This method uses Powershell module PsWindowsUpdate.
First, a complete script which gets the module in and updates everything available from Microsoft, including patches and drivers and firmware:
#begin script
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Set-Executionpolicy RemoteSigned -Scope Process -Force
Install-PackageProvider -Name NuGet -Force -ErrorAction 'SilentlyContinue' > $null
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
If (Get-InstalledModule -Name PsWindowsUpdate -ErrorAction 'SilentlyContinue') {
Update-Module -Name PSWindowsUpdate -Force
} Else {
Install-Module -Name PSWindowsUpdate -Force
}
Import-Module PSWindowsUpdate
Install-WindowsUpdate -AcceptAll -AutoReboot
# end script
Next, the bits. We do need to install and keep up a module.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Set-Executionpolicy RemoteSigned -Scope Process -Force
Install-PackageProvider -Name NuGet -Force -ErrorAction 'SilentlyContinue' > $null
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
If (Get-InstalledModule -Name PsWindowsUpdate -ErrorAction 'SilentlyContinue') {
Update-Module -Name PSWindowsUpdate -Force
} Else {
Install-Module -Name PSWindowsUpdate -Force
}
Import-Module PSWindowsUpdate
Then we can check the list of available updates:
Get-WindowsUpdate
And then we probably want to actually do updates. There are good reasons and multiple methods to be careful. Alas, thus far, there does not appear to be a way to install updates a given number of days after release, e.g., 30, so as to give Microsoft time to respond to issues. Here is a glancing overview of what we do have:
- Lots of firmware is being sent by Microsoft now, and some of this is more up-to-date than that available from the vendors. But there is risk in these, don’t forget. You may find that you want to install current Windows patches, but no drivers, firmware, services packs, feature packs, etc. To do this:
Install-WindowsUpdate -NotCategory "Drivers","Service Packs","FeaturePacks" -NotTitle "preview" -AcceptAll
And to do it while ignoring reboot:
Install-WindowsUpdate -NotCategory "Drivers","Service Packs","FeaturePacks" -NotTitle "preview" -AcceptAll -IgnoreReboot
The -IgnoreReboot ignores all relevant reboot automata. -NotTitle "preview" omits all updates with the word “preview” in their name.
But sometimes, e.g. with a new PC install, we’ll want to install all updates and reboot automatically:
Install-WindowsUpdate -AcceptAll -AutoReboot
- You may find that you want to omit granularly, e.g., specific build upgrades. If you found one marked KB1234567, you would install all and omit that one thus:
Install-WindowsUpdate -NotKBArticleID KB1234567 -AcceptAll
- If you wanted to do that, and explicitly not reboot if indicated:
Install-WindowsUpdate -NotKBArticleID KB1234567 -AcceptAll -IgnoreReboot
- If you had two KBs to omit:
Install-WindowsUpdate -AcceptAll -NotKBArticleID "KB1234567,KB7654321"
- There are other noteworthy items. Lots of firmware is being sent by Microsoft now, and some of this is more up-to-date than that available from the vendor. But there is risk in firmware updates, don’t forget. Some of the items don’t have KBs, and there are two other command-line arguments to omit those,
-NotTitle and -NotUpdateID.
Reset-WUComponents
- To get a full list of functions:
Get-Command -Module PSWindowsUpdate
Get-Help works for all of them.
Categories:
Windows Installer, Updates, Patching
Powershell
It’s built into most OEM installs of Windows 10 and 11, and can often be installed. On server builds it’s touch and go.
To see if you have it, try winget list from CMD or Powershell.
One good way to test it, is to install Microsoft .NET framework (SDK) 6, thus, from administrative Powershell:
winget install --id Microsoft.DotNet.Runtime.6 --silent --accept-source-agreements
I learned just now that if you add other seemingly valuable options to the one above, e.g., --scope machine, at least while running as SYSTEM, it will fail citing package not found. So you’ll want to test carefully.
Here’s one proven just now for 7zip (there’s a “search” option in winget to get the ID):
winget install --exact --id 7zip.7zip --accept-package-agreements --silent --scope machine
Here’s one for Google Chrome, needs a bit of extra:
winget.exe install --exact --id Google.Chrome --silent --accept-package-agreements --accept-source-agreements --scope machine
And here’s a way to upgrade everything Winget can upgrade. There are some systems to not use this on, e.g., anything with some Autodesk products:
winget upgrade --all --include-unknown
If you do want to use it from the SYSTEM account, in scripting, it gets interesting. You’ll want to first run the below, and then winget will run as expected.
# Function to find the path to winget.exe
function Find-WinGet-Path {
# Get the WinGet path (for use when running in SYSTEM context).
$WinGetPathToResolve = Join-Path -Path $ENV:ProgramFiles -ChildPath 'WindowsApps\Microsoft.DesktopAppInstaller_*_*__8wekyb3d8bbwe'
$ResolveWinGetPath = Resolve-Path -Path $WinGetPathToResolve | Sort-Object {
[version]($_.Path -replace '^[^\d]+_((\d+\.)*\d+)_.*', '$1')
}
if ($ResolveWinGetPath) {
# If we have multiple versions - use the latest.
$WinGetPath = $ResolveWinGetPath[-1].Path
}
# Get the User-Context WinGet exe location.
$WinGetExePath = Get-Command -Name winget.exe -CommandType Application -ErrorAction SilentlyContinue
# Select the correct WinGet exe
if (Test-Path -Path (Join-Path $WinGetPath 'winget.exe')) {
# Running in SYSTEM-Context.
$WinGet = Join-Path $WinGetPath 'winget.exe'
} elseif ($WinGetExePath) {
# Get User-Context if SYSTEM-Context not found.
$WinGet = $WinGetExePath.Path
} else {
Write-Output 'WinGet not Found!'
Stop-Transcript
exit 1
}
# Return WinGet path
return ($WinGet -replace '\winget.exe','')
}
Function Add-PathVariable {
param (
[string]$addPath
)
if (Test-Path $addPath){
$regexAddPath = [regex]::Escape($addPath)
$arrPath = $env:Path -split ';' | Where-Object {$_ -notMatch
"^$regexAddPath\\?"}
$env:Path = ($arrPath + $addPath) -join ';'
} else {
Throw "'$addPath' is not a valid path."
}
}
Add-PathVariable (Find-Winget-Path)
Installing has been even more interesting. I’ve tried a lot of things. The below worked very well just now on Server 2019. There may be one extra module install in it, will test when it comes up again.
#Begin winget installation
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force > $null
Function PrepareModule {
param( [string]$ModuleName )
"Preparing Powershell environment: Getting online " + $ModuleName + " info..."
$OnlineModuleInfo = Find-Module $ModuleName -Repository PSGallery
"Preparing Powershell environment: Getting local " + $ModuleName + " info (if exists)..."
$LocalModuleInfo = Get-InstalledModule $ModuleName -ErrorAction SilentlyContinue > $null
If ($OnlineModuleInfo.Version -ne $LocalModuleInfo.Version) {
"Preparing Powershell environment: Removing old " + $ModuleName + " (if exists)..."
Uninstall-Module -Name $ModuleName -ErrorAction SilentlyContinue > $null
"Preparing Powershell environment: Installing new " + $ModuleName + "..."
Install-Module -Name $ModuleName -Repository PSGallery
"Preparing Powershell environment: Importing new " + $ModuleName + "..."
Import-Module -Name $ModuleName
}
}
"Setting up to use Powershell Gallery..."
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Set-PSRepository -InstallationPolicy Trusted -Name PSGallery
PrepareModule("NuGet")
Install-Script -Name winget-install
#End winget installation
Categories:
Powershell
Windows Installer, Updates, Patching
This command line will upgrade many things:
winget upgrade --all --include-unknown
Categories:
Windows Installer, Updates, Patching
To do this, one must set a registry entry, this is Powershell:
$registryPath = "HKLM:\SYSTEM\Setup\MoSetup";
If ( !(Test-Path $registryPath) ) { New-Item -Path $registryPath -Force; };
New-ItemProperty -Path $registryPath -Name "AllowUpgradesWithUnsupportedTPMOrCPU" -Value 1 -PropertyType DWORD -Force;
then download the ISO (not the recommended upgrader app), unpack it, and run setup.exe.
Categories:
Windows Installer, Updates, Patching
Windows OS-Level Issues
This is a curious method, seemingly very reliable, and it has many different builds, including 22H2, 23H2, 24H2 as of right now. Here’s the last 22H2:
uupdump.net/selectlang.php?id=0cda15f9-a14a-4adf-bb3c-2ce79d0de621
It is not the ISO itself, it is a script setup which uses OS resources to build an ISO.
Categories:
Windows Installer, Updates, Patching
Windows OS-Level Issues
Categories:
Windows Installer, Updates, Patching
BIOS
Categories:
Windows Installer, Updates, Patching
BIOS
HP Support Assistant is the oft-default tool, not suitable for automation; but there is the HP Image Assistant:
ftp.ext.hp.com/pub/caps-softpaq/cmit/HPIA.html
So far this looks like the way forward. Early testing done, not thorough yet. It has a GUI for default use, but also has command line usage. Download the installer, complete it, CD to the folder it created in command-line, and run HPImageAssistant.exe for nice GUI. Documentation is here:
ftp.hp.com/pub/caps-softpaq/cmit/imagepal/userguide/936944-008.pdf
Several command-line examples are in that PDF. This command does a lot of very good things, very silently:
.\HPImageAssistant /Operation:Analyze /Category:All,Accessories /selection:All /action:Install /silent /reportFolder:c:\HPIA\Report /softpaqdownloadfolder:c:\HPIA\download
Categories:
Windows Installer, Updates, Patching
BIOS
This one works very well indeed. It does need a bit more technical intervention:
https://www.bcuninstaller.com
Categories:
Windows Installer, Updates, Patching
Tools
A very interesting .EXE which appears to be able to upgrade Build 1909 directly to 22H2.
https://www.microsoft.com/en-us/software-download/windows10
Categories:
Windows Installer, Updates, Patching