WSUS: PowerShell
Aus Wiki-WebPerfect
Version vom 17. August 2018, 13:39 Uhr von Admin (Diskussion | Beiträge)
Inhaltsverzeichnis
Get Windows Update ID
Function Get-UpdateFromWSUSInfo { [CmdletBinding()] param ( [Parameter(Mandatory=$false)] [String]$WSUSServer = "localhost", [Parameter(Mandatory=$false)] [Int32]$PortNumber = 8530, [Parameter(Mandatory=$false)] [Boolean]$useSecureConnection = $False, [Parameter(Mandatory=$false)] [String]$KB = "" ) Process { [void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") $WSUS = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WSUSServer,$False,$PortNumber) #Get all updates $updates = $WSUS.GetUpdates() If ($KB) { $UpdateSearched = ($Updates | ? {$_.Title -match $KB}) New-Object PSObject -Property @{ Id = $UpdateSearched.Id.UpdateId.ToString() Title = $UpdateSearched.Title Source = $UpdateSearched.UpdateSource.ToString() } } Else { #List every update and output some basic info about it ForEach ($update in $updates) { New-Object PSObject -Property @{ Id = $update.Id.UpdateId.ToString() Title = $update.Title Source = $update.UpdateSource.ToString() } } } } }
Remove Windows Update from WSUS
Function Remove-UpdateFromWSUS { [CmdletBinding()] param ( [Parameter(Mandatory=$false)] [String]$WSUSServer = "localhost", [Parameter(Mandatory=$false)] [Int32]$PortNumber = 8530, [Parameter(Mandatory=$false)] [Boolean]$useSecureConnection = $False, [Parameter(Mandatory=$false)] [String]$KB = "", [Parameter(Mandatory=$false)] [String]$RemoveUpdateID = "" ) Process { # Load .NET assembly [void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") $WSUS = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WSUSServer,$False,$PortNumber) Write-Host "Connected sucessfully" -foregroundcolor "Green" #UpdateID (GUID of the update) to delete If (!$RemoveUpdateID) { $IDOfUpdateToRemove = ($WSUS.GetUpdates() | ? {$_.Title -match $KB}).Id.UpdateId.ToString() $RemoveUpdateID = $IDOfUpdateToRemove } $updatescope = New-Object Microsoft.UpdateServices.Administration.UpdateScope $u=$WSUS.GetUpdates($updatescope) Foreach ($u1 in $u) { $a=New-Object Microsoft.UpdateServices.Administration.UpdateRevisionId $a=$u1.id If ($a.UpdateId -eq $RemoveUpdateID) { Write-Host "Deleting update " $a.UpdateId "..." $WSUS.DeleteUpdate($a.UpdateId) } } trap { write-host "Error Occurred" write-host "Exception Message: " write-host $_.Exception.Message write-host $_.Exception.StackTrace } } }
Error: Cannot Delete RevisionID: XXXX Because it is still deployed to a Non DSS Target Group
Solution
- Change the Approval-Status to "Not Approved"
WSUS Dual Scan
Check Dual Scan Konfiguration
$WinUpdateSvc = New-Object -ComObject "Microsoft.Update.ServiceManager" $WinUpdateSvc.Services | select Name, IsDefaultAUService
If Windows Update is True -> Dual Scan
If Windows Server Update Service is True -> only WSUS/SUP
Disable Dual Scan
Enable the GPO-Policy under Windows Components/Windows Update: Do not allow update deferral policies to cause scans against Windows Update
More Informations: https://blogs.technet.microsoft.com/swisspfe/2018/04/13/win10-updates-store-gpos-dualscandisabled-sup-wsus/
