PowerShell Script to Change Windows Update Settings

Mark Berry March 12, 2015

I’ve already posted a script to show Windows Update settings. What if you want to change the settings? In particular, I needed to be able to use MAXfocus Site Automated Tasks to change the NotificationLevel so I could control when downloads and updates happen.

The script requires one numeric parameter for NotificationLevel:

1 – Never check for updates
2 – Check for updates but let me choose whether to download and install them
3 – Download updates but let me choose whether to install them
4 – Install updates automatically

In my case, to enforce a download window of 3:00 to 7:00am, I set the NotificationLevel to 4 at 3:00am, then back to 2 at 7:00am.

The script displays the settings in effect after they have been changed.

Note that the script will not work if you are controlling Windows Update through group policy. You’ll need to set the group policy items to Not Configured to allow the script to make changes.
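
A pre-flight check for the group policy caveat above, as an added example that is not part of the original script. It assumes the standard Windows Update policy value names (NoAutoUpdate, AUOptions, ScheduledInstallDay, ScheduledInstallTime) under the AU policy key and the ReadOnly property of the settings object; the function name Test-WindowsUpdatePolicyControl is hypothetical.

```powershell
# Added example: check whether a NotificationLevel change can take effect
# before attempting it. Not part of the original script.
function Test-WindowsUpdatePolicyControl {
  [CmdletBinding()]
  param(
    # Same 1-4 range the post documents for NotificationLevel.
    [Parameter(Mandatory = $true)]
    [ValidateRange(1, 4)]
    [Int]$NotificationLevel
  )

  $auKey = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'
  # Policy values that override settings saved through the COM object.
  # The key's existence alone proves nothing: the script on this page creates
  # it for NoAutoRebootWithLoggedOnUsers, so look for specific values instead.
  $policyNames = 'NoAutoUpdate', 'AUOptions', 'ScheduledInstallDay', 'ScheduledInstallTime'

  $found = @()
  if (Test-Path -Path $auKey) {
    $props = Get-ItemProperty -Path $auKey
    foreach ($name in $policyNames) {
      if ($null -ne $props.$name) {
        $found += [PSCustomObject]@{ Name = $name; Value = $props.$name }
      }
    }
  }

  $settings = (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Settings

  [PSCustomObject]@{
    RequestedLevel   = $NotificationLevel
    CurrentLevel     = [int]$settings.NotificationLevel
    SettingsReadOnly = [bool]$settings.ReadOnly   # true when the settings cannot be changed
    PolicyValues     = $found
    SafeToChange     = (-not $settings.ReadOnly) -and ($found.Count -eq 0)
  }
}

$check = Test-WindowsUpdatePolicyControl -NotificationLevel 4
$check | Format-List
if (-not $check.SafeToChange) {
  Write-Warning 'Windows Update is policy-controlled or read-only; the change would not take effect.'
  exit 1001   # same failure code the script on this page reports to the dashboard
}
```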

Important: The script sets most Windows Update settings to hard-coded values. It even creates a local policy registry key to set NoAutoReboot. If you want to use other values, you’ll need to modify them in the script.

The Script

And here’s the script:

<#
.Synopsis
  Set the Microsoft auto-update settings for the local computer.  
  - Use a parameter to set NotificationLevel (allows disabling/enabling 
    downloads and updates via script).  
  - Set other values to hard-coded defaults.
  List settings after any changes.
  
  Adapted from http://stackoverflow.com/questions/9612609

  Copyright (c) 2015 by MCB Systems. All rights reserved.
  Free for personal or commercial use.  May not be sold.
  No warranties.  Use at your own risk.

.Notes 
    Name:       MCB.WindowsUpdate.SetSettings.ps1
    Author:     Mark Berry, MCB Systems
    Created:    03/12/2015
    Last Edit:  03/12/2015

    Changes:
    03/12/2015 - Initial release.
    
    03/13/2015 - Make ScheduledInstallationTime an optional parameter 
                 and set default to 4am.  Since current usage changes 
                 to auto-update just after 3am, setting install time
                 to 4am should allow same-day install.
                 Rename script to reflect that it sets _all_ settings.
#>

param(
  [Parameter(Mandatory = $true,
                    Position = 0,
                    ValueFromPipelineByPropertyName = $true)]
  [Int]$NotificationLevel,

  [Parameter(Mandatory = $false,
                    Position = 1,
                    ValueFromPipelineByPropertyName = $true)]
  [Int]$ScheduledInstallationTime=4,
  
  [Parameter(Mandatory = $false,
                    Position = 2,
                    ValueFromPipelineByPropertyName = $true)]
  [String]$LogFile=""
)

[Boolean]$ErrFound = $false

Write-Host -NoNewLine ("Microsoft AutoUpdate settings on " + $env:COMPUTERNAME + " after update by this script:")

try {

  # Set other values using the Microsoft.Update.AutoUpdate COM object
  $objAutoUpdateSettings = (New-Object -ComObject "Microsoft.Update.AutoUpdate").Settings
  $objAutoUpdateSettings.NotificationLevel = $NotificationLevel
  $objAutoUpdateSettings.ScheduledInstallationDay = 0
  $objAutoUpdateSettings.ScheduledInstallationTime = $ScheduledInstallationTime
  $objAutoUpdateSettings.IncludeRecommendedUpdates = $true
  $objAutoUpdateSettings.NonAdministratorsElevated = $true
  $objAutoUpdateSettings.FeaturedUpdatesEnabled = $true
  $objAutoUpdateSettings.save()

  $objSysInfo = New-Object -ComObject "Microsoft.Update.SystemInfo"
  $objAutoUpdateSettings
  "Reboot required               : " + $objSysInfo.RebootRequired

  # NoAutoReboot can apparently only be set by policy, so set and report that here.
  # Reference: https://technet.microsoft.com/en-us/library/cc720464%28v=ws.10%29.aspx.
  New-Item -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU -Force | Out-Null
  New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU -Name NoAutoRebootWithLoggedOnUsers -Value 1 -PropertyType DWORD -Force | Out-Null
  Write-Host -NoNewLine ("NoAutoRebootWithLoggedOnUsers : ")
  try {
    # If Get-ItemProperty fails, value is not in registry. Do not fail entire script. 
    # "-ErrorAction Stop" forces it to catch even a non-terminating error.
    $output = Get-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU -Name NoAutoRebootWithLoggedOnUsers -ErrorAction Stop
    switch ($output.NoAutoRebootWithLoggedOnUsers)
    {
      0 {"False (set in registry)"}
      1 {"True (set in registry)"}
    }
  }
  catch { 
    "Unknown (local policy registry value not found)" 
  }
  
  # The rest of this is just static info on the meaning of various Settings.
  ""
  "NotificationLevel:"
  "1 - Never check for updates"
  "2 - Check for updates but let me choose whether to download and install them"
  "3 - Download updates but let me choose whether to install them"
  "4 - Install updates automatically"
  ""
  "ScheduledInstallationDay"
  "0 - Every day"
  "1-7 - Sunday through Saturday"
  "Note:  On Windows 8/2012 and later, ScheduledInstallationDay and"
  "       ScheduledInstallationTime are only reliable if the values" 
  "       are set through Group Policy."
  ""
  "Script execution succeeded"
  $ExitCode = 0
}
catch {
  ""
  $error[0]
  ""
  "Script execution failed"
  $ExitCode = 1001 # Cause script to report failure in GFI dashboard
}

""
"Local Machine Time:  " + (Get-Date -Format G)
"Exit Code: " + $ExitCode
Exit $ExitCode


3 Comments

  1. Print Detailed Windows Update Information | MCB Systems   |  January 14, 2016 at 11:13 am

    […] this year, I wrote about how to show and change Windows Update settings on a machine using PowerShell. But sometimes you need to know more about a […]

  2. Kenny   |  September 23, 2016 at 8:35 am

    hi,
    great script. I’m not too familiar with scripting, but I need this script to disable Windows 10 update during business hours 7 am to 7 pm but enable and run it only between 7pm and 7 am. Can you help me edit your script to work this way?

    thanks,
    Kenny

  3. Mark Berry   |  September 23, 2016 at 8:54 am

    Kenny, I haven’t played with Windows 10 updating too much, but I don’t think it allows disabling updates this way. I’ve heard that you can tell it that it is on a “metered connection” to temporarily disable updates, but I haven’t tried that.
