I've just written an extremely simple script to query our WSUS server to check how many servers need a patch that has been approved. Here's the code:
$patchID = "KB2992611"
$wsusServerName = "wsusserver"
$wsusserver = Get-WsusServer $wsusServerName -PortNumber 8530
# Get approved patches that are still needed:
$approvedandneeded = Get-WsusUpdate -UpdateServer $wsusserver -Status Needed -Approval Approved
# Filter to get the patch you're after:
$filteredUpdates = $approvedandneeded | Select-Object -ExpandProperty Update | Where-Object { $_.Title -match $patchID }
foreach($update in $filteredUpdates)
{
$updateDetails = Get-WsusUpdate -UpdateId $($update.UpdateID) -UpdateServer $server
Write-Output "Computers needing this update: $($updateDetails.ComputersNeedingThisUpdate) | $($update.Title)"
}Output
Computers needing this update: 0 | Security Update for Windows Server 2008 R2 x64 Edition (KB2992611) Computers needing this update: 0 | Security Update for Windows Server 2012 R2 (KB2992611) Computers needing this update: 0 | Security Update for Windows Server 2008 x64 Edition (KB2992611) Computers needing this update: 0 | Security Update for Windows Server 2008 (KB2992611) Computers needing this update: 0 | Security Update for Windows Server 2003 (KB2992611)
As you can see, the ComputersNeedingThisUpdate attribute/property is always showing 0. This is despite the WSUS console showing completely different results. I *know* most computers need that patch and I can see this through the console, just not via a script.
It's worth stating that the ComputersInstalledOrNotApplicable and ComputersWithNoStatus properties return accurate data, it's not a problem with the code.
Help is appreciated.
Regards,
Robin