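Approving WSUS updates for one computer group at a time

Time: 2014-02-17 14:27:53

Tags: powershell

We have a WSUS server and four computer groups (Alpha, Beta, Production, Workstations). Our patching procedure has us approve all "unapproved" patches for the Alpha group just after they are released by Microsoft. A week later, we approve all of the previous week's updates for the Beta group. A week after that, we do the same for Production.

I am writing a script (which I won't be able to test until next week) and wanted to know if there is a better way to get the list of updates approved for Alpha. Here is the code: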

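# Assumes $wsus is an IUpdateServer connection and $PatchingGroup holds the group name (e.g. 'Alpha').
$updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$updateScope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved
# Only consider updates that arrived on the server within the last month.
$updateScope.FromArrivalDate = (Get-Date).AddMonths(-1)
$wsusGroup = $wsus.GetComputerTargetGroups() | Where {$_.Name -eq "$PatchingGroup"}
# Debug output: inspect the scope object.
$updateScope
$updateScope.getType()
$updateScope.count
# Restrict the scope to updates approved for the selected group.
$updateScope.ApprovedComputerTargetGroups.add($wsusGroup)
$wsus.GetUpdates($updateScope)
$Updates = $wsus.GetUpdates($updateScope)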

I assume I can use the $Updates variable and do the following for the Beta and Production groups:

Foreach ($update in $updates) {
    $update.Approve("Install",$PatchingGroup)
}

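Does this work, and is there a better way?

3 answers:

Answer 0: (score: 3)

Here is the code that I ended up using. It works, but I can't help but feel like there is a better way.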

<# 
.Synopsis
    Approve WSUS updates for installation.
.DESCRIPTION 
    This script takes the name of a WSUS approval group, and approves updates based on their age.
.NOTES 
    Author: Mike Hashemi
    V1 date: 24 Feb 2014
.LINK

.PARAMETER PrimaryWSUSServer
    Default value: server.domain.local. This parameter specifies the DNS name of the primary WSUS server.
.PARAMETER PatchingGroup
    Mandatory parameter. Valid values are 'Alpha','Beta','Production','Excluded','Workstations','COC-OMI-WORKSTATIONS'. The value of this parameter determines what patching groups will have updates approved for installation. Multiple groups can be entered at once, unless one of them is Alpha.
.EXAMPLE
    .\manageWSUSUpdates-Parameterized.ps1 -PatchingGroup Alpha 
    In this example, the script will approve all updates with an approval status not equal to 'IsDeclined', for installation to servers in the Alpha group.
.EXAMPLE
    .\manageWSUSUpdates-Parameterized.ps1 -PatchingGroup Beta
    In this example, the script will get the list of updates approved for the Alpha group, in the last three months (from the date the script is run), and will approve them for installation to servers in the Beta group.
#>
[CmdletBinding()]
param(
    [string]$PrimaryWSUSServer = "server.domain.local",

    [Parameter(Mandatory=$True)]
    [ValidateSet('Alpha','Beta','Production','Excluded','Workstations','COC-OMI-WORKSTATIONS')]
    [string[]]$PatchingGroup
)

#Initialize variables
$BeginScriptTime = Get-Date

# Load the Required .NET assembly
[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer($PrimaryWSUSServer,$False)

Function Approve-AlphaPatches {
    #Get the list of all updates that are not declined.
    $unapprovedUpdates = $wsus.getupdates() | where {$_.isdeclined -ne $true}

    #If an update has a license agreement, accept it
    $license = $unapprovedUpdates | where {$_.RequiresLicenseAgreementAcceptance}
    $license | ForEach {$_.AcceptLicenseAgreement()}

    #Get members of Alpha patching group.
    $installGroup = $wsus.GetComputerTargetGroups() | where {$_.Name -eq $PatchingGroup}

    #Approve updates for the Alpha group.
    Foreach ($update in $unapprovedUpdates) {
        $update.Approve("Install",$installGroup)
    }
}

Function Approve-NonAlphaPatches {
    Foreach ($group in $PatchingGroup) {
        #Get the updates that have arrived in the last three months.
        $updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
        $updateScope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved
        $updateScope.FromArrivalDAte = (Get-Date).AddMonths(-3)

        #Get the updates approved for the Alpha group.
        $alphaGroup = $wsus.GetComputerTargetGroups() | Where {$_.Name -eq 'Alpha'}
        #Add() returns the new index; discard it so it does not leak into the function output.
        [void]$updateScope.ApprovedComputerTargetGroups.add($alphaGroup)
        $Updates = $wsus.GetUpdates($updateScope)

        #Get the user-specified patching group.
        $installGroup = $wsus.GetComputerTargetGroups() | where {$_.Name -eq $group}

        #Approve updates for the user-specified patching group.
        Foreach ($update in $updates) {
            $update.Approve("Install",$installGroup)
        }
    }
}

#Begin Script
If (($PatchingGroup.Count -gt 1) -and ($PatchingGroup -ccontains 'Alpha')) {
    Write-Error ("This script cannot approve Alpha patches with other patching groups. If you want to approve more groups at the same time, please approve the rest in a second execution of the script.")
    Return
}
Else {
    If ($PatchingGroup -eq 'Alpha') {
        Approve-AlphaPatches
    }
    Else {
        Approve-NonAlphaPatches
    }
}

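Answer 1: (score: 1)

I don't see any reference to a specific version of PowerShell in the original post, but is it possible that the Windows 8.1 / Windows Server 2012 R2 WSUS module would accomplish your goal?

There is a function called Approve-WsusUpdate, which has a -TargetGroupName parameter.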

http://technet.microsoft.com/en-us/library/hh826164.aspx

If you aren't using Windows 8.1 and PowerShell version 4.0, forgive my ignorance.
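The staged promotion described in the question, written against the UpdateServices module that this answer mentions, as an added example that is not part of the original post or of any answer: it approves for a later ring only those updates whose install approval on the source group is at least `$SoakDays` old, and honours `-WhatIf`. The server name is the placeholder used in Answer 0; port 8530, the `$SoakDays`, `$SourceGroup` and `$TargetGroup` parameters, and the treatment of approval timestamps as UTC are assumptions.

```powershell
# Added example (not the original author's script).
# Requires the UpdateServices module (WSUS tools on Windows Server 2012 or later).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$PrimaryWSUSServer = 'server.domain.local',  # placeholder taken from the page
    [int]$Port = 8530,                                   # assumption: default WSUS HTTP port
    [string]$SourceGroup = 'Alpha',
    [Parameter(Mandatory = $true)]
    [ValidateSet('Beta', 'Production')]
    [string]$TargetGroup,
    [int]$SoakDays = 7                                   # one week per ring, as in the question
)

Import-Module UpdateServices
$wsus   = Get-WsusServer -Name $PrimaryWSUSServer -PortNumber $Port
$groups = $wsus.GetComputerTargetGroups()
$source = $groups | Where-Object { $_.Name -eq $SourceGroup }
$target = $groups | Where-Object { $_.Name -eq $TargetGroup }
if (-not $source -or -not $target) {
    throw "Computer group '$SourceGroup' or '$TargetGroup' was not found on $PrimaryWSUSServer."
}

# Assumption: approval timestamps are stored in UTC.
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$SoakDays)

Get-WsusUpdate -UpdateServer $wsus -Approval Approved -Status Any | ForEach-Object {
    $view   = $_          # WsusUpdate wrapper expected by Approve-WsusUpdate
    $update = $view.Update

    # Install approvals recorded for the source group that are old enough to have soaked.
    $soaked = @($update.GetUpdateApprovals($source) | Where-Object {
        $_.Action -eq 'Install' -and $_.CreationDate -le $cutoff })

    # Install approvals already present on the target group (nothing left to do).
    $done = @($update.GetUpdateApprovals($target) | Where-Object { $_.Action -eq 'Install' })

    if ($soaked.Count -gt 0 -and $done.Count -eq 0 -and -not $update.IsDeclined) {
        if ($PSCmdlet.ShouldProcess($update.Title, "Approve for $TargetGroup")) {
            Approve-WsusUpdate -Update $view -Action Install -TargetGroupName $TargetGroup
        }
    }
}
```

Running it with `-TargetGroup Beta -WhatIf` first lists what would be promoted without changing any approvals.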

Answer 2: (score: 0)

I added an exclusion list to prevent re-enabling disabled updates:

#Load KBs to exclude (digits only, so 'KB4011052' becomes '4011052')
$pattern = '[^0-9]'
$excludedKBs = @()
if(Test-Path ($PSScriptRoot + '\exclude.csv')){
    $excludedKBs = @(Import-Csv ($PSScriptRoot + '\exclude.csv') -Delimiter ';' -Encoding UTF8 |
        ForEach-Object { $_.KBArticle -replace $pattern, '' })
}

    #Approve updates for the selected group, skipping excluded KBs.
    Foreach ($update in $unapprovedUpdates) {
        #An update is excluded if any of its KB articles is on the exclusion list.
        $isExcluded = @($update.KnowledgebaseArticles | where { $excludedKBs -contains $_ }).Count -gt 0
        if (-not $isExcluded){
            $update.Approve("Install",$installGroup)
        }
    }

exclude.csv looks like this:

KBArticle
KB4011052