WSUS Helper is a tool designed to supplement the WSUS console with additional functionality that can be useful when managing a non-trivial environment. In particular, it can help reconcile your WSUS environment with Active Directory. It is not intended to replace the WSUS console, so it is expected that you use the two together, along with any other WSUS tools you may use.


There are no particular installation requirements for WSUS Helper. Simply download the recommended version from the Downloads page and unzip the WSUSHelper.exe to a directory of your choice.

For details of installing the required Windows Server Update Services components, please refer to the following Microsoft documentation:

Functions for Group management

WSUS Helper offers several functions for helping manage your WSUS computer groups.

Re-organising your Group structure

WSUS gives you the ability to organise computers into nested groups, but offers no way of changing these groups once you have created them. You cannot rename a group, nor can you make an existing group into a subgroup, or vice-versa. To re-organise your groups, you have to delete and recreate them, which means you lose any approvals specific to the group (along with the client membership information itself).

WSUS Helper can’t solve this completely, because the ability to rename or move groups simply does not exist in the WSUS API. However, it does allow you to:

  • Copy specific group-level approvals from one group to another.
  • Add all the clients that are in a particular group to another group.
  • Add or remove multiple specific clients to and from individual groups.

Together, these function allow you to create an exact replica of an existing group. Just create the new group in the WSUS Console (with its new name and position in your group hierarchy) and then copy the clients and approvals to the new group. You can then remove the old group at your leisure.

About adding & removing clients to and from groups

You might think this feature is already available in the WSUS console, but the existing implementation is quite limited. If you select multiple computers in the WSUS Console and use the Change Membership function, it doesn’t just add the computers to a new group – it amalgamates all the groups that each client is a member of, and makes every one of the selected clients a member of every group. Consider the following:

  • CLIENT1 is a member of GroupA
  • CLIENT2 is a member of GroupA and GroupB

You want to add both clients to GroupC, so you select them both in the WSUS console and do so using Change Membership. What happens in the following:

  • CLIENT1 becomes a member of GroupA, GroupB, and GroupC
  • CLIENT2 becomes a member of GroupA, GroupB, and GroupC

You never wanted to add CLIENT1 to GroupB, just to GroupC, but because you also selected a client that was a member of GroupB, the entire selection gets added. The same applies to group removals – if you wanted to remove both the above clients from GroupA, you’d also end up adding CLIENT1 to GroupB inadvertently.

With only 2 clients this is easy to work around, but if you wanted to add 50 clients to a new group, and they were already in a mix of 10 different groups, it becomes much trickier to manage. WSUS Helper solves this by only adding or removing clients to or from the individual group you pick, regardless of what other groups any of the clients are in.

Reconcile with Active Directory

WSUS Helper can help you determine which clients are actually good candidates for removal by comparing the data in WSUS with your Active Directory. By doing this, you can:

  • Determine which of the clients in WSUS have Active or Disabled accounts in AD, and which have no account at all.
  • Determine whether any of the computers in your AD have not contacted WSUS at all.

One of the biggest advantages of WSUS – that it does not require Active Directory – is sometimes also its biggest weakness, since it has no awareness of Active Directory at all. This means that when you decommission a computer from your environment, you probably already disable or remove its account in AD, but WSUS has no way of knowing this, so the reporting data (including complaints that it has not recently contacted the WSUS server) will remain in WSUS until you remove it manually.

The WSUS console already offers a cleanup tool to assist with this, but the only parameter it checks to determine which clients are candidates for removal is how long it has been since the client last contacted the WSUS server. If a client has not contacted WSUS in 30 days, it will be considered for removal. However, there are other reasons why this contact may not have happened other than the decommissioning of the system. The Windows Update client on the system may be broken, or the system may be out of use temporarily.

Auditing multiple update installation

The WSUS console already offers reporting of client have installed a particular update – but only for a single individual update, or for all of the updates in a particular product or classification. Sometimes, this isn’t fine-grained enough.

For example, when a Microsoft KB article is published with fixes for a security vulnerability, this usually results in multiple updaters associated with the KB article: 1 for each platform. When you are auditing security vulnerabilities on your network, you don’t care which of the versions is installed, you just want to know that all your machines have installed one of them.

WSUS Helper allows you to tabulate the installation results of multiple specific updates across multiple clients. This feature was primarily designed to allow you to search for a KB article number, and tabulate the install status of each associated updated with each client in WSUS. However, it can be used on any selection of updates that have some text string in common.

Last edited Sep 9, 2013 at 6:22 PM by AngryTechnician, version 6


No comments yet.