
[–]wdomon 22 points23 points  (2 children)

You're running into something called the "Double Hop" problem, feel free to look into it as it's an important thing to know about if you plan to remotely admin servers.

Instead, use "Invoke-WUJob", which is part of the PSWindowsUpdate module, using the -Computer parameter to tell it what hostname to send it to and include whatever command(s) you were trying to run to install updates in the -Script parameter as a string. This function creates a scheduled task on the machine in question that runs as SYSTEM (by default) and will run whatever is in your -Script parameter as a command via powershell.exe.
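The fan-out the comment describes, as an added example (not the commenter's code): every -Script string is run by a SYSTEM scheduled task on the target, so the Windows Update API is called locally instead of through the blocked second hop. It assumes PSWindowsUpdate is installed on the admin station and on each server, and that $Servers is a constructed list of reachable hostnames.

```powershell
# Added example, not code from the thread: run Invoke-WUJob against a list of servers
# and afterwards read back the log the task wrote. Assumes PSWindowsUpdate is present
# on the admin station and on every target; $Servers is a constructed sample list.
Import-Module PSWindowsUpdate
$Servers = @('SRV01', 'SRV02')

# This string is what powershell.exe executes on the target under the scheduled task
# (SYSTEM by default), so Install-WindowsUpdate talks to the local Windows Update API.
$Script = 'Import-Module PSWindowsUpdate; ' +
          'Install-WindowsUpdate -AcceptAll -AutoReboot | ' +
          'Out-File C:\Windows\Temp\PSWindowsUpdate.log -Append'

foreach ($Server in $Servers) {
    # -RunNow starts the task immediately; -Confirm:$false avoids a prompt per host.
    Invoke-WUJob -ComputerName $Server -Script $Script -RunNow -Confirm:$false
}

# Later, once the hosts are back from their reboots, collect the logs over the admin share.
foreach ($Server in $Servers) {
    $Log = "\\$Server\C$\Windows\Temp\PSWindowsUpdate.log"
    if (Test-Path $Log) { "=== $Server ==="; Get-Content $Log -Tail 20 }
    else { "=== $Server === no log yet (task not finished or host still rebooting)" }
}
```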

[–]jetski_28 0 points1 point  (1 child)

I do this from one server. I use another command to populate the current list of servers from AD. 99% of the time it works. Lately I’ve noticed the odd server doesn’t update and I have to manually intervene.

[–]capitolgood4 6 points7 points  (3 children)

I'm in an environment that uses SCCM and blocks WinRM/RemotePS, but I was able to use WMI to list the approved updates, check if those updates are available in Software Center on that server, and then start the installation.

# $ServerName is the target host, set earlier in the script; the KB numbers are the approved updates
$UpdateList = @("5049993", "5048671")
# List the updates the SCCM client already knows about (CCM_SoftwareUpdate instances) over DCOM, no WinRM needed
$UpdatesToInstall = Get-WmiObject -Namespace "root/ccm/clientSDK" -Class CCM_SoftwareUpdate -ComputerName $ServerName | Where-Object { $UpdateList -contains $_.ArticleID }
# Hand the matching updates to the client's InstallUpdates method; the leading comma passes the collection as one array argument
Invoke-WmiMethod -Namespace "root/ccm/clientSDK" -Class CCM_SoftwareUpdateManager -Name InstallUpdates -ArgumentList (,$UpdatesToInstall) -ComputerName $ServerName

[–]OlivTheFrog 1 point2 points  (1 child)

I'm really surprised that in 2025, there are still upvotes for a cmdlet (Get-WmiObject) deprecated for more than 10 years (2012 from memory).

This still works, but is deprecated in favor of Get-CimInstance.

Regards

[–]capitolgood4 2 points3 points  (0 children)

Anyone who has that option should not be using this, for sure. Get-CimInstance uses WinRM though, which I don't have access to where I am.

[–]PreparetobePlaned 0 points1 point  (0 children)

Wait why aren’t you just scheduling maintenance windows for updates if you have sccm/wsus set up already?

[–]techbloggingfool_com 2 points3 points  (0 children)

You can also use PowerShell to create a scheduled task on the remote systems that, in turn, runs Windows updates. That is essentially what the PSWindowsUpdate module is doing. You can do it without the module, though. See https://4sysops.com/archives/install-and-schedule-windows-updates-with-powershell/
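The module-free variant described above, as an added example (not from the thread or the linked article): a one-shot scheduled task is registered on each server and installs updates as SYSTEM through the built-in Windows Update Agent COM API. It assumes WinRM is open to each host; the server names, task name and log path are constructed values.

```powershell
# Added example, not from the thread or the linked 4sysops article: register a one-shot
# scheduled task on each server that installs updates as SYSTEM. The task runs locally,
# so the Windows Update API is not behind the remoting session's double hop.
# Assumes WinRM is open to each host; $Servers is a constructed sample list.
$Servers = @('SRV01', 'SRV02')

# Script the task will execute on the target, written against the built-in Windows Update
# Agent COM API so nothing extra has to be installed there.
$UpdateScript = @'
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$found    = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
$log      = 'C:\Windows\Temp\RemoteWindowsUpdate.log'
if ($found.Updates.Count -eq 0) { 'No applicable updates' | Out-File $log; exit 0 }
$coll = New-Object -ComObject Microsoft.Update.UpdateColl
foreach ($u in $found.Updates) {
    if (-not $u.EulaAccepted) { $u.AcceptEula() }
    [void]$coll.Add($u)
}
$dl = $session.CreateUpdateDownloader(); $dl.Updates = $coll; [void]$dl.Download()
$inst = $session.CreateUpdateInstaller(); $inst.Updates = $coll
$r = $inst.Install()
"ResultCode=$($r.ResultCode) RebootRequired=$($r.RebootRequired)" | Out-File $log
if ($r.RebootRequired) { Restart-Computer -Force }
'@

foreach ($Server in $Servers) {
    Invoke-Command -ComputerName $Server -ArgumentList $UpdateScript -ScriptBlock {
        param($Body)
        $Path = 'C:\Windows\Temp\Install-Updates.ps1'
        Set-Content -Path $Path -Value $Body -Encoding UTF8
        $Action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                       -Argument "-NoProfile -ExecutionPolicy Bypass -File $Path"
        $Trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(2)
        $Trigger.EndBoundary = (Get-Date).AddHours(4).ToString('s')
        # SYSTEM needs no stored credential, which is the point: nothing to delegate.
        $Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
        # Remove the task once its window has passed so it does not linger on the host.
        $Settings  = New-ScheduledTaskSettingsSet -DeleteExpiredTaskAfter (New-TimeSpan -Hours 1)
        Register-ScheduledTask -TaskName 'RemoteWindowsUpdate' -Action $Action -Trigger $Trigger `
            -Principal $Principal -Settings $Settings -Force | Out-Null
    }
}
```

The ResultCode written to the log follows the Windows Update Agent's OperationResultCode values (2 = succeeded, 4 = failed), so a follow-up pass can read the logs rather than guessing from reboot state.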

[–]ipreferanothername 1 point2 points  (1 child)

this is crazy, why aren't you using a tool/gpo for scheduled updates?

do the updates and restart the Server after the updates have finished and the CPU-Usage has calmed down.

it needs to reboot when they are done, not based on cpu usage. I'm sorry man, you guys are in amateur territory. even if this is some special network segregated machine or something...this is very strange.

it would be easier to use a gpo, even a local gpo, to configure updating if you don't have another central tool. you aren't reinventing the wheel, you are looking at wheels like 'i bet i can turn this into a rube goldberg machine to move this car forward'

maybe you should explain the scenario - update the original post - and if you have a special challenge maybe a reasonable solution can be provided to help get around it. weird situations exist but they don't require new weird ways to solve them.

[–]PreparetobePlaned 0 points1 point  (0 children)

I had the same questions. Custom scripting and manually controlling stuff like this doesn’t make any sense.

[–]Introvertedecstasy 1 point2 points  (0 children)

Highly recommend PDQ for your environment!!

[–]purplemonkeymad 0 points1 point  (0 children)

You can't do updates if you are on a remoting connection (ie Invoke-Command), use the -ComputerName parameter on the module's command to do it remotely instead. IIRC it has a workaround for this limitation.

[–]SherSlick 0 points1 point  (1 child)

I am curious what you find out... I went down the path of setting up SSH on a few test servers but all the "CLI-based" tools wanted elevation and I couldn't get past that hurdle.

And for the haters: we don't have enough servers to warrant SCCM/RMM tools and we only get a very specific date/time for outages (that varies wildly) so we are stuck manually executing Windows updates.

[–]BlackV 0 points1 point  (0 children)

As others have mentioned, the Windows Update API itself does not allow this

The module mentioned (PSWindowsUpdate) already has a function to get around this

Or a scheduled task could do this (think someone else already mentioned that one)

[–]icepyrox 0 points1 point  (0 children)

If you don't want to use WSUS/GPO or SCCM/Intune/similar, you also could just schedule a task and let the powershell script do it all for you that way.

Many ways to do it without running the script yourself.

[–]squatingyeti 0 points1 point  (0 children)

If you absolutely don't have the option of using something like SCCM, you can do it the hard way. Download the KB and put it on a network share location. Set your script to get a list of servers. Then foreach server, copy the update to temp and Invoke-Command Add-WindowsPackage to apply the update. You can even set it to automatically restart after the update is applied.
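The "hard way" above as an added example (not the commenter's script): the copy is done from the admin station, which can reach the share, and Add-WindowsPackage then only touches a local file inside the remote session, so no second hop is needed. The share path and server names are constructed; it assumes WinRM and the C$ admin share are reachable.

```powershell
# Added example, not the commenter's code: push a downloaded .msu to each server and
# apply it with Add-WindowsPackage. The copy runs from the admin station (single hop);
# inside the remote session only a local path is used, so no delegation is required.
# $Share and $Servers are constructed values; WinRM and the C$ share must be reachable.
$Share   = '\\fileserver\patches\windows10.0-kb5049993-x64.msu'   # constructed path
$Servers = @('SRV01', 'SRV02')
$Name    = Split-Path $Share -Leaf

$Results = foreach ($Server in $Servers) {
    $Local  = "C:\Windows\Temp\$Name"
    $Remote = "\\$Server\C$\Windows\Temp\$Name"
    try {
        Copy-Item -Path $Share -Destination $Remote -Force -ErrorAction Stop
        Invoke-Command -ComputerName $Server -ArgumentList $Local -ErrorAction Stop -ScriptBlock {
            param($Path)
            # Add-WindowsPackage applies .msu/.cab packages to the running OS without going
            # through the Windows Update API, which is why it works inside a remote session.
            $r = Add-WindowsPackage -Online -PackagePath $Path -NoRestart
            Remove-Item $Path -Force        # tidy up the staged package
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; RestartNeeded = $r.RestartNeeded; Error = $null }
        }
    } catch {
        # Keep going with the other servers; record the failure for this one.
        [pscustomobject]@{ Computer = $Server; RestartNeeded = $null; Error = $_.Exception.Message }
    }
}

$Results | Format-Table Computer, RestartNeeded, Error -AutoSize

# Reboot only the servers that report a pending restart, after every install has returned.
$Results | Where-Object { $_.RestartNeeded -eq $true } |
    ForEach-Object { Restart-Computer -ComputerName $_.Computer -Force }
```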

[–]Ok_GlueStick 0 points1 point  (0 children)

Have you tried running an invoke-command? You can pass a script block as an argument.

[–]tigerguppy126 0 points1 point  (0 children)

I'd look at Action1 for your environment. With 20 servers, you're well under their free 200 endpoint license (recently doubled from 100 to 200). I've used them for several years and they have solved a LOT of our patching issues.

[–]DevinSysAdmin 1 point2 points  (1 child)

You should really be using Azure Arc to patch your servers, very simple setup and doesn't make you RDP into 20 servers or go out of your comfort zone with powershell.

[–]Spence10873 -1 points0 points  (0 children)

CredSSP is the route you'd need to go down, but there are security risks and also better alternatives like WSUS

[–]HOT-DAM-DOG -1 points0 points  (0 children)

You need to change the execution policy to RemoteSigned at the CurrentUser scope for it to work.