Hide Windows Updates using Powershell

jbcsystech asked:

Is it possible to use Powershell to hide Windows updates on Windows XP, Windows 7, Windows Server 2003, 2008, and 2008R2?
dailypcguy:

What advantage do you seek using powershell over group policy objects? Normally you'd configure GPO's to change the default Windows Update location to a WSUS server or an offline WSUS update utility. I'm trying to figure out why you'd want to use powershell instead?
jbcsystech:
I'd like to use a Windows update powershell script for installing updates and need a way to control updates we don't want to install.
Don:
Your best bet for controlling which updates get installed is using WSUS.

WSUS step by step

there's also wuinstall

WuInstall is a command line tool for Windows which enables you to install Windows updates for a certain workstation in a controlled way by using a command line script instead of the standard Windows update functionality.
dstewartjr is correct, as this was where I was leading.

I don't use powerscript, but their site may be able to teach you how to do it. I looked there once and decided I didn't have time to learn yet another scripting language.

Me, I'd just use (as I do) WSUS offline update, so you download them once and apply them to many, in my case customers who never seem to update their machines. (This is free, but donations are welcome.)

Installed onto a larger portable USB drive, I just use this utility to update all of my machines, and GPO's to prevent them updating automatically. It covers all MS products XP to Win7 and servers, Office. You would need to have a separate USB stick to achieve Win2000, as it is incompatible with the rest for some reason.

If you're really stuck on the idea of powerscript, I'll keep an eye out and wish you the best of luck! :-}
wsusoffline would be *very* time consuming if you have many systems.
Yes granted, that's true.
Do you have a server in your system? You can configure a single server to download the updates (it's included in WinServ 2003-2008), and push them out to the client machines based on GPO's, and you can control which machines get which updates if you really want to have that much control. Doing it that way saves bandwidth.
I once installed it on my Windows Home Server to act as the update server for my 10 clients. The only problem there was that by default WHS partitions are limited to 20Gb, and that's a bit small if you want to run a lot of apps on it, like home automation, media server, custom apps and addins for instance. You can move the WSUS updates to a share folder which helps, but 20Gb still isn't big. I tried several ways to increase the partition size, but MS wouldn't let me, so I abandoned it. Now I use WSUS offline on a networked USB drive or a NAS, and pointed my clients via GPO's to get their updates from there.
Hope you get some powershell code though, sounds intriguing.
Oh, I meant to say you can install only admin approved updates using WSUS on a server, to specific machines or designated groups of machines, but that means you have to troll through individually, again a bit time rich.
"....but that means you have to troll through individually, again a bit time rich."

That's why there are automatic approval rules in WSUS.
Also WSUS does absolutely no pushing of anything. Clients query the server for updates that are approved and report their status back to WSUS for reporting.
Have you had a look here?
Surely if you can search for updates using this powershell script and install them using powershell script, you could also ignore them using powershell scripting and using a black/whitelist scenario to prevent them being applied?
Just not sure then how you would push this script out to hundreds of workstations??
I'm well aware of both of those conditions. As I said, I had it working well for my needs, and I can see it won't work for you. Split hairs if you will, but I am only here trying to help you find a solution after all.
There's also this

Windows Update Agent force script, email results version 2.6

A black/whitelist is exactly what I'd like, but I've found little information on trying to do that with Powershell.  I'm still learning Powershell and having to rely a lot on Google and Scripting Guy. That's why I thought I'd try using Powershell to hide updates as I thought it would be easier.  

Incidentally, I already have a working Windows Update Powershell script and a deployment mechanism, just need to add the white/black list scripting to it.
@jbcsystech, is there any chance you could post the script you use? I'm looking for something similar. Many thanks.
This is one I found on the Scripting Guys site so I can't take credit for it.  I asked them for help, but they did not have the time to assist with adding whitelist/blacklist functionality.  

The workaround I found was setting up an internal WSUS server then using it in combination with this. I disabled the automatic updates client on the workstations/servers and run this script to install updates. I realize I can do everything through WSUS, but I've used it before in our environment and the WSUS agent proved to be problematic (the reason I stopped using it in the first place). So far, I've been using this for a month and it seems to be working well for us. I'm going to keep trying to figure out how to add whitelist/blacklist functionality, but in the meantime this works.

Write-host "Starting Update Process..." -foregroundcolor blue
Write-host ""
$UpdateSession = New-Object -com Microsoft.Update.Session
$UpdateSearcher = $UpdateSession.CreateUpdateSearcher()
# Only updates that WSUS/Microsoft Update has assigned, that are not hidden and not yet installed
$SearchResult = $UpdateSearcher.Search("IsAssigned=1 and IsHidden=0 and IsInstalled=0")
$UpdateLowNumber = 0
$UpdateHighNumber = 1
$NumberofUpdates = $SearchResult.Updates.Count
while ($UpdateHighNumber -le $NumberofUpdates) {
    # One update per pass: put it in a collection, download it, then install it
    $Update = $SearchResult.Updates.Item($UpdateLowNumber)
    if ($Update.EulaAccepted -eq 0) {$Update.AcceptEula()}
    $UpdatesToDownload = New-Object -com Microsoft.Update.UpdateColl
    [void]$UpdatesToDownload.Add($Update)
    $Downloader = $UpdateSession.CreateUpdateDownloader()
    $Downloader.Updates = $UpdatesToDownload
    [void]$Downloader.Download()
    $UpdatesToInstall = New-Object -com Microsoft.Update.UpdateColl
    [void]$UpdatesToInstall.Add($Update)
    $Title = $Update.Title
    $KBArticleIDs = $Update.KBArticleIDs
    $SecurityBulletinIDs = $Update.SecurityBulletinIDs
    $MsrcSeverity = $Update.MsrcSeverity
    $LastDeploymentChangeTime = $Update.LastDeploymentChangeTime
    $MoreInfoUrls = $Update.MoreInfoUrls
    Write-host "Installing Update $UpdateHighNumber of $NumberofUpdates"
    Write-host "Title: $Title"
    # KBArticleIDs, SecurityBulletinIDs and MoreInfoUrls are COM string collections, so test their Count
    if ($KBArticleIDs.Count -gt 0) {Write-host "KBID: $($KBArticleIDs | ForEach-Object { $_ })"}
    if ($SecurityBulletinIDs.Count -gt 0) {Write-host "Security Bulletin: $($SecurityBulletinIDs | ForEach-Object { $_ })"}
    if ($MsrcSeverity -eq "Critical") {Write-host "Rating: $MsrcSeverity" -foregroundcolor red} else {Write-host "Rating: $MsrcSeverity"}
    if ($LastDeploymentChangeTime -ne "") {Write-host "Dated: $LastDeploymentChangeTime"}
    if ($MoreInfoUrls.Count -gt 0) {Write-host "$($MoreInfoUrls | ForEach-Object { $_ })"}
    $Installer = $UpdateSession.CreateUpdateInstaller()
    $Installer.Updates = $UpdatesToInstall
    $InstallationResult = $Installer.Install()
    Write-host "--------------------------------------------"
    # ResultCode 2 = orcSucceeded
    if ($InstallationResult.ResultCode -eq 2) {Write-host "  Installation Succeeded" -foregroundcolor green} else {Write-host "  INSTALLATION FAILED, check event log for details" -foregroundcolor red}
    # RebootRequired is a boolean; comparing it to the string "False" would invert the test
    if (-not $InstallationResult.RebootRequired) {Write-host "  Reboot not required" -foregroundcolor green} else {Write-host "  REBOOT REQUIRED" -foregroundcolor red}
    Write-host "--------------------------------------------"
    Write-host ""
    Write-host ""
    $UpdateLowNumber = $UpdateLowNumber + 1
    $UpdateHighNumber = $UpdateHighNumber + 1
}
$ComputerStatus = New-Object -com Microsoft.Update.SystemInfo
if ($ComputerStatus.RebootRequired -eq 1) {Write-host "A Reboot is Required"}
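Added example, not the Scripting Guys script above and not code posted by anyone in this thread: the black/whitelist that jbcsystech and Colchester_Institute are after can be done with the same Microsoft.Update.Session COM API, because IUpdate exposes a writable IsHidden property (the same flag the Windows Update control panel sets when you click "Hide update"). Since the installer script above searches with IsHidden=0, anything this script hides is simply never offered to it on the next run, on XP, 7, 2003 and 2008/R2 alike. Assumptions: it runs elevated (IsHidden is only writable by an administrator), the KB numbers in the defaults are constructed placeholders, and the script name and parameters are my own.

```powershell
# Hide Windows updates by KB number through the Windows Update Agent COM API.
# Added example, not part of the thread. Must run elevated; the default KB
# numbers below are constructed placeholders, not real updates.

param(
    # KBs we never want installed: anything listed here is hidden (constructed values).
    [string[]] $Blacklist = @('9999991', '9999992'),
    # Optional allow-list: when non-empty, every offered update NOT on it is hidden too.
    [string[]] $Whitelist = @(),
    # Report what would be hidden without touching anything.
    [switch]   $ReportOnly
)

$Session  = New-Object -ComObject Microsoft.Update.Session
$Searcher = $Session.CreateUpdateSearcher()

# IsHidden=0 keeps already-hidden updates out of the result so they are not processed twice.
$Result = $Searcher.Search("IsInstalled=0 and IsHidden=0")

$Hidden = @()
$Kept   = @()

foreach ($Update in $Result.Updates) {
    # KBArticleIDs is a COM string collection; an update may carry several KBs or none.
    $KBs = @($Update.KBArticleIDs | ForEach-Object { "$_" })

    $OnBlacklist = [bool]($KBs | Where-Object { $Blacklist -contains $_ })
    $OnWhitelist = ($Whitelist.Count -eq 0) -or [bool]($KBs | Where-Object { $Whitelist -contains $_ })

    if ($OnBlacklist -or -not $OnWhitelist) {
        if (-not $ReportOnly) {
            # Persisted by the Windows Update Agent; the update stays hidden until IsHidden is set back to $false.
            $Update.IsHidden = $true
        }
        $Hidden += $Update
        Write-Host ("HIDE  KB{0,-10} {1}" -f ($KBs -join ','), $Update.Title) -ForegroundColor Yellow
    }
    else {
        $Kept += $Update
        Write-Host ("KEEP  KB{0,-10} {1}" -f ($KBs -join ','), $Update.Title)
    }
}

Write-Host ""
Write-Host ("{0} update(s) hidden, {1} left visible." -f $Hidden.Count, $Kept.Count)
```

Run it once with `-ReportOnly` to see what the lists would do before committing, e.g. `.\HideUpdates.ps1 -Blacklist 9999991 -ReportOnly`, then without the switch; run it ahead of the installer script in the same psexec or scheduled-task job so the hide takes effect before the search for updates to install. Hiding is per machine, so a whitelist that changes later has to be re-applied everywhere, which is the same bookkeeping WSUS approval groups do for you centrally.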

Awesome little Script.... Do you use that on remote servers?
No, all servers are on our internal LAN. I run it on multiple servers at a time using psexec.
hmmm kinda the way i'm trying to do it.

I've got a couple of Update scripts.

Basically like you I'm trying to update our servers in an automated way (by remote servers I meant not having to log onto each server individually).

With the script you've given me I now just need to get it working on remote servers and get them to reboot once updates are done.....and possibly get a log file also...Maybe an email report
I'm working on the log/email report functionality, but haven't perfected it yet and haven't had time to work on it lately. I'm also trying to figure out how to only reboot the servers when a reboot is required. If I come up with a working script I'll try to remember to post to you.

I use psexec @\\somelist.txt -e -s cmd.exe /c "echo | powershell -file \\windowsupdate.ps1"

somelist.txt contains a list of servers (one per line).
The following is required to use psexec with powershell:    cmd.exe /c "echo | powershell

This works for the number of Windows servers we have (approximately 40), but for a larger environment I'd recommend kicking off a scheduled task on the servers (can be accomplished using either Powershell or Group Policy) that runs the script. You could also run multiple powershell windows at once and use separate server text files (example: somefile1.txt contains server1

while somefile2.txt contains

and so forth).
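Added example, not code from jbcsystech or anyone else in this thread: the scheduled-task approach suggested above, done from one admin workstation for every server in the psexec-style list file, using schtasks.exe (present on XP/2003 onward, so it covers every OS in the question). Assumptions: you run this as a domain admin, the list-file and UNC script paths are placeholders, and the task runs as SYSTEM, so the share holding the script must grant read access to the servers' computer accounts (e.g. Domain Computers) and not just to your own account. The task name and parameter names are my own.

```powershell
# Register the update script as a one-shot scheduled task on each server in a list.
# Added example, not part of the thread. Paths and task name are placeholders.

param(
    [string] $ServerList = '.\somelist.txt',                          # one hostname per line, as with psexec @file
    [string] $ScriptPath = '\\fileserver\scripts\windowsupdate.ps1',  # placeholder UNC path, readable by computer accounts
    [string] $StartTime  = '02:00',                                   # HH:mm in each server's local time
    [string] $TaskName   = 'WindowsUpdate-Scripted'
)

$Servers = Get-Content $ServerList | Where-Object { $_.Trim() -ne '' }

# -NonInteractive replaces the "echo |" trick used with psexec: with no console attached,
# powershell must not wait for input. Keep the script path free of spaces, or add quoting.
$Action = "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File $ScriptPath"

foreach ($Server in $Servers) {
    # /S targets the remote server, /RU SYSTEM needs no password (/RP),
    # /SC ONCE with /ST runs it a single time, /F overwrites an existing task of the same name.
    & schtasks.exe /Create /S $Server /F /RU SYSTEM /SC ONCE /ST $StartTime /TN $TaskName /TR $Action
    if ($LASTEXITCODE -eq 0) {
        Write-Host "$Server : task '$TaskName' registered for $StartTime" -ForegroundColor Green
    }
    else {
        Write-Host "$Server : schtasks failed with exit code $LASTEXITCODE" -ForegroundColor Red
    }
}
```

The exit code check is what tells you which servers did not get the task (RPC blocked, name not resolvable, no admin rights), so you can re-run for just those rather than guess from the next day's patch state. Running as SYSTEM matches what psexec -s does in the thread; if you would rather not expose the script share to every computer account, copy the .ps1 to a local path on each server first and point $ScriptPath there.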
ahh ok

I've got a script that has email functionality and reboot; I'll have a look and dig it out.

It's that one that I've been trying to tweak etc.
Colchester_Institute:

(This solution is only available to members of Experts Exchange.)
Thanks, I'll give that a try.