Computer Tabular Status for Approved Updates report in WSUS in Powershell

When you have many WSUS-servers with central server in your organization, it might be very difficult of getting reports from computers.

Once I was needed in script to show me, at which computers I dont have approved updates installed. There is a report in WSUS console that can give me such info (it called Computer Tabular Status for Approved Updates), but I was not able to go to every WSUS-server and run this report. Its a very weird task when you have 5-10-15 of WSUS-servers.

I wrote a script in Powershell that will automate the task of getting reports from WSUS.

The best you can do - is to run script on the central WSUS-server as it getting all information about all computers from branch WSUS-server in organization. But of course you can run it on any server. In this case you will get report only about computers that connected to the specific server.

Script has three variables. The first - is the domain name in Active Directory. For example, if you have domain like domain1.domain.local, the parameter must be the domain1. This is the domain that we will audit. If you have only one domain, you can hardcode it on line #3.

Also, you must specify FQDN of your WSUS-server. Thats one line #8.

After scanning, script will export report to csv-file to the path which you will customize on line #5.

#cls
$datetime = Get-Date -Format "yyyy.MM.dd_HH-mm-ss";
$domain = $args[0];
$file_name = "wsus_audit_result_" + $domain + "_" + $datetime + ".csv";
$xl_filename = "c:\audit\" + $file_name;

[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer('wsus10.domain.local',$False)

$computerscope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope
$computerscope.IncludeSubgroups = $true;
$computerscope.IncludeDownstreamComputerTargets = $true;
$computerscope.IncludedInstallationStates = [Microsoft.UpdateServices.Administration.UpdateInstallationStates] "Failed, NotInstalled, Downloaded";

$updates = $wsus.GetUpdates() | where {$_.IsApproved -eq $true};

$array = @{};
foreach ($update in $updates) {
	$temp = $update.GetUpdateInstallationInfoPerComputerTarget($ComputerScope) | where {$_.UpdateApprovalAction -eq "Install"}
		
	if ($temp -ne $null) {
		foreach ($item in $temp) {
			$array.($wsus.GetComputerTarget([guid]$item.ComputerTargetId).FulldomainName)++;
		}
	}
}

$export_array = @();
$export_array += ,@("");$export_array += ,@("");

$i = 1;
foreach ($key in $array.Keys) {
	if ($key.split(".")[1] -eq $domain.split(".")[0]) {
		$export_array += ,@($key.Split(".")[0], $key.Split(".")[1], $array.$key);
	}
}

echo "Saving report ...";
foreach($item1 in $export_array)  
{  
	$csv_string = "";
	foreach($item in $item1)
	{
		$csv_string = $csv_string + $item + ";";
	}
	Add-Content $xl_filename $csv_string;
}  

Script running a little bit slowly, because it queries every PC registered in WSUS through HTTP-protocol. That's a very slow procedure, so prepare to wait.

And one more thing...

Dont try to run script on any server or computer. It will work correctly only on the server where WSUS-console is installed.