Preliminary Guide for WSUS Analysis and Initial Assessment

Before optimising update management, troubleshooting patching issues, or preparing for a WSUS migration or cleanup, it is essential to perform a preliminary analysis of the WSUS (Windows Server Update Services) environment. In this article, we will discuss the Preliminary Guide for WSUS Analysis and Initial Assessment”. Please, see How to Disable the Password Manager of Google Chrome, and how to check the version of Windows ADK.

An initial WSUS assessment allows administrators to verify server configuration, synchronization status, update approvals, client compliance, computer group structure, and overall service health. The following PowerShell commands provide a structured and repeatable way to collect this information.

Important: All commands must be executed from PowerShell with administrative privileges on the WSUS server, with the WSUS PowerShell module installed.

Also, see “how to Disable the Firefox Password Manager in Windows 11“, how to configure Windows server update services, and Windows 2016 Servers do not show up on the WSUS console.

General WSUS Server Information

Please, use the command to determine WSUS version

(Get-WsusServer).Version

Server settings (Name, last sync time, synchronization source, replica status)

Get-WsusServer | Select-Object Name, UtcLastSyncTime, SyncFromMicrosoftUpdate, IsReplicaServer

These checks help confirm:

• WSUS build and compatibility
• Whether the server syncs directly from Microsoft Update
• Replica or upstream/downstream configuration

Update Synchronisation

Use this command to determine synchronisation status

Get-WsusServer | Select-Object LastSynchronizationInfo

You can also, synchronised update products and classifications

$wsus = Get-WsusServer
$wsus.GetSubscription().GetUpdateCategories() | Select-Object Title, Description
$wsus.GetSubscription().GetUpdateClassifications() | Select-Object Title, Description

This step verifies:

• Which Microsoft products are being synchronized
• Which update classifications are enabled
• Potential over-synchronization (unnecessary content)

Please, see Windows 2016 Servers do not show up on the WSUS console, Preliminary Active Directory Analysis – Assessment, and Guide Backup Azure Kubernetes Service by using Azure Backup.

Update Management

Use this command to update pending approval

Get-WsusUpdate -Classification All -Approval Unapproved

Approved updates

Get-WsusUpdate -Classification All -Approval Approved

Declined updates

Get-WsusUpdate -Classification All -Approval Declined

Updates required by clients (with installation percentage)

Get-WsusUpdate -Approval Approved |
Where-Object { $_.UpdateInstallationStateSummary.InstalledPercentage -lt 100 } |
Select-Object Title, @{
    Label="Needed By";
    Expression={$_.UpdateInstallationStateSummary.InstalledPercentage}
}

These commands provide insight into:

• Patch backlog
• Approval strategy effectiveness
• Client compliance gaps

Please, see Migrate Veeam One Database from SQL Server 2017 to 2025, Modern Backup Strategy with Veeam and Wasabi: Truly Immutable, and Uninstall Microsoft SQL Server 2025 from Windows.

Computer Group Management

List of computer target groups

Get-WsusComputerTargetGroup | Select-Object Name, Id

Number of computers per group

Get-WsusComputerTargetGroup | ForEach-Object {
    $_.Name + ": " + (Get-WsusComputer -TargetGroup $_).Count
}

This analysis helps validate:

• Logical grouping of clients
• Pilot vs production separation
• Group population balance

WSUS Event Log Review

Display WSUS-related events

Get-EventLog -LogName Application -Source "Windows Server Update Services"

Event log analysis is critical for identifying:

• Synchronization failures
• Database or content issues
• Client reporting problems

Please, see How to Install all Editions of Microsoft SQL Server 2025, and how to download and install the Windows ADK Patches

Reporting and Monitoring

Generate WSUS server status report

$wsus = Get-WsusServer
$wsusStatus = $wsus.GetStatus()
$wsusStatus | Select-Object LastSyncResult, LastSyncTime, NumberOfUpdatesNeeded

This provides a high-level operational overview of:

• Last synchronization outcome
• Overall update demand
• General WSUS health

Please, see How to install WSUS on Windows Server 2022, Query MBAM-protected Client for non-compliance [Part 2], and Why Software KVMs such as Synergy is replacing Hardware KVMs.

Automatic Approval Rules

View automatic approval rules

Get-WsusAutomaticApprovalRule | Select-Object Name, Enabled, UpdateClassifications

This step verifies:

• Presence of automation
• Risk of uncontrolled approvals
• Alignment with patching policies

Conclusion

A preliminary WSUS analysis is a fundamental activity for ensuring reliable, secure, and efficient Windows update management.

By reviewing synchronization settings, update approvals, client compliance, group organization, and server health, administrators can proactively identify inefficiencies and risks before they escalate into operational issues.

This guide can be used as:

• A baseline health check
• An audit preparation tool
• A starting point for WSUS optimization or modernization

I hope you found this guide very useful on “Preliminary Guide for WSUS Analysis and Initial Assessment”. Please feel free to leave a comment below.