Windows
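How to automatically decline Quality Rollup updates in WSUS
As you may know, it is now no longer possible to select specific updates to approve or decline in WSUS for older Windows operating systems. For servers, there are now generally only two types: a monthly security-only update rollup, and a comprehensive rollup that includes all security and "quality" updates.
For servers, I am only interested in evaluating and approving security updates, and I will decline all "quality" updates. However, quality and security updates seem to be placed in the same class and MSRC classification categories. The only way to distinguish the two appears to be the update title itself (i.e., whether the update title contains "Quality").
Because the names of quality and security updates are very similar, and I cannot see an easy way in the WSUS views to separate them completely, I worry that eventually I or someone else will be careless and approve a quality update by mistake. The best way to mitigate that would be to simply decline all quality updates automatically.
Does anyone know how to do this? Another solution might be to find a view in WSUS that makes it easier to distinguish quality from security updates, or to not show server quality updates in WSUS in the first place.
The WSUS server is Windows 2008 R2, and the WSUS version is 3.2.7600.226.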
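This PowerShell script can be used to automatically block all new quality updates in WSUS. It must be executed directly on the WSUS server. As for how the script works: first, the script searches for non-approved installable updates with the word "quality" in the title. If any such updates are found, they are listed, and the user can choose via an input prompt whether to proceed and block the updates.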
```powershell
# Load the WSUS administration API and connect to the local WSUS server
[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope

# Retrieve only updates that have not yet been approved
$updateScope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved

# Retrieve only updates that are installable
$updateScope.IncludedInstallationStates = [Microsoft.UpdateServices.Administration.UpdateInstallationStates]::NotInstalled

$totalUpdateCount = $wsus.GetUpdateCount($updateScope)

# @() keeps a single match as an array, so Length is 1 instead of $null
$qualityUpdates = @($wsus.GetUpdates($updateScope) | Where-Object {$_.Title -like '*quality*'})
$qualityUpdateCount = $qualityUpdates.Length

if ($qualityUpdateCount -gt 0)
{
    # List the matching titles, then ask before declining anything
    $qualityUpdates | select title
    Write-Host "=========================================="
    $confirmation = Read-Host "$qualityUpdateCount quality updates out of $totalUpdateCount total non-approved installable updates were found. Decline? (y/n)"
    if ($confirmation -eq 'y')
    {
        $qualityUpdates | ForEach {
            Write-Verbose ("Declining {0}" -f $_.Title) -Verbose
            $_.Decline()
        }
    }
}
Else
{
    Write-Host "No non-approved installable quality updates were found."
}
```
If you want to decline quality updates automatically, run a slightly modified version of the above script as a Windows task.
```powershell
# Load the WSUS administration API and connect to the local WSUS server
[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope

# Retrieve only updates that have not yet been approved
$updateScope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved

# Retrieve only updates that are installable
$updateScope.IncludedInstallationStates = [Microsoft.UpdateServices.Administration.UpdateInstallationStates]::NotInstalled

$totalUpdateCount = $wsus.GetUpdateCount($updateScope)

# @() keeps a single match as an array, so Length is 1 instead of $null
$qualityUpdates = @($wsus.GetUpdates($updateScope) | Where-Object {$_.Title -like '*quality*'})
$qualityUpdateCount = $qualityUpdates.Length

if ($qualityUpdateCount -gt 0)
{
    # Unattended run: decline every match without prompting
    $qualityUpdates | ForEach {
        $_.Decline()
    }
}
```
Note: I wrote the above scripts with the help of Boe Prox's WSUS PowerShell scripting tutorial.
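Because the scheduled version declines without a prompt, it helps to preview what a title filter selects before it runs unattended. The following is an added example, not part of the original answer: `Get-DeclineCandidate`, its `-Exclude` keep-list, the sample titles with placeholder KB numbers, and the log path are all hypothetical and constructed for illustration.

```powershell
# Dry-run helper: returns the updates a title filter would decline, without calling Decline().
function Get-DeclineCandidate {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Updates,  # objects exposing a Title property
        [string]   $Include = '*quality*',                   # same wildcard as the scripts above
        [string[]] $Exclude = @()                            # hypothetical keep-list of wildcards
    )
    foreach ($u in $Updates) {
        if ($u.Title -notlike $Include) { continue }
        $kept = $false
        foreach ($p in $Exclude) {
            if ($u.Title -like $p) { $kept = $true; break }
        }
        if (-not $kept) { $u }
    }
}

# Constructed sample titles (placeholder KB numbers, not taken from a real server)
$sample = @(
    'Security Monthly Quality Rollup for Windows Server 2008 R2 (KB0000001)',
    'Security Only Quality Update for Windows Server 2008 R2 (KB0000002)',
    'Preview of Monthly Quality Rollup for Windows Server 2008 R2 (KB0000003)',
    'Security Update for Windows Server 2008 R2 (KB0000004)'
) | ForEach-Object { New-Object PSObject -Property @{ Title = $_ } }

# Compare the broad wildcard with a filter that keeps titles matching the keep-list
$broad  = @(Get-DeclineCandidate -Updates $sample)
$narrow = @(Get-DeclineCandidate -Updates $sample -Exclude '*Security Only*')

"Broad filter selects $($broad.Count) update(s):"
$broad  | ForEach-Object { "  $($_.Title)" }
"With keep-list, filter selects $($narrow.Count) update(s):"
$narrow | ForEach-Object { "  $($_.Title)" }

# On the WSUS server, pass real updates in and log the titles for review
# (assumed log path) before letting a scheduled task decline them:
# Get-DeclineCandidate -Updates $wsus.GetUpdates($updateScope) |
#     ForEach-Object { Add-Content 'C:\Logs\wsus-decline-preview.log' $_.Title }
```

If a security-only title on your server also contains the filter word, the broad wildcard selects it too, so review the preview output before scheduling the unattended script.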