WSUS per Powershell konfigurieren oder zurücksetzen

Wie das Konfigurieren und Auslesen des WSUS (Windows Server Update Services) im Einzelnen funktioniert kann im Internet zu genüge nachgelesen werden. Hinweisen möchte ich an dieser Stelle an den sehr empfehlenswerten Blog von „The Scripting Guys“ von Microsoft Devblogs. Dort findet ihr sehr viele fortgeschrittene und tiefergehende Informationen zu Powershell, auf denen sämtliche meiner Scripte bestehen. Warum das Rad neu erfinden…

WSUS per Powershell konfigurieren

Das Powershellscript zum Konfigurieren des WSUS muss in dieser Variant auf dem betroffenen WSUS lokal ausgeführt werden. Zum ausführen per Remote ersetzt einfach das „localhost“ in der Zeile „$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer(„localhost“,$FALSE,8530) „

Ansonsten ist der Rest ziemlich selbsterklärend. Zu aktivierende Produkte tragt ihr in das Array „$wsus_enable_products“ und die Kategorien in “$wsus_enable_categories“

# PS-Script: reset WSUS configuration
# Version: 21.07.2017
#
# Requirements:
# - powershell 2.0
# - Windows 8.a and newer
# - installed WSUS Console
# 
#
# Configuration:
#
#### Configuration ####

$wsus_enable_products=@("Office 2010","Office 2013 ","Office 2016","New Dictionaries for Microsoft IMEs",
                        "Windows 10 LTSB","Windows 10","Windows 10 Language Packs","Windows 10 Language Interface Packs",
                        "Windows 8.1",
                        "Windows 7",
                        "Windows Dictionary Updates",
                        "Windows Embedded Standard 7",
                        "Windows Server 2003",
                        "Windows Server 2008","Windows Server 2008 R2",
                        "Windows Server 2012","Windows Server 2012 R2",
                        "Windows Server 2016")

$wsus_enable_categories=@('Critical Updates',
                        'Definition Updates',
                        'Security Updates',
                        'Update Rollups')



##### WSUS CONFIG START ####
[void][reflection.assembly]::LoadWithPartialName(“Microsoft.UpdateServices.Administration”)
        $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer("localhost",$FALSE,8530)
        
$wsus_Config = $wsus.GetConfiguration()

## set Languages
write-host "--> set updatelanguage to EN"
$wsus_Config.AllUpdateLanguagesEnabled = $false           
$wsus_Config.SetEnabledUpdateLanguages("en")       
$wsus_Config.Save()

## configure products
Write-host "--> disable all products"
 
Get-WsusServer | Get-WsusProduct | Set-WsusProduct -Disable
#Get-WsusServer | Get-WsusProduct | Where-Object -FilterScript { $_.product.title -match "Windows" } | Set-WsusProduct -Disable
 
Write-host "--> enable products:"

foreach($wsus_product in $wsus_enable_products){
  Write-host "---> "$wsus_product" enabled..."
  Get-WsusServer | Get-WsusProduct | Where-Object -FilterScript { $_.product.title -eq $wsus_product } | Set-WsusProduct
}
 
## configure classifications
Write-host "--> Configure the Classifications"

Write-host "---> all Classifications disabled"
Get-WsusClassification  | Set-WsusClassification -Disable

foreach($wsus_category in $wsus_enable_categories){

  Write-host "---> " $wsus_category" enabled..."
  Get-WsusClassification | Where-Object {    $_.Classification.Title -in ($wsus_category)} | Set-WsusClassification
}
        
## setup autmomatic approval rule
[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

$rule = $wsus.GetInstallApprovalRules() | Where {$_.Name -eq "Default Automatic Approval Rule"}

$class = $wsus.GetUpdateClassifications() | ? {$_.Title -In (
                'Critical Updates',
                'Definition Updates',
                'Security Updates',
                'Update Rollups'
                )}

$class_coll = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
$class_coll.AddRange($class)
$rule.SetUpdateClassifications($class_coll)
$rule.Enabled = $True
$rule.Save()
 
Write-Verbose "Run Default Approval Rule" -Verbose
$rule.ApplyRule()