您可能知道,现在无法选择特定的更新来批准或拒绝旧版
Windows操作系统的WSUS.对于服务器,一般来说现在只有两种类型:本月安全更新的汇总,以及包含所有安全性和“质量”更新的综合汇总.
对于服务器,我只对评估和批准安全更新感兴趣,我将拒绝所有“质量”更新.但是,质量和安全更新似乎在同一类和MSRC分类类别下混为一谈.区分两者的唯一方法似乎是更新标题本身(即更新标题是否包括“质量”).
因为质量和安全更新的名称非常相似,并且在WSUS视图中我没有看到完全将它们彼此分开的简单方法,我担心最终我或其他人都会粗心大意并批准质量更新错误.解决问题的最佳方法是简单地自动拒绝所有质量更新.
有人知道怎么做这个吗?另一种解决方案是在WSUS中查找视图,以便更容易区分质量和安全更新,或者首先不在WSUS中显示服务器质量更新.
WSUS服务器是Windows 2008 R2,WSUS版本是3.2.7600.226.
此PowerShell脚本可用于自动阻止WSUS中的所有新质量更新.它必须直接在WSUS服务器上运行.至于脚本的工作原理,首先脚本会在标题中搜索未经批准的可安装更新,并使用“quality”一词.如果找到任何此类更新,则会列出这些更新,并通过输入提示为用户提供继续和阻止更新的选项.
[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer(); $updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope # Retrieve only updates that have not yet been approved $updateScope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved # Retrieve only updates that are installable $updateScope.IncludedInstallationStates = [Microsoft.UpdateServices.Administration.UpdateInstallationStates]::NotInstalled $totalUpdateCount = $wsus.GetUpdateCount($updateScope) $qualityUpdates = $wsus.GetUpdates($updateScope) | Where-Object {$_.Title -like '*quality*'} $qualityUpdateCount = $qualityUpdates.Length if ($qualityUpdateCount -gt 0) { $qualityUpdates | select title Write-Host "==========================================" $confirmation = Read-Host "$qualityUpdateCount quality updates out of $totalUpdateCount total non-approved installable updates were found. Decline? (y/n)" if ($confirmation -eq 'y') { $wsus.GetUpdates($updateScope) | Where-Object {$_.Title -like '*quality*'} | ForEach { Write-Verbose ("Declining {0}" -f $_.Title) -Verbose $_.Decline() } } } Else { Write-Host "No non-approved installable updates were found." }
如果要自动拒绝质量更新,请将上述脚本的略微修改版本作为Windows任务运行.
[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer(); $updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope # Retrieve only updates that have not yet been approved $updateScope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved # Retrieve only updates that are installable $updateScope.IncludedInstallationStates = [Microsoft.UpdateServices.Administration.UpdateInstallationStates]::NotInstalled $totalUpdateCount = $wsus.GetUpdateCount($updateScope) $qualityUpdates = $wsus.GetUpdates($updateScope) | Where-Object {$_.Title -like '*quality*'} $qualityUpdateCount = $qualityUpdates.Length if ($qualityUpdateCount -gt 0) { $wsus.GetUpdates($updateScope) | Where-Object {$_.Title -like '*quality*'} | ForEach { $_.Decline() } }
注意:我在Boe Prox’s great WSUS powershell scripting tutorial的帮助下编写了上面的脚本.