fix: correct service flags so -WSUS actually respects WSUS #146
Open
kbaker827 wants to merge 1 commit into
Previously the -WSUS switch passed -WindowsUpdate to Get-WindowsUpdate, which forces the online Windows Update service ID (9482F4B4...) and bypasses WSUS filtering entirely, returning all Microsoft-hosted updates regardless of what WSUS has approved. Fix: when -WSUS is specified, call Get-WindowsUpdate with no service flag so the Windows Update Agent routes through the WSUS server configured by Group Policy. When -WSUS is not specified, use -MicrosoftUpdate to query Microsoft's catalog directly and return every available update. Closes pdqcom#109
Summary
- -WSUS parameter having no effect: the scanner was returning non-approved updates even when -WSUS was specified
- -WSUS now calls Get-WindowsUpdate with no service flag (so the WU Agent routes through the WSUS server configured by Group Policy), and the default (no -WSUS) now uses -MicrosoftUpdate to query Microsoft's full catalog

Root cause

The original code called Get-WindowsUpdate -WindowsUpdate when -WSUS was specified. In PSWindowsUpdate, -WindowsUpdate explicitly requests service ID 9482F4B4-E343-43B6-B170-9A65BC822C77 (the online Windows Update service), which bypasses WSUS filtering entirely and returns all Microsoft-hosted updates regardless of approval status.

The correct approach for WSUS is to call Get-WindowsUpdate with no service flag. The Windows Update Agent then uses whatever service is configured by Group Policy — which is the WSUS server when the machine is WSUS-managed.

Change
If ($WSUS) { - $GWU = Get-WindowsUpdate -WindowsUpdate + # No service flag: WU Agent uses the GPO-configured service (WSUS) + $GWU = Get-WindowsUpdate } Else { - $GWU = Get-WindowsUpdate + # -MicrosoftUpdate queries Microsoft's catalog directly, bypassing WSUS + $GWU = Get-WindowsUpdate -MicrosoftUpdate }Test plan
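Review bot: the Else branch changes the default path as well as the -WSUS path: `$GWU = Get-WindowsUpdate` (which, per the Root cause section, follows the Group Policy service and therefore WSUS on a managed host) becomes `$GWU = Get-WindowsUpdate -MicrosoftUpdate`, so a WSUS-managed machine scanned without -WSUS now deliberately bypasses its WSUS server, as the added comment says. That should be stated in the parameter help and README so operators do not read the default output as the approved set. It is also worth confirming in the test plan that `Get-WindowsUpdate -MicrosoftUpdate` behaves sensibly on a host where the Microsoft Update service has not been registered (PSWindowsUpdate reports a missing registered service in that case), or guarding the Else branch with a check of `Get-WUServiceManager` rather than letting the scan fail.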
- -WSUS on a machine pointing to a WSUS server — confirm only WSUS-approved updates are returned
- -WSUS — confirm all available updates are returned (including those not in WSUS)

Closes #109
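The test plan above relies on knowing which update service the Windows Update Agent will actually use for a flag-less scan. The following PowerShell is an added verification example, not code from this PR or from the project: it reads the Group Policy WSUS settings and the registered update services through the built-in COM API, then applies the same flag selection as the PR with a sanity check first. The 9482F4B4... service ID comes from the PR; the Microsoft Update (7971F918...) and WSUS (3DA21691...) IDs are the well-known Windows Update Agent service IDs. The function names are this example's own, and PSWindowsUpdate is assumed to be installed only for the final Get-WindowsUpdate call.

```powershell
# Added example (not part of the PR or the project). Verifies which update
# service a scan will hit before trusting a -WSUS / non-WSUS result.

# Well-known Windows Update Agent service IDs (the first is quoted in the PR).
$WindowsUpdateId   = '9482F4B4-E343-43B6-B170-9A65BC822C77'
$MicrosoftUpdateId = '7971F918-A847-4430-9279-4A52D1EFE18D'
$WsusId            = '3DA21691-E39D-4DA6-8A4B-B43877BCB1B7'

function Get-WsusPolicy {
    # Group Policy values the WU Agent reads when no explicit service is requested.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au  = Join-Path $pol 'AU'
    [pscustomobject]@{
        WUServer    = (Get-ItemProperty -Path $pol -Name WUServer    -ErrorAction SilentlyContinue).WUServer
        UseWUServer = (Get-ItemProperty -Path $au  -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer
    }
}

function Get-RegisteredUpdateService {
    # IUpdateServiceManager.Services lists registered services; IsDefaultAUService
    # marks the one Automatic Updates (and a flag-less scan) will use.
    $mgr = New-Object -ComObject Microsoft.Update.ServiceManager
    $mgr.Services | ForEach-Object {
        [pscustomobject]@{
            Name      = $_.Name
            ServiceID = $_.ServiceID.ToUpper()
            IsDefault = $_.IsDefaultAUService
            IsManaged = $_.IsManaged
        }
    }
}

function Invoke-UpdateScan {
    # Hypothetical wrapper mirroring the PR's flag selection, with checks first.
    param([switch]$WSUS)

    $policy  = Get-WsusPolicy
    $default = Get-RegisteredUpdateService | Where-Object IsDefault

    if ($WSUS) {
        # PR behaviour: no service flag, so the agent follows Group Policy.
        if ($policy.UseWUServer -ne 1 -or -not $policy.WUServer) {
            throw "-WSUS requested but no WSUS server is configured by policy; a flag-less scan would use '$($default.Name)'."
        }
        if ($default.ServiceID -ne $WsusId) {
            Write-Warning "Default AU service is '$($default.Name)' ($($default.ServiceID)), not WSUS; results may not reflect WSUS approvals."
        }
        return Get-WindowsUpdate
    }

    # PR default path: query Microsoft Update directly, bypassing WSUS.
    $mu = Get-RegisteredUpdateService | Where-Object ServiceID -eq $MicrosoftUpdateId
    if (-not $mu) {
        Write-Warning "Microsoft Update service ($MicrosoftUpdateId) is not registered on this host."
    }
    if ($policy.UseWUServer -eq 1) {
        Write-Warning "Host is WSUS-managed ($($policy.WUServer)); scanning without -WSUS bypasses WSUS approvals."
    }
    return Get-WindowsUpdate -MicrosoftUpdate
}

# Usage: Invoke-UpdateScan -WSUS   (or without the switch for the Microsoft Update path)
```

Running Get-RegisteredUpdateService on its own is a quick way to check both test-plan cases: on the WSUS-pointed machine the service with IsDefault set should be the WSUS one, and on the other machine the Microsoft Update ID should appear in the list before the non-WSUS run is trusted.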