但是微軟釋出的更新常常會出包, 有的隔天就回收, 有的兩周內回收, 再釋出新版
為了避免中招當白老鼠, MS 的建議是要建立測試環境然後手動 Approve
問題是有多少公司企業有這種美國時間跟人力呢?
不要在更新一發佈就立刻 Auto Approve 我覺得是權宜之計
但還是無法完全避免 Update 與應用程式發生相容性問題
若要做到延遲 Approve 就會需要用到 PowerShell 了
首先 WSUS 不要設定 Auto Approve
然後參考以下 Script 每天執行就好了 (可以附帶執行 Clean Up , 參考這篇)
*. 紅字部分的判斷可加可不加, Malicious Software Removal Tool 在被取代後並不會立刻 Superseded
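# Delayed approval for WSUS: approve every update that arrived 30 to 60 days ago and is
# still unapproved. Meant to run once a day with WSUS automatic approval switched off.
#
# NOTE(review): nothing is approved before it is 30 days old, security fixes included;
# approve urgent patches by hand instead of waiting for the window.
# NOTE(review): an update that is still unapproved when it passes 60 days leaves the
# window and is never picked up here, so a long gap in the daily runs leaves updates
# unapproved until someone reviews them manually.

$WSUSServer = (Get-WSUSServer).Name
[Int32]$portNumber = 8530
[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
# Second argument $False = connect without SSL (8530 is the usual plain-HTTP WSUS port).
$WSUS = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer($WSUSServer,$False,$portNumber)

# Arrival window: at least 30 days old, at most 60 days old.
$Today = Get-Date
$UpdateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$UpdateScope.FromArrivalDate = $Today.AddDays(-60)
$UpdateScope.ToArrivalDate = $Today.AddDays(-30)

# The whole condition lives inside one script block with each -and at the END of a line,
# so the filter parses as a single expression.
# The listing compared IsSuperseded with $True, which selects only updates that have
# already been replaced and skips every current one; that looks inverted, so superseded
# updates are excluded here. This last check is the optional one (drop it to ignore
# supersedence altogether).
# @() keeps .Count reliable when zero or one update matches.
$UpdateList = @($WSUS.GetUpdates($UpdateScope) | Where-Object {
    ($_.PublicationState -ne "Expired") -and
    ($_.UpdateClassificationTitle -ne 'Drivers') -and
    ($_.IsDeclined -eq $False) -and
    ($_.IsApproved -eq $False) -and
    ($_.IsSuperseded -eq $False)
})
Write-Host $UpdateList.Count
#$UpdateList | Out-GridView

# NOTE(review): the group is matched by its English display name - confirm on a
# localized WSUS installation.
$TargetGroup = $WSUS.GetComputerTargetGroups() | Where-Object { $_.Name -eq 'All Computers' }

if (($UpdateList.Count -gt 0) -and ($null -eq $TargetGroup)) {
    Write-Warning "Target group 'All Computers' was not found; no updates were approved."
}
elseif ($UpdateList.Count -gt 0) {
    foreach ($item in $UpdateList) {
        try {
            [string]$id = $item.id.UpdateId.Guid
            $Update = $WSUS.GetUpdate([guid]$id)
            # License terms are accepted automatically, without anyone reading them;
            # only call it for updates that actually ask for acceptance.
            if ($Update.RequiresLicenseAgreementAcceptance) {
                $Update.AcceptLicenseAgreement()
            }
            [void]$Update.Approve('Install',$TargetGroup)
            # Logged only after Approve() returned, so the output is a truthful record.
            Write-Host "Approved [KB$($item.KnowledgebaseArticles)] $($item.Title)"
        }
        catch {
            Write-Warning "Could not approve [KB$($item.KnowledgebaseArticles)] $($item.Title): $($_.Exception.Message)"
        }
    }
}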
也可以整合 WSUS Clean Up 一起做
# Open a timestamped transcript in the directory the script is started from.
# $TranscriptLog is read again further down, when the log is mailed and removed.
$DateTimeString = Get-Date -Format yyyyMMdd_HHmmss
$WorkingDir = (Get-Item -Path ".\" -Verbose).FullName
$TranscriptLog = "{0}\WSUS Clean Up {1}.log" -f $WorkingDir, $DateTimeString
Start-Transcript -Path $TranscriptLog

# Section banner with a blank line above and below it.
foreach ($BannerLine in "", "*** Check Updates to Approve Before 30 Days", "") {
    Write-Host $BannerLine
}
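# Approval phase: approve every update that arrived 30 to 60 days ago and is still
# unapproved (WSUS automatic approval is expected to be switched off).
#
# NOTE(review): nothing is approved before it is 30 days old, security fixes included;
# approve urgent patches by hand instead of waiting for the window.
# NOTE(review): an update that is still unapproved when it passes 60 days leaves the
# window and is never picked up here, so a long gap in the daily runs leaves updates
# unapproved until someone reviews them manually.

$WSUSServer = (Get-WSUSServer).Name
[Int32]$portNumber = 8530
[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
# Second argument $False = connect without SSL (8530 is the usual plain-HTTP WSUS port).
$WSUS = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer($WSUSServer,$False,$portNumber)

# Arrival window: at least 30 days old, at most 60 days old.
$Today = Get-Date
$UpdateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$UpdateScope.FromArrivalDate = $Today.AddDays(-60)
$UpdateScope.ToArrivalDate = $Today.AddDays(-30)

# The whole condition lives inside one script block with each -and at the END of a line,
# so the filter parses as a single expression.
# The listing compared IsSuperseded with $True, which selects only updates that have
# already been replaced and skips every current one; that looks inverted, so superseded
# updates are excluded here. This last check is the optional one (drop it to ignore
# supersedence altogether).
# @() keeps .Count reliable when zero or one update matches.
$UpdateList = @($WSUS.GetUpdates($UpdateScope) | Where-Object {
    ($_.PublicationState -ne "Expired") -and
    ($_.UpdateClassificationTitle -ne 'Drivers') -and
    ($_.IsDeclined -eq $False) -and
    ($_.IsApproved -eq $False) -and
    ($_.IsSuperseded -eq $False)
})
Write-Host "*** There are $($UpdateList.Count) Update(s) to be Approved"
Write-Host " "
#$UpdateList | Out-GridView

# NOTE(review): the group is matched by its English display name - confirm on a
# localized WSUS installation.
$TargetGroup = $WSUS.GetComputerTargetGroups() | Where-Object { $_.Name -eq 'All Computers' }

if (($UpdateList.Count -gt 0) -and ($null -eq $TargetGroup)) {
    # Warn instead of throwing so the clean-up phase and the transcript still finish.
    Write-Warning "Target group 'All Computers' was not found; no updates were approved."
}
elseif ($UpdateList.Count -gt 0) {
    foreach ($item in $UpdateList) {
        try {
            [string]$id = $item.id.UpdateId.Guid
            $Update = $WSUS.GetUpdate([guid]$id)
            # License terms are accepted automatically, without anyone reading them;
            # only call it for updates that actually ask for acceptance.
            if ($Update.RequiresLicenseAgreementAcceptance) {
                $Update.AcceptLicenseAgreement()
            }
            [void]$Update.Approve('Install',$TargetGroup)
            # Logged only after Approve() returned, so the transcript is a truthful record.
            Write-Host "Approved [KB$($item.KnowledgebaseArticles)] $($item.Title)"
        }
        catch {
            Write-Warning "Could not approve [KB$($item.KnowledgebaseArticles)] $($item.Title): $($_.Exception.Message)"
        }
    }
}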
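Write-Host ""
Write-Host "*** Start Clean Up"
Write-Host ""

# Clean-up phase: each Invoke-WsusServerCleanup switch is repeated until the cmdlet
# prints its "nothing left" message, compared as an exact string.
# The listing looped without a limit; if the cmdlet fails (so $Result stays empty) or
# prints a differently worded message, such a loop never ends. Each step is therefore
# capped at $MaxPasses and a warning is written when the cap is reached.
$MaxPasses = 20

# NOTE(review): the expected messages are copied from the listing unchanged, including
# 'Obsolete Updates Deleted:0' for -DeclineSupersededUpdates - confirm that this is what
# your server prints for that step, otherwise it always runs to the pass limit.
$CleanupSteps = @(
    @{ Name = 'CleanupObsoleteUpdates';      Done = 'Obsolete Updates Deleted:0' },
    @{ Name = 'CleanupUnneededContentFiles'; Done = 'Diskspace Freed:0' },
    @{ Name = 'CompressUpdates';             Done = 'Updates Compressed:0' },
    @{ Name = 'DeclineExpiredUpdates';       Done = 'Expired Updates Declined: 0' },
    @{ Name = 'DeclineSupersededUpdates';    Done = 'Obsolete Updates Deleted:0' }
)

foreach ($Step in $CleanupSteps) {
    # Splat the single switch for this step, e.g. -CleanupObsoleteUpdates.
    $SwitchArgs = @{}
    $SwitchArgs[$Step.Name] = $true

    $Pass = 0
    do {
        $Pass++
        $Result = Invoke-WsusServerCleanup @SwitchArgs
        Write-Host $Result
    } while (($Result -ne $Step.Done) -and ($Pass -lt $MaxPasses))

    if ($Result -ne $Step.Done) {
        Write-Warning "Clean-up step -$($Step.Name) did not report completion after $MaxPasses passes."
    }
}

Write-Host ""
# The listing had this fused onto the Write-Host line above, which only printed the
# text "stop-transcript" and left the transcript open.
Stop-Transcript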
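# Mail settings (placeholder host and addresses - replace with your own).
$MailSMTPServer = "smtp.contoso.com"
$MailFrom = "wsus@contoso.com"
$MailTo = "admin@contoso.com"
# The subject carries the run timestamp. The listing used $DateFormat here, a variable
# it never assigns, so the subject came out with an empty timestamp.
$MailSubject = "WSUS Server Cleanup $DateTimeString - ${env:COMPUTERNAME}"
$MailBody = Get-Content $TranscriptLog | Out-String

# Send the transcript as the mail body.
# NOTE(review): the message is sent without -UseSsl, so the list of approved updates
# crosses the network in clear text; add -UseSsl if the relay supports TLS.
try {
    Send-MailMessage -SmtpServer $MailSMTPServer -From $MailFrom -To $MailTo -Subject $MailSubject -Body $MailBody -Encoding Unicode -ErrorAction Stop
    # Delete the transcript only once the mail has gone out; it is the sole record of
    # what was approved and cleaned up in this run.
    Remove-Item $TranscriptLog
}
catch {
    Write-Warning "Mail was not sent; transcript kept at $TranscriptLog ($($_.Exception.Message))"
}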