Windows

How to automatically decline quality rollup updates in WSUS

  • October 26, 2016

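As you may know, it is no longer possible to select specific updates to approve or decline in WSUS for older Windows operating systems. For servers, there are now generally only two types: a monthly rollup of security updates, and a comprehensive rollup that includes all security and "quality" updates.

For servers, I am only interested in evaluating and approving security updates, and I would decline all "quality" updates. However, quality and security updates appear to be grouped under the same class and MSRC classification categories. The only way to tell the two apart seems to be the update title itself (i.e. whether the update title contains "Quality").

Since quality updates and security updates have very similar names, and I can't see an easy way to separate them completely in the WSUS views, I am worried that eventually I or someone else will be careless and approve a quality update by mistake. The best way to mitigate that would be to simply decline all quality updates automatically.

Does anyone know how to do this? An alternative solution might be to find a view in WSUS that makes it easier to distinguish quality and security updates, or to not show server quality updates in WSUS in the first place.

The WSUS server is Windows 2008 R2, and the WSUS version is 3.2.7600.226.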

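This PowerShell script can be used to automatically block all new quality updates in WSUS. It must be executed directly on the WSUS server. As for how the script works: first, the script searches for non-approved installable updates with the word "quality" in the title. If any such updates are found, they are listed, and the user can choose via an input prompt whether to proceed and block the updates.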

[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer();
$updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
# Retrieve only updates that have not yet been approved
$updateScope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
# Retrieve only updates that are installable
$updateScope.IncludedInstallationStates = [Microsoft.UpdateServices.Administration.UpdateInstallationStates]::NotInstalled
$totalUpdateCount = $wsus.GetUpdateCount($updateScope)
# Wrap in @() so that a single match is still an array and .Count is reliable
$qualityUpdates = @($wsus.GetUpdates($updateScope) | Where-Object {$_.Title -like '*quality*'})
$qualityUpdateCount = $qualityUpdates.Count
if ($qualityUpdateCount -gt 0) {
   $qualityUpdates | select title
   Write-Host "=========================================="
   $confirmation = Read-Host "$qualityUpdateCount quality updates out of $totalUpdateCount total non-approved installable updates were found. Decline? (y/n)"
   if ($confirmation -eq 'y') {
       $wsus.GetUpdates($updateScope) | Where-Object {$_.Title -like '*quality*'}  | ForEach {
           Write-Verbose ("Declining {0}" -f $_.Title) -Verbose
           $_.Decline()
       }
   }
} Else {
   Write-Host "No non-approved installable updates were found."
}

If you want to decline quality updates automatically, run a slightly modified version of the above script as a Windows task.

[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer();
$updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
# Retrieve only updates that have not yet been approved
$updateScope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
# Retrieve only updates that are installable
$updateScope.IncludedInstallationStates = [Microsoft.UpdateServices.Administration.UpdateInstallationStates]::NotInstalled
$totalUpdateCount = $wsus.GetUpdateCount($updateScope)
# Wrap in @() so that a single match is still an array and .Count is reliable
$qualityUpdates = @($wsus.GetUpdates($updateScope) | Where-Object {$_.Title -like '*quality*'})
$qualityUpdateCount = $qualityUpdates.Count
if ($qualityUpdateCount -gt 0) {
   $wsus.GetUpdates($updateScope) | Where-Object {$_.Title -like '*quality*'}  | ForEach {
       $_.Decline()
   }
}

Note: I wrote the above scripts with the help of Boe Prox's WSUS PowerShell scripting tutorial.
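
Before scheduling the unattended version, it helps to see which titles the wildcard actually matches. The following dry-run filter is an added example, not part of the original answer; the function name, its -Exclude parameter and the sample titles are assumptions constructed for illustration, and nothing in it calls Decline().

```powershell
# Added example (not from the original answer). Select-DeclineCandidate and its
# parameters are hypothetical names. It only reads the Title property, so it works on
# objects returned by $wsus.GetUpdates($updateScope) as well as on the samples below.
function Select-DeclineCandidate {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Updates,
        [string]   $Include = '*quality*',   # the wildcard used in the answer's scripts
        [string[]] $Exclude = @()            # titles matching any of these are kept
    )
    foreach ($u in $Updates) {
        if ($u.Title -notlike $Include) { continue }
        $keep = $false
        foreach ($pattern in $Exclude) {
            if ($u.Title -like $pattern) { $keep = $true; break }
        }
        if (-not $keep) { $u }
    }
}

# Constructed sample titles with placeholder KB numbers, not real WSUS output.
$sample = @(
    'Security Monthly Quality Rollup for Windows Server 2008 R2 (KB0000001)',
    'Security Only Quality Update for Windows Server 2008 R2 (KB0000002)',
    'Preview of Monthly Quality Rollup for Windows Server 2008 R2 (KB0000003)',
    'Security Update for Windows Server 2008 R2 (KB0000004)'
) | ForEach-Object { New-Object PSObject -Property @{ Title = $_ } }

# Dry run 1: the answer's pattern alone.
$broad = @(Select-DeclineCandidate -Updates $sample)
# Dry run 2: same pattern, but keep anything titled "Security Only".
$narrow = @(Select-DeclineCandidate -Updates $sample -Exclude '*Security Only*')

"Pattern '*quality*' would decline $($broad.Count) of $($sample.Count):"
$broad | ForEach-Object { "  " + $_.Title }
"With -Exclude '*Security Only*' it would decline $($narrow.Count):"
$narrow | ForEach-Object { "  " + $_.Title }
```

On the WSUS server, pass `$wsus.GetUpdates($updateScope)` as `-Updates` and review the listed titles before piping anything to `Decline()`.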

Source: https://serverfault.com/questions/809645