Update Windows security remotely using powershell scheduled task

0

I am trying to install Windows security patches on a remote machine using PowerShell remoting. This is the function I am using to update Windows:

<#
.SYNOPSIS
This function will automatically install all available Windows updates on a device and will automatically reboot if needed. After reboot, Windows updates will continue to run until no more updates are available.
#>

function Install-WindowsUpdates

{
Install-Module -Name PSWindowsUpdate -RequiredVersion 2.1.0.1 -Force
Import-Module PSWindowsUpdate -Force
Get-WindowsUpdate -install -acceptall
}

When I run this function on the local host, it successfully installs the Windows security patches. I have the below script to do the same remotely:

param(

    [Parameter(Mandatory = $true)]
    [string] $IPaddress
)
try
{
$secpasswd = ConvertTo-SecureString "Pass@12345678" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ("Admin02", $secpasswd)


#Create a Session.
$Session = New-PSSession -ComputerName $IPaddress -Credential $cred

cd C:\Users\Admin01\Documents
. .\Install-WindowsUpdates.ps1


Invoke-Command -Session $Session -ScriptBlock ${function:Install-WindowsUpdates}
return $true
}
catch
{
return $false
}

When I run this script, I get the below error:

Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
    + CategoryInfo          : NotSpecified: (:) [Get-WindowsUpdate], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,PSWindowsUpdate.GetWindowsUpdate
    + PSComputerName        : 10.0.0.7

I have set up both the localhost and the remote machine for remoting and am able to execute other scripts remotely. I have also enabled WMI on the remote machine. What other settings do I have to configure?

Using Scheduled Task: I am using the following script to start a scheduled task:

param(
   [parameter(Mandatory = $true)]
   [string]$IPaddress
)
$PSModulePath = $env:PSModulePath
$SplittedModulePath = $PSModulePath.Split(";")
$ModulePath = $SplittedModulePath[0]
$secpasswd = ConvertTo-SecureString "Pass@12345678" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ("Admin02", $secpasswd)
#Create a Session. Replace host name with the host name of the remote machine.
$Session = New-PSSession -ComputerName $IPaddress -Credential $cred
$User= "Admin02"
$Action= New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "$env:ALLUSERSPROFILE\Install-WindowsUpdate.ps1"
$Trigger= New-ScheduledTaskTrigger -At 5:05am -Once
Invoke-Command -Session $Session -ScriptBlock { Register-ScheduledTask -TaskName "Install-Updates" -User $Using:User -Action $Using:Action -Trigger $Using:Trigger -RunLevel Highest -Force }

I have copied the below script on the target machine at the path $env:ALLUSERSPROFILE

<#
.SYNOPSIS
This function will automatically install all available Windows updates on a device and will automatically reboot if needed. After reboot, Windows updates will continue to run until no more updates are available.
.PARAMETER computer
Use the Computer parameter to specify the Computer to remotely install windows updates on.
#>


Install-Module -Name PSWindowsUpdate -RequiredVersion 2.1.0.1 -Force
Import-Module PSWindowsUpdate -Force
Get-WindowsUpdate -install -acceptall

After I schedule the task, nothing is happening. What am I doing wrong?

powershell
powershell-remoting
windows-update
windows-security
asked on Stack Overflow Sep 10, 2019 by Harshith R • edited Sep 16, 2019 by Harshith R

3 Answers

1

This seems to be not possible by design:

It is impossible for remotely connected users to download stuff from the internet it appears.

answered on Stack Overflow Sep 10, 2019 by DarkLite1
0

Yeah, I fought this for weeks and finally have a good solution. The solution is actually built right into the PSWindowsUpdate module. The built-in solution does use a Windows task, but it launches right away, and it's actually helpful in tracking its completion progress, and it keeps the integration secure. The issue I have found is that PSWindowsUpdate has poor documentation. The following code worked for me:

Invoke-WUJob -ComputerName $svr -Script {ipmo PSWindowsUpdate; Get-WUInstall -AcceptAll -AutoReboot -Install | Out-File C:\PSWindowsUpdate.log } -Confirm:$false -Verbose -RunNow

There is a lot of scattered information on this topic, so please do your reading. PSWindowsUpdate is by far the best library for this job, and although it's been a long process for me, I believe the above solution will work for everyone.

Please remember, the computer you are running the above script from needs to trust the computer you are trying to update. You can run this script to trust the computer:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value <ComputerName>

NOTE: Wildcards can be used in computer name

I also wanted to give you some information that greatly helped me:

Get-WindowsUpdate: This is the main cmdlet of the module. It lists, downloads, installs or hides a list of updates meeting predefined requisites and sets the rules of the restarts when installing the updates.

Remove-WindowsUpdate: Uninstalls an update

Add-WUServiceManager: Registers a new Windows Update API Service Manager

Get-WUHistory: Shows a list of installed updates

Get-WUSettings: Gets Windows Update client settings

Get-WUInstallerStatus: Gets Windows Update Installer Status, whether it is busy or not

Enable-WURemoting: Enables firewall rules for PSWindowsUpdate remoting

Invoke-WUJob: Invokes PSWindowsUpdate actions remotely

As for all PowerShell cmdlets, usage examples can be shown for each command by typing Get-Help “command” -examples.

PSWindowsUpdate main parameters

As shown in the previous section, the PSWindowsUpdate module includes different predefined aliases to ease patching processes. However, main parameters for the Get-WindowsUpdate cmdlet will be listed and explained below:

Filtering updates:

AcceptAll: Downloads or installs all available updates

KBArticleID: Finds updates that contain a KBArticleID (or sets of KBArticleIDs)

UpdateID: Specifies updates with a specific UUID (or sets of UUIDs)

Category: Specifies updates that contain a specified category name, such as ‘Updates,’ ‘Security Updates’ or ‘Critical Updates’

Title: Finds updates that match part of title

Severity: Finds updates that match part of severity, such as ‘Important,’ ‘Critical’ or ‘Moderate’

UpdateType: Finds updates with a specific type, such as ‘Driver’ and ‘Software.’ Default value contains all updates

Actions and targets:

Download: downloads approved updates but does not install them

Install: installs approved updates

Hide: hides specified updates to prevent them from being installed

ScheduleJob: specifies date when job will start

SendReport: sends a report from the installation process

ComputerName: specifies target server or computer

Client restart behavior:

AutoReboot: automatically reboots system if required

IgnoreReboot: suppresses automatic restarts

ScheduleReboot: specifies the date when the system will be rebooted.

#How to avoid accidental installs#

Windows updates and patches improve the features and stability of the system. However, some updates can mess up your system and cause instability, especially automatic updates for legacy software such as graphic card drivers. To avoid automatic updates and accidental installs for such applications, you can pause Windows updates.

Alternatively, you can hide the specific updates for those features you don’t want to get updated. When you hide the updates, Windows can no longer download and install such updates. Before you can hide the update, you need to find out its details, including its knowledge base (KB) number and title. Type the cmdlet below to list all the available updates on your system:

Get-WUList

To hide a specific update using the KB number, use your mouse to copy that KB number. Next, type the command below:

Hide-WUUpdate -KBArticleID KB_Number

Highlight the “KB_Number” and click paste to replace that part with the actual KB number.

When prompted to confirm the action, type A, and hit the Enter key. If the command succeeds, the “Get-WUList” lists all the available updates, with hidden updates appearing with the symbol “H” under their status.

The KB number for the update may not be available for some updates. In this case, you can use the title to hide the update. To do this, list all the available updates via the cmdlet below:

Get-WUList

Next, use your mouse to copy the update title. Ensure it is distinct from other update titles. Now, type the command below to hide the update:

Hide-WUUpdate -Title “Update_Title”

Don’t forget to paste the actual update title in the “Update_Title” section.

When prompted to confirm the action, type A, and hit the Enter key. If the command succeeds, the “Get-WUList” lists all the available updates. However, the status of hidden updates appears with the symbol “H” underneath them.

How to determine errors

It is of crucial importance to have as much information as possible about Windows Updates installation processes in order to be able to fix erroneous deployments. The Get-WindowsUpdate cmdlet and the rest of cmdlets available in the module, provide a very detailed log level when managing updates, including status, KB ID, Size or Title.

Centralizing all of the computer logs and analyzing them searching for errors, administrators will always be able to know the patch level of their Windows computers and servers.

The above passages came from this site!

answered on Stack Overflow Feb 20, 2021 by code
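
The task-based approach from the question and from the answer above, done by hand with the ScheduledTasks cmdlets; this is an added example, not code from the original posts or from the PSWindowsUpdate project. It assumes WinRM is enabled and PSWindowsUpdate is already installed on the target; `$Target` and the task name `PSWU-Manual` are placeholders.

```powershell
# Added example: $Target and 'PSWU-Manual' are placeholders, not values from the page.
param(
    [Parameter(Mandatory = $true)]
    [string] $Target
)

# Prompt for the credential instead of embedding a password in the script.
$cred = Get-Credential -Message "Administrator account on $Target"

# Trust only this one host (needed for IP or workgroup targets). -Concatenate
# appends to the existing list; run from an elevated local session.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $Target -Concatenate -Force

$session = New-PSSession -ComputerName $Target -Credential $cred
try {
    Invoke-Command -Session $session -ScriptBlock {
        $taskName = 'PSWU-Manual'            # hypothetical task name
        $log      = 'C:\PSWindowsUpdate.log' # log path used in the answer
        # -IgnoreReboot keeps the host up so the result can be read back.
        $cmd = "Import-Module PSWindowsUpdate; " +
               "Get-WindowsUpdate -Install -AcceptAll -IgnoreReboot | Out-File '$log'"

        # Build the task objects on the target, not in the calling session.
        $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
            -Argument "-NoProfile -Command `"$cmd`""
        # SYSTEM gets a local token, so the Windows Update API is not called
        # from the network logon that returned E_ACCESSDENIED.
        $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
            -LogonType ServiceAccount -RunLevel Highest

        Register-ScheduledTask -TaskName $taskName -Action $action `
            -Principal $principal -Force | Out-Null
        Start-ScheduledTask -TaskName $taskName

        # Wait until the task is no longer running, then collect the outcome.
        do { Start-Sleep -Seconds 30 } while ((Get-ScheduledTask -TaskName $taskName).State -eq 'Running')

        $info = Get-ScheduledTaskInfo -TaskName $taskName
        Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
        [pscustomobject]@{
            LastTaskResult = $info.LastTaskResult   # 0 = process exited with code 0
            Log            = Get-Content $log -ErrorAction SilentlyContinue
        }
    }
}
finally {
    Remove-PSSession $session
}
```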
-1

Speaking about Windows Update, you have many options like:

  1. Connection using psexec tool then run wuauclt /detectnow /updatenow

  2. If you are using Windows 10 / Server 2016, the tool was replaced with USOClient.exe, which is more effective.

answered on Stack Overflow Sep 10, 2019 by Mahmood Shehab

User contributions licensed under CC BY-SA 3.0