Script to pull all updates for a particular group in WSUS

    • #182730

      I recently installed WSUS for a smaller client, with ~ 150 servers in 4 main computer groups. This past month I had someone else on the team go through and approve the updates for each of these groups. Three of them should be the same (Prod, Non-Prod, and a “download and notify only” group), but the number of updates is off on one group by a significant amount. I thought to write a script that would pull updates by computer group so I could compare, but there doesn’t seem to be an easy way to do this. I tried the following:

      But while this does return a list of updates, all of which show the Non-Prod ID in the ComputerTargetGroupID column, it returns a total of 2489 updates, which is everything approved on this WSUS server and about 100 more than is actually approved for this group. I am just curious why the discrepancy, and if anyone has a better way of defining a computer group and then pulling every update approved for just that group. In the WSUS console I can set an Update View that shows me this exact info, so there has got to be a way (I would think) to do it via PS.

    • #182742

      This is what I have used before we switched away from WSUS. Tweak it as needed.

    • #182760

      Thanks for the reply. This works, although it returns the updates approved for each computer (so 2453 updates approved for 125 computers in a group is going to return ~300,000 entries). I can certainly trim this down by just grabbing the approved updates from $ComputerTargets[0], so that gets me farther than I was. But I am surprised there is not an easier way to simply get the updates I have approved for the group itself rather than having to touch one of the members of that group. If (and I admit I don’t know why I would) I happened to have a group with updates approved but no members, I would not be able to run this. I can, however, see approved updates for an empty computer group through the console.

      Nevertheless, this at least gets me started, thanks!

      • #182970

        I have not run that first script in a few years. I wish I had a WSUS server to run against to refresh my memory. But I think I was able to just report on a single update group by specifying it on the command line. The default is “All Computers”. Here I have a fictitious group called “2008 Servers”. Yes this could have been written more cleanly, but I was a noob at the time.

        .\Report-WsusUpdatesByGroupServers.ps1 "2008 Servers" | Sort-Object ComputerName | Export-Csv -NoTypeInformation -Path .\MyApprovedUpdatesForGroup.csv

        If you have no computers in an update group, you cannot have approved updates for that group.
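
Added example, not part of the thread and not any participant's script: one way to list approvals per computer group through the WSUS administration API and diff two groups that should match. It assumes the UpdateServices module is available and that the groups are literally named `Prod` and `Non-Prod`; the function names and the output file name are made up for this example.

```powershell
# Added example, not code from the thread. Needs the UpdateServices module (WSUS role or RSAT).
function Get-WsusGroupApproval {
    param([Parameter(Mandatory)] $Wsus, [Parameter(Mandatory)] [string] $GroupName)

    $group = $Wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $GroupName }
    if (-not $group) { throw "Computer target group '$GroupName' not found." }

    # Ask the server for approvals scoped to this group only.
    $scope = New-Object Microsoft.UpdateServices.Administration.UpdateApprovalScope
    [void]$scope.ComputerTargetGroups.Add($group)

    foreach ($approval in $Wsus.GetUpdateApprovals($scope)) {
        # Defensive filter: skip any row recorded against a different group.
        if ($approval.ComputerTargetGroupId -ne $group.Id) { continue }
        $update = $Wsus.GetUpdate($approval.UpdateId)
        [pscustomobject]@{
            Group    = $GroupName
            UpdateId = $approval.UpdateId.UpdateId
            Action   = $approval.Action
            Title    = $update.Title
            Approved = $approval.CreationDate
            By       = $approval.AdministratorName
        }
    }
}

function Compare-WsusGroupApproval {
    param([object[]] $Reference = @(), [object[]] $Difference = @())
    # Key on update GUID plus action so Install vs. NotApproved counts as a difference.
    $key = { param($a) '{0}|{1}' -f $a.UpdateId, $a.Action }
    $refKeys = @{}; foreach ($a in $Reference)  { $refKeys[(& $key $a)] = $true }
    $difKeys = @{}; foreach ($a in $Difference) { $difKeys[(& $key $a)] = $true }
    # Emit rows present on one side only; the Group column says which side.
    foreach ($a in $Reference)  { if (-not $difKeys.ContainsKey((& $key $a))) { $a } }
    foreach ($a in $Difference) { if (-not $refKeys.ContainsKey((& $key $a))) { $a } }
}

$wsus    = Get-WsusServer   # local WSUS server; use -Name/-PortNumber for a remote one
$prod    = @(Get-WsusGroupApproval -Wsus $wsus -GroupName 'Prod')       # assumed group name
$nonProd = @(Get-WsusGroupApproval -Wsus $wsus -GroupName 'Non-Prod')   # assumed group name
"Prod: {0} approvals, Non-Prod: {1} approvals" -f $prod.Count, $nonProd.Count
Compare-WsusGroupApproval -Reference $prod -Difference $nonProd |
    Sort-Object Title, Group |
    Export-Csv -NoTypeInformation -Path .\ApprovalDiff.csv
```

The `Approved` and `By` columns in the CSV show when each mismatched approval was created and by which administrator account, which helps trace how the groups drifted apart.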
