If you follow me, you know that I’ve been playing a lot with WSUS in recent days and have discovered there’s an extremely simple way to extract the list of all the Microsoft Security Monthly Quality Rollups (which include cumulated security updates and non-security updates) residing on a WSUS server with the help of PowerShell.
The key cmdlet is Get-WsusUpdate. The Get-WsusUpdate cmdlet gets the Windows Server Update Services (WSUS) update object with details about existing updates.
$MSupdates = Get-WsusUpdate
Using Get-Member we can see the returned object type:
$MSupdates | Get-Member

   TypeName: Microsoft.UpdateServices.Commands.WsusUpdate

Name                               MemberType Definition
----                               ---------- ----------
Equals                             Method     bool Equals(System.Object obj)
GetHashCode                        Method     int GetHashCode()
GetType                            Method     type GetType()
ToString                           Method     string ToString()
Approved                           Property   string Approved {get;}
Classification                     Property   string Classification {get;}
ComputersInstalledOrNotApplicable  Property   int ComputersInstalledOrNotApp
ComputersNeedingThisUpdate         Property   int ComputersNeedingThisUpdate
ComputersWithErrors                Property   int ComputersWithErrors {get;}
ComputersWithNoStatus              Property   int ComputersWithNoStatus {get
InstalledOrNotApplicablePercentage Property   int InstalledOrNotApplicablePe
LanguagesSupported                 Property   System.Collections.Specialized
LicenseAgreement                   Property   string LicenseAgreement {get;}
MayRequestUserInput                Property   bool MayRequestUserInput {get;
MsrcNumbers                        Property   System.Collections.Specialized
MustBeInstalledExclusively         Property   bool MustBeInstalledExclusivel
Products                           Property   System.Collections.Specialized
Removable                          Property   bool Removable {get;}
RestartBehavior                    Property   string RestartBehavior {get;}
Update                             Property   Microsoft.UpdateServices.Admin
UpdateId                           Property   string UpdateId {get;}
UpdatesSupersededByThisUpdate      Property   System.Collections.Specialized
UpdatesSupersedingThisUpdate       Property   System.Collections.Specialized
The key point here is that Get-WsusUpdate used with no parameters reports patch information of the computer where it runs, which is just a subset of all the possible patches.
If you want to retrieve the list of all the patches hosted by your WSUS server, here’s the syntax to use:
$MSupdates = Get-WsusUpdate -Verbose -Approval AnyExceptDeclined
Once you have that (it can take a while, and you’ll see the WSUS database pretty busy), you can easily select the patches that are Security Monthly Quality Rollups:
$MSupdates.Update | ? Title -match 'Security Monthly Quality Rollup' | Format-Table title

Title
-----
2018-03 Security Monthly Quality Rollup for Windows Server 2012 R2...
2018-03 Security Monthly Quality Rollup for Windows Server 2012 fo...
2018-03 Security Monthly Quality Rollup for Windows 7 for x64-base...
2018-03 Security Monthly Quality Rollup for Windows Server 2008 R2...
2018-03 Security Monthly Quality Rollup for Windows 7 for x86-base...
As you can see, the monthly rollups listed here are the ones from last March's Patch Tuesday (KB4088876).
I could think of counting all these Monthly Rollups by OS:
$MSupdates.Update | ? Title -match 'Security Monthly Quality Rollup' | Group ProductTitles | Select Name,Count | Sort Count -Descending
All you need to know is simply what kind of patches you want to extract from this huge list. A few examples now.
Patches whose title starts with 2018:
$MSupdates.Update | ? Title -match '^2018' | Format-Table title, creationdate, knowledgebasearticles, producttitles, state
Patches whose title starts with 2017-12 (in this regex the caret ^ matches the position before the first character in the string):
$MSupdates.Update | ? Title -match '^2017-12' | Format-Table title, creationdate, knowledgebasearticles, producttitles, state
Patches with a certain KB number:
$MSupdates.Update | ? KnowledgebaseArticles -match '4088876' | Format-Table title, creationdate, knowledgebasearticles, producttitles, state
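The filters above combined into one patch-status report, as an added example that is not part of the original post: it keeps only the rollups, pulls the release month from the title and shows which ones computers still need or fail to install. Get-RollupSummary, New-SampleUpdate and the sample objects are assumptions made for illustration; the property names are the ones shown in the Get-Member and Format-Table output earlier.

```powershell
# Added example, not the author's code. Get-RollupSummary is a hypothetical helper name.
function Get-RollupSummary {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $WsusUpdate,
        [string] $TitlePattern = 'Security Monthly Quality Rollup'
    )
    process {
        $u = $WsusUpdate.Update
        if ($u.Title -notmatch $TitlePattern) { return }   # skip everything that is not a rollup
        # Rollup titles start with yyyy-MM; Month stays empty when a title does not.
        $month = if ($u.Title -match '^(\d{4}-\d{2})\s') { $Matches[1] } else { '' }
        [pscustomobject]@{
            Month   = $month
            KB      = @($u.KnowledgebaseArticles) -join ','
            Product = @($u.ProductTitles) -join '; '
            Needed  = [int]$WsusUpdate.ComputersNeedingThisUpdate
            Errors  = [int]$WsusUpdate.ComputersWithErrors
            Title   = $u.Title
        }
    }
}

# Constructed sample objects (not real WSUS data) so the block runs anywhere.
function New-SampleUpdate($Title, $KB, $Product, $Needed, $Errors) {
    [pscustomobject]@{
        ComputersNeedingThisUpdate = $Needed
        ComputersWithErrors        = $Errors
        Update = [pscustomobject]@{ Title = $Title; KnowledgebaseArticles = @($KB); ProductTitles = @($Product) }
    }
}
$sample = @(
    New-SampleUpdate '2018-03 Security Monthly Quality Rollup for Windows Server 2012 R2 (sample)' '4088876' 'Windows Server 2012 R2' 12 1
    New-SampleUpdate '2018-03 Security Monthly Quality Rollup for Windows 7 (sample)' '0000001' 'Windows 7' 0 0
    New-SampleUpdate '2018-02 Security Monthly Quality Rollup for Windows 7 (sample)' '0000002' 'Windows 7' 3 0
    New-SampleUpdate 'Definition update (sample, not a rollup)' '0000003' 'Windows Defender' 40 0
)

# On a WSUS server, feed real data instead: Get-WsusUpdate -Approval AnyExceptDeclined | Get-RollupSummary
$report = $sample | Get-RollupSummary

# Rollups that computers still need or fail to install, worst first.
$report | Where-Object { $_.Needed -gt 0 -or $_.Errors -gt 0 } |
    Sort-Object Needed -Descending |
    Format-Table Month, KB, Product, Needed, Errors -AutoSize

# Outstanding installs per release month.
$report | Group-Object Month | ForEach-Object {
    [pscustomobject]@{ Month = $_.Name; Rollups = $_.Count
        Needed = ($_.Group | Measure-Object Needed -Sum).Sum }
} | Sort-Object Month -Descending | Format-Table -AutoSize
```

With the sample data, the first table lists the 2018-03 rollup for Windows Server 2012 R2 (12 needed, 1 error) and the 2018-02 rollup for Windows 7 (3 needed); the non-rollup entry is filtered out.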
Stay tuned for more PowerShell and get ready for today’s Patch Tuesday!