[WSUS operational automation] replaced update program tried to deny script in automatically

This article is an automatic translation of the article[f5736a99db6cb84cdfc0] below.
https://qiita.com/speaktech/items/f5736a99db6cb84cdfc0

1. tried

WSUS Maintenance Guide of [3. unnecessary update program is trying to set in already rejected! ] In reference to the (https://blogs.technet.microsoft.com/jpwsus/2017/12/11/decline-is-yrfrnd/), try the *"reject replaced update program"script * and I tried.

Since there was a notice not listed officially, leaves as a work log.

2. verification environment

• Microsoft humbly made"deny replaced update program"script (Decline-SupersededUpdates.ps1)
• Windows Server 2019 Standard version 1809
• Powershell version 5.1.17763.592
• WSUS version 10.0.17763.678

3. verification procedure

3.1 script analysis

Definition of the argument in the script is as follows.

[CmdletBinding()]
Param(
    [Parameter(Mandatory=$True,Position=1)]
    [string] $UpdateServer, 
    [Parameter(Mandatory=$False)]
    [switch] $UseSSL,   
    [Parameter(Mandatory=$True, Position=2)]
    $Port,
    [switch] $SkipDecline,
    [switch] $DeclineLastLevelOnly
)

To summarize in the table, looks like.

| Argument name | type | mandatory | Description |
|:----------------- | ------------------:|:--------- ---------:|:------------------:|
| UpdateServer | string | 〇 | as the value of the argument, specify the IP address or FQDN of the WSUS server |
| Port | - | 〇 | as the value of the argument, specify the port that WSUS will use |
| UseSSL | switch | × | used when WSUS uses SSL communication |
| SkipDecline | switch | × | used to determine the number of test run or replaced update program |
| DeclineLastLevelOnly | switch | × | used to deny only update program that was replaced with the final level (** ※ 1 **) |

** ※ 1: **
The update program that has been replaced by the final level, refers to the first replaced update program.
For example, the update version 1 is replaced by the Update 2 version, if the Update 2 version has been replaced by the update program version 3, the update program that has been replaced by the final level will be a thing of the first edition.
In the script, the final level"Superseded Updates (Last Level),"the update program that was replaced with, the replaced update program except for the final level has been described as"Superseded Updates (Intermediate)".

Next, the definition of the output of the script is as follows.

$outPath = Split-Path $script:MyInvocation.MyCommand.Path
$outSupersededList = Join-Path $outPath "SupersededUpdates.csv"
$outSupersededListBackup = Join-Path $outPath "SupersededUpdatesBackup.csv"
"UpdateID, RevisionNumber, Title, KBArticle, SecurityBulletin, LastLevel" | Out-File $outSupersededList

When you run, you create a list of updates that were replaced on the WSUS the (SupersededUpdates.csv) in the same path as the script.
Actually if the"deny"is executed, and copy the list, make a backup (SupersededUpdatesBackup.csv).

3.2 test script execution

First of all, let's test run using the SkipDecline argument.
Also save it to a file (Decline-SupersededUpdates.log) summary information of the replaced update program is issued to the standard output.

powershell -ExecutionPolicy Unrestricted -Command "C:\Tools\WSUS\Decline-SupersededUpdates.ps1 -UpdateServer localhost -Port 8530 -SkipDecline" >> C:\Tools\WSUS\Decline-SupersededUpdates.log

Output results are as follows.

• all of the update on the WSUS is 87
• update program other than the denial state is 87 (all unapproved state)
• replaced update 69
• final level other than the superseded update program is 58 pieces
• final level update program of eleven

Decline-SupersededUpdates.log

Connecting to WSUS server localhost on Port 8530... Connected.
Getting a list of all updates... Done
Parsing the list of updates... Done.
List of superseded updates: C:\Tools\WSUS\SupersededUpdates.csv

Summary:
========
All Updates = 87
Any except Declined = 87
All Superseded Updates = 69
    Superseded Updates (Intermediate) = 58
    Superseded Updates (Last Level) = 11

SkipDecline flag is set to True. Skipped declining updates

Done

SupersededUpdates.csv(参考)

UpdateID, RevisionNumber, Title, KBArticle, SecurityBulletin, LastLevel
0fa3afd0-ef18-4967-8fb9-c1f03c537e7f, 200, 2019-04 Security Update for Adobe Flash Player for Windows 10 Version 1903 for x86-based Systems (KB4493478), 4493478, , False
4efec717-3b81-4c2f-a988-a345196b691b, 200, 2019-04 Security Update for Adobe Flash Player for Windows 10 Version 1903 for ARM64-based Systems (KB4493478), 4493478, , False

....(略)....

d1d399c6-3a78-436e-a3f2-7962fee86ad1, 200, 2019-05 Servicing Stack Update for Windows 10 Version 1903 for ARM64-based Systems (KB4498523), 4498523, , True
41a6b6d6-6976-49b5-a4c4-0121dc96189c, 200, 2019-05 Servicing Stack Update for Windows 10 Version 1903 for x86-based Systems (KB4498523), 4498523, , True

Production run of ### 3.3 script
Finally, try to production run and remove the SkipDecline argument.
Summary information of the replaced update program is issued to the standard output is also saved to a file (Decline-SupersededUpdates.log).

powershell -ExecutionPolicy Unrestricted -Command "C:\Tools\WSUS\Decline-SupersededUpdates.ps1 -UpdateServer localhost -Port 8530" >> C:\Tools\WSUS\Decline-SupersededUpdates.log

Execution results are as follows.

** <"Rejected"update program before execution (0/87)> **

: Arrow_down:: arrow_down:: arrow_down:: arrow_down:: arrow_down:: arrow_down:: arrow_down:

** **

Indeed, we confirmed that the check and have been replaced update program that 69 there has been denied all.
The execution contents by the Powershell in reference to the WSUS Maintenance Guide, can be automated is set to the task scheduler .

4. Summary

• try the WSUS Maintenance Guide"deny replaced update program"has been introduced in the script and I tried.
• showed how the specification/use script.
• was confirmed to be able to reject the update program that was replaced in the script.

And content that was introduced in this article, [WSUS Maintenance Guide] has been introduced in (https://blogs.technet.microsoft.com/jpwsus/2018/03/08/maintenance-guide/) 2.WSUS Clean by combining the contents of the up Wizard, since the actual file of the rejected update program is deleted, cleanup you can enhance the effect.

5. digression

For support of Windows 7 it is completed in January 2020, and finally I think that the operation of the Windows 10 comes into full swing. For Windows 10-related update program has a large size, it has become important to the maintenance of WSUS than ever. You can contribute even a little to the automation of troublesome WSUS operation and it is fortunate.
In the future, that was introduced a script in the architecture (x86/x64/ARM64) unit as a reference, to create a script that can deny the update program, I'd like to introduce.
While Mappitsu, Thank you for choosing I'm reading up to here.