Getting breakout for the update MSRC Severity level per machine in WSUS through Powershell

  • General discussion

  • Currently I use Powershell to pull the number of updates and their status per machine.  See the code snippet below of the portions of the script which do the heavy lifting:  

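    # Load the WSUS administration API before calling AdminProxy
    [void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
    # $Server and $Port are set elsewhere in the script; $False means no SSL
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($Server, $False, $Port)
    $ComputerScope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope
    $UpdateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    # One summary row (update counts per installation state) for each computer
    $SumPerComputer = $wsus.GetSummariesPerComputerTarget($UpdateScope, $ComputerScope)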

    Unfortunately, I now need to be able to break the same totals for the security updates out by MSRC Severity (i.e. "Important", "Critical", "Unspecified", etc.).  While the GetUpdates method seems to have a "MsrcSeverity" property available, I don't see a way of getting that per machine.

    Any ideas?

    • Changed type Bill_Stewart Friday, July 27, 2018 8:20 PM
    • Moved by Bill_Stewart Friday, July 27, 2018 8:20 PM This is not "scripts on demand"
    Friday, May 11, 2018 2:25 PM

All replies

  • Use WSUS.

    -- Bill Stewart [Bill_Stewart]

    Friday, May 11, 2018 3:08 PM
  • We do use WSUS.  That is where it is pulling the data but it won't pull reports with the needed information. 
    Friday, May 11, 2018 4:36 PM
  • If the built-in reports don't provide what you need and a script is required, you can put a script request on the script request page. (If you need a guaranteed answer, however, it's probably best to hire someone to write it for you.)

    -- Bill Stewart [Bill_Stewart]

    Friday, May 11, 2018 5:45 PM
  • "GetUpdates" is for the Updates.

    "GetSummariesPercomputerTarget" is for your computers (but with this one you can use "GetUpdateClassifications" to define "Applications; Critical Updates; Definition Updates; Drivers; Feature Packs; Security Updates; Service Packs; Tools; Update Rollups; Updates; Upgrades").

    If you want to do a spreadsheet with subdivision (MSRC severity) for each computer of your WSUS you need to go deep in your script.

    I wrote some scripts to manage WSUS with PowerShell; if you explain your goal to me or send me your script, maybe I could help.


    Monday, May 14, 2018 3:21 PM
  • Thanks and that is what I was looking for with this - a concept to use to start scripting. 

    The issue is that we need per-machine summaries for each installation state (Installed, InstalledPendingReboot, etc.).  That I was able to get using the $wsus.GetSummariesPercomputerTarget($UpdateScope, $ComputerScope) method.  However, now we need to be able to break that down by MSRCSeverity and unfortunately that isn't an option in either scope so, as you mentioned, we have to go deep and essentially try to replicate the method above while grabbing the MSRC Severity.

    I took a look over the weekend and am working with the GetUpdates method and an updatescope to get an initial set of updates and then using the GetUpdateInstallationInfoPerComputerTarget method with a $Computerscope. 

    Unfortunately, while it appears to work, it takes a looooooooong time... a WSUS server with ~1000 machines and ~2200 updates takes about 24+ hours to run (WAY too long) so looking at ways to shorten it (Excluding installation states, etc.).


    • Edited by JCJCJCJCJC Tuesday, May 15, 2018 1:10 PM
    Tuesday, May 15, 2018 1:09 PM
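The approach described in the post above (GetUpdates for the severity, then per-computer installation info) reduces to a join on UpdateId. The following is an added example, not code from any poster in this thread: it builds the UpdateId-to-MsrcSeverity lookup once and counts installation records per computer, severity and state. The function name `Get-SeverityBreakdown`, the `NotInScope` label and the sample objects are assumptions made for illustration; the commented lines show the WSUS calls that would supply the same shapes on a live server.

```powershell
# Added example: join per-computer install records to MsrcSeverity via one hashtable.
function Get-SeverityBreakdown {
    param(
        [object[]]$Updates,      # needs .Id.UpdateId and .MsrcSeverity (shape of GetUpdates output)
        [object[]]$InstallInfo   # needs .ComputerTargetId, .UpdateId, .UpdateInstallationState
    )
    # Build the lookup once instead of asking the server per update and per machine
    $severityById = @{}
    foreach ($u in $Updates) {
        $severityById[[string]$u.Id.UpdateId] = [string]$u.MsrcSeverity
    }
    $counts = @{}
    foreach ($i in $InstallInfo) {
        $sev = $severityById[[string]$i.UpdateId]
        if (-not $sev) { $sev = 'NotInScope' }   # record for an update that was not fetched
        $key = '{0}|{1}|{2}' -f $i.ComputerTargetId, $sev, $i.UpdateInstallationState
        $counts[$key] = 1 + [int]$counts[$key]   # [int]$null is 0 on first sight of a key
    }
    foreach ($k in ($counts.Keys | Sort-Object)) {
        $c, $s, $st = $k -split '\|'
        [pscustomobject]@{ Computer = $c; MsrcSeverity = $s; State = $st; Count = $counts[$k] }
    }
}

# On a live WSUS server the inputs would come from (not run here):
#   $Updates     = $wsus.GetUpdates($UpdateScope)
#   $InstallInfo = $wsus.GetComputerTargets($ComputerScope) |
#                      ForEach-Object { $_.GetUpdateInstallationInfoPerUpdate($UpdateScope) }

# Constructed sample data (GUIDs and computer IDs are made up).
$u1 = [guid]'11111111-1111-1111-1111-111111111111'
$u2 = [guid]'22222222-2222-2222-2222-222222222222'
$u3 = [guid]'33333333-3333-3333-3333-333333333333'
$Updates = @(
    [pscustomobject]@{ Id = [pscustomobject]@{ UpdateId = $u1 }; MsrcSeverity = 'Critical' }
    [pscustomobject]@{ Id = [pscustomobject]@{ UpdateId = $u2 }; MsrcSeverity = 'Important' }
    [pscustomobject]@{ Id = [pscustomobject]@{ UpdateId = $u3 }; MsrcSeverity = 'Critical' }
)
$InstallInfo = @(
    [pscustomobject]@{ ComputerTargetId = 'pc-01'; UpdateId = $u1; UpdateInstallationState = 'Installed' }
    [pscustomobject]@{ ComputerTargetId = 'pc-01'; UpdateId = $u3; UpdateInstallationState = 'Installed' }
    [pscustomobject]@{ ComputerTargetId = 'pc-01'; UpdateId = $u2; UpdateInstallationState = 'NotInstalled' }
    [pscustomobject]@{ ComputerTargetId = 'pc-02'; UpdateId = $u1; UpdateInstallationState = 'InstalledPendingReboot' }
)
Get-SeverityBreakdown -Updates $Updates -InstallInfo $InstallInfo | Format-Table -AutoSize
```

With the sample data, pc-01 shows two Critical updates as Installed and one Important update as NotInstalled, and pc-02 shows one Critical update as InstalledPendingReboot.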
  • The .NET classes are extremely slow if there is no underlying database view and some indexes are missing.

    I can suggest querying the database directly using SQL.  Run the query analyzer and add indexes where required.


    Tuesday, May 15, 2018 1:14 PM
  • Unfortunately, time is against you when you work with GetUpdates.

    You can reduce what GetUpdates returns if you delete all KBs that are declined, with this:

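    $KB = $Wsus.GetUpdates()
    # Keep only the updates that are already declined
    $Delete = $KB | Where-Object { $_.IsDeclined -eq $true }
    $Delete | ForEach-Object {
        $ListOfID = $_.Id
        $IDToDelete = $ListOfID | Select-Object -ExpandProperty UpdateId
        # Assumed final step (the posted snippet stops before it): delete by UpdateId
        $Wsus.DeleteUpdate($IDToDelete)
    }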

    But the result you want, with the number of computers and updates you have, takes a long time.

    I'll check my script collection, but I can't promise you I have something for you.

    Tuesday, May 15, 2018 1:48 PM
  • It is usually faster to use the GUI to remove all updates that do not apply, are superseded, or are declined.  This can be done by just checking the boxes.  It will still take a lot of time the first time you do it.

    You can also use this script to clean up the database: https://gallery.technet.microsoft.com/scriptcenter/fd39c7d4-05bb-4c2d-8a99-f92ca8d08218

    I also recommend running the following re-index script as WSUS indexes seem to get trashed frequently.


    In the end reporting by computer will still be slow because there are no indexes that support this.  Using SQL to the database will be faster.


    Tuesday, May 15, 2018 2:07 PM
  • I've found something for you in my collection, but what "UpdateInstallationState" do you want?

    Installed, NotInstalled, NotApplicable, PendingReboot? All of them?

    @JRV I completely agree with you, but my last post is not about declining but about deleting KBs from WSUS and WID; after this script it's recommended to re-index the database.

    Wednesday, May 16, 2018 1:12 PM
  • The GUI will delete all unused, declined, superseded and other updates with a few clicks.

    I didn't say to "decline" but to delete the declined updates.

    I did one WSUS and cut the storage down to less than 100Gb from nearly 700Gb.  This was because the installation selected for every device type and product.  WSUS should be set to only download the updates you actually need.  It is my firm belief that the database should always be moved to a non-system drive and be the only active software on the drive for performance reasons.


    • Edited by jrv Wednesday, May 16, 2018 1:29 PM
    Wednesday, May 16, 2018 1:28 PM