Want to review Windows 10 security updates and patches before installing them? Run this PowerShell command.

With Windows 10, you can no longer do a quick-and-dirty scan for updates from the GUI without triggering the detection and installation of those updates. The same holds true for Server 2016 or Server 2019. The ability to scan for, but not install, updates is a useful auditing technique to ensure your patching tools are reporting properly. It also lets you see what updates are pending for Microsoft’s regularly scheduled patches.

You can use a remote management or patch management tool that offers this option to scan but not install updates. If you do not have one, here’s a way to do it using the PowerShell module PSWindowsUpdate.

To use this PowerShell command, you first need to set up the environment to run PowerShell scripts. In an elevated PowerShell, run the following command:

    Set-ExecutionPolicy RemoteSigned

Note that this sets the policy to allow scripts to be run. You will be prompted to say “yes” to accept the policy. To confirm that the policy is set, type Get-ExecutionPolicy -List. If you are running preview builds of Windows 10, you might need to use the -Force flag to set the policy. Use either

    Set-ExecutionPolicy RemoteSigned -Force

to set the policy for the local machine, or

    Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

to set the policy for the current user.

Next, install NuGet, an open-source package manager designed for the Microsoft Development Platform:

    Install-PackageProvider NuGet

The Windows update module requires the NuGet package manager. Once it is installed, install the module:

    Install-Module PSWindowsUpdate

You might be warned that you are installing items from an untrusted repository. Answer “Y” or “Yes” to install the PowerShell Windows Update module.
You will see the module being installed.

Now you are ready to use the PowerShell module to check for updates:

    Get-WindowsUpdate

The module will take some time to process and then it will list pending updates. In the example below, it shows that the Intel Microcode updates would be installed if you manually check for updates, yet they are not being pushed to your machines unless you “seek” or manually scan for updates.

[Figure: Intel Microcode updates to be installed. Credit: Microsoft]

To check for and install updates (with yes/no prompting), use:

    Get-WindowsUpdate -Install

In the example above, you are being prompted to install the Microcode update. Select “Y” for “Yes” to install the update, or “N” for “No” to skip it.

[Figure: Confirm whether you want to install the Windows updates. Credit: Microsoft]

To check for and install all available updates:

    Get-WindowsUpdate -Install -AcceptAll

This command does the same as checking for and installing updates in the Windows GUI.

Finally, to update the PSWindowsUpdate module, enter the following command:

    Update-Module PSWindowsUpdate

Using this module lets you audit and verify that the detection of patches is accurate without causing the install of updates.

If you are remote to the machine, you can enable remote PowerShell and perform these commands from a remote workstation. To enable remote PowerShell, ensure that you enable PSRemoting on the remote workstation:

    Enable-PSRemoting -Force

Alternatively, you can enable remote PowerShell via group policy settings, which enable Windows Remote Management on the network. Select “WinRM Service” under “Computer Configuration,” “Policies,” “Administrative Templates,” “Windows Components,” “Windows Remote Management (WinRM)”. You then set the policy through the “Allow remote server management through WinRM” dialog. There, check “Enabled”. In the “IPv4 filter” and “IPv6 filter” fields under “Options,” type * in both boxes to allow connections from any IP address, and then click “OK”.
For a more secure configuration, you can restrict access to only administrative or management machines rather than allowing connections from any IP address.

You will then want to set WinRM to start automatically. In the left pane of the “Group Policy Management Editor” window, select “System Services” under “Computer Configuration,” “Policies,” “Windows Settings,” “Security Settings”. In the right pane, scroll down the list of services and double-click on “Windows Remote Management (WS-Management)”.

In the “Windows Remote Management” dialog, check “Define this policy setting,” and then check “Automatic” under “Select service startup mode”. Click “OK”.

Finally, you will want to enable Windows firewall rules for WinRM as follows: In the left pane under “Security Settings,” expand “Windows Firewall with Advanced Security” and select “Inbound Rules”. Right-click on “Inbound Rules” and select “New Rule” from the menu.

In the “New Inbound Rule Wizard” window, check “Predefined” and select “Windows Remote Management” from the menu. Click “Next”. Ensure that the firewall rule is limited to the domain profile and is not opened up to the public profile.

Now you can use a command to enter a remote session.
For example, you can use the following command to do the PowerShell commands as if you were on the remote machine:

    Enter-PSSession -ComputerName COMPUTER -Credential USER
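
The scan-only audit described above, run across several machines over PowerShell remoting and compared with what a patch-management tool reports as pending. This is an added example, not code from the original article or from the PSWindowsUpdate project. It assumes PSWindowsUpdate is installed and remoting is enabled on each target; the machine names, the reported KB lists and the helper Compare-PendingUpdate are hypothetical.

```powershell
# Added example: scan-only patch audit over PowerShell remoting.
# Machine names and the "reported" KB lists are constructed sample data.
$computers = 'WS-001', 'WS-002'
$reported  = @{                      # what the patch tool says is pending
    'WS-001' = @('KB0000001', 'KB0000002')
    'WS-002' = @()
}

function Compare-PendingUpdate {     # hypothetical helper, not part of the module
    param(
        [string]   $ComputerName,
        [string[]] $ReportedKB,      # KBs the patch tool lists as pending
        [string[]] $ScannedKB        # KBs the scan on the machine found
    )
    # Drop blanks: updates such as drivers can come back without a KB number.
    $ReportedKB = @($ReportedKB | Where-Object { $_ })
    $ScannedKB  = @($ScannedKB  | Where-Object { $_ })
    $missing = @($ScannedKB  | Where-Object { $_ -notin $ReportedKB })
    $stale   = @($ReportedKB | Where-Object { $_ -notin $ScannedKB })
    [pscustomobject]@{
        ComputerName    = $ComputerName
        Pending         = $ScannedKB.Count
        MissingFromTool = $missing -join ', '   # found by scan, not reported
        StaleInTool     = $stale -join ', '     # reported, not found by scan
        InSync          = ($missing.Count + $stale.Count) -eq 0
        Error           = $null
    }
}

$results = foreach ($computer in $computers) {
    try {
        # Without -Install, Get-WindowsUpdate only lists what is pending.
        $pending = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
            Import-Module PSWindowsUpdate -ErrorAction Stop
            Get-WindowsUpdate | Select-Object KB, Title
        }
        Compare-PendingUpdate -ComputerName $computer `
            -ReportedKB $reported[$computer] -ScannedKB @($pending.KB)
    }
    catch {
        # A host that cannot be scanned is a finding, not a clean result.
        [pscustomobject]@{
            ComputerName = $computer; Pending = $null; MissingFromTool = ''
            StaleInTool = ''; InSync = $false; Error = $_.Exception.Message
        }
    }
}
$results | Format-Table -AutoSize
```

Rows where InSync is False are the ones to investigate: either the patch tool is missing an update the machine itself detects, or the machine could not be scanned at all.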