Criteria strings

These are a bit of a shit show:

Each criterion specifies an update property name and value. With some restrictions, multiple criteria can be connected with the AND and OR operators. The = (equal) and != (not-equal) operators are both supported. When you use Windows Update Agent (WUA), the != (not-equal) operator can be used only with the type criterion.

To quickly verify that your incantation meets Microsoft's arbitrary standards, run it against this:

function WUSearch([string]$criteria) {
  $session = New-Object -ComObject "Microsoft.Update.Session"
  $searcher = $session.CreateUpdateSearcher()
  return $searcher.Search($criteria)

$result = WUSearch "IsAssigned=1"


This is a pretty good base for understanding what your criteria's matching:

$result.Updates | Format-Table -AutoSize -Property `
    @{ Label = "KBArticleIDs"; Expression = { $_.KBArticleIDs | % { "KB$($_)" } } }, `
    MsrcSeverity, IsAssigned, BrowseOnly, IsMandatory, IsBeta, RebootRequired, IsUninstallable, `
    @{ Label = "Categories"; Expression = { $_.Categories | % { "$($_.Type): $($_.Name)" } } }

Note that properties used in your search query won't have values in the results. Helpful.


The Windows Update API is exposed via COM. Key objects:

  • Microsoft.Update.Session serves as a sort of transaction manager for the operation.
    • CreateUpdateSearcher() yields an IUpdateSearcher.
  • Microsoft.Update.IUpdateSearcher performs catalog searches.
    • Search(string criteria) searches synchronously, returning an ISearchResult.
  • Microsoft.Update.ISearchResult lets you poke at available updates:
    • ResultCode gives you an OperationResultCode indicating whether it worked or not.
    • Updates is an array of IUpdate objects.

Enabling Microsoft Update programmatically

As Administrator:

$serviceManager = New-Object -Com Microsoft.Update.ServiceManager
$serviceManager.ClientApplicationID = "acme-corp/enterprisinator9001"
$serviceManager.AddService2("7971f918-a847-4430-9279-4a52d1efe18d", 7, "")