Update to Windows Management Framework 5.1 on Windows 7

mslogo3Over the weekend i read this article about PowerShell Security in the Enterprise. I decided whilst reading it, i should probably make sure my clients machines have the latest WMF installed.

Assuming this was just a KB article i searched WSUS for KB and found nothing. Reading the blog article about the 5.1 release and then the Install and Configure guidance, we see that WMF 5.1 is released to Windows 7, but, manual steps are required to install it.

The download comes as a ZIP file with a PowerShell script (Install-WMF5.1.ps1) and an MSU for the architecture of the PC.

Since i had several hundred devices to run this on, i decided i wanted to automate it. To do this, i decided to create a GPO to install the Update, and a WMI filter to target only those devices that needed the update.

Download

The WMI Filter i created checks for the version of Windows, and also the version of the PowerShell.exe file.

select * from win32_operatingsystem where version like "6.1%"

SELECT * FROM CIM_Datafile WHERE Name = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe' and VERSION like "6.1%"

WMI WMF 2.0

This will target only Windows 7 machines where the PowerShell.exe Version is like 6.1. Since WMF 2 has a PowerShell exe version of 6.1.7600.16385.

In the GPO i created two items, one a Group Policy Preference to copy the Install-WMF5.1.ps1 to the machine, and the other, a scheduled task to execute the script.

Copy File

I edited the PowerShell script to copy the MSU Package from a server to the PC, which allows us to bypass the Automatic Download Blocking (which i was getting when using the GPP to copy the MSU file to the PC in addition to the Script)

Copy Script

You could hard code that link to the UNC path, or you could set ‘server’ as a variable and use a PARAM to allow for setting this up at multiple locations.

PARAM1

param2

The scheduled task is simple enough, it is set to run as SYSTEM, the trigger is a schedule i defined (Saturday & Sunday 10am) and the Action is:

powershell.exe

-command ".\Install-WMF5.1.ps1 –AcceptEula"

Sch1

If you added a Server Param, you would also add that into the scheduled task arguments.

powershell.exe

-command ".\Install-WMF5.1.ps1 –AcceptEula –server Server1"

Sch2

I also set the ‘Start In’ value to the location of the script, as i have seen issues in the past when running a script with a space in the path.

I did not set the ‘allow reboot’ (-allowReboot) option, in case anyone was working on their machine as the script will reboot without warning when using that switch. It’s unlikely anyone would be working at that time on a Saturday of course.. except there i was.

I also set it to run again on Sunday in case the GPO did not refresh in time for Saturday.

Once the script is run, anyone logged in, or subsequently logging in would receive this message to reboot their PC.

Restart your Computer

In addition i created a second GPO and WMI, to disable the scheduled task and delete the script when the PowerShell version was 10.

SELECT * FROM CIM_Datafile WHERE Name = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe' and VERSION like "10%"

WMF 3 & 4

These instructions will work if your PCs are still using WMF 2. If you had deployed WMF 3 on your machines you will need to remove that, before WMF 5.1 can be installed.

If you are running WMF 3, then your version of PowerShell.exe will be 6.2, and your system will have KB2506143 installed.

Again you can create a Scheduled Task to remove the Update, and Prompt the User to reboot.

Wusa.exe /Uninstall /KB:2506143 /PromptRestart /Quiet /log:kb2506143.log

After removal and reboot, the version of PowerShell.exe will be back to 6.1 and our original WMI filter will kick in and the GPO to update to WMF 5 will now apply to this computer.

If you already deployed WMF 4, you simply need to run the Install script to update to WMF 5.1, predictably the version of PowerShell.exe when running WMF 4 is…. 6.3.

About Robert Pearman
Robert Pearman is a UK based Small Business Server enthusiast. He has been working within the SMB IT Industry for what feels like forever. Robert likes Piña colada and taking walks in the rain, on occasion he also enjoys writing about Small Business Technology like Windows Server Essentials or more recently writing PowerShell Scripts. If you're in trouble, and you can find him, maybe you can ask him a question.

Leave a reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: