SysAdmin Shell Scripting Essentials

PowerShell Command Windows Update – Verified Syntax and Flags

Windows Update can be driven from PowerShell with the PSWindowsUpdate module, which checks for, downloads, and installs updates and reboots Windows systems entirely from the PowerShell CLI, bypassing the Settings GUI.

Syntax

# Install module (one-time)
Install-Module -Name PSWindowsUpdate -Force

# Import module for session
Import-Module PSWindowsUpdate

# Check for available updates
Get-WindowsUpdate

# Install all updates with accept-all and reboot
Get-WindowsUpdate -AcceptAll -Install -AutoReboot

# Install a specific update by KB number
Install-WindowsUpdate -KBArticleID "KB4052623"

# Get update history
Get-WUHistory

# Uninstall an update
Remove-WindowsUpdate -KBArticleID "KB4052623" -Confirm:$false
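Install-Module -Force pulls whatever the gallery currently serves and suppresses the untrusted-repository prompt. The following is an added example, not part of the original page or the PSWindowsUpdate project, that stages one version, checks its Authenticode signatures, and then installs that same version. The staging directory is an assumption.

```powershell
# Added example: stage, inspect, then install one version of PSWindowsUpdate.
$StagePath = Join-Path $env:TEMP 'PSWU-stage'   # assumed scratch directory
New-Item -ItemType Directory -Path $StagePath -Force | Out-Null

# Resolve the version once so the inspected and installed copies share a version.
$found = Find-Module -Name PSWindowsUpdate -Repository PSGallery
Save-Module -Name PSWindowsUpdate -RequiredVersion $found.Version `
    -Repository PSGallery -Path $StagePath

# Check the Authenticode signature of every script and binary in the staged copy.
$sigs = Get-ChildItem -Path $StagePath -Recurse -File |
    Where-Object { $_.Extension -in '.psd1', '.psm1', '.ps1', '.ps1xml', '.dll' } |
    Get-AuthenticodeSignature

# A file that is signed but does not verify is a hard stop.
$broken = $sigs | Where-Object { $_.Status -notin 'Valid', 'NotSigned' }
if ($broken) {
    $broken | Format-Table Path, Status -AutoSize
    throw "PSWindowsUpdate $($found.Version): signature verification failed."
}

# Unsigned files and the signer identity are listed for review against
# the previously approved version.
$sigs | Where-Object Status -eq 'NotSigned' | Format-Table Path -AutoSize
$sigs | Where-Object Status -eq 'Valid' |
    ForEach-Object { $_.SignerCertificate } |
    Sort-Object Thumbprint -Unique |
    Format-List Subject, Thumbprint, NotAfter

# Install the inspected version. Without -Force, the untrusted-repository
# prompt stays in place unless PSGallery has been explicitly trusted.
Install-Module -Name PSWindowsUpdate -RequiredVersion $found.Version -Repository PSGallery
Import-Module PSWindowsUpdate -RequiredVersion $found.Version
```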

Options and Flags

| Parameter | Type | Default | Description |
|---|---|---|---|
| -AcceptAll | Switch | False | Automatically accepts all updates without prompting. |
| -Install | Switch | False | Installs the updates after download. |
| -AutoReboot | Switch | False | Forces an automatic reboot after installation if required. |
| -IgnoreReboot | Switch | False | Suppresses reboot even if update requires it. |
| -KBArticleID | String[] | None | Target a specific update by KB number. |
| -ComputerName | String[] | Localhost | Target remote computers (requires WinRM). |
| -ScheduleJob | Switch | False | Creates a scheduled task instead of running inline. |

Usage Examples

Example 1: Fully automated local update with reboot

# Install all pending updates and reboot if needed
# Set the process-scoped execution policy first so the module's scripts can load
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
Install-Module -Name PSWindowsUpdate -Force -ErrorAction SilentlyContinue
Import-Module PSWindowsUpdate
Get-WindowsUpdate -AcceptAll -Install -AutoReboot

This is the standard production script for unattended update cycles on workstations or servers. The -AutoReboot flag triggers immediate reboot after installation; use only in maintenance windows.
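One way to enforce the maintenance-window rule in the script itself, as an added example that is not from the original page: install with -IgnoreReboot and restart only when the clock is inside the window. The window times and the log directory are assumptions.

```powershell
# Added example: install now, reboot only inside an assumed maintenance window.
$WindowStart = [TimeSpan]'01:00'   # assumed window start, local time
$WindowEnd   = [TimeSpan]'04:00'   # assumed window end, local time
$LogDir      = 'C:\Logs'           # assumed log directory

Import-Module PSWindowsUpdate
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$log = Join-Path $LogDir ("WU-{0:yyyyMMdd-HHmmss}.log" -f (Get-Date))

# -IgnoreReboot keeps the reboot decision in this script rather than in the module.
Get-WindowsUpdate -AcceptAll -Install -IgnoreReboot -Verbose *>&1 |
    Out-File -FilePath $log -Encoding utf8

$now      = (Get-Date).TimeOfDay
$inWindow = ($now -ge $WindowStart) -and ($now -lt $WindowEnd)

# Get-WURebootStatus -Silent returns $true when a reboot is pending.
if (Get-WURebootStatus -Silent) {
    if ($inWindow) {
        Add-Content -Path $log -Encoding utf8 -Value 'Reboot required; inside window, restarting.'
        Restart-Computer -Force
    }
    else {
        Add-Content -Path $log -Encoding utf8 -Value 'Reboot required; outside window, deferred.'
        Write-Warning "Reboot pending on $env:COMPUTERNAME; deferred to the next window."
    }
}
```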

Example 2: Install a specific security update on a remote machine

# Target remote server with KB5021234
# The module has to be present on the target, so install and import it inside the remote session
Invoke-Command -ComputerName "SRV-APP01" -ScriptBlock {
    Install-Module PSWindowsUpdate -Force
    Import-Module PSWindowsUpdate
    Get-WindowsUpdate -KBArticleID "KB5021234" -AcceptAll -Install -AutoReboot
}

Remote execution requires WinRM (HTTP/HTTPS) and appropriate firewall rules. The KB article must exist in the remote system’s update catalog.

Example 3: Check for updates and log results without installing

# Audit mode – no installation
Get-WindowsUpdate | Out-File -FilePath "C:\Logs\PendingUpdates.txt"
Get-WUHistory | Select-Object -First 20 | Format-Table -AutoSize

Use Get-WUHistory to review past installations. The module stores history locally; no cloud dependence.

Troubleshooting & Common Errors

| Error Message/Code | Root Cause | Resolution Command |
|---|---|---|
| “This module requires Windows PowerShell 5.1 or higher” | Legacy PowerShell version | Install-Module -Name PSWindowsUpdate -RequiredVersion 2.8.5.201 -SkipPublisherCheck |
| 0x80070422 – Service not running | wuauserv service disabled | Start-Service wuauserv; Set-Service wuauserv -StartupType Automatic |
| “Could not match the HTTPS URI with the WSMan provider” | WinRM not configured on remote target | Enable-PSRemoting -Force on target machine |
| “Access Denied” when using -ComputerName | Insufficient privileges or CredSSP issue | Run with admin credentials: Invoke-Command -Credential (Get-Credential) |
| REBOOT_IN_PROGRESS reg value | Pending reboot blocked earlier update installs | Check registry: Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired" |
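The causes in the table, plus the WSUS policy values behind error 0x8024401c, can be checked before an update run. This is an added example, not code from the original page; the function name Test-WUPreflight is hypothetical and the check is read-only.

```powershell
# Added example: read-only pre-flight for the failure causes listed on this page.
function Test-WUPreflight {   # hypothetical helper name
    [CmdletBinding()]
    param()

    $au  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

    $svc   = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $wsus  = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        PSVersion        = $PSVersionTable.PSVersion.ToString()
        ModuleAvailable  = [bool](Get-Module -ListAvailable -Name PSWindowsUpdate)
        ServiceStatus    = if ($svc) { "$($svc.Status)" } else { 'Missing' }
        ServiceStartType = if ($svc) { "$($svc.StartType)" } else { $null }
        RebootPending    = Test-Path (Join-Path $au 'RebootRequired')
        WUServer         = $wsus.WUServer          # empty when no WSUS policy is set
        WUStatusServer   = $wsus.WUStatusServer
        WinRMRunning     = ($winrm -and $winrm.Status -eq 'Running')
    }
}

$r = Test-WUPreflight
$r | Format-List

# Map findings to the rows of the troubleshooting table.
if ($r.PSVersion -lt [version]'5.1') { Write-Warning 'PowerShell is older than 5.1.' }
if (-not $r.ModuleAvailable)         { Write-Warning 'PSWindowsUpdate is not installed.' }
if ($r.ServiceStartType -eq 'Disabled') {
    Write-Warning 'wuauserv is disabled (0x80070422).'
}
if ($r.RebootPending) { Write-Warning 'A reboot is pending and may block installs.' }
if ($r.WUServer)      { Write-Warning "WSUS policy in effect: $($r.WUServer)" }
if (-not $r.WinRMRunning) {
    Write-Warning 'WinRM is not running; remote targeting will fail.'
}
```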

Closing Tip

Always test -AutoReboot on a single non-production machine first – an unexpected reboot on a domain controller or SQL server can cascade into application outages.


Frequently Asked Questions

What is the difference between the -AcceptAll and -AutoReboot flags in Install-WUUpdate?

Answer: -AcceptAll approves all pending updates without interactive confirmation; -AutoReboot forces an automatic restart after installation.

Use -AcceptAll to skip each update’s confirmation prompt. -AutoReboot triggers immediate reboot, but can be suppressed with -IgnoreReboot. Example:

Get-WUInstall -AcceptAll -AutoReboot -IgnoreReboot:$false

When should I use the -NotCategory parameter in Get-WUInstall?

Answer: Use -NotCategory to exclude entire update categories (e.

Handy when you want only Security Updates and Critical Updates without downloading drivers or feature packs. Syntax:

Get-WUInstall -NotCategory "Drivers","Feature Packs" -AcceptAll -Install

How do I fix error 0x8024401c when running Get-WUInstall?

Answer: The error 0x8024401c indicates a WSUS server connection failure.

Check HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate for WUServer and WUStatusServer. Alternatively, bypass WSUS:

Get-WUInstall -UpdateServer "https://www.update.microsoft.com" -AcceptAll

Does the PSWindowsUpdate module function on Windows Server Core?

Answer: Yes, PSWindowsUpdate works on Windows Server Core (PowerShell 5.

No GUI dependencies exist; cmdlets like Get-WUList and Install-WUUpdate run in console. Ensure NuGet provider is installed if module missing:

Install-PackageProvider -Name NuGet -Force; Install-Module PSWindowsUpdate -Force

What is the fastest way to install all critical updates with a single PowerShell command?

Answer: Use Get-WUInstall -AcceptAll -Install -AutoReboot -IgnoreReboot:$false to approve and install all updates immediately with automatic reboot.

This one-liner combines search and installation. For no reboot use -IgnoreReboot:$true. Example:

Get-WUInstall -AcceptAll -Install -AutoReboot -IgnoreReboot:$false