WSUS Reporting: Digging Into Target Groups and Update Statuses Using PowerShell

I had an email recently asking how to report on the number of updates per Target Group. Basically when a report is run using the WSUS Management Console, you can create a tabular report that displays something similar to this:

image

By specifying a Target Group and then report on all systems with the number of updates Needed, Installed/NotApplicable, Failed and NoStatus. Not too difficult to do with WSUS, but if you want to work with multiple target groups then you really are not sure what group belongs to what systems.

In the end, I wrote a fairly short script that the individual can use to get the information he needed. First I wanted to just show the number of updates per Target Group, then dive into a specific target group and pull number of updates per Computer (like the report above) and present it out. Lastly, I wanted to go even deeper into the rabbit hole and just pull updates which are Needed by a specific computer and list those out.

Before I do anything else, I need to make my initial connection using the WSUS API (WSUS Management Console is required for access).

$Computername = 'dc1'
$UseSSL = $False
$Port = 80

[reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") | out-null
$Wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($Computername,$UseSSL,$Port)

First, lets take a look at the Target Groups:

#Updates per TargetGroup
$wsus.GetComputerTargetGroups() | ForEach {
    $Group = $_.Name
    $_.GetTotalSummary() | ForEach {
        [pscustomobject]@{
            TargetGroup = $Group
            Needed = ($_.NotInstalledCount + $_.DownloadedCount)
            "Installed/NotApplicable" = ($_.NotApplicableCount + $_.InstalledCount)
            NoStatus = $_.UnknownCount
            PendingReboot = $_.InstalledPendingRebootCount
        }
    }
}

 

image

One thing that I have done better all ready with the report is that I can see what how many updates require a reboot.

Now onto the Windows Server 2003 Target Group. Let’s see how many updates are needed per computer (in this case only 1 system).

image

Lastly, I want to dive even deeper into this and see what updates exactly are needed for my server before I go about approving them for installation.

$TargetGroup = 'Windows Server 2003'
$updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$updateScope.IncludedInstallationStates = 'Downloaded','NotInstalled'
($wsus.GetComputerTargetGroups() | Where {
    $_.Name -eq $TargetGroup 
}).GetComputerTargets() | ForEach {
        $Computername = $_.fulldomainname
        $_.GetUpdateInstallationInfoPerUpdate($updateScope) | ForEach {
            $update = $_.GetUpdate()
            [pscustomobject]@{
                Computername = $Computername
                TargetGroup = $TargetGroup
                UpdateTitle = $Update.Title 
                IsApproved = $update.IsApproved
            }
    }
}

image

Note my use of a UpdateScope object that is used to provide the necessary information for the InstallationStates (Downloaded, NotInstalled) so I can be sure to get an accurate report.

Now we saw that 1 update was pending a reboot, so the question is: what update was installed that is awaiting a system reboot? Let’s find out!

$TargetGroup = 'Windows Server 2003'
$updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$updateScope.IncludedInstallationStates = 'InstalledPendingReboot'
$computerScope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope
$computerScope.IncludedInstallationStates = 'InstalledPendingReboot'
($wsus.GetComputerTargetGroups() | Where {
    $_.Name -eq $TargetGroup 
}).GetComputerTargets($computerScope) | ForEach {
        $Computername = $_.fulldomainname
        $_.GetUpdateInstallationInfoPerUpdate($updateScope) | ForEach {
            $update = $_.GetUpdate()
            [pscustomobject]@{
                Computername = $Computername
                TargetGroup = $TargetGroup
                UpdateTitle = $Update.Title 
                IsApproved = $update.IsApproved
            }
    }
} 

image

The only adjustment here was that I only had one InstallationState used (InstalledPendingReboot). I also created a ComputerTargetScope and applied the InstallationState of InstalledPendingReboot to better filter for only the computers that are in a pending reboot state. The rest was the same code I had used before. The nice thing about this is you don’t have to filter by target group or computername and just pull from all systems to see any computers which are awaiting a reboot and what update is requiring it.

About Boe Prox

Microsoft Cloud and Datacenter MVP working as a SQL DBA.
This entry was posted in powershell, WSUS and tagged , , , , . Bookmark the permalink.

13 Responses to WSUS Reporting: Digging Into Target Groups and Update Statuses Using PowerShell

  1. Sean says:

    “Let’s see how many updates are needed per computer”
    Any update on this? This is exactly what I’m looking for. Thanks!

  2. Great script!!!
    Is it possible to make this script to work for all target groups simultaneously without having to define them for each group in $Targetgroup?
    I tried to make the $Targetgroup an array but I cannot match it with where command.
    Any ideas would be helpful.
    Thanks in advance!

  3. John says:

    Is one of the examples missing, how did you create this output ?

    Thanks
    John

  4. Andre says:

    Now onto the Windows Server 2003 Target Group. Let’s see how many updates are needed per computer (in this case only 1 system)……..
    How to do it?

  5. mbrownnyc says:

    Fantastic and missing from the regular cmdlets! Now we can harass our users with an automated email!

  6. Kevin says:

    HI Boe,

    Do you have any ideas why I would be able to run the script successfully once but then get “You cannot call a method on a null-valued expression” every attempt after the first?

    Like I said the first attempt was successful and I was able to connect and pull the information from the 2 Target Groups. Every attempt after fails with the error above.

    Any suggestions?

    Thanks,
    Kevin

  7. Jimmy says:

    Hello Prox,

    Can you please help me about the structure of the result.
    I can’t have a table like you have when executing the script.

    Thank you in advance.

  8. Hi Boe,

    The code seems to be missing for the “number of updates needed per computer” output above. Could you kindly provide that as well? Thanks!

    Waqqas
    Mississauga, Ontario

  9. Nicolas says:

    Hi Boe,

    Great article. I’m trying to pump out a list of the approved updates for a target group but not getting the desired result. Just wondering if you have anything that could help.

    Thanks

    Nicolas

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s