How to Install Windows Updates on Remote Computer with PowerShell

Question

I'm trying to install Windows Updates on a Remote Computer with this command:

$InstallSplat = @{
    AcceptAll = $true
    SendReport = $true
    IgnoreReboot = if ($Reboot) { $false } else { $true }
    PSWUSettings = @{
        SmtpServer = "my mail server"
        From = "myfrom <myfrom@myfrom.com>"
        To = "myto <myto@myto.com>"
        Port = 25
    }
}

Invoke-Command -ComputerName $_ -Credential $cred -AsJob -ArgumentList $InstallSplat -ScriptBlock { 
    param([hashtable]$InstallSplat)
    Import-Module PSWindowsUpdate
    Install-WindowsUpdate @InstallSplat
    $Error | out-file C:\install\installwinupdate.log -Append
}

I pass a credential Object with domain admin privileges in $cred but I still always get this error

Install-WindowsUpdate : Access denied (Ausnahme von HRESULT: 0x80070005 (E_ACCESSDENIED)) In Zeile:4 Zeichen:25
+                         Install-WindowsUpdate @InstallSplat
+                         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WindowsUpdate], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,PSWindowsUpdate.GetWindowsUpdate

The Command Install-WindowsUpdate itself does not have a credential parameter I could use. The Command needs to run in an elevated PowerShell, but I use an elevated PowerShell when starting this command on my Computer.

I Also tried creating a New-PSSession with my $cred and run Invoke-Command -Session $session instead of Invoke-Command -ComputerName $_ with the same result.

Does anybody know what's happening here? Why do I get Access denied?

It can't have anything to do with passing the $InstallSplat because the same thing happens if I don't pass any parameter at all and write the parameters and their Values directly at the command instead of splatting.

Possible duplicate of [PowerShell Splatting the Argumentlist on Invoke-Command](https://stackoverflow.com/questions/28234509/powershell-splatting-the-argumentlist-on-invoke-command) — Guenther Schmitz, Oct 26 '19 at 10:52
@GuentherSchmitz Ok no it's definetly not a duplicate. the same thing happens If I don't pass anything to invoke-command and don't use splatting at all (just tested that). — SimonS, Oct 26 '19 at 11:33
according to https://community.spiceworks.com/topic/954498-windows-update-module-for-powershell-access-denied-on-remote-pc-in-workgroup it is a security feature. the link within that post https://serverfault.com/questions/473991/run-remote-powershell-as-administrator shows some have done it using JEA. — Guenther Schmitz, Oct 26 '19 at 11:37
@GuentherSchmitz So I won't be able to download WinUpdates on a RemoteMachine, even though they get their Updates From WSUS Server? That's really a pity — SimonS, Oct 26 '19 at 11:45
that's what i read from the posts - can test this on monday or later today on my environment and report back to you — Guenther Schmitz, Oct 26 '19 at 11:46
@GuentherSchmitz I think I will create a Scheduled Task for Downloading and Installing Updates on each of my machines and start these tasks remotely. a bit uglier than what i would have wished for, but could be a workaround. I'll test that now. Thanks for your help — SimonS, Oct 26 '19 at 11:51
this seems to be what the module command `invoke-wuinstall` does https://4sysops.com/archives/install-windows-updates-remotely-with-the-powershell/ — Guenther Schmitz, Oct 26 '19 at 11:55
if you remote to that machine with `Enter-PSSession` and then try `Install-WindowsUpdate` , does that give you the same result ? That should narrow it down a bit to what type of issue you are dealing with there. — Vasil Nikolov, Oct 26 '19 at 12:01
@VasilSvilenovNikolov The Problem is, I want to run the commands simultaneously on all my servers, because the Endgoal is to have a script that does all Windows Updates on all Servers and then restart them in a specific order. I guess though Guenther and I are on the correct track, I think the problem is identified. I will try my luck with Invoke-WUInstall now. — SimonS, Oct 26 '19 at 12:06
@GuentherSchmitz OK I got the solution now, thanks for your hints. Can you please remove your first comment? Then the duplicate message at the beginning of my question would disappear :) thanks! — SimonS, Oct 26 '19 at 14:20
Does this answer your question? [Powershell Remote: Microsoft.Update.Session, Access Denied: 0x80070005](https://stackoverflow.com/questions/7078958/powershell-remote-microsoft-update-session-access-denied-0x80070005) — argonym, Apr 21 '22 at 09:38

SimonS · Accepted Answer · 2019-10-26T14:29:26.347

The Problem was, that you can't Download or Install Updates on a machine from another remote machine. Here's a list what you can or can't do remotely when it comes to Windows Updates

The solution is, to create a scheduled task on each server you want to install updates from a remote script, and start that task.

luckily, when you use the PSWindowsUpdate module, you don't have to do that yourself, you can just use Invoke-WUJob (formerly Invoke-WUInstall) which does the trick for you.

I used it like so ($ServerData.Value contains a list of my Servers) and it works like a charm. It creates a scheduled task on each server, and runs them immediately, if you add the -RunNow Parameter.

invoke-WUJob -ComputerName $ServerData.Value -Script { Import-Module PSWindowsUpdate ; Install-WindowsUpdate -AcceptAll -SendReport -IgnoreReboot -PSWUSettings @{From='xy';Port=25;SmtpServer='xy';To='xy'} | Out-File C:\install\PSWindowsUpdateLog.txt -Append} -Confirm:$false -verbose -RunNow

Note that what you specify as a script block in -Script will be pasted to -Command " <here> " in your scheduled task, so you should work with ' inside -Script.

Check [this answer](https://stackoverflow.com/a/60046097) for a more elegant alternative to the scheduled tasks workaround. — argonym, Apr 21 '22 at 09:40

How to Install Windows Updates on Remote Computer with PowerShell

1 Answers1