Although I am an engineer, I used to be responsible for approving Windows updates for the whole company. Can you imagine a more boring task? It usually took me a couple of hours to approve all the updates. No wonder I looked for a more efficient way to do it.

The PowerShell script discussed in this post is my solution.

Let’s go through the script line by line:

The $log variable stores the location of the log file. We need the log file to check what updates were approved, when, and to which WSUS groups.

I had to approve updates in stages to three client computer types—development (dev), production (prod), and then to all clients (clients). The corresponding groups exist on my WSUS server. With the help of the $switch variable, I determine which computer group I want to target.

Here, I set up the variable that stores the WSUS server name:

In order to manage WSUS with PowerShell, I first load the WSUS snap-in and then connect to the WSUS server.

These lines import a set of WSUS computer group names, which I store in the $group variable.

Here I check the value of the $switch variable to determine which WSUS groups to target. The group names are stored in text files, so I don't have to hardcode them in the script. Each line in the text file contains one WSUS group.

WSUS groups sample file

Here I’m checking whether any groups were assigned to the $group variable. If not, the script has nothing to work with and has to exit.

Using the GetUpdates() method, I get the updates I’m going to approve from WSUS and store them in the $updates variable. As you can see, I have quite a few criteria for the updates: they have to be created between 6/1/2016 and 7/1/2016; they shouldn’t be updates for computers with an Itanium processor (because we don’t have such computers); .NET Framework updates should not be included (because they break some of our web clients); they should not be expired; they must belong to the Windows or Office product families; and they must be security or critical updates.

Now I’m looping through the groups that were stored in the $group variable. For each group name, I’m using the GetComputerTargetGroups() method to check whether the corresponding group exists in WSUS. If there is such a group, I’m storing it in the $wgroup variable. Then I loop through all the updates stored in the $updates variable to approve them for installation on the group stored in the $wgroup variable.

At the end of the script, I write information about the groups and approved updates into the log file using the Out-File cmdlet. With the help of the Select-Object cmdlet, I pick the information I’m interested in. This is what the log file looks like:

Sample log file
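The staged approval flow described above, assembled into one runnable script as an added example (this is not the post's own script). The server name, the group-file naming scheme, the log path and the port are assumptions; the filter criteria, the staged dev/prod/clients targeting and the logging follow the post.

```powershell
# Added example, not the original post's script. Assumes the WSUS administration assembly is
# installed locally and that a file named wsus-groups-<switch>.txt (one WSUS group per line)
# sits next to the script. Server name, port and log path are placeholders.
param(
    [ValidateSet('dev', 'prod', 'clients')][string]$Switch = 'dev',
    [string]$WsusServer = 'wsus01.example.internal',                         # assumed name
    [string]$Log = "C:\Logs\wsus-approve-$(Get-Date -Format yyyyMMdd).log"  # assumed path
)

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServer, $false, 8530)

# Group names come from a text file keyed by $Switch, so nothing is hard-coded in the script.
$group = Get-Content -Path ".\wsus-groups-$Switch.txt" | Where-Object { $_.Trim() }
if (-not $group) { Write-Error "No WSUS groups found for '$Switch'; nothing to approve."; exit 1 }

# Same criteria as the post: creation window, no Itanium, no .NET Framework, not expired,
# Windows or Office product families only, Security or Critical classification.
$updates = $wsus.GetUpdates() | Where-Object {
    $_.CreationDate -ge [datetime]'2016-06-01' -and $_.CreationDate -lt [datetime]'2016-07-01' -and
    $_.Title -notmatch 'Itanium' -and $_.Title -notmatch '\.NET Framework' -and
    $_.PublicationState -ne 'Expired' -and -not $_.IsDeclined -and
    ($_.ProductFamilyTitles -contains 'Windows' -or $_.ProductFamilyTitles -contains 'Office') -and
    $_.UpdateClassificationTitle -in 'Security Updates', 'Critical Updates'
}

# Approve for installation only on groups that really exist in WSUS; collect a record per approval.
$approved = foreach ($name in $group) {
    $wgroup = $wsus.GetComputerTargetGroups() | Where-Object Name -eq $name
    if (-not $wgroup) { Write-Warning "WSUS group '$name' does not exist; skipping."; continue }
    foreach ($u in $updates) {
        $u.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $wgroup) | Out-Null
        [pscustomobject]@{
            Approved = Get-Date
            Group    = $name
            KB       = ($u.KnowledgebaseArticles -join ',')
            Title    = $u.Title
        }
    }
}

# The log answers "what was approved, when, and for which group" after the fact.
$approved | Select-Object Approved, Group, KB, Title | Out-File -FilePath $Log -Append
```

Run it once per stage (`-Switch dev`, then `prod`, then `clients`) so each rollout step is recorded separately in the log.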


  1. Mark Plaga 4 months ago

    I believe that the below line should read:

    This lines import a set of Computer Group names which I store in the $group variable.

    or simply

    This lines import a set of Group names which I store in the $group variable.

    instead of,

    This lines import a set of computer names which I store in the $group variable.



  2. Mario 2 weeks ago

    # Start one transcript for the whole run; Start-Transcript cannot be called again until Stop-Transcript runs
    Start-Transcript -Path "C:\WSUSlogs\deny-wsus $(Get-Date -Format dd-MM-yyyy).txt" -Append
    # Decline Preview and Feature updates that are still unapproved
    Get-WsusUpdate -Approval Unapproved | Where-Object { $_.Update.Title -like "*Preview*" } | Deny-WsusUpdate
    Get-WsusUpdate -Approval Unapproved | Where-Object { $_.Update.Title -like "Feature update*" } | Deny-WsusUpdate
    # Set .NET updates to NotApproved for the two main target groups
    $dotnetupdates = Get-WsusUpdate -Approval Unapproved | Where-Object { $_.Update.Title -ilike "*.NET Framework*" -or $_.Update.Title -ilike "*.NET*" }
    $dotnetupdates | Approve-WsusUpdate -Action NotApproved -TargetGroupName "Windows10"
    $dotnetupdates | Approve-WsusUpdate -Action NotApproved -TargetGroupName "Windows Server"
    # Everything that is still unapproved is explicitly set to NotApproved for all three groups
    $AllUnaproved = Get-WsusUpdate -Classification All -Approval Unapproved -Status Any
    $AllUnaproved | Approve-WsusUpdate -Action NotApproved -TargetGroupName "Windows Server"
    $AllUnaproved | Approve-WsusUpdate -Action NotApproved -TargetGroupName "Windows10"
    $AllUnaproved | Approve-WsusUpdate -Action NotApproved -TargetGroupName "All without .net"
    Stop-Transcript


    Hi, here is mine, but I need help with installing on the client PC.

    I ran this and all was OK, but I was thinking it will only download on the client PC (client - my coworkers in my company)

    but not install ....

    Can you help me and tell me how to change the parameters to only download but not install...




© 4sysops 2006 - 2020
