
How To Update and Patch Nano Server with PowerShell? #NanoLove #WS2016


In the unlikely event that you have not heard (unless you have been living under a rock), Windows Server 2016 TP5 is now available for download.


What do you do after you install Windows Server? Update it, of course!

At day-0, Microsoft released Cumulative Update for Windows Server 2016 Technical Preview 5: KB3158663.

This KB is very important, because it is a security update that includes improvements and fixes in the functionality of Windows Server 2016 Technical Preview 5.

How to get this update?

Option 1: You can run Windows Update on your Windows Server 2016 TP5, the update is downloaded and installed automatically for you.

Option 2: You can get the stand-alone package for this update, by going to the Microsoft Update Catalog website.

How to install this update on Nano Server?

Patching and updating a Nano Server is a little different from patching a traditional Windows Server. Starting with Windows Server 2016 Technical Preview 4, Microsoft added a Windows Update (WU) WMI provider that can be used to scan for and install updates. You patch a LOT less with Nano Server, but you still need to patch.

There are multiple options to install Windows update:

Option 1: Online using Windows Update (WU) WMI provider.

Option 2: Windows Server Update Services (WSUS).

Option 3: Download the update on another machine, copy it over, and then use DISM to apply the package.

In this post, I will cover Option 3, since my Nano Servers are not connected to the Internet and I don’t have WSUS in place. However, if you are interested in Option 1 and Option 2, please make sure to follow the step by step guide here.

Step 1 – Download the update

Manually download the update from the Microsoft Update Catalog website (89.6MB) and copy it to your management machine.

Step 2 – Connect to Nano Server

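In this step, we will connect to Nano Server using PowerShell Remoting and then query the installed packages.

# Workgroup environment; we need to modify the TrustedHosts list
Enable-PSRemoting -Force
# CredSSP is only needed for second-hop credential delegation;
# the session opened below does not request it.
Set-Item wsman:\localhost\client\auth\CredSSP -Value true -Force
Enable-WSManCredSSP -Force -Role Server
# A wildcard trusts every host in 10.0.0.x without verifying its identity;
# narrow it to the Nano Server address where you can.
Set-Item wsman:\localhost\client\trustedhosts -Value "10.0.0.*"
Restart-Service winrm

$NanoIP = ""
# Connect to Nano Server
$S = New-PSSession -ComputerName $NanoIP -Credential ~\Administrator
Enter-PSSession $S
# List installed packages whose name contains "Fix" (the Rollup Fix)
Get-WindowsPackage -Online | Where-Object {$_.PackageName -like "*Fix*"}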


As you can see, we don’t have any package or security update installed.

I have another system on which I already installed this Rollup Fix; by running Get-WindowsPackage -online there, we can see that the update is installed.


Step 3 – Copy the update

To install this update, we need to expand the MSU file first and extract the CAB file.

In order to do so, please run the following command on your management machine:

Expand -f:* C:\ <destination folder to copy extracted files>


As you can see, the CAB file is extracted.

Next, we need to copy the package over PowerShell remote session without the need to use network shares!

And if Nano Server is hosted in a VM, you can leverage PowerShell Direct and copy the same without network as well.

Please run the following command to copy the cab file:

Copy-Item -ToSession $S -Path C:\ -Destination C:\

If we connect to Nano Server, we can see the package is copied over.


Step 4 – Apply the update

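There are two options to apply the CAB file with DISM: online, against the running Nano Server, or offline, against the mounted image. I will cover both options. The first command below is the online option, and the three commands after it are the offline sequence: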


Dism.exe /online /add-package /packagepath:C:\ /norestart


Dism.exe /Mount-Image /ImageFile:<image path > /Index:1 /MountDir:<Mount Directory path>

Dism.exe /image:<mounted path> /add-package /packagepath:<path to the cab file>

Dism.exe /Unmount-Image /MountDir:<Mount Directory path> /Commit

The offline option requires you to shut down Nano Server first, mount the VHD(X), add the package, and then commit.

Let’s install the package now using the online option:


The operation completed successfully!

Step 5 – Confirm the update

We will confirm that the Rollup Fix is installed by running the following command in a Nano remote session:

Get-WindowsPackage -online | Where-Object {$_.PackageName -like "*Fix*"}


As you can see the update is installed but the state is still Pending.

For this package to get applied, we need to reboot Nano Server.

You can restart Nano Server using PowerShell (Restart-Computer) or by using Nano Recovery Console (Ctrl+F6).


Let’s check the package state after the reboot…


As you can see the update is fully Installed now.
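
Steps 3 to 5 can also be run as one script from the management machine. The following is an added example, not code from the original post: it checks the CAB's Authenticode signature and compares SHA-256 hashes on both sides of the copy before DISM touches the package. The bracketed paths and address are placeholders, and it assumes the CAB is signed with a chain the management machine trusts and that Get-FileHash is available on the Nano Server.

```powershell
# Added example (not from the original post). Run on the management machine.
# Placeholders: replace the bracketed values with your own.
$CabPath   = 'C:\<folder>\<extracted package>.cab'  # CAB from Step 3
$NanoIP    = '<Nano Server IP>'
$RemoteDir = 'C:\'

# 1. Stop if the CAB does not carry a valid Authenticode signature.
$sig = Get-AuthenticodeSignature -FilePath $CabPath
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for ${CabPath}: $($sig.Status)"
}
"Signed by: $($sig.SignerCertificate.Subject)"

# 2. Hash the file before it leaves the management machine.
$localHash = (Get-FileHash -Path $CabPath -Algorithm SHA256).Hash

# 3. Copy over the remoting session (no network share), as in Step 3.
$S = New-PSSession -ComputerName $NanoIP -Credential (Get-Credential)
Copy-Item -ToSession $S -Path $CabPath -Destination $RemoteDir
$remoteCab = Join-Path $RemoteDir (Split-Path $CabPath -Leaf)

# 4. Re-hash on the Nano Server and compare.
#    Assumption: Get-FileHash is available in the Nano Server session.
$remoteHash = Invoke-Command -Session $S -ArgumentList $remoteCab -ScriptBlock {
    param($cab)
    (Get-FileHash -Path $cab -Algorithm SHA256).Hash
}
if ($remoteHash -ne $localHash) { throw "Hash mismatch after copy: $remoteCab" }

# 5. Apply online (Step 4) and return DISM's exit code with its output.
$result = Invoke-Command -Session $S -ArgumentList $remoteCab -ScriptBlock {
    param($cab)
    $log = Dism.exe /online /add-package "/packagepath:$cab" /norestart
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Log = $log }
}
$result.Log
# 0 = success; 3010 = success, restart required.
if ($result.ExitCode -notin 0, 3010) { throw "DISM failed: $($result.ExitCode)" }

# 6. Show the package state (Step 5); a pending install needs a restart.
Invoke-Command -Session $S -ScriptBlock {
    Get-WindowsPackage -Online | Where-Object PackageName -like '*Fix*' |
        Select-Object PackageName, PackageState
}
```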

Happy Patching!

Hope that helps,


About the Author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect, Swiss Certified ICT Security Expert, Certified Cloud Security Professional (CCSP), Certified Information Security Manager (CISM), Microsoft Most Valuable Professional (MVP), and Microsoft Certified Trainer (MCT). He has over 20 years of broad IT experience serving on and guiding technical teams to optimize the performance of mission-critical enterprise systems with extensive practical knowledge of complex systems build, network design, business continuity, and cloud security.
