Using WUA to Scan for Updates Offline with PowerShell

 How to perform an offline scan using WUA and PowerShell.

 
 
 
 
 
5 Star
(1)
10,630 times
Add to favorites
Windows Update
12/12/2019
E-mail Twitter del.icio.us Digg Facebook
  • Windows Server 2019
    2 Posts | Last post January 22, 2020
    • Hi there,
      
      Has anyone tested this on Windows Server 2019 and can confirm success?
      
      Thanks.
    • Hi,
      
      yes this also works with WS2019, it just wasn't available to choose when I published the script here.
      
      Thanks,
      Andrei
  • Remote Computer
    4 Posts | Last post December 12, 2019
    • I placed all the files needed on the remote computer c:\temp folder including the PowerShell script named MBSA.ps1 and when attempting to run the following ps command:
      
      Invoke-Command -ComputerName Computer1 -ScriptBlock { C:\Temp\MBSA.ps1 }
      
      It throws this error message - although I have a domain admin account using Powershell in administrator mode. I have already checked that I can run this locally with no problems as well ensured that I have WMI and DCOM is enabled. 
      
      Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) 
       + CategoryInfo                      : OperationStopped: (:) [] , UnauthorizedAccessException
       + FullyQualifiedErrorID          : System.UnauthorizedAccessException
       + PSComputerName             : Computer1         
      
      
      Has anyone had any luck running this script against several computers?
    • Hi Jmarie561,
      
      that functionality is no more. I will see if there is any way to run a scan like this remotely, but AFAIK it is not possible.
      
      Thanks,
      Andrei
    • I have tried something else:
      
      I am trying to do run it by calling the wsusscn2.cab from a share, but does not work.
      Ex:
      $server= $Env:Computername
      $UpdateSession = New-Object -ComObject Microsoft.Update.Session 
      $UpdateServiceManager  = New-Object -ComObject Microsoft.Update.ServiceManager 
      $UpdateService = $UpdateServiceManager.AddScanPackageService("Offline Sync Service", "D:\UpdateScan\wsusscn2.cab", 1) 
      => This works fine
      
      I create a share that contain the wsusscn2.cab then i map it with  
      net use J: \\Server\UpdateScan
      or 
      New-PSDrive -Name "J"  -PSProvider "FileSystem" -Root "\\Server\UpdateScan"
      
      and run the fallowing line:
      $UpdateService = $UpdateServiceManager.AddScanPackageService("Offline Sync Service", "J:\wsusscn2.cab", 1) 
      
      I gett the error mesasge: 
      The system cannot find the file specified. (Exception from HRESULT: 0x80070002)
      At line:5 char:1
      + $UpdateService = $UpdateServiceManager.AddScanPackageService("Offline ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : OperationStopped: (:) [], FileNotFoundException
          + FullyQualifiedErrorId : System.IO.FileNotFoundException
      
      So.. basically UpdateServiceManager.AddScanPackageService does not want to access things that are remote, they need to be locally.... Is there any way to tick this?
    • Hi Adrian,
      
      The "proper" way to use the WUA API remotely is described here, but I didn't have time to play around with it and get it to work:
      https://docs.microsoft.com/en-us/windows/win32/wua_sdk/using-wua-from-a-remote-computer
  • getting an error the system cannot find the file specified
    5 Posts | Last post August 28, 2019
    • On this line. ine 17 - $SearchResult = $UpdateSearcher.Search("IsInstalled=0")
      it starts and runs but after several seconds this pops up. 
      any direction would be helpful
      Thanks, matt
    • more explanation; below is what I output
       PS C:\WINDOWS\system32> C:\Temp\Scan-UpdatesOffline.ps1
      Searching for updates... 
      
      The system cannot find the file specified. (Exception from HRESULT: 0x80070002)
      At C:\Temp\Scan-UpdatesOffline.ps1:18 char:1
      + $SearchResult=$UpdateSearcher.Search("IsInstalled=0")
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : OperationStopped: (:) [], FileNotFoundException
          + FullyQualifiedErrorId : System.IO.FileNotFoundException
       
      There are no applicable updates.
    • Looks like it is possible a security control from implementing RMF? not disabling what GPO would cause it not to work
    • I think this error is because you need to unblock the WSUS cab file. Run the followig Powershell Commands to download the latest version and unblock
      
      
      Set-Location -Path c:\Temp
      Invoke-WebRequest -Uri http://go.microsoft.com/fwlink/p/?LinkID=74689 -UseDefaultCredentials -OutFile $wsusUpdates -Verbose
      Unblock-File -Path 'c:\temp\wsusscn2.cab'
    • # missing declaration
      
      [String] $wsusUpdates = 'c:\temp\wsusscn2.cab'
      Set-Location -Path c:\Temp
      
      Invoke-WebRequest -Uri http://go.microsoft.com/fwlink/p/?LinkID=74689 -UseDefaultCredentials -OutFile $wsusUpdates -Verbose
      
      Unblock-File -Path $wsusUpdates
  • Remote use
    3 Posts | Last post August 09, 2019
    • Can this be altered to scan multiple computers remotely?
    • Did you ever get it to work on several? I get an error message when attempting to do this script remotely using invoke-command. 
    • that functionality is no more. I will see if there is any way to run a scan like this remotely, but AFAIK it is not possible.
      
      Thanks,
      Andrei
  • Syntax
    1 Posts | Last post July 23, 2019
    • So others have it. Here is what the script looks like with Craig's changes.
      #Using WUA to Scan for Updates Offline with PowerShell 
      #VBS version: https://docs.microsoft.com/en-us/previous-versions/windows/desktop/aa387290(v=vs.85) 
       
      $UpdateSession = New-Object -ComObject Microsoft.Update.Session 
      $UpdateServiceManager  = New-Object -ComObject Microsoft.Update.ServiceManager 
      $UpdateService = $UpdateServiceManager.AddScanPackageService("Offline Sync Service", "c:\temp\wsusscn2.cab", 1) 
      $UpdateSearcher = $UpdateSession.CreateUpdateSearcher()  
       
      Write-Output "Searching for updates... `r`n" 
       
      $UpdateSearcher.ServerSelection = 3 #ssOthers 
       
      $ServiceID = $UpdateService.ServiceID
      #$UpdateSearcher.ServiceID = $UpdateService.ServiceID 
      $UpdateSearcher.ServiceID = "$ServiceID"
      
      $SearchResult = $UpdateSearcher.Search("IsInstalled=0 and CategoryIDs contains '0FA1201D-4330-4FA8-8AE9-B877473B6441'") # or "IsInstalled=0 and IsInstalled=1" to also list the installed updates as MBSA did 
       
      $Updates = $SearchResult.Updates 
       
      if($Updates.Count -eq 0){ 
          Write-Output "There are no applicable updates." 
          return $null 
      } 
       
      Write-Output "List of applicable items on the machine when using wssuscan.cab: `r`n" 
       
      $i = 0 
      foreach($Update in $Updates){  
          Write-Output "$($i)> $($Update.Title)" 
          $i++ 
      }
  • Windows Server 2016
    7 Posts | Last post July 10, 2019
    • When executing this script on Server 2016 Std. 
      
      It returns the following.
      The system cannot find the file specified. (Exception from HRESULT: 0x80070002)
      At C:\kworking\tools\Scan-UpdatesOffline.ps1:6 char:1
      + $UpdateService = $UpdateServiceManager.AddScanPackageService("Offline ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : OperationStopped: (:) [], FileNotFoundException
          + FullyQualifiedErrorId : System.IO.FileNotFoundException
      
      Searching for updates...
      
      The string universal unique identifier (UUID) is invalid. (Exception from HRESULT: 0x800706A9)
      At C:\kworking\tools\Scan-UpdatesOffline.ps1:13 char:1
      + $UpdateSearcher.ServiceID = $UpdateService.ServiceID
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : OperationStopped: (:) [], COMException
          + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException
      
      Value does not fall within the expected range.
      At C:\kworking\tools\Scan-UpdatesOffline.ps1:15 char:1
      + $SearchResult = $UpdateSearcher.Search("IsInstalled=0") # or "IsInsta ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : OperationStopped: (:) [], ArgumentException
          + FullyQualifiedErrorId : System.ArgumentException
      
      There are no applicable updates.
    • Did you download the Wsusscn2.cab file and place it in the c:\temp directory as referenced by the script? I had the same issue and found the reference to the file which I had not downloaded. The link I got to download the file was: http://go.microsoft.com/fwlink/p/?LinkID=74689 which came from the following article: https://docs.microsoft.com/en-us/windows/desktop/Wua_Sdk/using-wua-to-scan-for-updates-offline
    • Run the script step by step to see at which line it returns exception. 
      Possibly, not enough permissions. 
    • Ensure that the wsusscn2.cab and the Scan-UpdatesOffline.ps1 are in the C:\Temp directory.  Then in File Explorer, right click on each file and select permissions.  From there click the Unblock box and then OK.
    • Hi Matt,
      
      I had the same issue and as the error confirms it was this line causing the problem " $UpdateSearcher.ServiceID = $UpdateService.ServiceID"
      
      If I took the value of $UpdateService.ServiceID and assigned directly it worked. I basically wound up having to add a variable and then quote that variable. After this it worked for me.
      
      So replace the offending line for these two:
      
      $ServiceID = $UpdateService.ServiceID
      $UpdateSearcher.ServiceID = "$ServiceID" 
      
      Hope this helps someone else to not waste the time I did! :)
      
      Regards,
      Craig
      
    • Hello Craig,
      
      Thank you for the quick workaround! Much appreciated.
    • Hi all,
      
      I will modify the script and use .ToString() as this fixes the problem as well. Thanks Craig for the suggestion!
      
      Andrei
  • Hi, is it possible to filter only Security Updates
    2 Posts | Last post October 16, 2018
    • is it possible to filter only Security Updates, I mean "update classification = Security updates"
    • Hi Jayasimha,
      
      you can include Criteria to only return the Updates with the "Security Updates" category ID:
      $SearchResult = $UpdateSearcher.Search("IsInstalled=0 and CategoryIDs contains '0FA1201D-4330-4FA8-8AE9-B877473B6441'") 
      
      
      More info:
      WSUS Classification GUIDs
      https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ff357803(v=vs.85)
      
      Hope this helps,
      Andrei