Only approved patches

Only approved patches

Postby kennethkarlsson » 08.02.2019, 14:25

Is there any way to only download and install approved patches?
kennethkarlsson
 
Posts: 2
Joined: 08.02.2019, 14:02

Re: Only approved patches

Postby Dalai » 08.02.2019, 16:29

No, there isn't. WSUS Offline was never intended to do Opt-in (download/install only certain updates). What you can do is blacklist updates you don't want (Opt-out). Search wsusoffline\doc\faq-enu.txt for "exclude" for information on how to do that.

Regards
Dalai
Dalai
 
Posts: 780
Joined: 12.07.2016, 21:00

Re: Only approved patches

Postby kennethkarlsson » 12.02.2019, 16:03

Thanks for your answer.

Unfortunately using a blacklist would not work as patches are continually being tested and then approved by the IT department on our internal WSUS server.
kennethkarlsson
 
Posts: 2
Joined: 08.02.2019, 14:02

Re: Only approved patches

Postby Dalai » 12.02.2019, 17:01

Well, if there already is a WSUS server, I'd use that to install only approved/tested updates. Or, if you're familiar with batch scripting, sift through WSUS Offline's InstallOSUpdate.cmd to find out how it installs updates, and write a script of your own to install the updates you want (kind of manually).

Example from one of my scripts:
Code: Select all
dism.exe /Online /Quiet /NoRestart /Add-Package /PackagePath:"%~1" /IgnoreCheck
wusa.exe "%~1" /quiet /norestart
The first is for .CAB updates, the second for .MSU ones. There are also switches for .EXE updates, but they sometimes use different ones.

HTH

Regards
Dalai
Dalai
 
Posts: 780
Joined: 12.07.2016, 21:00

Re: Only approved patches

Postby hbuhrmester » 14.02.2019, 10:25

There is a hidden option wsusonly for that.

If you specify a local WSUS server, then WSUS Offline Update will try this server first, to get all dynamic updates. If that fails, it will use the Microsoft download servers as a fallback and get all missing updates there. In the end, all dynamic updates will be downloaded, without any filtering applied.

If you also specify the option wsusonly, then only the local WSUS server is used for dynamic updates. This allows administrators to get only WSUS approved updates.

This doesn't work for static updates, which are always downloaded from the Internet.

The option wsusonly must be manually added to the configuration file UpdateGenerator.ini. Please see:

viewtopic.php?f=3&t=8573
viewtopic.php?f=3&t=3973

More discussions may be found with the forum search or a general search engine, for example DuckDuckGo:

https://duckduckgo.com/?q=wsus+approved ... ffline.net
hbuhrmester
 
Posts: 356
Joined: 11.10.2013, 20:59


Return to Installation / Updating

Who is online

Users browsing this forum: No registered users and 18 guests