Hide Windows Updates using Powershell

Is it possible to use Powershell to hide Windows updates on Windows XP, Windows 7, Windows Server 2003, 2008, and 2008R2?

Colchester_Institute Commented:
Here's the link

What advantage do you seek using powershell over group policy objects? Normally you'd configure GPO's to change the default Windows Update location to a WSUS server or an offline WSUS update utility. I'm trying to figure out why you'd want to use powershell instead?
jbcsystech (Author) Commented:
I'd like to use a Windows update powershell script for installing updates and need a way to control updates we don't want to install.

Don (Network Administrator) Commented:
Your best bet for controlling which updates get installed is using WSUS.

WSUS step by step


There's also wuinstall


WuInstall is a command line tool for Windows which enables you to install Windows updates for a certain workstation in a controlled way by using a command line script instead of the standard Windows update functionality.
dstewartjr is correct, as this was where I was leading.

I don't use powerscript, but their site may be able to teach you how to do it. I looked there once and decided I didn't have time to learn yet another scripting language.

Me, I'd just use (as I do) WSUS offline update, so you download them once and apply them to many, in my case customers who never seem to update their machines.

http://www.wsusoffline.net/   (this is free, but donations are welcome)

Installed onto a larger portable USB drive, I just use this utility to update all of my machines, and GPO's to prevent them updating automatically. It covers all MS products XP to Win7 and servers, Office. You would need to have a separate USB stick to achieve Win2000, as it is incompatible with the rest for some reason.

If you're really stuck on the idea of powerscript, I'll keep an eye out and wish you the best of luck! :-}
Don (Network Administrator) Commented:
wsusoffline would be *very* time consuming if you have many systems.
Yes granted, that's true.
Do you have a server in your system? You can configure a single server to download the updates (It's included in WinServ 2003-2008), and push them out to the client machines based on GPO's and you can control which machines get which updates if you really want to have that much control. Doing it that way saves bandwidth.
I once installed it on my Windows Home Server to act as the update server for my 10 clients. The only problem there was that by default WHS partitions are limited to 20Gb, and that's a bit small if you want to run a lot of apps on it, like home automation, media server, custom apps and addins for instance. You can move the WSUS updates to a share folder which helps, but 20gb still isn't big. I tried several ways to increase the partition size, but MS wouldn't let me, so I abandoned it. Now I use WSUS offline on a networked USB drive or a NAS, and pointed my clients via GPO's to get their updates from there.
Hope you get some powershell code though, sounds intriguing.
Oh, I meant to say you can install only admin approved updates using WSUS on a server, to specific machines or designated groups of machines, but that means you have to troll through individually, again a bit time rich.
Don (Network Administrator) Commented:
"....but that means you have to troll through individually, again a bit time rich."

That's why there's automatic approval rules in WSUS

Don (Network Administrator) Commented:
Also WSUS does absolutely no pushing of anything. Clients query the server for updates that are approved and report their status back to WSUS for reporting.
Have you had a look here?
Surely if you can search for updates using this powershell script and install them using powershell script, you could also ignore them using powershell scripting and using a black/whitelist scenario to prevent them being applied?
Just not sure then how you would push this script out to hundreds of workstations??
I'm well aware of both of those conditions. As I said, I had it working well for my needs, and I can see it won't work for you. Split hairs if you will, but I am only here trying to help you find a solution after all.
Don (Network Administrator) Commented:
There's also this

Windows Update Agent force script, email results version 2.6
jbcsystech (Author) Commented:

A black/whitelist is exactly what I'd like, but I've found little information on trying to do that with Powershell.  I'm still learning Powershell and having to rely a lot on Google and Scripting Guy. That's why I thought I'd try using Powershell to hide updates as I thought it would be easier.  

jbcsystech (Author) Commented:
Incidentally, I already have a working Windows Update Powershell script and a deployment mechanism, just need to add the white/black list scripting to it.
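
An added example, not code from any poster in this thread: one way to get the blacklist asked for above through the Windows Update Agent COM API, by setting IsHidden on updates whose KB article IDs appear on a list. The KB numbers and the helper name Test-UpdateBlacklisted are placeholders chosen for illustration; it assumes PowerShell 2.0 or later and an elevated session.

```powershell
# Added example; the KB numbers below are constructed placeholders, not real advisories.
$Blacklist = @('0000001', '0000002')   # KB article IDs, digits only (no "KB" prefix)

# Hypothetical helper: true if any KB article ID on the update is on the blacklist.
function Test-UpdateBlacklisted {
    param($Update, [string[]]$KbList)
    foreach ($Kb in $Update.KBArticleIDs) {
        if ($KbList -contains $Kb) { return $true }
    }
    return $false
}

$Session  = New-Object -ComObject Microsoft.Update.Session
$Searcher = $Session.CreateUpdateSearcher()
# Pending updates that are not hidden yet
$Result   = $Searcher.Search("IsAssigned=1 and IsHidden=0 and IsInstalled=0")

foreach ($Update in $Result.Updates) {
    if (Test-UpdateBlacklisted -Update $Update -KbList $Blacklist) {
        try {
            $Update.IsHidden = $true     # IUpdate.IsHidden is a read/write property
            Write-Host "Hidden:    $($Update.Title)"
        } catch {
            # The agent can refuse the change (for example without admin rights)
            Write-Host "Could not hide: $($Update.Title) ($($_.Exception.Message))" -ForegroundColor Red
        }
    } else {
        Write-Host "Available: $($Update.Title)"
    }
}

# Audit pass: report everything currently hidden, with severity, so a
# blacklisted security fix stays visible to whoever reviews patch status.
$Hidden = $Searcher.Search("IsHidden=1 and IsInstalled=0")
foreach ($Update in $Hidden.Updates) {
    Write-Host "Currently hidden: $($Update.Title) [severity: $($Update.MsrcSeverity)]"
}
```

The install script posted later in this thread searches with IsHidden=0, so updates hidden this way are skipped by it.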
@jbcsystech, is there any chance you could post the script you use, as I'm looking for something similar? Many thanks.
jbcsystech (Author) Commented:
This is one I found on the Scripting Guys site so I can't take credit for it.  I asked them for help, but they did not have the time to assist with adding whitelist/blacklist functionality.  

The workaround I found was setting up an Internal WSUS server then using it in combination with this.  I disabled the automatic updates client on the workstations/servers and run this script to install updates.  I realize I can do everything through WSUS, but I've used it before in our environment and the WSUS agent proved to be problematic (the reason I stopped using it in the first place).  So far, I've been using this for a month and it seems to be working well for us.  I'm going to keep trying to figure out how to add whitelist/blacklist functionality, but in the meantime this works.

Write-host "Starting Update Process..." -foregroundcolor blue
Write-host ""
# Windows Update Agent COM session and searcher
$UpdateSession = New-Object -com Microsoft.Update.Session
$UpdateSearcher = $UpdateSession.CreateUpdateSearcher()
# Only updates that are assigned, not hidden and not yet installed
$SearchResult = $UpdateSearcher.Search("IsAssigned=1 and IsHidden=0 and IsInstalled=0")
$UpdateLowNumber = 0
$UpdateHighNumber = 1
$NumberofUpdates = $SearchResult.Updates.Count
# Download and install one update per pass through the loop
while ($UpdateHighNumber -le $NumberofUpdates) {
    $UpdatesToDownload = New-Object -com Microsoft.Update.UpdateColl
    $Update = $SearchResult.Updates.Item($UpdateLowNumber)
    if ($Update.EulaAccepted -eq 0) {$Update.AcceptEula()}
    # The update has to be in the collection before the downloader is given it
    [void]$UpdatesToDownload.Add($Update)
    $Downloader = $UpdateSession.CreateUpdateDownloader()
    $Downloader.Updates = $UpdatesToDownload
    [void]$Downloader.Download()
    $UpdatesToInstall = New-Object -com Microsoft.Update.UpdateColl
    [void]$UpdatesToInstall.Add($Update)
    $Title = $Update.Title
    $KBArticleIDs = $Update.KBArticleIDs
    $SecurityBulletinIDs = $Update.SecurityBulletinIDs
    $MsrcSeverity = $Update.MsrcSeverity
    $LastDeploymentChangeTime = $Update.LastDeploymentChangeTime
    $MoreInfoUrls = $Update.MoreInfoUrls
    Write-host "Installing Update $UpdateHighNumber of $NumberofUpdates"
    Write-host "Title: $Title"
    if ($KBArticleIDs -ne "") {Write-host "KBID: $KBArticleIDs"}
    if ($SecurityBulletinIDs -ne "") {Write-host "Security Bulletin: $SecurityBulletinIDs"}
    if ($MsrcSeverity -eq "Critical") {Write-host "Rating: $MsrcSeverity" -foregroundcolor red} else {Write-host "Rating: $MsrcSeverity"}
    if ($LastDeploymentChangeTime -ne "") {Write-host "Dated: $LastDeploymentChangeTime"}
    if ($MoreInfoUrls -ne "") {Write-host "$MoreInfoUrls"}
    $Installer = $UpdateSession.CreateUpdateInstaller()
    $Installer.Updates = $UpdatesToInstall
    $InstallationResult = $Installer.Install()
    Write-host "--------------------------------------------"
    # ResultCode 2 means the operation succeeded
    if ($InstallationResult.ResultCode -eq 2) {Write-host "  Installation Succeeded" -foregroundcolor green} else {Write-host "  INSTALLATION FAILED, check event log for details" -foregroundcolor red}
    # RebootRequired is a boolean; comparing it to the string "False" inverts the test
    if (-not $InstallationResult.RebootRequired) {Write-host "  Reboot not required" -foregroundcolor green} else {Write-host "  REBOOT REQUIRED" -foregroundcolor red}
    Write-host "--------------------------------------------"
    Write-host ""
    Write-host ""
    # Reset the per-update fields and move on to the next update
    $Title = ""
    $KBArticleIDs = ""
    $SecurityBulletinIDs = ""
    $MsrcSeverity = ""
    $LastDeploymentChangeTime = ""
    $MoreInfoUrls = ""
    $UpdateLowNumber = $UpdateLowNumber + 1
    $UpdateHighNumber = $UpdateHighNumber + 1
    if ($ProgressValue -lt $NumberofUpdates) {$ProgressValue = $ProgressValue + 1}
}
# After all updates: report whether the machine as a whole needs a reboot
$ComputerStatus = New-Object -com Microsoft.Update.SystemInfo
if ($ComputerStatus.RebootRequired -eq 1) {Write-host "A Reboot is Required"}

Awesome little Script.... Do you use that on remote servers?
jbcsystech (Author) Commented:
No, all servers are on our internal LAN.  I run it on multiple servers at a time using psexec.
Hmmm, kinda the way I'm trying to do it.

I've got a couple of Update scripts.

Basically, like you, I'm trying to update our servers in an automated way (by remote servers I meant not having to log onto each server individually)

With the script you've given me I now just need to get it working on remote servers and get them to reboot once updates are done.....and possibly get a log file also...Maybe an email report
jbcsystech (Author) Commented:
I'm working on the log/email report functionality, but haven't perfected it yet and haven't had time to work on it lately.  I'm also trying to figure out how to only reboot the servers when a reboot is required.  If I come up with a working script I'll try to remember to post to you.

I use psexec @\\somelist.txt -e -s cmd.exe /c "echo | powershell -file \\windowsupdate.ps1"

somelist contains a list of servers (one per line)
the following is required to use psexec with powershell:    cmd.exe /c "echo | powershell  

This works for the number of Windows servers we have (approximately 40), but for a larger environment I'd recommend kicking off a scheduled task on the servers (can be accomplished using either Powershell or Group Policy) that runs the script.   You could also run multiple powershell windows at once and use separate server text files  (example=  somefile1.txt contains server1

while somefile2.txt contains

and so forth).
ahh ok

I've got a script that has email functionality and reboot. I'll have a look and dig it out.

It's that one that I've been trying to tweak etc.
jbcsystech (Author) Commented:
Thanks, I'll give that a try.
Question has a verified solution.
