windows – 如何自动拒绝WSUS中的质量汇总更新

您可能知道,现在无法选择特定的更新来批准或拒绝旧版 Windows操作系统的WSUS.对于服务器,一般来说现在只有两种类型：本月安全更新的汇总,以及包含所有安全性和“质量”更新的综合汇总.

对于服务器,我只对评估和批准安全更新感兴趣,我将拒绝所有“质量”更新.但是,质量和安全更新似乎在同一类和MSRC分类类别下混为一谈.区分两者的唯一方法似乎是更新标题本身(即更新标题是否包括“质量”).

因为质量和安全更新的名称非常相似,并且在WSUS视图中我没有看到完全将它们彼此分开的简单方法,我担心最终我或其他人都会粗心大意并批准质量更新错误.解决问题的最佳方法是简单地自动拒绝所有质量更新.

有人知道怎么做这个吗？另一种解决方案是在WSUS中查找视图,以便更容易区分质量和安全更新,或者首先不在WSUS中显示服务器质量更新.

WSUS服务器是Windows 2008 R2,WSUS版本是3.2.7600.226.

此PowerShell脚本可用于自动阻止WSUS中的所有新质量更新.它必须直接在WSUS服务器上运行.至于脚本的工作原理,首先脚本会在标题中搜索未经批准的可安装更新,并使用“quality”一词.如果找到任何此类更新,则会列出这些更新,并通过输入提示为用户提供继续和阻止更新的选项.

[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer();
$updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
# Retrieve only updates that have not yet been approved
$updateScope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
# Retrieve only updates that are installable
$updateScope.IncludedInstallationStates = [Microsoft.UpdateServices.Administration.UpdateInstallationStates]::NotInstalled
$totalUpdateCount = $wsus.GetUpdateCount($updateScope)
$qualityUpdates = $wsus.GetUpdates($updateScope) | Where-Object {$_.Title -like '*quality*'} 
$qualityUpdateCount = $qualityUpdates.Length
if ($qualityUpdateCount -gt 0) {
    $qualityUpdates | select title
    Write-Host "=========================================="
    $confirmation = Read-Host "$qualityUpdateCount quality updates out of $totalUpdateCount total non-approved installable updates were found. Decline? (y/n)"
    if ($confirmation -eq 'y') {
        $wsus.GetUpdates($updateScope) | Where-Object {$_.Title -like '*quality*'}  | ForEach {
            Write-Verbose ("Declining {0}" -f $_.Title) -Verbose
            $_.Decline()
        }
    }
} Else {
    Write-Host "No non-approved installable updates were found."
}

如果要自动拒绝质量更新,请将上述脚本的略微修改版本作为Windows任务运行.

[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer();
$updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
# Retrieve only updates that have not yet been approved
$updateScope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
# Retrieve only updates that are installable
$updateScope.IncludedInstallationStates = [Microsoft.UpdateServices.Administration.UpdateInstallationStates]::NotInstalled
$totalUpdateCount = $wsus.GetUpdateCount($updateScope)
$qualityUpdates = $wsus.GetUpdates($updateScope) | Where-Object {$_.Title -like '*quality*'} 
$qualityUpdateCount = $qualityUpdates.Length
if ($qualityUpdateCount -gt 0) {
    $wsus.GetUpdates($updateScope) | Where-Object {$_.Title -like '*quality*'}  | ForEach {
        $_.Decline()
    }
}

注意：我在Boe Prox’s great WSUS powershell scripting tutorial的帮助下编写了上面的脚本.

windows – 如何自动拒绝WSUS中的质量汇总更新

相关文章