WSUS: Managing Groups with PowerShell

In this post, I will show how to use PowerShell to manage the Target Groups in WSUS.  Using PowerShell, you can Create and Delete groups and Add/Remove clients from groups.

First, we need to setup our connection to our WSUS server:

$wsusserver = 'dc1'
#Load required assemblies            
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer($wsusserver,$False)

Create Target Group

We will be using the CreateComputerTargetGroup() method to create our group. There are two different ways to use this method, one just requires a name for the Group and the other allows you to supple a parent group name to create a child group underneath it.

If you want to validate the group name to make sure it will be ok to use in WSUS, you can use the IsValidComputerTargetGroupName() method to see if WSUS will allow the group name.



Let’s create a group now:


Simple enough. After you create the group, you will receive confirmation of the creation that lists the group name and the ID GUID of the group.


Now that we have created this test group, lets create a second group underneath that group.

We need to first get the group that we created.

$group = $wsus.GetComputerTargetGroups() | ? {$_.Name -eq "TestGroup"}


Now with that,we can create the child group underneath our newly created parent group:


As usual, you can immediately see the new group along with its GUID.


It isn’t that apparent that this is a child group until you see the console:


You can also use the GetChildTargetGroups() method that is available to find out if a group has any children. It is important to note that you must call this on an individual group, not the entire collection unless you loop through each group in the collection.



Delete Target Group

Ok, so we have figured out how to create groups within WSUS, but how do you delete the groups?  Well, the answer is pretty easy. We will make use of the Delete() method that is available for each group in the collection. Lets get the child group we created and then delete it using the Delete method:

$group = $wsus.GetComputerTargetGroups() | ? {$_.Name -eq "ChildGroup"}


Now, the child group is gone.


Creating a target is fairly simple with an little bit of complexity when your adding a child group, but deleting a group is pretty painless. Now what happens if you delete the parent group and not the child? Easy, both are deleted.

Add Computer to Target Group

Lets now take a look at adding a client to a target group.  For this, we will be using the AddComputerTarget() method that is available for each group in the collection. Looking at the requirements for this method, we can see that the value that it is expecting is a computer target object. So just typing in the name of the computer will not work and will only throw an error.


The quickest way to get a client is by using the GetComputerTargetByName() method. This only works as long as you know the client name. This method has by far the best performance of locating a client in WSUS using PowerShell instead of using the GetComputerTargets() method and throwing in a Where-Object to locate the name. I am going to add “boe-laptop” to the “Domain Servers” group in my example.

$client = $wsus.GetComputerTargetByName("boe-laptop")


If you wanted to add more than one computer to a group, you will have to create the collection of clients and then iterate through the collection and add each on into the group.

$clients = $wsus.GetComputerTargets()
ForEach ($client in $clients) {

Remove Computer from Target Group

Last in this post I will show you how to remove a computer from a group using the RemoveComputerTarget() which is available for each group in the collection. Just like when we added a client to a group, we will once again need to first get the computer object to meet the required value of the method. For this example, I will remove “boe-latop” from the “Domain Servers” group.

$client = $wsus.GetComputerTargetByName("boe-laptop")


And, just like with adding multiple clients to a group, you will need to iterate through the collection of clients to remove each one from a group.

$clients = $wsus.GetComputerTargets()
ForEach ($client in $clients) {

Once you start to climb into managing WSUS groups with PowerShell, it really is just a matter of a few lines to start to make things happen.

About Boe Prox

Microsoft Cloud and Datacenter MVP working as a SQL DBA.
This entry was posted in powershell, WSUS and tagged , , . Bookmark the permalink.

6 Responses to WSUS: Managing Groups with PowerShell

  1. PK says:

    can you please elaborate more on how to add multiple clients to group with $clients = $wsus.GetComputerTargets(computer1, computer2) ? can you specify a file name to get computer names from?

  2. boeprox says:

    Hi Lee,

    For the bottom error, replace $_.DomainName with $_.FullDomainName and try to run again. You should get some sort of confirmation that the client was added to a new group.
    For the first error, verify that $computer has data in the variable and that it is not an array, if it is an array, you will need to loop through each name in the collection.

    Hope this helps

  3. Lee says:

    Hi There,

    Should I get any kind of confirmation after submitting the command for this?

    Currently I get no confirmation and the Computers won’t move (might be worth pointing out that in the console they are also refusing to move)

    The vast majority of our computers will move through the console so I have added 4 machines into a Computer Group called ‘Test1’, when I try to move them using the command into a group called ‘Powershell’ I get an error which suggests the computers are not in WSUS!

    Heres the error:… (replaced the domain name)

    Get-WSUSClient : Cannot bind argument to parameter ‘Computer’ because it is an empty string.
    At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WSUS\WSUS.psm1:1260 char:35
    + $client = Get-WSUSClient -computer <<<< $computer
    + CategoryInfo : InvalidData: (:) [Get-WSUSClient], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,Get-WSUSClient

    Add-WSUSClientToGroup : Computer: is not in WSUS!
    At line:1 char:64
    + Get-WSUSClientsInGroup -name "Test1" | % {Add-WSUSClientToGroup <<<< -computer $_.domainname -Group "Powershell"}
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Add-WSUSClientToGroup

    This error is just repeated 4 times.

    Any ideas?

    Thanks 🙂

  4. Lee says:


    Is it possible to move all the computers from one group to another using a powershell command?


    • boeprox says:

      Yes, if you use my WSUS module,you can run the following line to move the clients from one group to another:

      Get-WSUSClientsInGroup -name “Domain Servers” | % {Add-WSUSClientToGroup -computer $_.fulldomainname -Group “Test”}

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s