We have 3 WSUS replica servers and one central server that the replicas are connected to. From the central server we are managing the 3 replicas. All clients are connected only to the replicas.

I am trying to create a PowerShell script that should approve only updates that are required by any server.

My problem is: if I query the "needed" count on the central server, I always get zero patches. This is because no clients are connected to the central server. How do I get this information for the sum of all four (or in practice three) servers?

What I currently have is:

# Get WSUS Server
[reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") | out-null 
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer();  

$updateScope = new-object Microsoft.UpdateServices.Administration.UpdateScope; 
$computerScope = new-object Microsoft.UpdateServices.Administration.ComputerTargetScope;

#Get all available Updates
$wsusupdates = $wsus.GetUpdates($updateScope)

$updateTotalCount = $wsus.GetUpdateCount($updateScope)
foreach($update in $wsusupdates)
{
    # Get the summary
    $summary = $update.GetSummary($computerscope); 
    $neededCount = ($summary.InstalledPendingRebootCount + $summary.NotInstalledCount)

    # Only install, if any server needs the update
    if ($neededCount -gt 0)
    {
        $update.Approve("Install", ($wsus.GetComputerTargetGroups() | Where-Object{$_.Name -eq $aSelectedWsusGroup}))
    }
}

The key part is the line

$summary = $update.GetSummary($computerscope); 

where I get the information of the updates - incl. the counts I need for the "is needed" calculation in the line after.

Finally the question is: How to include the replica server data in the update summary to figure out, if an update is required?

BTW: I tried to run the script remotely on the replicas from the central WSUS server but the approve-command is not allowed on replica servers.

Hunv
  • Have the downstream computers reported in the DSS, and the replicas rolled up status reports to the USS? If you've set the DSS not to roll up, then you can query needed updates from each DSS, then look up the updates on the USS by UpdateId and approve them. – Matthew Wetmore Dec 24 '16 at 09:44
  • @MatthewWetmore I assume so, because the MMC console shows all computers, including the ones connected to the replicas. – Hunv Dec 24 '16 at 17:36
  • Can you try setting this explicitly before querying? https://msdn.microsoft.com/en-us/library/microsoft.updateservices.administration.computertargetscope.includedownstreamcomputertargets(v=vs.85).aspx I'm not sure which way it defaults. $computerScope.IncludeDownstreamComputerTargets = $true – Matthew Wetmore Dec 24 '16 at 18:01
  • I'm assuming this was your issue, and posted as answer. – Matthew Wetmore Dec 24 '16 at 21:09

1 Answer

Add the line $computerScope.IncludeDownstreamComputerTargets = $true:

$computerScope = new-object Microsoft.UpdateServices.Administration.ComputerTargetScope;
$computerScope.IncludeDownstreamComputerTargets = $true 

Assuming:

  • replica server has enabled roll-up,
  • sufficient time has passed for both clients to report to their server, and the roll-up from the downstream server (DSS) to the upstream server (USS). By this point, you should see updates as needed in the UI.
Matthew Wetmore
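
The question's script with the answer's fix applied, written here as an added example (not code from either poster) and meant to run on the upstream server. The function name and the `GroupName` and `MaxRollupAgeHours` parameters are hypothetical; the roll-up age check assumes `LastRollupTime` is reported in UTC, and `-WhatIf` lists what would be approved without changing anything.

```powershell
# Added example. Function and parameter names are hypothetical, not from the thread.
function Approve-NeededUpdate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$GroupName,
        [int]$MaxRollupAgeHours = 24
    )

    [void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

    # The answer assumes replicas have rolled up recently. Warn when one has not,
    # because its clients' needs are then missing or stale in the counts below.
    # Assumption: LastRollupTime is UTC.
    foreach ($dss in $wsus.GetDownstreamServers()) {
        $age = (Get-Date).ToUniversalTime() - $dss.LastRollupTime
        if ($age.TotalHours -gt $MaxRollupAgeHours) {
            Write-Warning ("{0}: last roll-up {1:N0} hours ago" -f $dss.FullDomainName, $age.TotalHours)
        }
    }

    # Resolve the target group once and fail early if the name is wrong.
    $group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $GroupName }
    if (-not $group) { throw "Computer target group '$GroupName' not found." }

    # The fix from the answer: count clients that report to the replicas as well.
    $computerScope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope
    $computerScope.IncludeDownstreamComputerTargets = $true
    $updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope

    foreach ($update in $wsus.GetUpdates($updateScope)) {
        if ($update.IsDeclined) { continue }   # never re-approve a declined update

        # Same "needed" definition as in the question.
        $summary = $update.GetSummary($computerScope)
        $needed  = $summary.InstalledPendingRebootCount + $summary.NotInstalledCount

        if ($needed -gt 0 -and
            $PSCmdlet.ShouldProcess($update.Title, "Approve for '$GroupName' ($needed needed)")) {
            $action = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
            [void]$update.Approve($action, $group)
        }
    }
}

# Dry run first, e.g.: Approve-NeededUpdate -GroupName 'Servers' -WhatIf
```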