WSUS: PowerShell


Get Windows Update ID

Function Get-UpdateFromWSUSInfo {
    [CmdletBinding()]
 
    param (
        [Parameter(Mandatory=$false)]
        [String]$WSUSServer = "localhost",
 
        [Parameter(Mandatory=$false)]
        [Int32]$PortNumber = 8530,
 
        [Parameter(Mandatory=$false)]
        [Boolean]$useSecureConnection = $False,
 
        [Parameter(Mandatory=$false)]
        [String]$KB = ""
    )
 
    Process {
        # Load the WSUS administration .NET assembly and connect to the server
        [void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
        $WSUS = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WSUSServer,$useSecureConnection,$PortNumber)
 
        # Get all updates
        $updates = $WSUS.GetUpdates()
 
        # With -KB, keep only the updates whose title matches.
        # -match is a regex match and can return more than one update.
        If ($KB) {
            $updates = $updates | Where-Object {$_.Title -match $KB}
        }
 
        # Output some basic info about each update
        ForEach ($update in $updates) {
            New-Object PSObject -Property @{
                Id = $update.Id.UpdateId.ToString()
                Title = $update.Title
                Source = $update.UpdateSource.ToString()
            }
        }
    }
}


Remove Windows Update from WSUS

Function Remove-UpdateFromWSUS {
    [CmdletBinding()]
 
    param (
        [Parameter(Mandatory=$false)]
        [String]$WSUSServer = "localhost",
 
        [Parameter(Mandatory=$false)]
        [Int32]$PortNumber = 8530,
 
        [Parameter(Mandatory=$false)]
        [Boolean]$useSecureConnection = $False,
 
        [Parameter(Mandatory=$false)]
        [String]$KB = "",
 
        [Parameter(Mandatory=$false)]
        [String]$RemoveUpdateID = ""
    )
 
    Process {
        # Load .NET assembly
        [void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
        $WSUS = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WSUSServer,$useSecureConnection,$PortNumber)
        Write-Host "Connected successfully" -foregroundcolor "Green"
 
        # UpdateID (GUID of the update) to delete.
        # Without -RemoveUpdateID the GUID is looked up by title; stop unless exactly one update matches.
        If (!$RemoveUpdateID) {
            $IDOfUpdateToRemove = @($WSUS.GetUpdates() | ? {$_.Title -match $KB} | % {$_.Id.UpdateId.ToString()})
            If ($IDOfUpdateToRemove.Count -ne 1) {
                Write-Host "-KB matched" $IDOfUpdateToRemove.Count "updates; pass a single GUID with -RemoveUpdateID" -foregroundcolor "Yellow"
                return
            }
            $RemoveUpdateID = $IDOfUpdateToRemove[0]
        }
 
        $updatescope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
        $u = $WSUS.GetUpdates($updatescope)
 
        Foreach ($u1 in $u) {
            # UpdateRevisionId of the current update
            $a = $u1.Id
 
            If ($a.UpdateId -eq $RemoveUpdateID) {
                Write-Host "Deleting update " $a.UpdateId "..."
                $WSUS.DeleteUpdate($a.UpdateId)
            }
        }
 
        # A trap applies to the whole scope it is declared in, wherever it is placed
        trap {
            Write-Host "Error Occurred"
            Write-Host "Exception Message: "
            Write-Host $_.Exception.Message
            Write-Host $_.Exception.StackTrace
        }
    }
}


Error: Cannot Delete RevisionID: XXXX Because it is still deployed to a Non DSS Target Group



Solution

  • Change the Approval-Status to "Not Approved"




WSUS Dual Scan

Check Dual Scan configuration

$WinUpdateSvc = New-Object -ComObject "Microsoft.Update.ServiceManager"
$WinUpdateSvc.Services | select Name, IsDefaultAUService

If IsDefaultAUService is True for "Windows Update" -> Dual Scan
If IsDefaultAUService is True for "Windows Server Update Service" -> only WSUS/SUP

Disable Dual Scan

Enable the GPO policy "Do not allow update deferral policies to cause scans against Windows Update" under Windows Components/Windows Update.

More information: https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/
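
The Dual Scan check and the GPO setting above, combined into one audit function. This is an added example, not part of the original wiki page. The function name Get-DualScanState and its output property names are made up for illustration, and the policy key and value names (DisableDualScan, DeferQualityUpdates, DeferFeatureUpdates, WUServer, UseWUServer) are assumed to be where these Group Policy settings are stored on the client.

```powershell
Function Get-DualScanState {
    [CmdletBinding()]
    param (
        # Policy key written by the Windows Update GPO settings (assumed location)
        [String]$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
    )

    # Read one policy value; returns $null when the key or value is absent
    Function Get-PolicyValue ([String]$Path, [String]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        If ($item) { $item.$Name }
    }

    # Same COM query as the check above: which service is the default AU service
    $svcManager = New-Object -ComObject "Microsoft.Update.ServiceManager"
    $defaultSvc = ($svcManager.Services | Where-Object { $_.IsDefaultAUService }).Name

    $disableDualScan = Get-PolicyValue $PolicyKey "DisableDualScan"
    $deferQuality    = Get-PolicyValue $PolicyKey "DeferQualityUpdates"
    $deferFeature    = Get-PolicyValue $PolicyKey "DeferFeatureUpdates"

    # Interpretation follows the two rules stated above
    $verdict = If ($defaultSvc -eq "Windows Update") {
        "Dual Scan"
    } ElseIf ($defaultSvc -eq "Windows Server Update Service") {
        "Only WSUS/SUP"
    } Else {
        "Unknown default service"
    }

    New-Object PSObject -Property @{
        ComputerName         = $env:COMPUTERNAME
        DefaultAUService     = $defaultSvc
        Verdict              = $verdict
        WUServer             = Get-PolicyValue $PolicyKey "WUServer"
        UseWUServer          = Get-PolicyValue "$PolicyKey\AU" "UseWUServer"
        DisableDualScan      = $disableDualScan
        DeferralPolicySet    = [bool]($deferQuality -or $deferFeature)
        # Client still scans Windows Update and the GPO above is not applied
        NeedsDisableDualScan = ($verdict -eq "Dual Scan" -and $disableDualScan -ne 1)
    }
}

Get-DualScanState | Format-List
```

A client reporting NeedsDisableDualScan = True can receive updates from Windows Update that were never approved in WSUS, so those are the machines to target with the GPO.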