使用 PowerShell 远程安装 Windows 更新。 （一些 PowerCLI）

Question

I am having a problem with a script for remote windows updates. My goal: update all the windows servers, without using WSUS or SCCM, from PowerShell without having to log into all of them and start the update process.

For my script I am using powercli and PSWindowsUpdate modules. For test purposes I am using a single host in the $hostname variable.

So here is what I have.

$Cred = Get-Credential
Import-Module PSWindowsUpdate
Invoke-Command -ComputerName $HostName {Import-Module PSWindowsUpdate} -Verbose -Credential $Cred
Invoke-Command -ComputerName $HostName {Add-WUServiceManager -ServiceID 7971f918-a847-4430-9279-4a52d1efe18d -Confirm:$false} -Verbose -Credential $Cred
Invoke-Command -ComputerName $HostName -ScriptBlock {Get-WUInstall -MicrosoftUpdate -IgnoreUserInput -AcceptAll -AutoReboot -Confirm:$FALSE -Verbose | Out-File C:\Setup\PSWindowsUpdate.log } -credential $cred
Get-Content \\$HostName\c$\Setup\PSWindowsUpdate.log

After running the script everything works from the shut down, snapshot, power on but I can't install any updates. I am getting the error below :

WARNING: To perform some operations you must run an elevated Windows PowerShell console.
WARNING: Can't access to machine "hostName". Try use: winrm qc

As I was searching I see that I can not make any elevation in PowerShell itself and I am reading some posts about running a CMD bat to start PowerShell in elevated rights. It is not a problem for me to copy to every windows server the update script and have a batch to run it in elevated rights but is this the only way?

I will do the batch solution to see what I can achieve but is there any other solution in the problem I am facing? Has anyone tried that out?

Thank you very much for your time! I am also open for any comment on my code or fixes!

Answer 1

If Admin right, elevated prompts are your issue, the following may help you.

PS Code to check if running as an Administrator. If not, It will relaunch as an Administrator.

If (-Not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
    $Arguments = "& '" + $MyInvocation.MyCommand.Definition + "'"
    Start-Process Powershell -Verb RunAs -ArgumentList $Arguments
    Break
}

You will also likely need to modify ConsentPromptBehaviorAdmin at HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ in the Registry

-

Here is a simple BAT file that will will get around the PS Execution policy and then launch the PS Script (Assuming they are named the same).

REG ADD "HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" /T REG_SZ /V ExecutionPolicy /D Unrestricted /F

Start PowerShell.exe -Command "& '%~dpn0.ps1'"

Add the end of your PS Script you can use Set-ExecutionPolicy -ExecutionPolicy Restricted -Scope LocalMachine -Force to set the execution policy back to restricted or what you have ti set to.

Answer 2

I ran into this issue when trying to import modules on remote machines using Invoke-Command . There's a security function that doesn't allow you to do it. You might try running the following to see if you're more successful at importing a new module.

$myPsSession = New-PSSession -ComputerName $HostName
Import-Module -Name PSWindowsUpdate -PSSession $myPsSession

Answer 3

I went with the task scheduler solution as it seems easier.

I created a script named WUpdates.ps1

$Timestamp=((Get-Date).ToString('dd_MM_yyyy_HH_mm'))
Import-Module PSWindowsUpdate -Verbose
Add-WUServiceManager -ServiceID 7971f918-a847-4430-9279-4a52d1efe18d -Confirm:$false -Verbose
Get-WUInstall -MicrosoftUpdate -IgnoreUserInput -AcceptAll -AutoReboot -Confirm:$FALSE -Verbose | Format-Table -AutoSize | Out-File C:\Setup\WUpdates\PSWindowsUpdate_$Timestamp.log

and a script to create a schedule task named WinUpdateScheduler.ps1

Unregister-ScheduledTask -TaskName "WindowsUpdates" -Confirm:$False    
$Action = New-ScheduledTaskAction -Execute C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Argument '-f "C:\Setup\WUpdates\WUpdates.ps1"'
$Trigger =  New-ScheduledTaskTrigger -Once -At (get-date).AddSeconds(30)
Register-ScheduledTask -Action $Action -Trigger $Trigger -RunLevel Highest -User system -TaskName "WindowsUpdates" -Description "Running Windows updates."

then in the main script I call the schedule script and have my updates installed.

Invoke-Command -ComputerName $HostName { c:\setup\WUpdates\WinUpdateScheduler.ps1 } -Credential $Cred

If anyone want the full script I can provide it. As of the Nixphoe and Backin answers, I will check them and I will come back later to comment on them.

Thank you very much for your time.

Answer 4

Invoke-WUInstall -ComputerName Test-1 -Script { ipmo PSWindowsUpdate; Get-WUInstall -AcceptAll | Out-File C:\PSWindowsUpdate.log } 
-Confirm:$false –Verbose

https://4sysops.com/archives/install-windows-updates-remotely-with-the-powershell/