locked
scope result [LatestRevisionApproved] is different between N/A vs N/A (inherited) RRS feed

  • Question


  • Hello

    I'm working with a PowerShellScript to generate an export of all approved Patches for a specifed wsus group.

    The code sequence about the scope is as fallow:

    $updateScope = new-object Microsoft.UpdateServices.Administration.UpdateScope;
    $updateScope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved; #LatestRevisionApproved;
    $updateScope.UpdateSources = [Microsoft.UpdateServices.Administration.UpdateSources]::MicrosoftUpdate;
    $updateScope.UpdateApprovalActions = [Microsoft.UpdateServices.Administration.UpdateApprovalActions]::Install;

    Now I saw that every update with [not approved] is in this scope, although it isn't approved.

    The updates with [not approved (inherited)] are correct, meaning there aren't in the export file. (see printscreens in the end)

    Why is this scope differnet?

    Did anyone have an idea to solve this problem?

        I'm working with an windows server 2012 R2 en
        wsus version is 6.3.9600.16384




    Tuesday, September 9, 2014 1:39 PM

Answers

  • There is a wsus computer group 1 and 2, as example.

    • security patch xyz is "Not approved (inherited)" on group 1
    • same patch is "Not approved" on group 2

    Now, the if statement before is false for all updates with "Not approved (inherited)"

    But sadly, the if statement is true for all updates with "Not approved" This is my problem.

    If you could provide an example of actual data you're receiving, I think that would help.

    One thing that may be relevant is to know that there is no explicit state "Not Approved (inherited)", the "inherited" is simply a display indication that the "Not Approved" state is a function of a parent group's configuration.

    Maybe you have an other solution to generate an export for all approved updates on a specifed wsus computer group?

    Personally I'd just run the report from the console intended for this purpose and export the output to Excel.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.


    Wednesday, September 10, 2014 4:26 PM

All replies

  • Now I saw that every update with [not approved] is in this scope, although it isn't approved.

    The updates with [not approved (inherited)] are correct, meaning there aren't in the export file. (see printscreens in the end)

    Why is this scope differnet?

    Did anyone have an idea to solve this problem?

    I don't really want to spend a couple of hours analyzing your PowerShell script, so suppose you tell us *exactly* why you think the output is wrong.

    Frankly, my educated GUESS would be that there's a BUG in your PowerShell script. Have you traced through your own script to ensure it's absolutely correct for what you want?


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Wednesday, September 10, 2014 1:22 AM
  • Thanks for your Reply.

    I understand your point... I've debug my script and i saw some differents.

    Let me explain this again, it's a little bit difficult without the possibility to upload pictures:

    This is my scope for all intersting updates:

    $updateScope = new-object Microsoft.UpdateServices.Administration.UpdateScope;
    $updateScope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved; #LatestRevisionApproved;
    $updateScope.UpdateSources = [Microsoft.UpdateServices.Administration.UpdateSources]::MicrosoftUpdate;
    $updateScope.UpdateApprovalActions = [Microsoft.UpdateServices.Administration.UpdateApprovalActions]::Install;

    After that all updates are into $theupdates

    $theupdates = $wsus.GetUpdates($updateScope);

    Then, for each object I check it for wsus computer group

    $theupdates | ForEach-Object {
    $update = $_
    if ($update.GetUpdateApprovals($ApprovedGr).Count -ne 0){
      $record = $update.Title;
      echo $record | Out-File $approvedlist -append
    }

    Now we are going to our wsus console.

    There is a wsus computer group 1 and 2, as example.

    • security patch xyz is "Not approved (inherited)" on group 1
    • same patch is "Not approved" on group 2

    Now, the if statement before is false for all updates with "Not approved (inherited)"

    But sadly, the if statement is true for all updates with "Not approved" This is my problem.

    Maybe you have an other solution to generate an export for all approved updates on a specifed wsus computer group?

    I'm working with this script many years on a w2k3r2 wsus. Now i migrate wsus to w2k12r2 and have this problem. It looks realy there is a prboblem about this "inherited"

    Wednesday, September 10, 2014 12:37 PM
  • There is a wsus computer group 1 and 2, as example.

    • security patch xyz is "Not approved (inherited)" on group 1
    • same patch is "Not approved" on group 2

    Now, the if statement before is false for all updates with "Not approved (inherited)"

    But sadly, the if statement is true for all updates with "Not approved" This is my problem.

    If you could provide an example of actual data you're receiving, I think that would help.

    One thing that may be relevant is to know that there is no explicit state "Not Approved (inherited)", the "inherited" is simply a display indication that the "Not Approved" state is a function of a parent group's configuration.

    Maybe you have an other solution to generate an export for all approved updates on a specifed wsus computer group?

    Personally I'd just run the report from the console intended for this purpose and export the output to Excel.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.


    Wednesday, September 10, 2014 4:26 PM
  • Ok, good to have the informations about export to excel [wsus3.0 sp1 - need to export particular list of updates] and report functionality with standard console. I tested it now, it's fine.

    • First I've done the export to excel.
    • Then I export the excel to a .csv.
    • The last step is importing this .csv to a other isolated wsus server. It works fine now for me :-)

    Thanks a lot, in my eyes this thread can be closed...

    Thursday, September 11, 2014 12:20 PM