Before optimising update management, troubleshooting patching issues, or preparing for a WSUS migration or cleanup, it is essential to perform a preliminary analysis of the WSUS (Windows Server Update Services) environment. In this article, we will discuss the Preliminary Guide for WSUS Analysis and Initial Assessment”. Please, see How to Disable the Password Manager of Google Chrome, and how to check the version of Windows ADK.

An initial WSUS assessment allows administrators to verify server configuration, synchronization status, update approvals, client compliance, computer group structure, and overall service health. The following PowerShell commands provide a structured and repeatable way to collect this information.

Important: All commands must be executed from PowerShell with administrative privileges on the WSUS server, with the WSUS PowerShell module installed.

Also, see “how to Disable the Firefox Password Manager in Windows 11“, how to configure Windows server update services, and Windows 2016 Servers do not show up on the WSUS console.

General WSUS Server Information

Please, use the command to determine WSUS version

(Get-WsusServer).Version

Server settings (Name, last sync time, synchronization source, replica status)

Get-WsusServer | Select-Object Name, UtcLastSyncTime, SyncFromMicrosoftUpdate, IsReplicaServer

These checks help confirm:

WSUS build and compatibility
Whether the server syncs directly from Microsoft Update
Replica or upstream/downstream configuration

Update Synchronisation

Use this command to determine synchronisation status

Get-WsusServer | Select-Object LastSynchronizationInfo

You can also, synchronised update products and classifications

$wsus = Get-WsusServer
$wsus.GetSubscription().GetUpdateCategories() | Select-Object Title, Description
$wsus.GetSubscription().GetUpdateClassifications() | Select-Object Title, Description

This step verifies:

Which Microsoft products are being synchronized
Which update classifications are enabled
Potential over-synchronization (unnecessary content)

Please, see Windows 2016 Servers do not show up on the WSUS console, Preliminary Active Directory Analysis – Assessment, and Guide Backup Azure Kubernetes Service by using Azure Backup.

Update Management

Use this command to update pending approval

Get-WsusUpdate -Classification All -Approval Unapproved

Approved updates

Get-WsusUpdate -Classification All -Approval Approved

Declined updates

Get-WsusUpdate -Classification All -Approval Declined

Updates required by clients (with installation percentage)

Get-WsusUpdate -Approval Approved |
Where-Object { $_.UpdateInstallationStateSummary.InstalledPercentage -lt 100 } |
Select-Object Title, @{
    Label="Needed By";
    Expression={$_.UpdateInstallationStateSummary.InstalledPercentage}
}

These commands provide insight into:

Patch backlog
Approval strategy effectiveness
Client compliance gaps

Please, see Migrate Veeam One Database from SQL Server 2017 to 2025, Modern Backup Strategy with Veeam and Wasabi: Truly Immutable, and Uninstall Microsoft SQL Server 2025 from Windows.

Computer Group Management

List of computer target groups

Get-WsusComputerTargetGroup | Select-Object Name, Id

Number of computers per group

Get-WsusComputerTargetGroup | ForEach-Object {
    $_.Name + ": " + (Get-WsusComputer -TargetGroup $_).Count
}

This analysis helps validate:

Logical grouping of clients
Pilot vs production separation
Group population balance

WSUS Event Log Review

Get-EventLog -LogName Application -Source "Windows Server Update Services"

Event log analysis is critical for identifying:

Synchronization failures
Database or content issues
Client reporting problems

Please, see How to Install all Editions of Microsoft SQL Server 2025, and how to download and install the Windows ADK Patches

Reporting and Monitoring

Generate WSUS server status report

$wsus = Get-WsusServer
$wsusStatus = $wsus.GetStatus()
$wsusStatus | Select-Object LastSyncResult, LastSyncTime, NumberOfUpdatesNeeded

This provides a high-level operational overview of:

Last synchronization outcome
Overall update demand
General WSUS health

Please, see How to install WSUS on Windows Server 2022, Query MBAM-protected Client for non-compliance [Part 2], and Why Software KVMs such as Synergy is replacing Hardware KVMs.

Automatic Approval Rules

View automatic approval rules

Get-WsusAutomaticApprovalRule | Select-Object Name, Enabled, UpdateClassifications

This step verifies:

Presence of automation
Risk of uncontrolled approvals
Alignment with patching policies

Conclusion

A preliminary WSUS analysis is a fundamental activity for ensuring reliable, secure, and efficient Windows update management.

By reviewing synchronization settings, update approvals, client compliance, group organization, and server health, administrators can proactively identify inefficiencies and risks before they escalate into operational issues.

This guide can be used as: