Generate patch report from WSUS

Hey scripters, today I want to share with you my script for generate patch report from WSUS.

On our blog we already show you how to check if specific patch is installed on your machine. But what in case that we want to generate report for servers\workstations which are managed by WSUS?
There are many of other tools which can better manage patch management process, however some environments still need to use this tool.

How script works?
At the beginning 4 variables should be provided:
TargetGroup – WSUS group for which we want to generate patch report,
WSUSServer – name of the WSUS server,
Severity – severity of patch which should be included in report,
Product – name of the product for which report should be generated eg. “Windows Server 2012 R2”

In next steps script check all patches from current month and filtering it via severity and porduct.
It is also check which are approved for defined patch group.
Final steps are checking which computer belongs to patch group and adding them to report list.

Script:

### Provide configuration data ###
$TargetGroup = "Test Group"
$WSUSServer = "Name of WSUS server"
$Severity = "Critical"
$Product = "Windows Server 2012 R2"

$report = @()
[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer("$WSUSServer",$False,8530)
$CompSc = new-object Microsoft.UpdateServices.Administration.ComputerTargetScope
$updateScope = new-object Microsoft.UpdateServices.Administration.UpdateScope; 
$Month = (Get-Date).Month
$updateScope.FromCreationDate  = (Get-Date -Month $Month -Day 1)
$updateScope.UpdateApprovalActions = [Microsoft.UpdateServices.Administration.UpdateApprovalActions]::Install
$DCs = $null
$DCs += Get-WsusComputer | select * | Where-Object {($_.RequestedTargetGroupNames -eq "Test DCs")}

$updates = $wsus.GetUpdates($updateScope)
$updates = $updates | Where-Object {$_.ProductTitles -eq "$Product" -and $_.MsrcSeverity -eq "$Severity"} 
foreach($update in $updates){
    $AllUpdates = $update.GetUpdateInstallationInfoPerComputerTarget($CompSc) | Where-Object {$_.UpdateApprovalAction -eq "Install"} 
    foreach($up in $AllUpdates){ 
        $TargetID = $null
        $TargetID = $DCs |? {$_.Id -eq $up.ComputerTargetID}
        If($TargetID.Id){
                  $Comp = $wsus.GetComputerTarget($TargetID.Id)
 
                  $info = "" | select UpdateTitle, PatchReleaseDate, KB, Computername, OS ,IpAddress, UpdateInstallationStatus, UpdateApprovalAction, Severity 
                  $info.UpdateTitle = $update.Title
                  $info.PatchReleaseDate = $update.CreationDate
                  $info.KB = "KB"+($update.KnowledgebaseArticles)
                  $Info.Severity = $update.MsrcSeverity
                  $info.Computername = $Comp.FullDomainName
                  $info.OS = $Comp.OSDescription
                  $info.IpAddress = $Comp.IPAddress
                  $info.UpdateInstallationStatus = $up.UpdateInstallationState
                  $info.UpdateApprovalAction = $up.UpdateApprovalAction
                  $report+=$info
        }
    }
}

$report

And that is all, we’ve generate patch report from WSUS!

I hope it will be usefull for some of you 😉
Enjoy!

Leave a Reply

Your email address will not be published. Required fields are marked *