WSUS, PowerShell and Computers

My role currently involves dealing with Windows in addition to the standard VMware/hardware infrastructure. If we ever thought that patching ESXi was fun, dealing with WSUS is a whole other ball game. I will no doubt get around to writing a full post about it in the near future, as dealing with it has been quite time consuming and there are a few gotchas 😉

However, the point of this post is looking at WSUS and automation, in this case using PowerShell. There are two obvious approaches to using WSUS:

  • Approve everything to every computer group (depending on your patching schedule).
  • Approve only the required patches to each computer group.

The latter approach appeals to me, purely because we can ensure that a patch is approved/applied to a less important environment first (think Dev -> UAT -> Production) and easily identify those patches that *haven’t* been required previously (do you really want to apply a patch for the first time to Production?)

So the crux of any script is going to be getting the computers in the WSUS Computer group so we can discover what patches need to be approved. There are two methods that I know of, though there could be more 🙂

Before I start, I’m using WSUS on Windows Server 2016/2019, and PowerShell needs to be run as an Administrator in order to run the scripts (if your UAC is so inclined). I’m also being lazy and including screenshots from my workplace as opposed to sorting out a lab environment, so there won’t be any proper screenshots and all computer information will be omitted.


The Get-WSUSComputer command is included in the UpdateServices module, and is straightforward to use:

Get-WSUSComputer -ComputerTargetGroups <name>,<name>,<name> -IncludeDownstreamComputerTargets

The full documentation for this command is at

The last switch is important if you have a downstream WSUS server, as by default WSUS will only return computer information that it is responsible for. Using the switch will include all downstream computers in this group.

The data returned is also quite strange – this is the header for the table displayed by the command:

However, these are display names. There is no field called “Computer” or “Name”, so if you wanted to sort by one of them you’d get nothing back! Running the command below will show us what we need:

Get-WSUSComputer -All | Select -First 1 | Get-Member

So we can now discover the mapping is:

  • Computer is FullDomainName
  • IP Address is IPAddress
  • Operating System is OSDescription
  • Last Status Report is LastReportedStatusTime
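The mapping above, put to use in an added example (not code from the original post): it lists a group's computers sorted by the real property name and flags machines whose last status report is old, since a computer that has stopped reporting cannot tell WSUS which patches it needs. The function name `Get-WsusGroupReport`, the `-StaleDays` threshold and the assumption that report times are UTC are mine.

```powershell
# Added example: hypothetical helper, not part of the original post.
function Get-WsusGroupReport {
    [CmdletBinding()]
    param(
        # One or more WSUS computer group names
        [Parameter(Mandatory)][string[]]$GroupName,
        # Assumed threshold; tune it to your own patching schedule
        [int]$StaleDays = 30
    )

    Import-Module UpdateServices -ErrorAction Stop

    # Assumption: WSUS stores LastReportedStatusTime in UTC
    $now = [datetime]::UtcNow

    # Query the local WSUS server, including computers that report to
    # downstream servers. The Where-Object filter is defensive: it drops
    # anything in the output that is not a computer object.
    Get-WsusComputer -ComputerTargetGroups $GroupName -IncludeDownstreamComputerTargets |
        Where-Object { $_.PSObject.Properties['FullDomainName'] } |
        Sort-Object -Property FullDomainName |
        ForEach-Object {
            # A computer that has never reported carries a minimum date,
            # so it shows up with a very large age and is flagged as stale.
            $age = [int]($now - $_.LastReportedStatusTime).TotalDays
            [pscustomobject]@{
                Computer         = $_.FullDomainName          # "Computer"
                IPAddress        = $_.IPAddress               # "IP Address"
                OperatingSystem  = $_.OSDescription           # "Operating System"
                LastStatusReport = $_.LastReportedStatusTime  # "Last Status Report"
                DaysSinceReport  = $age
                Stale            = ($age -gt $StaleDays)
            }
        }
}

# "Infrastructure" is the group name used elsewhere in this post
Get-WsusGroupReport -GroupName 'Infrastructure' | Format-Table -AutoSize
```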

Object Methods

Instead of using a provided command, which no doubt wraps the method calls, we can call the methods directly. The code below will do the same as the one-liner above!

$wsus = Get-WsusServer
$wg = $wsus.GetComputerTargetGroups() | ? { $_.Name -eq "Infrastructure" }
# Scope the query to that group, including computers on downstream servers
$cscope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope
$cscope.IncludeDownstreamComputerTargets = $true
[void]$cscope.ComputerTargetGroups.Add($wg)
# Return the computers in the group
$wsus.GetComputerTargets($cscope)

Which is better? That’s up to you and your style/comfort.

Which should you use? That’s up to you too 🙂

The first scripts using WSUS that I found used methods to get the information, so this is how I’ve written most of my scripts. I have not found any advantage in using one way instead of the other, but that doesn’t mean there isn’t one. I hate to be non-committal, but like most tech, choose the one that works for you 🙂