    UsoClient RefreshSettings
    UsoClient ScanInstallWait
    

    Check WSUS server assignment via registry:

    Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" |
        Select-Object WUServer, WUStatusServer
    

    Via Windows Update for Business (Group Policy / Intune)

    Configuration is typically managed at a policy level rather than per-device commands. Key Group Policy paths:

    | Setting | GPO Path |
    | --- | --- |
    | Configure update source | Computer Config > Admin Templates > Windows Components > Windows Update |
    | Defer feature updates | Windows Update for Business > Select when Feature Updates are received |
    | Defer quality updates | Windows Update for Business > Select when Quality Updates are received |
    | Pause updates | Windows Update for Business > Pause Feature/Quality Updates |

    Apply Group Policy changes immediately with:

    gpupdate /force
    

    Common Use Cases

    Check Installed Update History

    Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 20
    

    Check if a Specific KB is Installed

    Get-HotFix -Id KB5034441
    

    List Pending Reboot Status

    # Check if a reboot is pending after updates
    $rebootPending = @{
        WindowsUpdate   = Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired"
        ComponentBased  = Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending"
        PendingFileOps  = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name PendingFileRenameOperations -ErrorAction SilentlyContinue) -ne $null
    }
    $rebootPending
    

    Hide a Specific Update (PSWindowsUpdate)

    Hide-WindowsUpdate -KBArticleID KB5034441
    

    Tip: Use -Verbose with any PSWindowsUpdate command to see detailed progress output. Useful when scripting or troubleshooting stuck installs.

    Using UsoClient.exe (Windows 10/11 and Server 2016+)

    UsoClient.exe is the Update Session Orchestrator client, replacing much of wuauclt functionality on modern Windows.

    # Scan for updates
    UsoClient.exe StartScan
    
    # Download detected updates
    UsoClient.exe StartDownload
    
    # Install downloaded updates
    UsoClient.exe StartInstall
    
    # Trigger a full scan, download, and install in sequence
    UsoClient.exe ScanInstallWait
    

    Warning: UsoClient.exe does not return meaningful exit codes and provides no console output. Use PSWindowsUpdate or check Event Viewer (Applications and Services Logs > Microsoft > Windows > WindowsUpdateClient) to verify results.
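
One way to do that verification from PowerShell, as an added example that is not part of the original page: it turns WindowsUpdateClient operational-log events into pass/fail records. The function name Get-UpdateInstallResult and the sample events are constructed for illustration; event IDs 19 and 20 are the install-succeeded and install-failed events in that log.

```powershell
# Added example: turn WindowsUpdateClient events into pass/fail records.
# Event ID 19 = installation succeeded, 20 = installation failed.
function Get-UpdateInstallResult {
    param(
        # Anything with Id, TimeCreated and Message: Get-WinEvent output or test objects
        [Parameter(Mandatory, ValueFromPipeline)] $InputObject
    )
    process {
        if ($InputObject.Id -notin 19, 20) { return }   # skip scan/download/start events
        $msg = [string]$InputObject.Message
        [pscustomobject]@{
            Time   = $InputObject.TimeCreated
            Result = if ($InputObject.Id -eq 19) { 'Succeeded' } else { 'Failed' }
            KB     = if ($msg -match 'KB\d{6,8}') { $Matches[0] }
            # Failure messages carry the HRESULT, e.g. 0x80070422
            Error  = if ($msg -match '0x[0-9A-Fa-f]{8}') { $Matches[0] }
            # Assumes the English message layout "<summary>: <detail>: <update title>"
            Title  = ($msg -split ':', 3)[-1].Trim()
        }
    }
}

# Constructed sample events (not real log data) for trying the parser offline
$sample = @(
    [pscustomobject]@{ Id = 43; TimeCreated = [datetime]'2024-01-10T02:00:00'
        Message = 'Installation Started: Windows has started installing the following update: Sample Update (KB5034441)' }
    [pscustomobject]@{ Id = 20; TimeCreated = [datetime]'2024-01-10T02:05:00'
        Message = 'Installation Failure: Windows failed to install the following update with error 0x80070422: Sample Update (KB5034441)' }
    [pscustomobject]@{ Id = 19; TimeCreated = [datetime]'2024-01-10T03:10:00'
        Message = 'Installation Successful: Windows successfully installed the following update: Sample Update (KB5034441)' }
)
$sample | Get-UpdateInstallResult | Format-Table Time, Result, KB, Error

# Live use on a Windows host: install outcomes from the last 7 days
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-WindowsUpdateClient/Operational'
    Id        = 19, 20
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue | Get-UpdateInstallResult | Sort-Object Time
```

A failed record followed by a later succeeded record for the same KB, as in the sample, indicates a retry that completed; a KB whose latest record is Failed still needs attention.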

    Using wuauclt.exe (Legacy / Windows 7 / Server 2008 R2)

    # Force detection of updates from WSUS or WU
    wuauclt.exe /detectnow
    
    # Trigger installation of detected updates
    wuauclt.exe /updatenow
    
    # Report current update status to WSUS server
    wuauclt.exe /reportnow
    

    Note: wuauclt.exe is largely deprecated on Windows 10/11 and Server 2016+. Commands may appear to run but have no effect. Use UsoClient.exe or PSWindowsUpdate on modern systems.

    Scheduling a Reboot After Updates

    # Restart immediately, force-closing open applications
    shutdown /r /t 0 /f
    # Or schedule a restart for 11:00 PM tonight using Task Scheduler
    $trigger = New-ScheduledTaskTrigger -Once -At "23:00"
    $action = New-ScheduledTaskAction -Execute "shutdown.exe" -Argument "/r /f /t 60"
    Register-ScheduledTask -TaskName "PostUpdateReboot" -Trigger $trigger -Action $action -RunLevel Highest
    

    Update Process Flow

    flowchart TD
        A([Start]) --> B[Scan for Updates\nUsoClient / PSWindowsUpdate / GUI]
        B --> C{Updates\nAvailable?}
        C -- No --> D([System Up to Date])
        C -- Yes --> E[Review Update List\nCategories, KBs, Size]
        E --> F{Approve /\nProceed?}
        F -- No / Defer --> G[Hide or Defer Update]
        G --> D
        F -- Yes --> H[Download Updates]
        H --> I[Install Updates]
        I --> J{Reboot\nRequired?}
        J -- No --> K[Verify Installation\nGet-WUHistory / WinVer]
        J -- Yes --> L[Schedule or Perform Reboot]
        L --> K
        K --> M([Done])
    

    Configuration

    Configuring Windows Update via Group Policy

    Group Policy is the standard method for controlling update behavior in domain environments.

    Key GPO paths:

    Computer Configuration
    └── Administrative Templates
        └── Windows Components
            └── Windows Update
                └── Manage end user experience
                └── Manage updates offered from Windows Server Update Services
    
    | GPO Setting | Description |
    | --- | --- |
    | Configure Automatic Updates | Sets update behavior (notify, download, install) |
    | Specify intranet Microsoft update service location | Points clients to a WSUS server |
    | No auto-restart with logged-on users | Prevents forced reboots when users are active |
    | Configure auto-restart required notification alerts | Manages restart notification behavior |
    | Turn off access to all Windows Update features | Disables the WU client entirely (use with WSUS) |

    Configuring Windows Update via Registry

    For workgroup machines or scripted deployments without GPO:

    # Point a machine to a WSUS server
    $WSUSServer = "http://wsus.domain.local:8530"
    $WUPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
    $AUPath  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
    
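    # Create the keys only if missing: New-Item -Force on an existing registry key
    # recreates it and discards the values already stored there
    if (-not (Test-Path $WUPath)) { New-Item -Path $WUPath -Force | Out-Null }
    if (-not (Test-Path $AUPath)) { New-Item -Path $AUPath -Force | Out-Null }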
    
    Set-ItemProperty -Path $WUPath -Name "WUServer"       -Value $WSUSServer
    Set-ItemProperty -Path $WUPath -Name "WUStatusServer" -Value $WSUSServer
    Set-ItemProperty -Path $AUPath -Name "UseWUServer"    -Value 1 -Type DWord
    Set-ItemProperty -Path $AUPath -Name "AUOptions"      -Value 4 -Type DWord  # 4 = Auto download and schedule install
    

    Warning: Incorrect WSUS registry settings can prevent a machine from receiving any updates. Always verify connectivity to the WSUS URL before applying at scale.
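
A pre-flight check for the values above, added here as an example and not part of the original page: it validates a candidate WSUS policy and can also audit what a client already has applied. The function name Test-WsusClientPolicy and its findings text are assumptions for illustration; plain HTTP is reported as a finding because update metadata sent that way is not protected in transit.

```powershell
# Added example: validate WSUS client policy values before rolling them out.
function Test-WsusClientPolicy {
    param(
        [Parameter(Mandatory)][string]$WUServer,
        [string]$WUStatusServer = $WUServer,
        [int]$UseWUServer = 1,
        [switch]$CheckConnectivity      # off by default so the check also runs offline
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $uri = $null
    if (-not [uri]::TryCreate($WUServer, [System.UriKind]::Absolute, [ref]$uri) -or
        $uri.Scheme -notin 'http', 'https') {
        $findings.Add("WUServer '$WUServer' is not an http(s) URL")
    } else {
        if ($uri.Scheme -eq 'http') {
            $findings.Add('WUServer uses plain HTTP; update metadata is not protected in transit')
        }
        if ($CheckConnectivity -and
            -not (Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -InformationLevel Quiet)) {
            $findings.Add("Cannot reach $($uri.Host) on TCP port $($uri.Port)")
        }
    }
    # WUServer and WUStatusServer are a pair and must hold the same value
    if ($WUStatusServer -ne $WUServer) { $findings.Add('WUStatusServer differs from WUServer') }
    # Without UseWUServer = 1 the client ignores WUServer
    if ($UseWUServer -ne 1) { $findings.Add('UseWUServer is not 1, so WUServer is ignored') }

    [pscustomobject]@{
        WUServer = $WUServer
        Ok       = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Candidate value from the registry example on this page (plain HTTP, port 8530)
Test-WsusClientPolicy -WUServer 'http://wsus.domain.local:8530' | Format-List

# Audit the policy a client currently has applied, including a reachability test
$wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
if ($wu.WUServer) {
    Test-WsusClientPolicy -WUServer $wu.WUServer -WUStatusServer $wu.WUStatusServer `
        -UseWUServer ([int]$au.UseWUServer) -CheckConnectivity | Format-List
}
```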

    Deferring Feature and Quality Updates (Windows 10/11 Pro+)

    # Defer quality updates by 14 days
    # (deferral values are read from the WindowsUpdate policy key, not its AU subkey)
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" `
        -Name "DeferQualityUpdates" -Value 1 -Type DWord
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" `
        -Name "DeferQualityUpdatesPeriodInDays" -Value 14 -Type DWord
    
    # Defer feature updates by 60 days
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" `
        -Name "DeferFeatureUpdates" -Value 1 -Type DWord
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" `
        -Name "DeferFeatureUpdatesPeriodInDays" -Value 60 -Type DWord
    

    Common Use Cases

    Patching Multiple Remote Machines via PSWindowsUpdate

    # Install all updates on a list of remote servers (WinRM must be enabled)
    $servers = @("SRV01", "SRV02", "SRV03")
    
    Invoke-WUJob -ComputerName $servers `
        -Script { Import-Module PSWindowsUpdate; Install-WindowsUpdate -AcceptAll -AutoReboot | Out-File "C:\WU_$(hostname)_$(Get-Date -f yyyyMMdd).log" } `
        -Confirm:$false `
        -RunNow
    

    Note: Invoke-WUJob uses Task Scheduler on the remote machine to run the update job under the SYSTEM account, bypassing double-hop credential issues common with Invoke-Command.

    Viewing Update History

    # View last 20 installed updates
    Get-WUHistory -Last 20 | Select-Object Date, Title, Result | Format-Table -AutoSize
    

    Screenshot: Terminal output of Get-WUHistory listing recently installed KB articles, dates, and status

    Checking for a Specific KB Installation

    # Check if KB5034441 is installed
    Get-HotFix -Id KB5034441
    
    # Alternatively using PSWindowsUpdate history
    Get-WUHistory | Where-Object { $_.KB -eq "KB5034441" }
    

    Uninstalling a Problematic Update

    # Uninstall via wusa.exe
    wusa.exe /uninstall /kb:5034441 /quiet /norestart
    
    # Or via DISM for cumulative updates on Server Core
    dism.exe /Online /Remove-Package /PackageName:Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.1234.1.7
    

    Warning: Uninstalling cumulative updates on modern Windows can leave the system in an inconsistent patch state. Only do this to remediate a known bad update, and re-apply the latest good cumulative update as soon as possible.

    Clearing the Windows Update Cache

    Useful when updates are stuck downloading or installing:

    # Stop update services
    Stop-Service -Name wuauserv, bits, cryptsvc, msiserver -Force
    
    # Clear the SoftwareDistribution cache
    Remove-Item -Path "C:\Windows\SoftwareDistribution\Download\*" -Recurse -Force
    Remove-Item -Path "C:\Windows\System32\catroot2\*" -Recurse -Force -ErrorAction SilentlyContinue
    
    # Restart services
    Start-Service -Name cryptsvc, bits, wuauserv, msiserver
    

    Automating Monthly Patching with a Script

    # PatchServer.ps1 — basic monthly patching script
    param (
        [switch]$Reboot
    )
    
    Import-Module PSWindowsUpdate -ErrorAction Stop
    
    $LogFile = "C:\Logs\WindowsUpdate_$(Get-Date -Format 'yyyyMMdd_HHmmss').log"
    New-Item -ItemType Directory -Path "C:\Logs" -Force | Out-Null
    
    Write-Output "Starting Windows Update scan: $(Get-Date)" | Tee-Object -FilePath $LogFile
    
    $updates = Get-WindowsUpdate -AcceptAll
    if ($updates.Count -eq 0) {
        Write-Output "No updates available." | Tee-Object -FilePath $LogFile -Append
        exit 0
    }
    
    Install-WindowsUpdate -AcceptAll -IgnoreReboot | Tee-Object -FilePath $LogFile -Append
    
    if ($Reboot) {
        Write-Output "Rebooting in 60 seconds..." | Tee-Object -FilePath $LogFile -Append
        shutdown /r /t 60 /c "Scheduled post-patching reboot"
    }
    

    Run it:

    .\PatchServer.ps1 -Reboot
    

    Troubleshooting

    | Symptom | Likely Cause | Resolution |
    | --- | --- | --- |
    | Updates stuck at 0% download | Corrupt SoftwareDistribution cache | Clear cache (see above), restart services |
    | 0x80070422 error | Windows Update service disabled | Set-Service wuauserv -StartupType Automatic; Start-Service wuauserv |
    | 0x8024402c error | DNS / proxy preventing WU connectivity | Check proxy settings, DNS, and firewall egress to *.update.microsoft.com |
    | WSUS clients not checking in | Incorrect registry keys or WUServer unreachable | Verify WSUS URL, run wuauclt /detectnow, check WindowsUpdateClient event log |
    | PSWindowsUpdate not found | Module not installed | Install-Module PSWindowsUpdate -Force |
    | Update fails post-install | Conflicting or incomplete cumulative update | Run sfc /scannow and DISM /Online /Cleanup-Image /RestoreHealth then retry |

    # Run System File Checker
    sfc /scannow
    
    # Run DISM component store repair
    DISM.exe /Online /Cleanup-Image /CheckHealth
    DISM.exe /Online /Cleanup-Image /ScanHealth
    DISM.exe /Online /Cleanup-Image /RestoreHealth
    
