DSCResources/MSFT_UpdateServicesApprovalRule/MSFT_UpdateServicesApprovalRule.psm1
# DSC resource to manage WSUS Approval Rule. # Classifications ID reference... # # Applications = 5C9376AB-8CE6-464A-B136-22113DD69801 # Connectors = 434DE588-ED14-48F5-8EED-A15E09A991F6 # Critical Updates = E6CF1350-C01B-414D-A61F-263D14D133B4 # Definition Updates = E0789628-CE08-4437-BE74-2495B842F43B # Developer Kits = E140075D-8433-45C3-AD87-E72345B36078 # Feature Packs = B54E7D24-7ADD-428F-8B75-90A396FA584F # Guidance = 9511D615-35B2-47BB-927F-F73D8E9260BB # Security Updates = 0FA1201D-4330-4FA8-8AE9-B877473B6441 # Service Packs = 68C5B0A3-D1A6-4553-AE49-01D3A7827828 # Tools = B4832BD8-E735-4761-8DAF-37F882276DAB # Update Rollups = 28BC880E-0592-4CBF-8F95-C79B17911D5F # Updates = CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83 # Load Common Module $script:resourceHelperModulePath = Join-Path -Path $PSScriptRoot -ChildPath '..\..\Modules\DscResource.Common' Import-Module -Name $script:resourceHelperModulePath $script:localizedData = Get-LocalizedData -DefaultUICulture 'en-US' -FileName 'MSFT_UpdateServicesApprovalRule.strings.psd1' <# .SYNOPSIS Returns the current Approval Rules .PARAMETER Name If provided, returns details of a specific rule #> function Get-TargetResource { [CmdletBinding()] [OutputType([System.Collections.Hashtable])] param ( [Parameter(Mandatory = $true)] [System.String] $Name ) try { $WsusServer = Get-WsusServer $Ensure = 'Absent' $Classifications = $null $Products = $null $ComputerGroups = $null $Enabled = $null if ($null -ne $WsusServer) { Write-Verbose -Message ('Identified WSUS server information: {0}' -f $WsusServer) $ApprovalRule = $WsusServer.GetInstallApprovalRules() | Where-Object -FilterScript { $_.Name -eq $Name } if ($null -ne $ApprovalRule) { $Ensure = 'Present' if ( -Not ($Classifications = @($ApprovalRule.GetUpdateClassifications().ID.Guid))) { $Classifications = @('All Classifications') } if ( -Not ($Products = @($ApprovalRule.GetCategories().Title))) { $Products = @('All Products') } if ( -Not ($ComputerGroups = @($ApprovalRule.GetComputerTargetGroups().Name))) { $ComputerGroups = @('All Computers') } $Enabled = $ApprovalRule.Enabled } } else { Write-Verbose -Message 'Did not identify an instance of WSUS' } } catch { New-InvalidOperationException -Message $script:localizedData.WSUSConfigurationFailed -ErrorRecord $_ } $returnValue = @{ Ensure = $Ensure Name = $Name Classifications = $Classifications Products = $Products ComputerGroups = $ComputerGroups Enabled = $Enabled } $returnValue } <# .SYNOPSIS Sets approval rules .PARAMETER Ensure Determines if the rule should be created or removed. Accepts 'Present'(default) or 'Absent'. .PARAMETER Name Name of the rule to create .PARAMETER Classifications Classification for the rule or All Classifications .PARAMETER Products The name of the product for the rule or All Products .PARAMETER ComputerGroups The name of the computer group to apply the rule to or All Computers .PARAMETER Enabled Boolean to set rule enabled or disabled .PARAMETER Synchronize Boolean, when enabled the rule will synchronize with Windows Update This applies because the rule will approve updates as they are sync'd .PARAMETER RunRuleNow Boolean that has the same effect as clicking 'Run Rule Now' when Set occurs The impact is updates already sync'd will also be approved Otherwise, the rule is not applied to existing content #> function Set-TargetResource { [CmdletBinding()] param ( [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] $Ensure = 'Present', [Parameter(Mandatory = $true)] [System.String] $Name, [Parameter()] [System.String[]] $Classifications = @('All Classifications'), [Parameter()] [System.String[]] $Products = @('All Products'), [Parameter()] [System.String[]] $ComputerGroups = @('All Computers'), [Parameter()] [System.Boolean] $Enabled, [Parameter()] [System.Boolean] $Synchronize, [Parameter()] [System.Boolean] $RunRuleNow ) try { if ($WsusServer = Get-WsusServer) { switch ($Ensure) { 'Present' { if ($ApprovalRule = $WsusServer.GetInstallApprovalRules() | Where-Object -FilterScript { $_.Name -eq $Name }) { Write-Verbose -Message $script:localizedData.UseExistingApprovalRule } else { Write-Verbose -Message $script:localizedData.CreateApprovalRule $ApprovalRule = $WsusServer.CreateInstallApprovalRule($Name) } if ($ApprovalRule) { $ApprovalRule.Enabled = $Enabled $ApprovalRule.Save() $ClassificationCollection = New-Object ` -TypeName Microsoft.UpdateServices.Administration.UpdateClassificationCollection foreach ($Classification in $Classifications) { if ($WsusClassification = Get-WsusClassification | Where-Object -FilterScript { $_.Classification.ID.Guid -eq $Classification }) { $ClassificationCollection.Add($WsusServer.GetUpdateClassification(` $WsusClassification.Classification.Id)) } else { Write-Verbose -Message ($script:localizedData.ClassificationNotFound -f $Classification) } } $ApprovalRule.SetUpdateClassifications($ClassificationCollection) $ApprovalRule.Save() $ProductCollection = New-Object -TypeName Microsoft.UpdateServices.Administration.UpdateCategoryCollection foreach ($Product in $Products) { if ($WsusProduct = Get-WsusProduct | Where-Object -FilterScript { $_.Product.Title -eq $Product }) { $ProductCollection.Add($WsusServer.GetUpdateCategory($WsusProduct.Product.Id)) } } $ApprovalRule.SetCategories($ProductCollection) $ApprovalRule.Save() $ComputerGroupCollection = New-Object -TypeName Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection foreach ($ComputerGroup in $ComputerGroups) { if ($WsusComputerGroup = $WsusServer.GetComputerTargetGroups() | Where-Object -FilterScript { $_.Name -eq $ComputerGroup }) { $ComputerGroupCollection.Add($WsusComputerGroup) } } $ApprovalRule.SetComputerTargetGroups($ComputerGroupCollection) $ApprovalRule.Save() if ($RunRuleNow) { Write-Verbose -Message ($script:localizedData.RunApprovalRule -f $Name) try { $ApprovalRule.ApplyRule() } catch { New-InvalidOperationException -Message ( $script:localizedData.RuleFailedToApply -f $Name ) -ErrorRecord $_ } } } else { New-InvalidOperationException -Message ( $script:localizedData.RuleFailedToCreate -f $Name ) -ErrorRecord $_ } } 'Absent' { if ($ApprovalRule = $WsusServer.GetInstallApprovalRules() | Where-Object -FilterScript { $_.Name -eq $Name }) { $WsusServer.DeleteInstallApprovalRule($ApprovalRule.Id) } else { Write-Verbose -Message ($script:localizedData.RuleDoNotExist -f $ApprovalRule.Name) } } } } else { Write-Verbose -Message $script:localizedData.GetWsusServerFailed } } catch { $errorMessage = $script:localizedData.RuleFailedToCreate -f $Name New-InvalidOperationException -Message $errorMessage -ErrorRecord $_ } if ( -Not (Test-TargetResource @PSBoundParameters)) { $errorMessage = $script:localizedData.TestFailedAfterSet New-InvalidResultException -Message $errorMessage -ErrorRecord $_ } else { if ($Synchronize) { Write-Verbose -Message $script:localizedData.SyncWsus try { $WsusServer.GetSubscription().StartSynchronization() } catch { $errorMessage = $script:localizedData.FailedSyncStart New-InvalidOperationException -Message $errorMessage -ErrorRecord $_ } } } } <# .SYNOPSIS Tests approval rules .PARAMETER Ensure Determines if the rule should be created or removed. Accepts 'Present'(default) or 'Absent'. .PARAMETER Name Name of the rule to create .PARAMETER Classifications Classification for the rule or All Classifications .PARAMETER Products THe name of the product for the rule or All Products .PARAMETER ComputerGroups The name of the computer group to apply the rule to or All Computers .PARAMETER Enabled Boolean to set rule enabled or disabled .PARAMETER Synchronize Boolean, when enabled the rule will synchronize with Windows Update This applies because the rule will approve updates as they are sync'd .PARAMETER RunRuleNow Boolean that has the same effect as clicking 'Run Rule Now' when Set occurs The impact is updates already sync'd will also be approved Otherwise, the rule is not applied to existing content #> function Test-TargetResource { [CmdletBinding()] [OutputType([System.Boolean])] param ( [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] $Ensure = 'Present', [Parameter(Mandatory = $true)] [System.String] $Name, [Parameter()] [System.String[]] $Classifications = @('All Classifications'), [Parameter()] [System.String[]] $Products = @('All Products'), [Parameter()] [System.String[]] $ComputerGroups = @('All Computers'), [Parameter()] [System.Boolean] $Enabled, [Parameter()] [System.Boolean] $Synchronize, [Parameter()] [System.Boolean] $RunRuleNow ) $result = $true $ApprovalRule = Get-TargetResource -Name $Name if ($ApprovalRule.Ensure -ne $Ensure) { Write-Verbose -Message $script:localizedData.EnsureTestFailed $result = $false } if ($result -and ($ApprovalRule.Ensure -eq 'Present')) { if ($null -ne (Compare-Object -ReferenceObject ($ApprovalRule.Classifications | Sort-Object -Unique) -DifferenceObject ($Classifications | Sort-Object -Unique) -SyncWindow 0)) { Write-Verbose -Message $script:localizedData.ClassificationTestFailed $result = $false } if ($null -ne (Compare-Object -ReferenceObject ($ApprovalRule.Products | Sort-Object -Unique) -DifferenceObject ($Products | Sort-Object -Unique) -SyncWindow 0)) { Write-Verbose -Message $script:localizedData.ProductsTestFailed $result = $false } if ($null -ne (Compare-Object -ReferenceObject ($ApprovalRule.ComputerGroups | Sort-Object -Unique) -DifferenceObject ($ComputerGroups | Sort-Object -Unique) -SyncWindow 0)) { Write-Verbose -Message $script:localizedData.ComputerGrpTestFailed $result = $false } if ($ApprovalRule.Enabled -ne $Enabled) { Write-Verbose -Message $script:localizedData.EnabledTestFailed $result = $false } } $result } Export-ModuleMember -Function *-TargetResource |