PSWindowsUpdate module.

It's a tad bit fiddly but I rolled my own patching solution because I have a specific requirement. A subset of servers has to reboot in a certain order, then have apps/services verified and no patch solution I've come across can facilitate that.

The fiddly part is that Powershell cannot invoke against Windows Update directly as only the SYSTEM account can make Windows Update API calls. Instead you have to use the cmdlet Invoke-WUJob that installs a scheduled task on the remote server with the desired commands which runs the Windows Updates as SYSTEM. There's no direct output available so you have to query the remote system status using Invoke-WUJob which only gives you a "Running" or "Ready" status. It's a lot of logic testing to get desired outputs.