WSUS: PowerShell
From Wiki-WebPerfect
Revision as of 9 June 2020, 09:40 by Admin
Get Windows Update ID
-> This function/script has been moved to GitHub!
Function Get-UpdateFromWSUSInfo {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$false)]
        [String]$WSUSServer = "localhost",

        [Parameter(Mandatory=$false)]
        [Int32]$PortNumber = 8530,

        [Parameter(Mandatory=$false)]
        [Boolean]$useSecureConnection = $False,

        [Parameter(Mandatory=$false)]
        [String]$KB = ""
    )
    Process {
        # Load the WSUS administration .NET assembly
        [void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
        # Pass $useSecureConnection through so the parameter takes effect
        # (it was hard-coded to $False; WSUS uses port 8531 for SSL by default)
        $WSUS = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WSUSServer,$useSecureConnection,$PortNumber)

        # Get all updates
        $updates = $WSUS.GetUpdates()

        # If a KB was given, keep only updates whose title matches it (regex match)
        If ($KB) {
            $updates = $updates | ? {$_.Title -match $KB}
        }

        # Output some basic info, one object per update (also when a KB matches several)
        ForEach ($update in $updates) {
            New-Object PSObject -Property @{
                Id     = $update.Id.UpdateId.ToString()
                Title  = $update.Title
                Source = $update.UpdateSource.ToString()
            }
        }
    }
}
Remove Windows Update from WSUS
-> This function/script has been moved to GitHub!
Function Remove-UpdateFromWSUS {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$false)]
        [String]$WSUSServer = "localhost",

        [Parameter(Mandatory=$false)]
        [Int32]$PortNumber = 8530,

        [Parameter(Mandatory=$false)]
        [Boolean]$useSecureConnection = $False,

        [Parameter(Mandatory=$false)]
        [String]$KB = "",

        [Parameter(Mandatory=$false)]
        [String]$RemoveUpdateID = ""
    )
    Process {
        # Without a selector, the empty -KB pattern would match every update title
        If (!$KB -and !$RemoveUpdateID) {
            Write-Error "Specify -KB or -RemoveUpdateID."
            return
        }

        # Load .NET assembly
        [void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
        # Pass $useSecureConnection through so the parameter takes effect (it was hard-coded to $False)
        $WSUS = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WSUSServer,$useSecureConnection,$PortNumber)
        Write-Host "Connected successfully" -foregroundcolor "Green"

        # UpdateID (GUID of the update) to delete
        If (!$RemoveUpdateID) {
            $Matched = @($WSUS.GetUpdates() | ? {$_.Title -match $KB})
            # Only continue when the KB identifies exactly one update
            If ($Matched.Count -ne 1) {
                Write-Error "KB '$KB' matched $($Matched.Count) updates; pass -RemoveUpdateID instead."
                return
            }
            $RemoveUpdateID = $Matched[0].Id.UpdateId.ToString()
        }

        $updatescope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
        $u = $WSUS.GetUpdates($updatescope)

        Foreach ($u1 in $u) {
            # Revision ID of the current update; its UpdateId is the GUID compared below
            $a = $u1.Id
            If ($a.UpdateId -eq $RemoveUpdateID) {
                Write-Host "Deleting update " $a.UpdateId "..."
                $WSUS.DeleteUpdate($a.UpdateId)
            }
        }

        # Report any terminating error raised in this block
        trap {
            write-host "Error Occurred"
            write-host "Exception Message: "
            write-host $_.Exception.Message
            write-host $_.Exception.StackTrace
        }
    }
}
Error: Cannot Delete RevisionID: XXXX Because it is still deployed to a Non DSS Target Group
Solution
- Change the Approval-Status to "Not Approved"
Check WSUS Agent ID (SusClientId)
On the WSUS server, search for your system:
Get-WsusComputer -NameIncludes <Hostname> | fl *
Compare the ID of the WSUS computer object with the "SusClientId" on the client (they have to be the same):
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" -Name SusClientId
If there is a mismatch, remove the WSUS computer object in the WSUS console and run the following on your client:
wuauclt /detectnow /reportnow
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
c:\windows\system32\UsoClient.exe startscan
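The comparison described above, as one function. This is an added example, not code from the original page. It assumes it runs on the WSUS server (UpdateServices module available) and that PowerShell remoting to the client is enabled; Test-WsusClientId is a hypothetical helper name and CLIENT01 a constructed host name.

```powershell
# Added example: compare the WSUS-side computer ID with the client's SusClientId.
# Assumptions: run on the WSUS server, PowerShell remoting enabled on the client.
Function Test-WsusClientId {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true)]
        [String]$ComputerName
    )

    # -NameIncludes is a substring match, so keep only objects whose host name
    # part equals the requested name (this also drops non-computer output)
    $Targets = @(Get-WsusComputer -NameIncludes $ComputerName |
        Where-Object { ($_.FullDomainName -split '\.')[0] -eq $ComputerName })

    # Read the ID the Windows Update agent on the client reports with
    $ClientId = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" -Name SusClientId).SusClientId
    }

    If ($Targets.Count -eq 0) {
        Write-Warning "$ComputerName has no computer object on this WSUS server."
    }
    If ($Targets.Count -gt 1) {
        Write-Warning "$ComputerName has $($Targets.Count) computer objects on this WSUS server."
    }

    # Match is only true for exactly one WSUS object carrying the client's ID
    [PSCustomObject]@{
        ComputerName = $ComputerName
        ClientSusId  = $ClientId
        WsusIds      = $Targets.Id
        Match        = ($Targets.Count -eq 1 -and $Targets[0].Id -eq $ClientId)
    }
}

# Constructed host name for illustration
Test-WsusClientId -ComputerName "CLIENT01"
```

A result with Match = False is the mismatch case handled by the step above: remove the computer object and trigger a new detection on the client.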
Dual Scan (on Windows 10 & Windows Server 2016)
Check Dual Scan Configuration
$WinUpdateSvc = New-Object -ComObject "Microsoft.Update.ServiceManager"
$WinUpdateSvc.Services | select Name, IsDefaultAUService
If Windows Update is True -> Dual Scan
If Windows Server Update Service is True -> only WSUS/SUP
Disable Dual Scan
Enable the GPO-Policy under Windows Components/Windows Update -> Do not allow update deferral policies to cause scans against Windows Update
More information: https://blogs.technet.microsoft.com/swisspfe/2018/04/13/win10-updates-store-gpos-dualscandisabled-sup-wsus/