Install Windows updates with PowerShell

  • PSWindowsUpdate Available Cmdlets

Easy to install Windows updates with PowerShell

You can easily install updates for Windows using PowerShell. For this you really do not need to have Windows Server and / or WSUS, Windows 10 with PowerShell 5.1 is enough to be able to use NuGet and PSWindowsUpdate module. You can then easily install Windows updates via PowerShell from Windows Update. Proceed as follows:


Install PSWindowsUpdate PowerShell module

To make the PSWindowsUpdate PowerShell module available, you must start a PowerShell prompt as an administrator. Via Start, search for PowerShell and select the Run as Administrator option.

Or use the shortcut Windows key-X and choose Windows PowerShell (Admin).

If necessary to set things first export policy of PowerShell on RemoteSigned: Set-ExecutionPolicy RemoteSigned. Execute the following commands:

  • Install-PackageProvider -Name NuGet -Force
  • Install-Module -Name PSWindowsUpdate -Force

The PSWindowsUpdate module is now installed on your system. By Get-Commandasking you to which Cmdlets and aliases exist. Enter the -Moduleparameter:

PSWindowsUpdate Available Cmdlets

Get-Command -Module PSWindowsUpdate

CommandType Name Version Source
———– —- ——- ——
Alias Clear-WUJob PSWindowsUpdate
Alias Download-WindowsUpdate PSWindowsUpdate
Alias Get-WUInstall PSWindowsUpdate
Alias Get-WUList PSWindowsUpdate
Alias Hide-WindowsUpdate PSWindowsUpdate
Alias Install-WindowsUpdate PSWindowsUpdate
Alias Show-WindowsUpdate PSWindowsUpdate
Alias UnHide-WindowsUpdate PSWindowsUpdate
Alias Uninstall-WindowsUpdate PSWindowsUpdate
Cmdlet Add-WUServiceManager PSWindowsUpdate
Cmdlet Enable-WURemoting PSWindowsUpdate
Cmdlet Get-WindowsUpdate PSWindowsUpdate
Cmdlet Get-WUApiVersion PSWindowsUpdate
Cmdlet Get-WUHistory PSWindowsUpdate
Cmdlet Get-WUInstallerStatus PSWindowsUpdate
Cmdlet Get-WUJob PSWindowsUpdate
Cmdlet Get-WULastResults PSWindowsUpdate
Cmdlet Get-WURebootStatus PSWindowsUpdate
Cmdlet Get-WUServiceManager PSWindowsUpdate
Cmdlet Get-WUSettings PSWindowsUpdate
Cmdlet Invoke-WUJob PSWindowsUpdate
Cmdlet Remove-WindowsUpdate PSWindowsUpdate
Cmdlet Remove-WUServiceManager PSWindowsUpdate
Cmdlet Set-PSWUSettings PSWindowsUpdate
Cmdlet Set-WUSettings PSWindowsUpdate
Cmdlet Update-WUModule PSWindowsUpdate

Check for available Windows Updates

Check for Windows Updates now with Get-WindowsUpdateor Get-WUInstall:


ComputerName Status KB Size Title
———— —— — —- —–
DESKTOP-J… ——- KB2267602 574MB Security Intelligence Update for Windows Defender Antivirus – KB2267602 (Ve…

Protip : Scan for (detect) new updates with Microsoft.Update.AutoUpdateCOM object in PowerShell:
(new-object -Comobject Microsoft.Update.AutoUpdate).detectnow()

Install found updates

Are there updates available? Then you can easily install this update with Install-WindowsUpdatewhat is an alias of Get-WindowsUpdate -Install:

Install-WindowsUpdate -KBArticleID KB2267602 -Force

A confirmation is given that the update has been accepted, downloaded and installed:

X ComputerName Result KB Size Title
- ------------ ------ -- ---- -----
1 DESKTOP-J... Accepted KB2267602 574MB Security Intelligence Update for Windows Defender Antivirus - KB2267602 (...
2 DESKTOP-J... Downloaded KB2267602 574MB Security Intelligence Update for Windows Defender Antivirus - KB2267602 (...
3 DESKTOP-J... Installed KB2267602 574MB Security Intelligence Update for Windows Defender Antivirus - KB2267602 (...

You can do a lot more with this Windows Update module for PowerShell, such as scheduling updates, installing updates on other computers, and more. The cmdlet Get-Help Install-WindowsUpdategives you all this information.

This way you can also check for updates at once and specify all the updates found to be accepted and installed. Do this with -AcceptAll -Download -Installand possibly -MicrosoftUpdateto indicate that you want to consult Microsoft Windows Update instead of, for example, a local WSUS:

Get-WindowsUpdate -AcceptAll -Download -Install -MicrosoftUpdate

X ComputerName Result KB Size Title
– ———— —— — —- —–
1 DESKTOP-J… Accepted KB4481252 13MB Microsoft Silverlight (KB4481252)
1 DESKTOP-J… Accepted KB3152281 48MB Click-to-Run Update Support
2 DESKTOP-J… Downloaded KB4481252 13MB Microsoft Silverlight (KB4481252)
2 DESKTOP-J… Downloaded KB3152281 48MB Click-to-Run Update Support
3 DESKTOP-J… Installed KB4481252 13MB Microsoft Silverlight (KB4481252)
3 DESKTOP-J… Installed KB3152281 48MB Click-to-Run Update Support

Protip : Launch the Windows Update GUI window from cmd.exe (or PowerShell) with the following command:
%windir%\explorer.exe ms-settings:windowsupdate-action

Activate “Check for updates” GUI from the command prompt

For learning and entertainment : you can activate the Check for updates GUI from the command prompt . To do this, use the UsoClient.exe command. UsoClient.exeis the Windows 10 equivalent of wuauclt.exe(Windows Update Automatic Update Client) in Windows 7. In this, USO stands for  Update Session Orchestrator .

The UsoClient.exe command has a number of parameters that you can specify to control the behavior. To use the ScanInstallWait parameter to combine search for updates and install them directly:

Start-Process -NoNewWindow "c:\windows\system32\UsoClient.exe" -argument "ScanInstallWait" -Wait

You can also &UsoClient.exe ScanInstallWaittype in your PowerShell command prompt. Note that you do not /need to use the parameter.

If you do this when you open the Check for updates GUI, you will see the GUI animation that searches for Windows Updates (“Checking for updates…”). If they are found, they will also be installed.

The available parameters for UsoClient.exe are (as far as known):

  • StartScan – launches a scan for available updates for Windows
  • StartDownload – download updates
  • StartInstall – install downloaded updates. You must use this after ScanInstallWait .
  • RefreshSettings – Refresh the settings if there have been any changes
  • StartInteractiveScan – this parameter allows the user to request input or approval and / or display progress dialogs
  • RestartDevice – restarts the computer to complete the installation
  • ScanInstallWait – a combined “scan” and “download” updates. This is what you often want, in combination with ” StartInstall ” afterwards.
  • ResumeUpdate – resumes update installation after reboot

As stated, you do not need to use / or – for the switch. You simply enter commands as USOClient.exe ScanInstallWaitor USOClient.exe StartInstall.

UsoClient parameters differ per Windows version

To find out what parameters UsoClient supports on your computer, run the following PowerShell command. In an Administrators window:

Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' | Select-Object @{Expression={$_.TaskName};Label="TaskName"}, @{Expression={$_.Actions.Execute + ' ' + $_.Actions.Arguments};Label="CommandLine"}

The output is for example:

TaskName CommandLine
-------- -----------
AC Power Install %systemroot%\system32\usoclient.exe StartInstall
Backup Scan %systemroot%\system32\usoclient.exe StartScan
Maintenance Install %systemroot%\system32\usoclient.exe StartInstall
MusUx_LogonUpdateResults %systemroot%\system32\MusNotification.exe LogonUpdateResults
Reboot_AC %systemroot%\system32\MusNotification.exe /RunOnAC RebootDialog
Reboot_Battery %systemroot%\system32\MusNotification.exe /RunOnBattery RebootDialog
Report policies %systemroot%\system32\usoclient.exe ReportPolicies
Schedule Maintenance Work %systemroot%\system32\usoclient.exe StartMaintenanceWork
Schedule Scan %systemroot%\system32\usoclient.exe StartScan
Schedule Scan Static Task %systemroot%\system32\usoclient.exe StartScan
Schedule Wake To Work %systemroot%\system32\usoclient.exe StartWork
Schedule Work %systemroot%\system32\usoclient.exe StartWork
Universal Orchestrator Start %systemroot%\system32\usoclient.exe StartUWork
UpdateModelTask %systemroot%\system32\usoclient.exe StartModelUpdates
USO_UxBroker %systemroot%\system32\MusNotification.exe


TaskName CommandLine
-------- -----------
AC Power Download %systemroot%\system32\usoclient.exe StartDownload
Backup Scan %systemroot%\system32\usoclient.exe StartScan
MusUx_UpdateInterval %systemroot%\system32\MusNotification.exe Display
Schedule Scan %systemroot%\system32\usoclient.exe StartScan
Schedule Scan Static Task %systemroot%\system32\usoclient.exe StartScan
USO_UxBroker %systemroot%\system32\MusNotification.exe

Conclusion PSWindowsUpdate

The conclusion of working with PSWindowsUpdate is that you can easily install Windows updates using PowerShell and this PSWindowsUpdate module. You simplify Windows maintenance by scheduling updates in the Windows task scheduler and installing them automatically.

Anyone who takes the time to discover and get to know this module can use PSWindowsUpdate to install network updates at a pre-scheduled time. Additionally, you can set up logging to keep track of all installed updates.


Unable to update NuGet or Packages in Powershell due to “WARNING: Unable to download the list of available providers. Check your internet connection.”

When attempting to install or update PowerShell Modules, NuGet or NuGet packages in PowerShell 5. You receive one or more of the following errors

WARNING: Unable to resolve package source ''.

The underlying connection was closed: An unexpected error occurred on a receive.

WARNING: Unable to download the list of available providers. Check your internet connection.

Equally, you may receive the same error when attempting to run a WGET or an Invoke-WebRequest command e.g.


You are unable to install/update the software component or make an outbound internet connection.

This issue may be especially prevalent on IIS installations serving HTTPS websites.

The Fix

Conventional troubleshooting is fairly well documented on-line

  1. Ensure that you are actually able to open a https webpage in a web browser
  2. Ensure that your DNS is working correctly.
  3. Check to see whether wget can connect to a non-https site e.g.
  4. Check to see whether or not you need to use a Proxy server. If so, you must configure PowerShell to use your Proxy Server before you proceed. This may require you to to configure PowerShell with your Proxy Server credentials.
    $webclient=New-Object System.Net.WebClient
    $webclient.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials

A less obvious issue to explore related to the default operating system security configuration for using SSL.

More Info

By default, Windows Server and Windows client will allow SSL3, TLS 1.0, TLS 1.1 and TLS 1.2. The .net Framework is also configured to allow these protocols, and, by default, any outbound request for a SSL site will attempt to use SSL3/TLS 1.0 as its default protocol.

In secure environments, where system administrators have enabled recommended best practice on Windows systems to disable the use of SSL1, 2,3 and TLS 1.0. PowerShell is not currently clever enough to internally compare its configuration to that of the operating system. consequently, when attempting to make an outbound https request in such an environment. PowerShell will attempt to use one of the older protocols which has been disabled by the operating system’s networking stack. Instead of re-attempting the request using a higher protocol. PowerShell will fail the request with one of the error messages listed at the beginning of the article.

As NuGet and Update-Module both attempt to make connections to Microsoft servers using HTTPS, they too will fail.

Encountering this issue on a SSL enabled IIS install will be more common, as it is more likely that system administrators will have applied best practice and disabled legacy encryption protocols on these servers. their public facing, high visibility should demand such a response.

To fix the issue there are two options:

  1. Reconfigure and reboot the system to re-enable client use of TLS 1.0 (and possibly SSL3) via
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\<protocol>\ClientDisabledByDefault = 0
    Enabled = ffffffff (hex)
  2. Alternatively, you must set-up each PowerShell environment so that the script itself knows not to use the legacy protocol versions. This is achieved via the following code which restricted PowerShell to only using TLS 1.1 and TLS 1.2.
    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Tls11,Tls12'


PS C:\beheer> [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
PS C:\beheer> Register-PSRepository -Default
PS C:\beheer> Install-Module PSWindowsUpdate

Untrusted repository
You are installing the modules from an untrusted repository. If you trust this repository, change its
InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): A
PS C:\beheer>