locked
Wsus Script - How to Filter only approved updates RRS feed

  • Question

  • Hello,

    I've already done a basic script to get a report of approved updates by queried computer, but in some cases the results are reporting some 'NotApproved' updates

    $computername='testcomputer.mydomain.com'

    $updatescope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    $updateScope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved  # Includes updates whose latest revision is approved.
    $updateScope.UpdateApprovalActions = [Microsoft.UpdateServices.Administration.UpdateApprovalActions]::Install

    $updatescope.ExcludedInstallationStates=@('NotApplicable','Installed')

    $mycomputer=$wsus.GetComputerTargetbyName($computername) 

    foreach ($update in $mycomputer.GetUpdateInstallationInfoPerUpdate($updateScope) ) {
            $updateinfo=$update.getupdate()
            [pscustomobject][Ordered]@{
               Status=$update.UpdateInstallationState
               Approval=$update.UpdateApprovalAction
               ArrivalDate=get-date $updateinfo.ArrivalDate -format dd-MMM-yyyy
               Title=$updateinfo.title
            }
          }  

    This code produces a short report of pending updates on the majority of my computers, but In some I got results like these

         Status    Approval ArrivalDate Title                                                                                                                               
          ------    -------- ----------- -----                                                                                                                               
    NotInstalled NotApproved 08-Aug-2017 Update for Windows Server 2012 R2 (KB4033428)                                                                                       
    NotInstalled NotApproved 10-Jan-2018 Microsoft .NET Framework 4.7 for Windows 8.1 and Windows Server 2012 R2 for x64 (KB3186539)                                         
    NotInstalled NotApproved 11-Jul-2018 Microsoft .NET Framework 4.7.1 for Windows 8.1 and Windows Server 2012 R2 for x64 (KB4033369)                                       
    NotInstalled NotApproved 24-Jul-2018 Update for Windows Server 2012 R2 (KB4339284)                                                                                       
    NotInstalled NotApproved 10-Oct-2018 2018-10 Security Only Quality Update for Windows Server 2012 R2 for x64-based Systems (KB4462941)                                   
    NotInstalled NotApproved 18-Oct-2018 Update for Windows Server 2012 R2 (KB4462901)

    What is the reason that some computers are reporting 'NotApproved' action? Is the following filter the appropriate by my purposes -> [Microsoft.UpdateServices.Administration.UpdateApprovalActions]::Install

    Or should I add a second filtering like -> $mycomputer.GetUpdateInstallationInfoPerUpdate($updateScope) | where {$_.UpdateApprovalAction -ne 'NotApproved'}

    Best Regards

    Thursday, January 10, 2019 11:52 AM

All replies

  • Hello,
     
    Check if those updates have an approved status but not approved for the group which includes your specific computer. In other words, they have been approved for other computer groups.
     
    If yes, you may need to specify the computer groups in your script.
     
    Hope my answer could help you and look forward to your feedback.
     
    Best Regards,
    Ray

    Please remembers to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, January 11, 2019 5:43 AM
  • Hi,

    Thanks, I've found that some computers that i was using to test my script were under 'Unnasigned Computers', and when I've assigned to a different group my search worked expected.

    But Why the following filter was not working as expected? What I understand is  that it's supposed to filter and show only these updates that are marked/approved for install.

    That's true that these packages aren't set for 'install' on 'Unnasigned Computers' group, then why are showed? Why this filter doesn't work when computer is under this group?

    $updateScope.UpdateApprovalActions = [Microsoft.UpdateServices.Administration.UpdateApprovalActions]::Install  

    Best Regards

    Friday, January 11, 2019 8:36 AM
  • Hello,
     
    As I mentioned above, your filter chooses all the updates which have been approved for install but not approved for specific computer group.
     
    I am not quite familiar with PowerShell, however, you need to get the computer group including the computer and then choose updates approved for that computer group.
     
    Best Regards,
    Ray

    Please remembers to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, January 11, 2019 10:16 AM