WSUS rots quietly. Synchronisation fails for two months and nobody notices, the database hits the 200 GB mark and queries crawl, half the clients stop reporting because their client ID got duplicated. None of that shows in a green icon. The audit has to actually ask the WSUS API.
This guide audits WSUS server status, client compliance and missing critical updates from PowerShell, and ships the Dargslan.WsusHealth module plus a free PDF cheat sheet.
Step 1: Server status + last sync
Connect via the Microsoft.UpdateServices.Administration assembly:
[reflection.assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration') | Out-Null
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer('wsus01', $false, 8530)
$wsus.GetStatus()
$wsus.GetSubscription().GetLastSynchronizationInfo() | Select StartTime, Result
Targets: last sync within 48 hours, last sync result Succeeded. Anything older points at a network or upstream WSUS issue.
Step 2: Client compliance buckets
$summary = $wsus.GetSummariesPerComputerTarget(
    (New-Object Microsoft.UpdateServices.Administration.UpdateScope),
    (New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope))
$summary | Group-Object {
    if ($_.NotInstalledCount + $_.DownloadedCount + $_.FailedCount -eq 0) { 'UpToDate' }
    elseif ($_.FailedCount -gt 0) { 'Failed' }
    else { 'NeedingUpdates' }
} | Select Name, Count
Defensible target: ≥ 90 % UpToDate, ≤ 5 % Failed.
Step 3: Missing critical updates
Filter the update scope to Critical Updates and Security Updates only, then list clients with NotInstalledCount > 0. The module's Get-DargslanWsusMissingCritical -Top 50 returns the worst offenders sorted descending.
Step 4: Server cleanup
Run the WSUS Server Cleanup Wizard quarterly — it deletes superseded updates, computer records that have not contacted the server in 30 days, and unneeded files. From PowerShell:
$cleanup = New-Object Microsoft.UpdateServices.Administration.CleanupScope
$cleanup.DeclineSupersededUpdates = $true
$cleanup.DeclineExpiredUpdates = $true
$cleanup.CleanupObsoleteUpdates = $true
$cleanup.CompressUpdates = $true
$cleanup.CleanupObsoleteComputers = $true
$cleanup.CleanupUnneededContentFiles = $true
$wsus.GetCleanupManager().PerformCleanup($cleanup)
A pragmatic PASS / WARN / FAIL score
- Last sync within 48 h (1 pt)
- Last sync result Succeeded (1 pt)
- ≥ 90 % clients UpToDate (1 pt)
- ≤ 5 % clients Failed (1 pt)
4/4 PASS, 2-3 WARN, 0-1 FAIL.
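One way to compute this score from the Step 1 and Step 2 output, as an added example that is not code from the Dargslan.WsusHealth module. The function name, its parameters and the sample rows are hypothetical; a server with no reporting clients is treated as failing both client checks.

```powershell
# Added example: scores the four checks listed above. Names are hypothetical.
function Get-WsusHealthScore {
    param(
        [Nullable[datetime]] $LastSyncStart,  # StartTime from GetLastSynchronizationInfo()
        [string]   $LastSyncResult,           # Result from the same call, as text
        [object[]] $Summary = @(),            # rows from GetSummariesPerComputerTarget()
        [datetime] $Now = (Get-Date)
    )
    # Same bucket rules as Step 2; only UpToDate and Failed feed the score.
    $total    = $Summary.Count
    $upToDate = @($Summary | Where-Object {
        ($_.NotInstalledCount + $_.DownloadedCount + $_.FailedCount) -eq 0 }).Count
    $failed   = @($Summary | Where-Object { $_.FailedCount -gt 0 }).Count

    # Integer comparisons avoid rounding a 89.96 % result up to a pass.
    # Zero clients means compliance is unknown, so neither client check passes.
    $checks = [ordered]@{
        SyncWithin48h = ($null -ne $LastSyncStart) -and
                        (($Now - $LastSyncStart).TotalHours -le 48)
        SyncSucceeded = $LastSyncResult -eq 'Succeeded'
        UpToDate90    = ($total -gt 0) -and ((100 * $upToDate) -ge (90 * $total))
        Failed5       = ($total -gt 0) -and ((100 * $failed)   -le (5 * $total))
    }
    $points = @($checks.Values | Where-Object { $_ }).Count
    $grade  = if ($points -eq 4) { 'PASS' } elseif ($points -ge 2) { 'WARN' } else { 'FAIL' }

    [pscustomobject]@{
        Grade = $grade; Points = $points; Clients = $total
        UpToDate = $upToDate; Failed = $failed; Checks = $checks
    }
}

# Constructed sample: 20 clients (18 clean, 1 failed, 1 pending), last sync 3 days ago.
$now  = Get-Date
$rows = @(1..18 | ForEach-Object {
            [pscustomobject]@{ NotInstalledCount = 0; DownloadedCount = 0; FailedCount = 0 } }) +
        [pscustomobject]@{ NotInstalledCount = 2; DownloadedCount = 0; FailedCount = 1 } +
        [pscustomobject]@{ NotInstalledCount = 4; DownloadedCount = 1; FailedCount = 0 }

Get-WsusHealthScore -LastSyncStart ($now.AddDays(-3)) -LastSyncResult 'Succeeded' `
                    -Summary $rows -Now $now
```

Against a live server, pass the `StartTime` and `Result` values from Step 1 and the `$summary` collection from Step 2 instead of the constructed rows.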
Dargslan.WsusHealth module
Install-Module Dargslan.WsusHealth -Scope CurrentUser
Import-Module Dargslan.WsusHealth
Export-DargslanWsusHealthReport -Server wsus01 -Port 8530 -OutDir C:\reports
FAQ
What about Windows Update for Business / Intune?
Different model — Intune compliance reports replace WSUS. The audit logic does not apply.
Cleanup wizard times out
Run the cleanup steps individually, smallest first, with a window of several hours. Old WSUS DBs need EXEC spDeleteUpdate against SUSDB to make progress.
Cheat sheet?
Free PDF at /cheat-sheets/wsus-server-health-audit-2026.