Update to Windows Management Framework 5.1 on Windows 7
July 31, 2017
Over the weekend I read this article about PowerShell Security in the Enterprise. While reading it, I decided I should probably make sure my clients' machines have the latest WMF installed.
Assuming this was just a KB article, I searched WSUS for the KB and found nothing. Reading the blog article about the 5.1 release and then the Install and Configure guidance, we see that WMF 5.1 is released for Windows 7, but manual steps are required to install it.
The download comes as a ZIP file with a PowerShell script (Install-WMF5.1.ps1) and an MSU for the architecture of the PC.
Since I had several hundred devices to run this on, I decided to automate it. To do this, I created a GPO to install the update, and a WMI filter to target only those devices that needed the update.
The WMI filter I created checks the version of Windows, and also the version of the PowerShell.exe file.
select * from win32_operatingsystem where version like "6.1%"
SELECT * FROM CIM_Datafile WHERE Name = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe' and VERSION like "6.1%"
This will target only Windows 7 machines where the PowerShell.exe version is like 6.1, since WMF 2 has a PowerShell.exe version of 6.1.7600.16385.
In the GPO I created two items: one a Group Policy Preference to copy Install-WMF5.1.ps1 to the machine, and the other a scheduled task to execute the script.
I edited the PowerShell script to copy the MSU package from a server to the PC, which allows us to bypass the Automatic Download Blocking (which I was getting when using the GPP to copy the MSU file to the PC in addition to the script).
You could hard-code that link to the UNC path, or you could set ‘server’ as a variable and use a PARAM to allow for setting this up at multiple locations.
The scheduled task is simple enough: it is set to run as SYSTEM, the trigger is a schedule I defined (Saturday & Sunday 10am), and the action is:
powershell.exe
-command ".\Install-WMF5.1.ps1 -AcceptEula"
If you added a Server param, you would also add that to the scheduled task arguments:
powershell.exe
-command ".\Install-WMF5.1.ps1 -AcceptEula -server Server1"
I also set the ‘Start In’ value to the location of the script, as I have seen issues in the past when running a script with a space in the path.
I did not set the ‘allow reboot’ (-allowReboot) option, in case anyone was working on their machine, as the script will reboot without warning when using that switch. It’s unlikely anyone would be working at that time on a Saturday of course... except there I was.
I also set it to run again on Sunday in case the GPO did not refresh in time for Saturday.
Once the script has run, anyone logged in, or subsequently logging in, would receive this message to reboot their PC.
In addition, I created a second GPO and WMI filter to disable the scheduled task and delete the script when the PowerShell version was 10.
SELECT * FROM CIM_Datafile WHERE Name = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe' and VERSION like "10%"
WMF 3 & 4
These instructions will work if your PCs are still using WMF 2. If you had deployed WMF 3 on your machines, you will need to remove that before WMF 5.1 can be installed.
If you are running WMF 3, then your version of PowerShell.exe will be 6.2, and your system will have KB2506143 installed.
Again, you can create a scheduled task to remove the update and prompt the user to reboot.
Wusa.exe /Uninstall /KB:2506143 /PromptRestart /Quiet /log:kb2506143.log
After removal and reboot, the version of PowerShell.exe will be back to 6.1, our original WMI filter will kick in, and the GPO to update to WMF 5.1 will now apply to this computer.
If you already deployed WMF 4, you simply need to run the install script to update to WMF 5.1. Predictably, the version of PowerShell.exe when running WMF 4 is... 6.3.
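The version checks behind the two WMI filters and the WMF 3 & 4 notes above can be tried on a single machine before the GPOs are linked. The following is an added example, not part of the original post or of Install-WMF5.1.ps1; the function name Get-WmfAction and its action labels are hypothetical, the sample versions other than 6.1.7600.16385 are constructed, and it is written to run on PowerShell 2.0.

```powershell
# Added example; Get-WmfAction and its action labels are hypothetical names.
# Written for PowerShell 2.0 so it runs on an unpatched Windows 7 machine.
function Get-WmfAction {
    param(
        [Parameter(Mandatory = $true)][string]$OsVersion,
        [Parameter(Mandatory = $true)][string]$PowerShellExeVersion
    )
    # Same test as the first filter query: Windows 7 reports 6.1.x.
    if ($OsVersion -notmatch '^6\.1\.') { return 'OutOfScope' }

    # Anchor on "major.minor." so a value such as 6.10.x cannot pass as 6.1.
    switch -Regex ($PowerShellExeVersion) {
        '^6\.1\.' { return 'InstallWmf51' }          # WMF 2
        '^6\.2\.' { return 'RemoveKB2506143First' }  # WMF 3
        '^6\.3\.' { return 'InstallWmf51' }          # WMF 4
        '^10\.'   { return 'DisableTaskAndCleanUp' } # already updated
        default   { return 'Unknown' }
    }
}

# Constructed sample values: (OS version, powershell.exe version).
$samples = @(
    @('6.1.7601',   '6.1.7600.16385'),
    @('6.1.7601',   '6.2.9200.0'),
    @('6.1.7601',   '6.3.9600.0'),
    @('6.1.7601',   '10.0.14409.0'),
    @('10.0.14393', '10.0.14393.0')
)
foreach ($s in $samples) {
    $action = Get-WmfAction -OsVersion $s[0] -PowerShellExeVersion $s[1]
    '{0,-11} {1,-15} -> {2}' -f $s[0], $s[1], $action
}

# Live check using the same WMI classes as the GPO filters.
# Backslashes are doubled because WQL treats "\" as an escape character.
$exe  = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
$os   = (Get-WmiObject -Query 'SELECT Version FROM Win32_OperatingSystem').Version
$file = (Get-WmiObject -Query "SELECT Version FROM CIM_DataFile WHERE Name = '$exe'").Version
if ($os -and $file) {
    "This machine: $os / $file -> " + (Get-WmfAction -OsVersion $os -PowerShellExeVersion $file)
} else {
    'This machine: version lookup failed -> Unknown'
}
```

A result of Unknown on a real machine means neither filter would match it, so it would need to be handled by hand.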