We help IT Professionals succeed at work.

Finding WSUS approved counts

notta3d used Ask the Experts™
I need to find the number of approved updates that a machine needs. These are a mixture of Windows XP and Windows 7 computers. I'll be running this locally on each machine so I was hoping to find data such as the number of approved(pendingReboot,needed,downloaded.)

All the examples I've found so far only show how to return all the updates needed for the machine regardless of approval state. This is no good since I only care about the updates I've approved. Is Vbscript capable of getting this information from WSUS because most examples refer to Powershell or .net?
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
What version of WSUS are you running?
In the same pane that you approve updates from, you can change the "Unapproved" to "Approved" to show a list. see attached....I may not be understanding what you are looking for though.
DonNetwork Administrator

You can get all this information with-in WSUS by running reports...just select Reports>>Update Status summary>>then select "Include Updates for these products"(the ones you approved)>>"Include updates that have status of" <needed>


Thanks guys. I understand what you're saying, but I'm going to need this data at a users desk where the WSUS console is not installed. I run a Vbscript on every machine to check many common issues in our environment and I also wanted to add how many approved updates are needed on the machine before I walk away. I could RDP into my console back at my office, but I was hoping to add the functionality into my already existing script.
DonNetwork Administrator

Then use wuinstall.exe /search


Searching for updates:
/search ¿ lists all update which are available. It either searches on the Windows Update Server in the Internet, or, if configured, on your WSUS. It has no impact on your system at all, it just does a search and lists what was found.


dstewartjr, that is a fantastic utility, but does it return only the needed approved updates or all updates needed on the machine? I ran it on one of my machines and it came back and said no updates were needed so I'm assuming approved.

The only problem, without really diving into it is the output format looks like it could be pretty nasty to parse. The pro version has the option to output to XML which would be a lot better, but it's been a busy year already and I can't ask for any money at the moment.
DonNetwork Administrator

Only approved, you can run it bypassing wsus to get that info as well
DonNetwork Administrator

WuInstall /search /bypass_wsus
DonNetwork Administrator

strike that ^^^ bypass only avail in PRO :(


Cool. I can't think of a reason that I would ever want to bypass our WSUS server, but it's always nice to have options.

I really only need the reporting option to tell me how many updates are needed on the machine, so other than the XML output we wouldn't need any of the other features that the Pro version offers. A /detectnow will get the job done for me.

I imagine the application was written in .NET, but do you think you can get this same information using Vbscript? When I write same information I mean just the reporting piece to tell me how many approved updates are not installed?
DonNetwork Administrator

The following procedure describes how to get the missing patches info.

Note: Place all downloaded files in 1 directory

Download from this message
ConvertXML.vbs, MBSA2LR.XSL, Start_MBSA_Scan.cmd

Download MBSA 2.2: http://www.microsoft.com/download/en/details.aspx?id=7558
File: MBSASetup-x86-EN.msi
Open the file with 7-zip, from within 7-zip open file Data.Cab
and extract  mbsacli.exe  and  wusscan.dll

Download the latest Microsoft cabfile (wsusscn2.cab) and place this in the same directory

Copy all the files to the local hard drive of the PC and run

A logfile will be generated named <computername>_MBSA_Scan.log.
This contains all the installed patches including the ones with status "Missing".
You can check the <computername>_MBSA_Scan.xml for more detailed info.

Good luck.


Sorry man. I got busy on another project and had to come back to this. This actually works pretty well telling me how many updates are needed on the current machine. I appreciate the assistance.