How to automatically decline quality rollup updates in WSUS

windows wsus windows-update
5,555

This powershell script can be used to automatically block all new quality updates in WSUS. It must be run directly on the WSUS server. As far as how the script works, first the script searches for non-approved installable updates with the word "quality" in the title. If any such updates are found they are listed, and user is given the option to proceed and block the updates, or not, via an input prompt. 

[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer();
$updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
# Retrieve only updates that have not yet been approved
$updateScope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
# Retrieve only updates that are installable
$updateScope.IncludedInstallationStates = [Microsoft.UpdateServices.Administration.UpdateInstallationStates]::NotInstalled
$totalUpdateCount = $wsus.GetUpdateCount($updateScope)
$qualityUpdates = $wsus.GetUpdates($updateScope) | Where-Object {$_.Title -like '*quality*'} 
$qualityUpdateCount = $qualityUpdates.Length
if ($qualityUpdateCount -gt 0) {
    $qualityUpdates | select title
    Write-Host "=========================================="
    $confirmation = Read-Host "$qualityUpdateCount quality updates out of $totalUpdateCount total non-approved installable updates were found. Decline? (y/n)"
    if ($confirmation -eq 'y') {
        $wsus.GetUpdates($updateScope) | Where-Object {$_.Title -like '*quality*'}  | ForEach {
            Write-Verbose ("Declining {0}" -f $_.Title) -Verbose
            $_.Decline()
        }
    }
} Else {
    Write-Host "No non-approved installable updates were found."
}

If you want to decline quality updates automatically, run a slightly modified version of the above script as a windows task.

[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer();
$updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
# Retrieve only updates that have not yet been approved
$updateScope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
# Retrieve only updates that are installable
$updateScope.IncludedInstallationStates = [Microsoft.UpdateServices.Administration.UpdateInstallationStates]::NotInstalled
$totalUpdateCount = $wsus.GetUpdateCount($updateScope)
$qualityUpdates = $wsus.GetUpdates($updateScope) | Where-Object {$_.Title -like '*quality*'} 
$qualityUpdateCount = $qualityUpdates.Length
if ($qualityUpdateCount -gt 0) {
    $wsus.GetUpdates($updateScope) | Where-Object {$_.Title -like '*quality*'}  | ForEach {
        $_.Decline()
    }
}

NOTE: I write the above script with some help from Boe Prox's great WSUS powershell scripting tutorial.

Share:
5,555

Related videos on Youtube

wrieedx
Author by

wrieedx

Updated on September 18, 2022

Comments

  • wrieedx
    wrieedx almost 2 years

    As you probably know, it is now not possible to pick and choose specific updates to approve or decline in WSUS for older Windows operating systems. For servers, generally speaking there are now only two types: a roll up for the month's security updates, and a comprehensive rollup that includes all security and "quality" updates.

    For servers, I am only interested in evaluating and approving security updates, and I will decline all "quality" updates. However, quality and security updates seem to be lumped together under the same class and MSRC classification categories. The only way to distinguish between the two appears to be the the update title itself (i.e. whether or not the update title includes "quality" or not).

    Because the names of the quality and security updates are very similar, and there is no easy way that I can see to completely separate them each other in the WSUS view, I am afraid that eventually either I or somebody else will get careless and approve a quality update by mistake. The best way to alleviate the problem is to simply automatically decline all quality updates.

    Does anybody know how to do this? An alternative solution could be to find a view in WSUS that makes it easier to discern between quality and security updates, or not having server quality updates show up in WSUS in the first place.

    The WSUS server is Windows 2008 R2 and WSUS version is 3.2.7600.226.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

WSUS Windows Update Client stuck
WSUS clients can't find updates
How can I move computer groups in WSUS?
How to disable WSUS on our domain?
WSUS Shows Incorrect Version & WSUS (isolated) fails to download updates
Declining superseded updates in WSUS
Edit Windows Update GPO Via Command Line
Default Microsoft Windows Update Server
Windows Updates taking a long time to install
Getting PCs to report to WSUS