这是我最终使用的代码。它有效,但我不禁感觉有更好的方法。
.Synopsis
Approve WSUS updates for installation.
.DESCRIPTION
This script takes the name of a WSUS approval group, and approves updates based on their age.
.NOTES
Author: Mike Hashemi
V1 date: 24 Feb 2014
.LINK
.PARAMETER PrimaryWSUSServer
Default value: server.domain.local. This parameter specifies the DNS name of the primary WSUS server.
.PARAMETER PatchingGroup
Manadatory parameter. Valid values are 'Alpha','Beta','Production','Excluded','Workstations','COC-OMI-WORKSTATIONS'. The value of this parameter determines what patching groups will have updates approved for installation. Multiple groups can be entered at once, unless one of the is Alpha
.EXAMPLE
.\manageWSUSUpdates-Parameterized.ps1 -PatchingGroup Alpha
In this example, the script will approve all updates with an approval status not equal to 'IsDeclined', for installation to servers in the Alpha group.
.EXAMPLE
.\manageWSUSUpdates-Parameterized.ps1 -PatchingGroup Beta
In this example, the script will get the list of updates approved for the Alpha group, in the last three months (from the date the script is run), and will approve them for installation to servers in the Beta group.
#>
[CmdletBinding()]
param(
[string]$PrimaryWSUSServer = “server.domain.local”,
[Parameter(Mandatory=$True)]
[ValidateSet('Alpha','Beta','Production','Excluded','Workstations','COC-OMI-WORKSTATIONS')]
[string[]]$PatchingGroup
)
#Initialize variables
$BeginScriptTime = Get-Date
# Load the Required .NET assembly
[void][reflection.assembly]::LoadWithPartialName(“Microsoft.UpdateServices.Administration”)
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer($PrimaryWSUSServer,$False)
Function Approve-AlphaPatches {
#Get the list of all updates that are not declined.
$unapprovedUpdates = $wsus.getupdates() | where {$_.isdeclined -ne $true}
#If an update has a license agreement, accept it
$license = $unapprovedUpdates | where {$_.RequiresLicenseAgreementAcceptance}
$license | ForEach {$_.AcceptLicenseAgreement()}
#Get members of Alpha patching group.
$installGroup = $wsus.GetComputerTargetGroups() | where {$_.Name -eq $PatchingGroup}
#Approve updates for the Beta group.
Foreach ($update in $unapprovedUpdates) {
$update.Approve(“Install”,$installGroup)
}
}
Function Approve-NonAlphaPatches {
Foreach ($group in $PatchingGroup) {
#Get the updates that have arrived in the last three months.
$updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$updateScope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved
$updateScope.FromArrivalDAte = (Get-Date).AddMonths(-3)
#Get the updates approved for the Alpha group.
$alphaGroup = $wsus.GetComputerTargetGroups() | Where {$_.Name -eq 'Alpha'}
$updateScope.ApprovedComputerTargetGroups.add($alphaGroup)
$Updates = $wsus.GetUpdates($updateScope)
#Get members of Alpha patching group.
$installGroup = $wsus.GetComputerTargetGroups() | where {$_.Name -eq $group}
#Approve updates for the user-specified patching group.
Foreach ($update in $updates) {
$update.Approve(“Install”,$installGroup)
}
}
}
#Begin Script
If (($PatchingGroup.Count -gt 1) -and ($PatchingGroup -ccontains 'Alpha')) {
Write-Error ("This script cannot approve Alpha patches with other patching groups. If you want to approve more groups at the same time, please approve the rest in a second execution of the script.")
Return
}
Else {
If ($PatchingGroup -eq 'Alpha') {
Approve-AlphaPatches
}
Else {
Approve-NonAlphaPatches
}
}