Nov 04 2011

PowerShell: Compare WSUS target groups

This script compares the updates approved for two WSUS target groups. It can be useful when you want to see the differences between a test group and a production group. This Group Policy Central article gives more details on how to set up a WSUS test group using GPO (chapter Implement a WSUS Update Test Group of Computers).

To get the approval status of a patch, we use the Microsoft.UpdateServices.Administration namespace (UpdateApprovalAction enumeration). The following code enumerates all the KB updates and returns their approval status for each target group:

# WSUS server name (placeholder value, change it to your own server)
$wsusserver = "wsus-server-name"

[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
# Second argument $False: connect without SSL
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($wsusserver, $False)

# Query every update, whatever its approval action
$updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$updateScope.UpdateApprovalActions = [Microsoft.UpdateServices.Administration.UpdateApprovalActions]::Install -bor [Microsoft.UpdateServices.Administration.UpdateApprovalActions]::Uninstall -bor [Microsoft.UpdateServices.Administration.UpdateApprovalActions]::All -bor [Microsoft.UpdateServices.Administration.UpdateApprovalActions]::NotApproved

$updates = $wsus.GetUpdates($updateScope)
$groups = $wsus.GetComputerTargetGroups()

# MSDN update status:
# All: Use to query all updates, regardless of their action.
# Install: Client installs the update.
# NotApproved: The update will not be available for clients. This value can be used in a simple targeting ComputerTargetGroup to "override" an UpdateApproval made to the "All Computers" ComputerTargetGroup.
# Uninstall: Client removes the update.

foreach ($update in $updates) {
    foreach ($group in $groups) {
        # "Pending" means no approval is set directly on this group
        $status = "Pending"
        $approvals = $update.GetUpdateApprovals($group)
        if ($approvals.Count -ne 0) {
            $status = $approvals[0].Action
        }
        Write-Host ($update.Title + ';' + $group.Name + ';' + $status)
    }
}

Both test and production target groups inherit from the “All Computers” group.

We need to retrieve the update approval status for the following target groups:

  • $Allstatus: Approval status for the “All computers” group, default value “Not Approved”.
  • $statusprod: Approval status for the production target group, default value “Pending”. In this case the approval status is inherited from the “All computers” group.
  • $statusqualif: Approval status for the test target group, default value “Pending”. In this case the approval status is inherited from the “All computers” group.

For a given patch, if $statusprod is different from $statusqualif, the status of each group is returned. If one of the two groups has no value (status “Pending”), the “All computers” group approval status is returned for that group.
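The rule above, sketched as an added example (it is not the downloadable script, which is not reproduced on this page). The function name Compare-Approval, its parameter names, the EffectiveDiff column and the sample rows are assumptions constructed here; the status strings and defaults are the ones the post describes. EffectiveDiff goes slightly beyond the text: it flags whether the two groups still differ once inheritance is resolved.

```powershell
# Added example: comparison rule only, run on constructed sample rows (no WSUS needed).
# On a live server the three statuses come from GetUpdateApprovals(), as in the loop above.
function Compare-Approval {
    param(
        [Parameter(Mandatory = $true)][string]$Title,
        [string]$AllStatus    = 'NotApproved',   # post's default for "All Computers"
        [string]$StatusProd   = 'Pending',       # "Pending" = inherits from All Computers
        [string]$StatusQualif = 'Pending'
    )
    # The post only reports patches whose two group statuses differ.
    if ($StatusProd -eq $StatusQualif) { return }

    # Effective action: a "Pending" group falls back to the All Computers approval.
    $effProd = if ($StatusProd   -eq 'Pending') { $AllStatus } else { $StatusProd }
    $effTest = if ($StatusQualif -eq 'Pending') { $AllStatus } else { $StatusQualif }

    # Displayed value: mark inheritance so the reader sees where the action comes from.
    $showProd = if ($StatusProd   -eq 'Pending') { "$AllStatus (inherited)" } else { $StatusProd }
    $showTest = if ($StatusQualif -eq 'Pending') { "$AllStatus (inherited)" } else { $StatusQualif }

    New-Object PSObject -Property @{
        Title         = $Title
        Production    = $showProd
        Test          = $showTest
        # Assumption added here: True when the two groups really get different actions.
        EffectiveDiff = ($effProd -ne $effTest)
    } | Select-Object Title, Production, Test, EffectiveDiff
}

# Constructed sample rows, not real WSUS data.
$sample = @(
    @{ Title = 'Sample update A'; AllStatus = 'NotApproved'; StatusProd = 'Pending';     StatusQualif = 'Install' },
    @{ Title = 'Sample update B'; AllStatus = 'Install';     StatusProd = 'Pending';     StatusQualif = 'Install' },
    @{ Title = 'Sample update C'; AllStatus = 'Install';     StatusProd = 'NotApproved'; StatusQualif = 'Pending' },
    @{ Title = 'Sample update D'; AllStatus = 'NotApproved'; StatusProd = 'Pending';     StatusQualif = 'Pending' }
)

# Splat each row onto the function and emit a semicolon-separated CSV.
$report = foreach ($row in $sample) { Compare-Approval @row }
$report | ConvertTo-Csv -NoTypeInformation -Delimiter ';'
```

Rows with EffectiveDiff set to True are the patches that clients in the test and production groups actually handle differently, which is the gap to review before promoting a patch.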

Download the full script here:

The script returns a CSV file with the following information:

  • KB update name.
  • Approval status for the production target group, inheritance from the All Computers group is displayed if needed.
  • Approval status for the test target group, inheritance from the All Computers group is displayed if needed.
  • MSRC severity of the patch (see this MSDN article for more information on the possible values). This applies to security patches.
  • MS Security bulletin the patch is related to. This applies to security patches.
  • Products concerned by this update.

In the script, change the following default values:

  • $wsusserver: WSUS server name.
  • $grqualif: WSUS Target group name for the test computers.
  • $grprod: WSUS Target group name for the production computers.

If you want more PowerShell scripts about WSUS server management, visit the TechNet Script Center.


2 Comments

  • By martbasi, June 9, 2014 @ 8:18 pm

    Interesting looking script, I hope to get it working. But:
    When I drop the first two lines into ISE and run them, it spits out an error:
    Exception calling “GetUpdateServer” with “2” argument(s): “The specified string is invalid.
    Parameter name: ServerName”
    At line:2 char:1
    + $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer($w …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentException

  • By martbasi, June 9, 2014 @ 8:24 pm

    Disregard my previous comment. I am a fool 🙂
