PowerShell WSUS commands to get update folder info

stay puft 221 Reputation points
2020-10-29T00:29:06.47+00:00

(I asked in Scripting, they sent me here)
I have an air-gapped network that I need to patch. (By business policy, I am not allowed to use anything that is not Microsoft installed)

I have:

I have gotten past the first hurdle of exporting and importing the "list" of patches that WSUS checks against. So I have a WSUS(internet) that downloads all the patches I need for my regular environment, and it works great. So I export my list of available updates, and I import manually (sneaker-net) it into my WSUS(isolated). With my computers checking in, I now know what updates are needed.

My WSUS(Internet) has 10K updates available for thousands of clients and products, but the "list" is only <1gb. The "WSUS Content" folder is huge, and I only need maybe 200 of them.

I Need:

I would like to use PowerShell in WSUS(Isolated) to generate a list of needed patches by their FOLDERNAME so I can sneaker-net these over and place them in the proper place so WSUS can permit the download and install. In generic terms I want to;
get-wsusupdate -status Needed | Select UPDATEKB,NAME,GUID,FOLDERLOCATION

I have been doing A LOT of reading, and this simple task does not appear to be so simple.

I only Use PS to be dangerous, so any help would be greatly appreciated!


3 answers

  1. Rita Hu -MSFT 9,641 Reputation points
    2020-10-29T07:07:19.483+00:00

    Hi staypuft-3072,

    Thanks for your posting on this forum.

    I just want to explain the following two files for WSUS first:
    Metadata: The metadata is shown in the WSUS console. The file is located in the database.
    Binary update file: The files are used to install on the clients. The files are located in the wsus content folder.

    In an isolated environment, we could not connect to the Internet. The files (both metadata and binary update files) are exported from the connected WSUS and imported into the isolated WSUS. In my opinion, we just import the needed updates. That will be OK.

    In addition, it is recommended to select the needed Products and Classifications on the connected WSUS Server. Then we could sync and approve the needed updates. Note that we should approve the latest updates. For example, we could approve the latest cumulative updates and latest service stack updates on the connected WSUS. After approval, the updates will be downloaded to the content folder. Then we could import into the isolated WSUS server.

    Note that we could refer to the official links to approve the latest updates for the clients.
    Windows 10 updates history
    Windows 8.1 and Windows Server 2012R2 updates history

    Thanks for your time.

    Regards,
    Rita



    1 person found this answer helpful.

  2. stay puft 221 Reputation points
    2020-10-29T19:05:51.663+00:00

    Thank you for the reply but I am sorry, I do not understand what you are trying to say. I do not see how this addresses my question at all.

    I have the metadata file and it has been imported, and my isolated computers only report a need for a limited # of patches. I can find these through the GUI and write them down one by one 200 times, but there must be an easier way, this is why I am asking about PowerShell. I need to know the binary file location for each patch that is needed, so I can copy ONLY those files, and NOT the entire wsus_content directory.

    What am I missing?? Are you saying that the ENTIRE metadata file and the ENTIRE binary file group (wsus_content) is required? this is not my experience so far.

    1 person found this answer helpful.

  3. Rita Hu -MSFT 9,641 Reputation points
    2020-10-30T03:12:35.837+00:00

    Hi staypuft-3072,

    Thanks for your reply. I'm sorry that my explanation is not clear enough. In my opinion, it is difficult to achieve this feature via PowerShell now.

    In fact, the needed updates shown in the isolated WSUS have nothing to do with the binary update file. The needed updates are associated with the metadata. We should use the wsusutil.exe tool to export the metadata, however, the wsusutil.exe tool will export all the metadata files at one time and we can't only filter out the metadata of the needed updates. So it's hard to achieve your goal via PowerShell command.

    In my opinion, the only solution but not the best is to import the updates manually one by one on the connected WSUS. Here are the detailed guides for your reference:

    1. Import the needed updates on the connected WSUS manually

    Reference picture:
    36196-1.png

    2. Approve the needed updates

    3. Copy the Binary update files on the connected WSUS and print into the isolated WSUS

    4. Use the wsusutil.exe export and import command to import the metadata

    Regards,
    Rita



    1 person found this answer helpful.
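
The mapping the question asks for (needed update to payload file under the content folder), sketched as an added example that is not from either participant in this thread. It assumes the UpdateServices module installed with the WSUS role and these WSUS administration API members: `GetInstallableItems()`, `Files`, `FileUri`, `TotalBytes` and `LocalContentCachePath`; the `C:\Temp` output paths are hypothetical.

```powershell
# Added example. Run in an elevated session on the isolated WSUS server.
# Assumes the UpdateServices module that ships with the WSUS role.
$wsus = Get-WsusServer

# Local content store, read from the server configuration.
$contentRoot = $wsus.GetConfiguration().LocalContentCachePath

# Updates that at least one reporting computer still needs.
$needed = Get-WsusUpdate -UpdateServer $wsus -Classification All `
    -Approval AnyExceptDeclined -Status Needed

$rows = @(foreach ($wu in $needed) {
    $update = $wu.Update                      # underlying IUpdate object
    foreach ($item in $update.GetInstallableItems()) {
        foreach ($file in $item.Files) {
            # Assumption: FileUri ends in /Content/<subfolder>/<file>, which
            # mirrors the layout under the WsusContent directory.
            if ("$($file.FileUri)" -notmatch '/Content/(.+)$') { continue }
            $relative = $Matches[1] -replace '/', '\'
            [pscustomobject]@{
                KB          = $update.KnowledgebaseArticles -join ','
                Title       = $update.Title
                UpdateId    = $update.Id.UpdateId
                FileName    = $file.Name
                SizeBytes   = $file.TotalBytes
                ContentPath = $relative
                # True when the payload is already in the local content store.
                Present     = Test-Path -LiteralPath (Join-Path $contentRoot $relative)
            }
        }
    }
})

# Full inventory for the change record (hypothetical output path).
$rows | Export-Csv -Path 'C:\Temp\needed-updates.csv' -NoTypeInformation

# De-duplicated relative paths of payload files not yet on this server;
# several updates can share one file, so each path is listed once.
$rows | Where-Object { -not $_.Present } |
    Select-Object -ExpandProperty ContentPath -Unique |
    Set-Content -Path 'C:\Temp\missing-content.txt'
```

The text file lists paths relative to the content folder, so the same relative paths can be copied from the connected server's content folder and placed under the isolated server's content folder.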