This method uses the PowerShell module PSWindowsUpdate.
- Run this in administrative PowerShell:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Set-ExecutionPolicy RemoteSigned -Scope Process -Force
Install-PackageProvider -Name NuGet -Force -ErrorAction 'SilentlyContinue' > $null
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
If (Get-InstalledModule -Name PSWindowsUpdate -ErrorAction 'SilentlyContinue') {
    Update-Module -Name PSWindowsUpdate -Force
} Else {
    Install-Module -Name PSWindowsUpdate -Force
}
Import-Module PSWindowsUpdate
- Then check the list of available updates:
Get-WindowsUpdate
- You may find some that you want to omit, e.g., build upgrades. If you found one marked KB1234567, you would install all and omit that one thus:
Install-WindowsUpdate -NotKBArticleID KB1234567 -AcceptAll
If you had two KBs to omit:
Install-WindowsUpdate -AcceptAll -NotKBArticleID 'KB1234567','KB7654321'
There are other noteworthy items. Lots of firmware is being sent by Microsoft now, and some of this is more up-to-date than that available from the vendor. But there is risk in firmware updates, don’t forget. Some of the items don’t have KBs, and there are two other command-line arguments to omit those: -NotTitle and -NotUpdateID.
PSWindowsUpdate is a very interesting module; it can do lots of things. One of them is:
Reset-WUComponents
To get a full list of functions:
Get-Command -Module PSWindowsUpdate
Get-Help works for all of them.
This removes all local admins from a machine’s Administrators group, except the built-in Administrator and “Domain Admins” if it’s on a domain.
$LocalDomain = $env:USERDOMAIN
$DomainAdmins = "$LocalDomain\Domain Admins"
$ComputerName = $env:COMPUTERNAME
$OEMAdministrator = "$ComputerName\Administrator"
Get-LocalGroupMember Administrators | ForEach-Object {
    $UserName = $_.Name
    "Found: $UserName"
    If (($UserName -ne $DomainAdmins) -and ($UserName -ne $OEMAdministrator)) {
        "Removing $UserName from local Administrators group."
        Remove-LocalGroupMember -Group Administrators -Member $UserName
    }
    ""
}
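A SID-based variant of the cleanup above, added here as an example and not part of the original notes: group and account names are localized, and `$env:USERDOMAIN` is the computer name when you are logged on with a local account, so this version matches well-known SIDs and RIDs instead and supports a dry run. The function name `Remove-ExtraLocalAdmin` is hypothetical, and it assumes that any Active Directory member whose SID ends in RID 512 is a Domain Admins group you want to keep.

```powershell
#Requires -RunAsAdministrator
# Added example (hypothetical function name), not from the original page.
function Remove-ExtraLocalAdmin {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # BUILTIN\Administrators has the same SID on every Windows locale.
    $adminsGroupSid = 'S-1-5-32-544'

    # Local built-in Administrator: machine SID followed by RID 500.
    # Get-LocalUser only returns local accounts, so a domain RID 500 cannot match here.
    $builtinAdmin = Get-LocalUser |
        Where-Object { $_.SID.Value -match '^S-1-5-21-(\d+-){3}500$' }

    foreach ($member in Get-LocalGroupMember -SID $adminsGroupSid) {
        $sid = $member.SID.Value

        $isBuiltinAdmin = $sid -eq $builtinAdmin.SID.Value
        # Domain Admins: a domain SID followed by RID 512 (assumption: keep any such group).
        $isDomainAdmins = ($member.PrincipalSource -eq 'ActiveDirectory') -and
                          ($sid -match '^S-1-5-21-(\d+-){3}512$')

        if ($isBuiltinAdmin -or $isDomainAdmins) {
            "Keeping:  $($member.Name) ($sid)"
            continue
        }

        # With -WhatIf this only reports the member; nothing is changed.
        if ($PSCmdlet.ShouldProcess("$($member.Name) ($sid)", 'Remove from local Administrators')) {
            Remove-LocalGroupMember -SID $adminsGroupSid -Member $member
            "Removed:  $($member.Name) ($sid)"
        }
    }
}

# Dry run first: lists what would be removed without touching the group.
Remove-ExtraLocalAdmin -WhatIf
```

Once the dry-run output matches what you expect, run `Remove-ExtraLocalAdmin` without `-WhatIf` to apply the change.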
If you see GPO settings being applied and re-applied even though they have been removed, or if policy just doesn’t get applied, try the following in administrative PowerShell. These commands clear the GPO cache on the machine you’re looking at.
Remove-Item "$env:windir\system32\GroupPolicy" -Force -Recurse
Remove-Item "HKLM:\Software\Policies\Microsoft" -Force -Recurse
Remove-Item "HKCU:\Software\Policies\Microsoft" -Force -Recurse
Remove-Item "HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects" -Force -Recurse
Remove-Item "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies" -Force -Recurse
This appears to work well. It uses the olde ‘rwinsta’ command to work around some PowerShell oddities.
# Get list of disconnected RDP sessions
$RDPDiscSessions = Get-RDUserSession | Where-Object SessionState -eq STATE_DISCONNECTED
# Log off (reset) each of them one by one
foreach ($row in $RDPDiscSessions) {
    'Logging off ' + $row.SessionID
    rwinsta $row.SessionID
}
Here’s one way:
$wco = (New-Object System.Net.WebClient)
$wco.DownloadFile('https://fqdn/filename.ext','filename.ext')
An in-script fix:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
A permanent fix:
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
To download a single file in binary mode, try translating this:
Invoke-WebRequest -Uri "http://fq.dn/sub/binary.exe" -Outfile "C:\folder\binary.exe"
Prefix this, add a space to the end, and then type your PowerShell:
%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command
My current favorite way:
[string]$PSVersionTable.PSVersion.Major + '.' + [string]$PSVersionTable.PSVersion.Minor
If it’s 1.0, you’ll get an error; otherwise you will have what you need.