Getting the status of computers and updates on a WSUS server with PowerShell
31 Jul 2018
WSUS
powershell
# Load the library
[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
# Connect to the server; 8530 is the WSUS port (the default is 80)
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer('bd2.mkucou.local', $False, 8530)
# Computer and update scopes
$computerscope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope
$updatescope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
# Get the summary table in HTML format
$wsus.GetSummariesPerComputerTarget($updatescope, $computerscope) |
    Select @{L='ComputerTarget';E={($wsus.GetComputerTarget([guid]$_.ComputerTargetId)).FullDomainName}},
        @{L='NeededCount';E={($_.DownloadedCount + $_.NotInstalledCount)}},
        DownloadedCount, NotInstalledCount, InstalledCount, FailedCount |
    ConvertTo-Html -Fragment
# Summary table for one group
$groups = @{}
$wsus.GetComputerTargetGroups() | ForEach {$groups[$_.Name]=$_.id;$groups[$_.ID]=$_.name}
$pcgroup = @($wsus.GetComputerTargets($computerscope) | Where {$_.ComputerTargetGroupIds -eq $groups['MKUCOU']}) | Select -expand Id
$wsus.GetSummariesPerComputerTarget($updatescope, $computerscope) |
    Where {$pcgroup -Contains $_.ComputerTargetID} |
    Format-Table @{L='ComputerTarget';E={($wsus.GetComputerTarget([guid]$_.ComputerTargetId)).FullDomainName}},
        @{L='NeededCount';E={($_.DownloadedCount + $_.NotInstalledCount)}},
        DownloadedCount, NotInstalledCount, InstalledCount, FailedCount
Output (group: MKUCOU):
ComputerTarget     NeededCount DownloadedCount NotInstalledCount InstalledCount FailedCount
--------------     ----------- --------------- ----------------- -------------- -----------
c012.mkucou.local            6               0                 6            179           0
c023.mkucou.local           11               5                 6            174           0
c011.mkucou.local            6               0                 6            201           0
c025.mkucou.local            6               0                 6            178           0
c030.mkucou.local           12               6                 6            174           0
c010.mkucou.local            6               0                 6            174           0
c015.mkucou.local            6               0                 6            192           0
c0007.mkucou.local           9               3                 6            176           0
c021.mkucou.local           12               3                 9            173           0
c020.mkucou.local            6               0                 6            175           0
c024.mkucou.local            6               0                 6            177           0
c031.mkucou.local           12               6                 6            178           0
c0004.mkucou.local          14               7                 7            173           1
c0005.mkucou.local           6               0                 6            183           0
c0008.mkucou.local          19              10                 9            171           2
c016.mkucou.local            6               0                 6            176           0
c026.mkucou.local           13               6                 7            172           0
c029.mkucou.local           12               6                 6            209           0
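The counts in this table reflect only what each client last reported, so a machine that has stopped reporting keeps its old numbers. The following is an added example, not code from the original post, that ranks summary rows for triage and flags stale ones; the function name, the 14-day threshold, the Status labels and the sample report times are assumptions, and LastReportedStatusTime is read from the computer target object.

```powershell
# Added example, not from the original post: rank summary rows for patch triage.
# StaleAfterDays and the Status labels are assumptions made for this illustration.
function Get-WsusPatchTriage {
    param(
        [Parameter(Mandatory)] [object[]] $Row,
        [int] $StaleAfterDays = 14,
        [datetime] $Now = [datetime]::UtcNow   # assumes report times are UTC
    )
    $rank = @{ Stale = 0; Failed = 1; Needed = 2; OK = 3 }
    $Row | ForEach-Object {
        $needed = $_.DownloadedCount + $_.NotInstalledCount   # NeededCount as in the post
        $age    = [int][math]::Floor(($Now - $_.LastReportedStatusTime).TotalDays)
        # A stale row is checked first: its counts no longer describe the machine
        $status = if     ($age -gt $StaleAfterDays) { 'Stale' }
                  elseif ($_.FailedCount -gt 0)     { 'Failed' }
                  elseif ($needed -gt 0)            { 'Needed' }
                  else                              { 'OK' }
        [pscustomobject]@{
            ComputerTarget  = $_.ComputerTarget
            Status          = $status
            NeededCount     = $needed
            FailedCount     = $_.FailedCount
            DaysSinceReport = $age
        }
    } | Sort-Object { $rank[$_.Status] }, @{ Expression = 'NeededCount'; Descending = $true }
}

# Live input, built from the objects created earlier in the post:
# $rows = $wsus.GetSummariesPerComputerTarget($updatescope, $computerscope) | ForEach-Object {
#     $ct = $wsus.GetComputerTarget([guid]$_.ComputerTargetId)
#     $_ | Select-Object @{L='ComputerTarget';E={$ct.FullDomainName}},
#          DownloadedCount, NotInstalledCount, FailedCount,
#          @{L='LastReportedStatusTime';E={$ct.LastReportedStatusTime}}
# }

# Constructed sample rows: counts from the output above, report times invented.
$asOf = [datetime]'2018-07-31T12:00:00'
$sample = @(
    [pscustomobject]@{ ComputerTarget='c0008.mkucou.local'; DownloadedCount=10; NotInstalledCount=9; FailedCount=2; LastReportedStatusTime=$asOf.AddDays(-1) }
    [pscustomobject]@{ ComputerTarget='c0004.mkucou.local'; DownloadedCount=7;  NotInstalledCount=7; FailedCount=1; LastReportedStatusTime=$asOf.AddDays(-2) }
    [pscustomobject]@{ ComputerTarget='c012.mkucou.local';  DownloadedCount=0;  NotInstalledCount=6; FailedCount=0; LastReportedStatusTime=$asOf.AddDays(-40) }
    [pscustomobject]@{ ComputerTarget='c023.mkucou.local';  DownloadedCount=5;  NotInstalledCount=6; FailedCount=0; LastReportedStatusTime=$asOf.AddDays(-1) }
)
Get-WsusPatchTriage -Row $sample -Now $asOf | Format-Table -AutoSize
```

With the sample rows, c012 is listed first as Stale, then c0008 and c0004 as Failed, then c023 as Needed.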
Listing the groups:
$wsus.GetComputerTargetGroups() | Select Name, Id
Name                     Id
----                     --
Неназначенные компьютеры b73ca6ed-5727-47f3-84de-015e03f6a88a
NoUpdate                 0f500ead-9304-4152-bfe4-0e0b1085b642
MKUCOU                   7f757425-7d51-4d40-a1e1-554e9b5ad029
UKRGO                    cb748bc2-cb9e-43ba-95e6-68ca1f32f44b
Все компьютеры           a0a08746-4dbe-4a37-9adf-9e7652c0b421
_Servers                 248cb884-ec6a-48fc-8553-c52a205494e4
RIM                      65dabc7d-25b1-4873-aaad-f2f1fa9917a3
Finding the state of updates (those that need attention):
function GetUpdateState {
    param(
        [string[]]$kbnumber,
        [string]$wsusserver,
        [int]$port = 8530
    )
    $report = @()
    [void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
    # Connect without SSL ($False) on the port given in -port
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer($wsusserver, $False, $port)
    $CompSc = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope
    # Only updates approved for installation
    $updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    $updateScope.UpdateApprovalActions = [Microsoft.UpdateServices.Administration.UpdateApprovalActions]::Install
    foreach ($kb in $kbnumber) {
        # Match the KB number against the update title
        $updates = $wsus.GetUpdates($updateScope) | ?{$_.Title -match $kb}
        foreach ($update in $updates) {
            $update.GetUpdateInstallationInfoPerComputerTarget($CompSc) | ?{$_.UpdateApprovalAction -eq "Install"} | % {
                $Comp = $wsus.GetComputerTarget($_.ComputerTargetId)
                $info = "" | select UpdateTitle, SecurityBulletins, Computername, OS, IpAddress, UpdateInstallationStatus, UpdateApprovalAction
                $info.UpdateTitle = $update.Title
                $info.SecurityBulletins = ($update.SecurityBulletins -join ';')
                $info.Computername = $Comp.FullDomainName
                $info.OS = $Comp.OSDescription
                $info.IpAddress = $Comp.IPAddress
                $info.UpdateInstallationStatus = $_.UpdateInstallationState
                $info.UpdateApprovalAction = $_.UpdateApprovalAction
                $report += $info
            }
        }
    }
    # Keep only the rows that need attention
    $report | ?{$_.UpdateInstallationStatus -ne 'NotApplicable' -and $_.UpdateInstallationStatus -ne 'Unknown' -and $_.UpdateInstallationStatus -ne 'Installed' }
}
# CVE-2017-5715 and CVE-2017-5754 (Meltdown and Spectre)
$CVE20175715 = "KB4056898", "KB4056897", "KB4056890", "KB4056892"
# MS17-010 (WannaCrypt)
$MS17010 = "KB4012212", "KB4012213", "KB4012214", "KB4012215", "KB4012216", "KB4012217", "KB4012598", "KB4012606", "KB4013198", "KB4013429", "KB4015217", "KB4015219", "KB4015221", "KB4015438", "KB4015549", "KB4015550", "KB4015551", "KB4016635", "KB4016636", "KB4016637", "KB4016871", "KB4019215", "KB4019216", "KB4019264", "KB4019472", "KB4019473", "KB4019474", "KB4022726"
GetUpdateState -kbnumber $MS17010 -wsusserver bd2.mkucou.local -port 8530
Output (updates from MS17-010 that are not installed):
PS C:\> GetUpdateState -kbnumber $MS17010 -wsusserver bd2.mkucou.local -port 8530
UpdateTitle              : 2017-05 Security Monthly Quality Rollup for Windows 7 for x86-based Systems (KB4019264)
SecurityBulletins        :
Computername             : m004.rim.muzey-rezh.ru
OS                       : Windows 7 Профессиональная
IpAddress                : 192.168.224.104
UpdateInstallationStatus : NotInstalled
UpdateApprovalAction     : Install