Keeping Windows devices up to date is critical for security, stability, and compliance. For IT administrators and power users, PowerShell provides a fast, scriptable, and repeatable way to check Windows Update status across individual machines or entire environments.
This guide explains multiple methods to check Windows Updates using PowerShell, covering Windows 10 and Windows 11, including Intune- and MDM-managed devices.
Why Use PowerShell for Windows Updates?
Using PowerShell allows you to:
- Check pending updates without using the GUI
- Automate update checks across multiple devices
- Troubleshoot Windows Update issues remotely
- Integrate update checks into scripts and monitoring tools
For managed environments, this is far more efficient than manual checks via Settings → Windows Update.
Method 1: Check Pending Updates Using PSWindowsUpdate (Recommended)
The PSWindowsUpdate module is the most reliable and feature-rich way to manage Windows Updates via PowerShell.
Install the module (first time only)
Install-Module PSWindowsUpdate -Force
Import-Module PSWindowsUpdate
List available Windows Updates
Get-WindowsUpdate
Include Microsoft Updates (Office, Defender, etc.)
Get-WindowsUpdate -MicrosoftUpdate
Simulate update installation (no changes made)
Get-WindowsUpdate -AcceptAll -Install -WhatIf
✅ Best for administrators managing multiple systems or servers.
Method 2: Check if a Reboot Is Required
After updates install, Windows may require a reboot. You can quickly verify this using:
Get-WURebootStatus
This command returns whether a restart is pending due to Windows Updates.
Method 3: Check Windows Update Service Status
Windows Updates rely on the Windows Update service (wuauserv).
Check service status
Get-Service wuauserv
Start the service if stopped
Start-Service wuauserv
If this service is not running, Windows Update checks will fail.
Method 4: View Recently Installed Updates
To see which updates were installed most recently:
Get-HotFix | Sort-Object InstalledOn -Descending
This is useful for:
- Verifying patch deployment
- Troubleshooting post-update issues
Method 5: Check Updates Without Installing Modules (WMI/CIM)
If installing PowerShell modules is restricted, you can use built-in WMI/CIM commands:
Get-CimInstance -Namespace "root\\cimv2" -ClassName Win32_QuickFixEngineering
⚠️ This method only shows installed updates, not pending ones.
Method 6: Trigger a Windows Update Scan
On Windows 10 and Windows 11, you can force an update scan using UsoClient.
UsoClient StartScan
Additional useful commands:
UsoClient StartDownload
UsoClient StartInstall
UsoClient RestartDevice
These commands are particularly useful for Intune- or MDM-managed devices.
Method 7: Generate Windows Update Logs
To create a readable Windows Update log:
Get-WindowsUpdateLog
This generates WindowsUpdate.log on the desktop, which is helpful for deeper troubleshooting.
Method 8: Intune / MDM Device – Force Policy Sync
For devices managed by Microsoft Intune or another MDM solution, you may want to force a sync before checking updates.
dsregcmd /status
Then trigger enrollment and sync:
Start-Process "C:\\Windows\\System32\\deviceenroller.exe" -ArgumentList "/c /AutoEnrollMDM"
Best Practice Recommendations
| Scenario | Recommended Method |
|---|---|
| Enterprise / Managed IT | PSWindowsUpdate module |
| Quick health check | Get-HotFix + Get-WURebootStatus |
| Intune-managed devices | UsoClient StartScan |
| Locked-down systems | WMI/CIM method |
Final Thoughts
PowerShell gives administrators complete visibility and control over Windows Updates. Whether you are managing a single workstation or hundreds of endpoints, these commands help you check update status quickly, automate patch management, and troubleshoot update issues efficiently.
If you manage Windows devices in a business environment, consider combining these commands with Intune policies, scheduled scripts, or monitoring tools for a fully automated patching strategy.
Need help automating Windows Updates or managing devices securely? A managed IT services provider can help ensure your systems stay patched, compliant, and protected.
