SOLVED

Run Windows Updates with Powershell Remotely

Iron Contributor

Hi,

I'm kind of new to Powershell, and trying to automate some stuff.
I found one nice Powershell module named PSWindowsUpdate to manage Windows Updates. I need to create some automated updating for my servers, which are around 50.

Everything runs fine locally, but I started to search on how to write a script to do it remotely, but from what I've read that has a lot of issues, due to permissions related to remote updating.

I create a remote session with "Enter-PSSession -ComputerName <servername>". But when I run the command "Install-WindowsUpdate -KBArticleID <kbID> -AcceptAll -Install" I get this error:

"Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
+ CategoryInfo : NotSpecified: (:) [Get-WindowsUpdate], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,PSWindowsUpdate.GetWindowsUpdate"

I've been reading and understand that the problem is related to a permissions issue on powershell and remote updating.

I've read some topics about it, and in some there is a solution presented, which is JEA. So I've followed this code to run on the server side:

New-PSSessionConfigurationFile -RunAsVirtualAccount -Path .\VirtualAccount.pssc
# Note this will restart the WinRM service:
Register-PSSessionConfiguration -Name 'VirtualAccount' [-ShowSecurityDescriptorUI] -Path .\VirtualAccount.pssc -Force
# Check the Permission property:
Get-PSSessionConfiguration -Name 'VirtualAccount'
# Those users will have full unrestricted access to the system!

But I got this error:
"Register-PSSessionConfiguration : A positional parameter cannot be found that accepts argument '[-ShowSecurityDescriptorUI]'.
At line:1 char:1
+ Register-PSSessionConfiguration -Name 'VirtualAccount' [-ShowSecurity ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Register-PSSessionConfiguration], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.RegisterPSSessionConfigurationCommand"

 

So, my question is if anyone knows why I get this error while registering the PSSessionConfiguration, and also if someone has a different solution for the topic.

Thanks
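
The registration error in the post comes from typing help notation literally: in cmdlet syntax, square brackets mark a parameter as optional, so `[-ShowSecurityDescriptorUI]` is parsed as a stray positional argument. The following is an added example (not code from the thread) that registers the endpoint without the brackets and, instead of the unrestricted session the post's last comment warns about, exposes only `Get-WindowsUpdate` to one group. The endpoint name, group name and paths are assumptions, and the thread does not confirm whether the update call then succeeds under the virtual account.

```powershell
# Added example. Endpoint name, group and paths are assumptions, not from the thread.
# Run elevated on the server; PSWindowsUpdate is assumed to be installed there.
$configName  = 'WindowsUpdateJEA'               # hypothetical endpoint name
$operators   = 'CONTOSO\Patch-Operators'        # hypothetical AD group
$jeaRoot     = Join-Path $env:ProgramData 'JEA'
$psscPath    = Join-Path $jeaRoot "$configName.pssc"
$transcripts = Join-Path $jeaRoot 'Transcripts'

New-Item -ItemType Directory -Path $jeaRoot, $transcripts -Force | Out-Null

# RestrictedRemoteServer hides everything except a small default set of
# commands plus what the role definition makes visible.
$pssc = @{
    Path                = $psscPath
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    ModulesToImport     = 'PSWindowsUpdate'
    TranscriptDirectory = $transcripts           # every session is transcribed here
    RoleDefinitions     = @{
        $operators = @{ VisibleCmdlets = 'Get-WindowsUpdate' }
    }
}
New-PSSessionConfigurationFile @pssc

# Validate the file before touching WinRM.
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Session configuration file failed validation: $psscPath"
}

# No square brackets: -ShowSecurityDescriptorUI is an optional switch and is
# simply left out here. Note that this restarts the WinRM service.
Register-PSSessionConfiguration -Name $configName -Path $psscPath -Force

# Check who can connect; only the group from RoleDefinitions should be listed.
Get-PSSessionConfiguration -Name $configName | Select-Object Name, Permission

# From an admin workstation, a member of the group would then connect with:
#   Invoke-Command -ComputerName <servername> -ConfigurationName WindowsUpdateJEA `
#       -ScriptBlock { Get-WindowsUpdate }
```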

 

6 Replies
Install-WindowsUpdate has a parameter Computername, so you could use it like that :

Install-WindowsUpdate -KBArticleID <kbID> -AcceptAll -Install -ComputerName server.domain.name
Thanks for the reply. Apparently that's not possible due to some limitation described in some forums:
"When you are in a remote PowerShell session your logon session on this remote computer is flagged as a "network" logon (Logon Type: 3). For some obscure (security? sell SCCM?) reason, part of the Windows Update Agent COM APIs are restricted to only be usable by locally logged on Administrators.
https://docs.microsoft.com/en-us/windows/win32/wua_sdk/using-wua-from-a-remote-computer"

So each time I run that command, I always get this error:
"Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
+ CategoryInfo : NotSpecified: (:) [Get-WindowsUpdate], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,PSWindowsUpdate.GetWindowsUpdate"

That's the reason why I need some alternative.
Hi @dmarquesgn

I think the best approach here is using WSUS in your company.
So no need for PowerShell to do that.

best response confirmed by dmarquesgn (Iron Contributor)
Solution
Thanks for the tip.
I would like to avoid WSUS, as it also has some challenges, and at the same time I would learn more on Powershell.

Meanwhile I was already able to use a command to update remotely, now I need to deal with errors and logging, which is not so good at the moment.

Set-Item WSMan:\localhost\Client\TrustedHosts -Value * -Force
$Script = {Get-WindowsUpdate -KBArticleID KB4535680 -AcceptAll -Install -Verbose | Out-File C:\Temp\PSWindowsUpdate.log}
Invoke-WUjob -ComputerName <computername> -Script $Script -Confirm:$false -RunNow
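
The solution above, reworked as an added example (not the poster's code): TrustedHosts is limited to the named servers rather than `*`, which trusts every host, and each `Invoke-WUJob` call is wrapped so failures are recorded per server. The server names and the CSV path are placeholders chosen for illustration.

```powershell
# Added example. Server names and the CSV path are placeholders (assumptions).
$servers = 'srv01.corp.example', 'srv02.corp.example'
$csvLog  = 'C:\Temp\Invoke-WUJob-results.csv'

# Trust only the servers being patched. This overwrites the current list;
# the WSMan provider also accepts -Concatenate to append instead.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($servers -join ',') -Force

# Same remote command as in the post; the install output stays on each
# server in C:\Temp\PSWindowsUpdate.log.
$script = {
    Get-WindowsUpdate -KBArticleID KB4535680 -AcceptAll -Install -Verbose |
        Out-File C:\Temp\PSWindowsUpdate.log
}

$results = foreach ($server in $servers) {
    $status = 'JobScheduled'
    $detail = ''
    try {
        # -ErrorAction Stop turns non-terminating errors into exceptions
        # so the catch block sees them.
        Invoke-WUJob -ComputerName $server -Script $script -Confirm:$false `
            -RunNow -ErrorAction Stop | Out-Null
    }
    catch {
        $status = 'Failed'
        $detail = $_.Exception.Message
    }
    [pscustomobject]@{
        Time   = Get-Date -Format o
        Server = $server
        Status = $status
        Detail = $detail
    }
}

# One row per server and run, appended so the file keeps a history.
$results | Export-Csv -Path $csvLog -NoTypeInformation -Append

# Servers that need attention.
$results | Where-Object Status -eq 'Failed'
```

`JobScheduled` only means the job was accepted on the server; whether the update installed is recorded in the remote log file written by the script block.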

@dmarquesgn 

 

great topic, would you mind sharing the code you got so far and some details of how it works?

 

cheers.

@andrefilipe90 

Hi, how are you?

To be honest, I didn't develop much more on that, as we turned to a low cost but very effective tool for that goal, which was PDQ.

 

 
