Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Powershell, WSUS, Execute Multiple Approvals per client computer

782 views
Skip to first unread message

jmedd

unread,
Oct 1, 2008, 6:35:00 AM10/1/08
to
I need to approve around 100 updates for a client computer in WSUS. Using the
WSUS console for this is impracticle since its involves about 5 - 6 clicks
per update, so naturally I am looking to Powershell for a solution.

There are some sample scripts for managing WSUS 3.0 at the script center.

http://www.microsoft.com/technet/scriptcenter/scripts/sus/server/default.mspx?mfr=true

Basically what I need to do is for a particular computer find which updates
need approving and then approve them all for a particular WSUS computer group
in one go.

So far I have:

[reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") | out-null
if (!$wsus) {
$wsus =
[Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer();
}


$wsus.GetComputerTargets()


This basically returns a lot of info about the computers, but nothing to do
with approvals.

Similarly the following gives you a load of info about the updates including
whether they are approved or not, but does not tell you which group they are
approved for.

[reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") | out-null
if (!$wsus) {
$wsus =
[Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer();
}

$updateScope = new-object Microsoft.UpdateServices.Administration.UpdateScope;
$updateScope.UpdateApprovalActions =
[Microsoft.UpdateServices.Administration.UpdateApprovalActions]::Install `
-bor
[Microsoft.UpdateServices.Administration.UpdateApprovalActions]::Uninstall

$wsus.GetUpdates($updateScope)


Exchanging the last line for

$wsus.GetUpdateApprovals($updateScope)

gets you some approval info, but not quite what I'm looking for.

Anyone willing to assist would be most appreciated.

Marco Shaw [MVP]

unread,
Oct 1, 2008, 1:46:33 PM10/1/08
to

> Anyone willing to assist would be most appreciated.

I have an older VM I can dust off. It doesn't even have PowerShell on
it. I don't know much about WSUS, but I'll try to help.

You need this yesterday?

Marco

--
*Microsoft MVP - Windows Server - Admin Frameworks
https://mvp.support.microsoft.com/profile/Marco.Shaw
*PowerShell Co-Community Director - http://www.powershellcommunity.org
*Blog - http://marcoshaw.blogspot.com

Marco Shaw [MVP]

unread,
Oct 1, 2008, 10:36:45 PM10/1/08
to
Marco Shaw [MVP] wrote:
>
>> Anyone willing to assist would be most appreciated.
>
> I have an older VM I can dust off. It doesn't even have PowerShell on
> it. I don't know much about WSUS, but I'll try to help.
>
> You need this yesterday?
>
> Marco
>

I didn't get far, maybe try here also:
http://social.technet.microsoft.com/Forums/en-US/winserverwsus/threads/

I will post something tomorrow.

Shay Levy [MVP]

unread,
Oct 2, 2008, 4:14:56 AM10/2/08
to
Hello jmedd,


I was able to run this and get results:

[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")


$updateServer = "updateServerName"
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer($updateServer,$false)

$computerScope = new-object Microsoft.UpdateServices.Administration.ComputerTargetScope
$computerScope.includedInstallationStates = "Installed,NotInstalled"

$updateScope = new-object Microsoft.UpdateServices.Administration.UpdateScope
$updateScope.includedInstallationStates = "Installed,NotInstalled"


$wsus.getComputerTargets($ComputerScope) | foreach {

$machine = $_
$fdn = @{n="FullDomainName";e={$machine.fullDomainName}}

$_.getUpdateInstallationInfoPerUpdate($updateScope) | foreach {
$updateId = $wsus.getUpdate($_.updateId)
$updateId | select $fdn,Title,UpdateType,IsApproved,IsDeclined,KnowledgebaseArticles
}
}

Here's the first item output:

FullDomainName : serverName.domain
Title : Cumulative Security Update for Outlook Express for
Windows Server 2003 (KB929123)
UpdateType : Software
IsApproved : True
IsDeclined : False
KnowledgebaseArticles : {929123}

HTH

---
Shay Levy
Windows PowerShell MVP
http://blogs.microsoft.co.il/blogs/ScriptFanatic
PowerShell Toolbar: http://tinyurl.com/PSToolbar


j> I need to approve around 100 updates for a client computer in WSUS.
j> Using the WSUS console for this is impracticle since its involves
j> about 5 - 6 clicks per update, so naturally I am looking to
j> Powershell for a solution.
j>
j> There are some sample scripts for managing WSUS 3.0 at the script
j> center.
j>
j> http://www.microsoft.com/technet/scriptcenter/scripts/sus/server/defa
j> ult.mspx?mfr=true
j>
j> Basically what I need to do is for a particular computer find which
j> updates need approving and then approve them all for a particular
j> WSUS computer group in one go.
j>
j> So far I have:
j>
j> [reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.
j> Administration") | out-null
j> if (!$wsus) {
j> $wsus =
j> [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer
j> ();
j> }
j>
j> $wsus.GetComputerTargets()
j>
j> This basically returns a lot of info about the computers, but nothing
j> to do with approvals.
j>
j> Similarly the following gives you a load of info about the updates
j> including whether they are approved or not, but does not tell you
j> which group they are approved for.
j>
j> [reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.
j> Administration") | out-null
j> if (!$wsus) {
j> $wsus =
j> [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer
j> ();
j> }
j>
j> $updateScope = new-object
j> Microsoft.UpdateServices.Administration.UpdateScope;
j> $updateScope.UpdateApprovalActions =
j> [Microsoft.UpdateServices.Administration.UpdateApprovalActions]::Inst
j> all `
j> -bor
j> [Microsoft.UpdateServices.Administration.UpdateApprovalActions]::Unin
j> stall
j> $wsus.GetUpdates($updateScope)
j>
j> Exchanging the last line for
j>
j> $wsus.GetUpdateApprovals($updateScope)
j>
j> gets you some approval info, but not quite what I'm looking for.
j>
j> Anyone willing to assist would be most appreciated.
j>


Marco Shaw [MVP]

unread,
Oct 2, 2008, 5:43:20 AM10/2/08
to
Shay Levy [MVP] wrote:
> Hello jmedd,
>
>
> I was able to run this and get results:

I think Jonathan (that's right?) was actually looking on how to approve
the updates also, not just list them?

Shay Levy [MVP]

unread,
Oct 2, 2008, 7:25:02 AM10/2/08
to

Thanks for clarifying.

---
Shay Levy
Windows PowerShell MVP
http://blogs.microsoft.co.il/blogs/ScriptFanatic
PowerShell Toolbar: http://tinyurl.com/PSToolbar


M> Shay Levy [MVP] wrote:
M>

>> Hello jmedd,
>>
>> I was able to run this and get results:
>>

M> I think Jonathan (that's right?) was actually looking on how to
M> approve the updates also, not just list them?
M>
M> Marco
M>


jmedd

unread,
Oct 2, 2008, 6:44:00 AM10/2/08
to
Awesome, that is taking it a lot further than I was getting. Thanks so much.

The further steps I need to take it are:

1) Be able to specify a particular client machine
2) Find only updates which are not approved for that machine
3) Approve all the updates which are approved for that machine specifying a
particular computer target group for the approval.

If I can get that, it will save me hours, maybe days of work!

Thanks
Jonathan

jmedd

unread,
Oct 2, 2008, 6:46:00 AM10/2/08
to
Thanks for the interest in helping. The work is not urgent, rather it is to
kick start a project I'm beginning for server patching. I don't want to waste
tedious hours clicking through approvals of updates for a test group and then
have to repeat that exact same task for another group.

Thanks
Jonathan

Shay Levy [MVP]

unread,
Oct 2, 2008, 7:43:58 AM10/2/08
to
Take II:

$updateServer = "serverName"
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer($updateServer,$false)

$updateScope = new-object Microsoft.UpdateServices.Administration.UpdateScope
$updateScope.updateApprovalActions = "Install,Uninstall"

$updates = $wsus.getUpdates($updateScope)


$updates[0] | gm -MemberType method a*

TypeName: Microsoft.UpdateServices.Internal.BaseApi.Update

Name MemberType Definition
---- ---------- ----------
...
Approve Method Microsoft.UpdateServices.Administra...
...


Notice that the Approve() method has two overloads:

Approve(UpdateApprovalAction action, IComputerTargetGroup targetGroup),
Approve(UpdateApprovalAction action, IComputerTargetGroup targetGroup, DateTime
deadline)}

j> gets you some approval info, but not quite what I'm looking for.
j>
j> Anyone willing to assist would be most appreciated.
j>

jmedd

unread,
Oct 3, 2008, 6:00:00 AM10/3/08
to
OK cool. So those are the methods to make the approvals happen.

Are you able to help me put it all together like in the previous post?

"Shay Levy [MVP]" wrote:

> Take II:
>
>
>
> $updateServer = "serverName"
> $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer($updateServer,$false)
>
> $updateScope = new-object Microsoft.UpdateServices.Administration.UpdateScope
> $updateScope.updateApprovalActions = "Install,Uninstall"
>
> $updates = $wsus.getUpdates($updateScope)
>
>
> $updates[0] | gm -MemberType method a*
>
> TypeName: Microsoft.UpdateServices.Internal.BaseApi.Update
>
> Name MemberType Definition
> ---- ---------- ----------

> ....
> Approve Method Microsoft.UpdateServices.Administra...
> ....

Shay Levy [MVP]

unread,
Oct 5, 2008, 12:52:25 PM10/5/08
to
Hello jmedd,

This is what I

[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")


$updateServer = "serverName"
$machineName = "machineName"
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer($updateServer,$false)
$com = $wsus.GetComputerTargetByName($machineName)

# get info for the specified machineName
PS > $com

UpdateServer : Microsoft.UpdateServices.Internal.BaseApi.UpdateServer
Id : 687b433f-18c0-45c0-8dbb-0f45a484d73e
FullDomainName : serverName
IPAddress : 10.4.90.135
Make : HP
Model : ProLiant BL460c G1
BiosInfo : Microsoft.UpdateServices.Administration.BiosInfo
OSInfo : Microsoft.UpdateServices.Administration.OSInfo
OSArchitecture : x86
ClientVersion : 7.1.6001.65
OSFamily : Windows
OSDescription : Windows Server 2003 Enterprise Edition
ComputerRole : Server
LastSyncTime : 10/09/2008 11:52:50
LastSyncResult : Succeeded
LastReportedStatusTime : 10/09/2008 12:07:48
LastReportedInventoryTime : 01/01/0001 00:00:00
RequestedTargetGroupName :
RequestedTargetGroupNames : {}
ComputerTargetGroupIds : {b73ca6ed-5727-47f3-84de-015e03f6a88a, a0a08746-4dbe-4a37-9adf-9e7652c0b421}
ParentServerId : 00000000-0000-0000-0000-000000000000
SyncsFromDownstreamServer : False


# get installation summary
PS > $com.GetUpdateInstallationSummary()

UnknownCount : 44
NotApplicableCount : 2131
NotInstalledCount : 15
DownloadedCount : 0
InstalledCount : 40
InstalledPendingRebootCount : 0
FailedCount : 0
IsSummedAcrossAllUpdates : True
UpdateId : 00000000-0000-0000-0000-000000000000
ComputerTargetGroupId : 00000000-0000-0000-0000-000000000000
ComputerTargetId : 687b433f-18c0-45c0-8dbb-0f45a484d73e
LastUpdated : 05/10/2008 12:59:27


# updates report sample output
PS > $com.GetUpdateInstallationInfoPerUpdate()

UpdateServer : Microsoft.UpdateServices.Internal.BaseApi.UpdateServer
UpdateInstallationState : NotApplicable
UpdateApprovalAction : Install
UpdateApprovalTargetGroupId : a0a08746-4dbe-4a37-9adf-9e7652c0b421
ComputerTargetId : 687b433f-18c0-45c0-8dbb-0f45a484d73e
UpdateId : 1847ae6d-8360-4e5a-9d15-da82b24deffd

You can translate an UpdateId guid to its object like so:

PS > $upd = $com.GetUpdateInstallationInfoPerUpdate()
PS 42> $wsus.GetUpdate($upd[0].updateid)


UpdateServer : Microsoft.UpdateServices.Internal.BaseApi.UpdateServer
Id : Microsoft.UpdateServices.Administration.UpdateRevisionId
Title : Windows XP Update Package, October 25,
2001
Description : This update resolves all critical issues
that were found in Windows XP between Aug
ust 2001 and October 2001, and is discussed
in Microsoft Knowledge Base (KB) Artic
le Q309521. Among the updates included
in this package are several that eliminate
security vulnerabilities. Download now
to ensure that you have all the latest crit
ical updates for Windows XP.
LegacyName : q309521_xp_4973
MsrcSeverity : Unspecified
KnowledgebaseArticles : {309521}
SecurityBulletins : {}
AdditionalInformationUrls : {http://www.download.windowsupdate.com/msdownload/update/v3/static/RTF/en/4973.htm
}
ReleaseNotes :
UpdateClassificationTitle : Critical Updates
CompanyTitles : {Microsoft}
ProductTitles : {Windows XP}
ProductFamilyTitles : {Windows}
IsLatestRevision : True
HasEarlierRevision : False
Size : 0
CreationDate : 18/02/2003 21:28:13
ArrivalDate : 11/06/2008 09:11:51
UpdateType : Software
PublicationState : Published
InstallationBehavior : Microsoft.UpdateServices.Administration.InstallationBehavior
UninstallationBehavior : Microsoft.UpdateServices.Administration.InstallationBehavior
IsBeta : False
HasStaleUpdateApprovals : False
IsApproved : True
IsDeclined : False
DefaultPropertiesLanguage :
HasLicenseAgreement : False
RequiresLicenseAgreementAcceptance : False
State : Ready
HasSupersededUpdates : False
IsSuperseded : True
IsWsusInfrastructureUpdate : False
IsEditable : False
UpdateSource : MicrosoftUpdate


---
Shay Levy
Windows PowerShell MVP
http://blogs.microsoft.co.il/blogs/ScriptFanatic
PowerShell Toolbar: http://tinyurl.com/PSToolbar


j> Awesome, that is taking it a lot further than I was getting. Thanks
j> so much.
j>
j> The further steps I need to take it are:
j>
j> 1) Be able to specify a particular client machine
j> 2) Find only updates which are not approved for that machine
j> 3) Approve all the updates which are approved for that machine
j> specifying a
j> particular computer target group for the approval.
j> If I can get that, it will save me hours, maybe days of work!
j>
j> Thanks
j> Jonathan
j> "Shay Levy [MVP]" wrote:
j>

jmedd

unread,
Oct 6, 2008, 7:15:01 AM10/6/08
to
Brilliant! I think I'm pretty close now.

In the WSUS console if you highlight a computer in the Summary pane you have
'Updates Needed' and clicking the link gives you a report on which updates
are required on the machine.

In the stuff you have just done there are results for

Approved: Yes or No
Installed: Yes or No
etc

but I can't see anything for Updates Needed?

If I can just get this then I will have my goal of:

- Get details for a particular computer
- Filter the results to only show those updates needed
- Approve all the updates returned in the filter to a particular computer
group.

Thanks!
Jonathan

Shay Levy [MVP]

unread,
Oct 6, 2008, 7:57:40 AM10/6/08
to

Try this:

$updateServer = "serverName"
$machineName = "machineName"

$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer($updateServer,$false)

$updateScope = new-object Microsoft.UpdateServices.Administration.UpdateScope

$updateScope.includedInstallationStates = "NotInstalled"

$com = $wsus.GetComputerTargetByName($machineName)
$com.GetUpdateInstallationInfoPerUpdate($updateScope)

---
Shay Levy
Windows PowerShell MVP
http://blogs.microsoft.co.il/blogs/ScriptFanatic
PowerShell Toolbar: http://tinyurl.com/PSToolbar


j> Brilliant! I think I'm pretty close now.
j>
j> In the WSUS console if you highlight a computer in the Summary pane
j> you have 'Updates Needed' and clicking the link gives you a report on
j> which updates are required on the machine.
j>
j> In the stuff you have just done there are results for
j>
j> Approved: Yes or No
j> Installed: Yes or No
j> etc
j> but I can't see anything for Updates Needed?
j>
j> If I can just get this then I will have my goal of:
j>
j> - Get details for a particular computer
j> - Filter the results to only show those updates needed
j> - Approve all the updates returned in the filter to a particular
j> computer
j> group.
j> Thanks!


j> Jonathan
j> "Shay Levy [MVP]" wrote:
j>
>> Hello jmedd,
>>

>> This is what I


>> [void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateSer
>> vices.Administration")
>>

>>>> er vices.Administration")

jmedd

unread,
Oct 6, 2008, 10:09:02 AM10/6/08
to
Cool. In the example I am testing that returns only the updates I am looking
for.

I have then tried to approve these updates with the following:

$upd = $com.GetUpdateInstallationInfoPerUpdate($updateScope)
$upd.Approve(Approved,Groupname)

as per your side post about approving updates, but it doesn't like it.

jmedd

unread,
Nov 11, 2008, 8:07:01 AM11/11/08
to
Finally got this thing nailed - detailed here:

http://jonathanmedd.blogspot.com/2008/11/wsus-30-approving-multiple-updates-for.html

0 new messages