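As you may know, it is no longer possible in WSUS to selectively approve or decline specific updates for older Windows operating systems. For servers, generally speaking, there are now only two types: the monthly security-only rollup and the full rollup that contains all security and "quality" updates.
For servers, I am only interested in evaluating and approving the security updates, and I will decline all "quality" updates. However, quality and security updates appear to be grouped under the same category and the same MSRC classification. The only way to tell the two apart seems to be the update title itself (i.e. whether the update title contains "Quality").
Because the names of quality updates and security updates are very similar, and I don't think there is an easy way to separate them completely in a WSUS view, I am worried that eventually I or someone else will carelessly approve a quality update by mistake. The best way to mitigate this would be to automatically decline all quality updates.
Does anyone know how to do this? Another solution might be to find a view in WSUS that makes it easier to distinguish quality updates from security updates, or to keep server quality updates from appearing in WSUS in the first place.
The WSUS server is Windows 2008 R2, and the WSUS version is 3.2.7600.226.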
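Answer 1
This PowerShell script can be used to automatically block all new quality updates in WSUS. It must be run directly on the WSUS server. As for how the script works: first, it searches for non-approved installable updates with the word "quality" in the title. If any such updates are found, they are listed, and an input prompt gives the user the option to continue and block the updates or not.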

    # Load the WSUS administration API and connect to the local WSUS server
    [void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    # Retrieve only updates that have not yet been approved
    $updateScope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
    # Retrieve only updates that are installable
    $updateScope.IncludedInstallationStates = [Microsoft.UpdateServices.Administration.UpdateInstallationStates]::NotInstalled
    $totalUpdateCount = $wsus.GetUpdateCount($updateScope)
    # @(...) forces an array so the count is correct for zero or one match
    # (a single object has no Length/Count property on PowerShell 2.0)
    $qualityUpdates = @($wsus.GetUpdates($updateScope) | Where-Object { $_.Title -like '*quality*' })
    $qualityUpdateCount = $qualityUpdates.Count
    if ($qualityUpdateCount -gt 0) {
        # Out-Host makes sure the list is printed before the prompt appears
        $qualityUpdates | Select-Object Title | Out-Host
        Write-Host "=========================================="
        $confirmation = Read-Host "$qualityUpdateCount quality updates out of $totalUpdateCount total non-approved installable updates were found. Decline? (y/n)"
        if ($confirmation -eq 'y') {
            # Decline exactly the updates that were listed above
            $qualityUpdates | ForEach-Object {
                Write-Verbose ("Declining {0}" -f $_.Title) -Verbose
                $_.Decline()
            }
        }
    } else {
        # Reached when no title matched, even if other updates are pending
        Write-Host "No non-approved installable quality updates were found."
    }

If you want to decline quality updates automatically, run a slightly modified version of the above script as a Windows task.

    # Load the WSUS administration API and connect to the local WSUS server
    [void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    # Retrieve only updates that have not yet been approved
    $updateScope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
    # Retrieve only updates that are installable
    $updateScope.IncludedInstallationStates = [Microsoft.UpdateServices.Administration.UpdateInstallationStates]::NotInstalled
    # @(...) forces an array so zero or one match is handled correctly on PowerShell 2.0
    $qualityUpdates = @($wsus.GetUpdates($updateScope) | Where-Object { $_.Title -like '*quality*' })
    if ($qualityUpdates.Count -gt 0) {
        # Unattended run: decline every match without prompting
        $qualityUpdates | ForEach-Object {
            $_.Decline()
        }
    }

Note: I wrote the above scripts with the help of Boe Prox's excellent WSUS PowerShell scripting tutorial.
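
A dry-run check worth running before any title-based decline is scheduled, added here as an example and not part of the original answer: it classifies update titles and reports what the `*quality*` wildcard would hit next to a stricter rule that spares security-only packages. The function names, class labels and sample titles are assumptions; the samples follow Microsoft's monthly naming, where the security-only package is titled "Security Only Quality Update", and the KB numbers are placeholders.

```powershell
# Added example, PowerShell 2.0 compatible. Nothing here calls Decline().
# Title wording is an assumption: compare with the titles in your WSUS console.
function Get-UpdateTitleClass {
    param([string]$Title)
    # -match is case-insensitive; the most specific patterns are tested first
    if ($Title -match 'Security Only')               { return 'SecurityOnly' }
    if ($Title -match 'Preview of .*Quality Rollup') { return 'PreviewRollup' }
    if ($Title -match 'Quality Rollup')              { return 'FullRollup' }
    if ($Title -match 'Quality')                     { return 'OtherQuality' }
    return 'Other'
}

# Returns one report object per title, showing what each filter would decline.
function Get-DeclineReport {
    param([string[]]$Titles)
    $declineClasses = @('FullRollup', 'PreviewRollup', 'OtherQuality')
    foreach ($t in $Titles) {
        $class = Get-UpdateTitleClass -Title $t
        New-Object PSObject -Property @{
            Title          = $t
            Class          = $class
            # The wildcard used by the scripts in the answer
            BroadFilterHit = ($t -like '*quality*')
            # Stricter rule: never decline a security-only package
            StrictDecline  = ($declineClasses -contains $class)
        }
    }
}

# Constructed sample titles (KB numbers are placeholders, not real articles)
$sampleTitles = @(
    'Security Only Quality Update for Windows Server 2008 R2 for x64-based Systems (KB0000001)',
    'Security Monthly Quality Rollup for Windows Server 2008 R2 for x64-based Systems (KB0000002)',
    'Preview of Monthly Quality Rollup for Windows Server 2008 R2 for x64-based Systems (KB0000003)',
    'Security Update for Microsoft .NET Framework 4.5.2 (KB0000004)'
)

Get-DeclineReport -Titles $sampleTitles |
    Select-Object Class, BroadFilterHit, StrictDecline, Title |
    Format-Table -AutoSize
```

To run the same report against live data, pass the titles returned by `$wsus.GetUpdates($updateScope)` to `Get-DeclineReport` in place of `$sampleTitles`.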