From 9af29e32922d922c9943b2b2810e59792f849c14 Mon Sep 17 00:00:00 2001 From: goofoo Date: Wed, 20 May 2026 08:59:42 -0400 Subject: [PATCH] fix: correct service flags so -WSUS actually respects WSUS Previously the -WSUS switch passed -WindowsUpdate to Get-WindowsUpdate, which forces the online Windows Update service ID (9482F4B4...) and bypasses WSUS filtering entirely, returning all Microsoft-hosted updates regardless of what WSUS has approved. Fix: when -WSUS is specified, call Get-WindowsUpdate with no service flag so the Windows Update Agent routes through the WSUS server configured by Group Policy. When -WSUS is not specified, use -MicrosoftUpdate to query Microsoft's catalog directly and return every available update. Closes #109 --- .../Get Available Windows Updates.ps1 | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/PowerShell Scanners/Get Available Windows Updates/Get Available Windows Updates.ps1 b/PowerShell Scanners/Get Available Windows Updates/Get Available Windows Updates.ps1 index 883ee17..24f3ef2 100644 --- a/PowerShell Scanners/Get Available Windows Updates/Get Available Windows Updates.ps1 +++ b/PowerShell Scanners/Get Available Windows Updates/Get Available Windows Updates.ps1 @@ -7,10 +7,14 @@ Param( # The Collection object this cmdlet emits is really weird. # We have to assign it to a variable to get it to work properly in a pipeline. If ($WSUS) { - $GWU = Get-WindowsUpdate -WindowsUpdate + # No service flag: the Windows Update Agent uses the service configured by GPO (i.e. WSUS). + # -WindowsUpdate forces the online WU service ID and bypasses WSUS filtering. + $GWU = Get-WindowsUpdate } Else { - $GWU = Get-WindowsUpdate + # -MicrosoftUpdate queries Microsoft's catalog directly, returning all available updates + # regardless of what the machine's WSUS policy would approve. + $GWU = Get-WindowsUpdate -MicrosoftUpdate } <#
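Review bot: In the `If ($WSUS)` branch, the bare `Get-WindowsUpdate` call only reaches WSUS when the machine really has a WSUS server set by Group Policy, as the new comment and the commit message both assume. On a host without that policy, the agent falls back to whatever its default service is, and the scanner reports those results under the `-WSUS` switch with no indication that WSUS was never consulted. Consider checking that a WSUS server is configured before the call and emitting a warning or error when it is not, or at minimum stating the Group Policy requirement in the parameter's help text. Separately, the `Else` branch changes the default behaviour for existing callers from the bare call to `Get-WindowsUpdate -MicrosoftUpdate`. Please confirm how this behaves on machines where the Microsoft Update service is not registered, and note the change in the scanner's documentation.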