Misc.

2020/02/04

サンプル スクリプト:Windows Update 関連の設定確認 (get-wusettings.ps1)

かなり強引なつくりで、美しくありませんが、なんとなく作ってみたスクリプト。get-wusettings.ps1(英語版)とget-wusettingsj.ps1(日本語版)。

Get Windows Update Settings from Windows 10 registry (get-wusettings_v3.zip)
https://gallery.technet.microsoft.com/scriptcenter/Get-Windows-Update-bed521e1
(※注:2020/06 で Technet Galallery 廃止されます。なのでコードをこのページの最後に追加)

実行結果はこんな感じ。Windows Update の自動更新の設定、WSUS クライアントの設定、Windows Update for Business(WUfB)のローカルおよびポリシー設定、Windows バージョンをチェック。設定アプリのブランチ選択(1903で廃止)はチェックしてません。(v2 でローカルの SAC/SAC-T もチェック、v3 で最後に ver & build 情報追加と v2 で追加した SAC/SAC-T チェックのバグ修正)


いろいろ設定しているとやかましくなります。おかしな設定を見つけると何となく指摘します(指摘内容はあくまでも自論です)。
Microsoft Endpoint Configuration Manager (旧称 System Center ...)のクライアントかもしれない場合は最後に出力。WMI の root\ccm の存在と、%Windir%\ccmsetup の存在をチェックにて(あくまでもクライアントの可能性)。

(ちゃんとテストしてるわけではありません。あしからず。)

2020/03/16 追記:
※注:2020/06 で Technet Galallery 廃止されるそうなので、get-wiusettings_v3.zip の中身を追記しました。

[get-wusettings.ps1]
Write-Host ""
$WUSettingsNoAutoUpdate = ""
$WUSettingsNoAutoUpdate = (Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" -ErrorAction SilentlyContinue).NoAutoUpdate
$WUSettingsAUOptions = ""
$WUSettingsAUOptions = (Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" -ErrorAction SilentlyContinue).AUOptions
$WSUSSetting = ""
$WSUSSetting = (Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" -ErrorAction SilentlyContinue).UseWUServer
$WSUSSettingWUServer = ""
$WSUSSettingWUServer = (Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate" -ErrorAction SilentlyContinue).WUServer
$WUfBSettingBranchLocal = ""
$WUfBSettingFULocal = ""
$WUfBSettingQULocal = ""
$WUfBSettingBranchLocal = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" -ErrorAction SilentlyContinue).BranchReadinessLevel
$WUfBSettingFULocal = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" -ErrorAction SilentlyContinue).DeferFeatureUpdatesPeriodInDays
$WUfBSettingQULocal = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" -ErrorAction SilentlyContinue).DeferQualityUpdatesPeriodInDays
$WUfBSettingBranch = ""
$WUfBSettingFU = ""
$WUfBSettingQU = ""
$WUfBSettingFUdays = ""
$WUfBSettingQUdays = ""
$WUfBSettingBranch = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -ErrorAction SilentlyContinue).BranchReadinessLevel
$WUfBSettingFU = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -ErrorAction SilentlyContinue).DeferFeatureUpdates
$WUfBSettingQU = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -ErrorAction SilentlyContinue).DeferQualityUpdates
$WUfBSettingFUdays = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -ErrorAction SilentlyContinue).DeferFeatureUpdatesPeriodInDays
$WUfBSettingQUdays = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -ErrorAction SilentlyContinue).DeferQualityUpdatesPeriodInDays
$ConfigMgrClient = ""
$ConfigMgrClient = (Get-WmiObject -Query "Select * from __Namespace WHERE Name='CCM'" -Namespace root -ErrorAction SilentlyContinue)

if ($WSUSSetting -eq "1") {
    $EffectiveWSUS = "enabled"
} else {
    $EffectiveWSUS = "disabled"
}
if ((($WUfBSettingFULocal -eq "0") -and ($WUfBSettingQULocal -eq "0")) -or (($WUfBSettingFULocal.Length -eq 0) -and ($WUfBSettingQULocal.Length -eq 0))) {
    $EffectiveWUfBLocal = "disabled"
} else {
    $EffectiveWUfBLocal = "enabled"
}
if (($WUfBSettingFU -eq "1") -or ($WUfBSettingQU -eq "1")) {
    $EffectiveWUfBPolicy = "enabled"
} else {
    $EffectiveWUfBPolicy = "disabled"
}
if (($EffectiveWSUS -eq "enabled") -and ($EffectiveWUfBLocal -eq "enabled") -and ($EffectiveWUfBPolicy -eq "enabled")) {
    $EffectiveWSUS = "* WSUS and WUfB settings are mixed. This state is not recommended. "
    $EffectiveWUfBLocal = "* this setting has no effect. "
    $EffectiveWUfBPolicy = "* WSUS and WUfB settings are mixed. This state is not recommended. "
} elseif (($EffectiveWSUS -eq "enabled") -and ($EffectiveWUfBLocal -eq "enabled")) {
    $EffectiveWSUS = "* WSUS and WUfB settings are mixed. This state is not recommended. "
    $EffectiveWUfBLocal = "* WSUS and WUfB settings are mixed. This state is not recommended. "
    $EffectiveWUfBPolicy = ""
} elseif (($EffectiveWSUS -eq "enabled") -and ($EffectiveWUfBPolicy -eq "disabled")) {
    $EffectiveWSUS = "* This setting is effective. "
    $EffectiveWUfBLocal = ""
    $EffectiveWUfBPolicy = ""
} elseif (($EffectiveWSUS -eq "enabled") -and ($EffectiveWUfBPolicy -eq "enabled")) {
    $EffectiveWSUS = "* WSUS and WUfB settings are mixed. This state is not recommended. "
    $EffectiveWUfBLocal = ""
    $EffectiveWUfBPolicy = "* WSUS and WUfB settings are mixed. This state is not recommended. "
} elseif (($EffectiveWUfBLocal -eq "enabled") -and ($EffectiveWUfBPolicy -eq "enabled")) {
    $EffectiveWSUS = ""
    $EffectiveWUfBLocal = "* this setting has no effect. "
    $EffectiveWUfBPolicy = "* This setting is effective. "
} else {
    $EffectiveWSUS = ""
    $EffectiveWUfBLocal = ""
    $EffectiveWUfBPolicy = ""
}

# Check WU Settings
if ($WUSettingsNoAutoUpdate.Length -eq 0) {
    Write-Host "Windows Update (Policies): Not Configured (Windows 10 default is automatic)"
} else {
      if ($WUSettingsNoAutoUpdate -eq "1") {
        Write-Host "Windows Update (Policies): Manual (Disabled)"
    } elseif ($WUSettingsAuOptions -eq "3") {
        Write-Host "Windows Update (Policies): Download only"
    } elseif ($WUSettingsAuOptions -eq "4") {
        Write-Host "Windows Update (Policies): Automatic"
    } else {
        Write-Host "Windows Update (Policies): Custom"
    }
    Write-Host "  (This setting is in Computer Configuration\Adminisrative Template\Windows Component\Windows Update\Configure Automatic Updates. )"

}
Write-Host ""
# Check WSUS Settings
if ($WSUSSetting.Length -eq 0) {
    Write-Host "WSUS Client: Not Configured"
} else {
    if ($WSUSSetting -eq "0") {
        Write-Host "WSUS Client: Disabled"
    } else {
        Write-Host "WSUS Client: Enabled"
        Write-Host "  WSUS Server:" $WSUSSettingWUServer
    }
    Write-Host "  ("$EffectiveWSUS"This setting is in Computer Configuration\Adminisrative Template\Windows Component\Windows Update\Specify intranet Microsoft update service location.)"
}
Write-Host ""
# Check Local WUfB Settings
if ((($WUfBSettingFULocal -eq "0") -and ($WUfBSettingQULocal -eq "0") -and ($WUfBSettingBranchLocal -eq "16")) -or (($WUfBSettingFULocal.Length -eq 0) -and ($WUfBSettingQULocal.Length -eq 0)) -or ($WUfBSettingBranchLocal.Length -eq 0)) {
    Write-Host "Windows Update for Business (Settings app): Not Configured"
} else {
    Write-Host "Windows Update for Business (Settings app): Enabled"
    if ($WUfBSettingBranchLocal -eq "16") {
        Write-Host "  Update Channel: SAC"
        } elseif ($WUfBSettingBranchLocal -eq "32") {
        Write-Host "  Update Channel: SAC-T (for 1809 and below only)"
    } else {
        Write-Host "  Update Channel: Preview Build"
    }
    Write-Host "  After a feature update is released, defer receiving it for this days:" $WUfBSettingFULocal
    Write-Host "  After a quality update is released, defer receiving it for this days:" $WUfBSettingQULocal
    Write-Host "  ("$EffectiveWUfBLocal"These settings are in Settings > Update & Security > Windows Update > Advanced Options > Chose when updates are installed. (Hidden in WSUS client))"
}
Write-Host ""
# Check WUfB Settings Policies
if (($WUfBSettingFU -eq "1") -or ($WUfBSettingQU -eq "1")) {
    Write-Host "Windows Update for Business (Policies): Enabled"
        if ($WUfBSettingBranch.Lengsh -eq 0) {
        Write-Host "  Update Channel: Not Confiured"
        Write-Host "  After a feature update is released, defer receiving it for this days: Not Configured"
        } else {
        if ($WUfBSettingBranch -eq "32") {
            Write-Host "  Update Channel: SAC-T (for 1809 and below only)"
        } else {
            Write-Host "  Update Channel: Preview Build"
        }
        Write-Host "  After a feature update is released, defer receiving it for this days:" $WUfBSettingFUdays
        }
    if ($WUfBSettingQU.Length -eq 0){
        Write-Host "  After a quality update is released, defer receiving it for this days: Not Configured"
    } else {
        Write-Host "  After a quality update is released, defer receiving it for this days:" $WUfBSettingQUdays
    }
    Write-Host "  ("$EffectiveWUfBPolicy"These settings are in Computer Configuration\Adminisrative Template\Windows Component\Windows Update\Windows Update for Business.)"
} else {
    Write-Host "Windows Update for Business (Policies): Not Configured"
}
Write-Host ""
# Check ConfigMgr Client
if (($ConfigMgrClient.Length -ne 0) -and (Test-Path "C:\Windows\CCMSETUP")) {
    Write-Host "***************************************************************************"
    Write-Host "* This device may be managed by Microsoft Endpoint Configuration Manager. *"
    Write-Host "***************************************************************************"
}
Write-Host ""
$WinVer = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").ReleaseId
$WinBuild = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").CurrentBuild
$WinRev = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").UBR
Write-Host "Current update status: version"$WinVer", build" $WinBuild"."$WinRev
Write-Host ""
Write-Host "(Note: This script does not support the identification of devices managed by Microsoft Intune or other update tools.)"
Write-Host ""
[get-wusettingsj.ps1]
Write-Host ""
$WUSettingsNoAutoUpdate = ""
$WUSettingsNoAutoUpdate = (Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" -ErrorAction SilentlyContinue).NoAutoUpdate
$WUSettingsAUOptions = ""
$WUSettingsAUOptions = (Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" -ErrorAction SilentlyContinue).AUOptions
$WSUSSetting = ""
$WSUSSetting = (Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" -ErrorAction SilentlyContinue).UseWUServer
$WSUSSettingWUServer = ""
$WSUSSettingWUServer = (Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate" -ErrorAction SilentlyContinue).WUServer
$WUfBSettingBranchLocal = ""
$WUfBSettingFULocal = ""
$WUfBSettingQULocal = ""
$WUfBSettingBranchLocal = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" -ErrorAction SilentlyContinue).BranchReadinessLevel
$WUfBSettingFULocal = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" -ErrorAction SilentlyContinue).DeferFeatureUpdatesPeriodInDays
$WUfBSettingQULocal = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" -ErrorAction SilentlyContinue).DeferQualityUpdatesPeriodInDays
$WUfBSettingBranch = ""
$WUfBSettingFU = ""
$WUfBSettingQU = ""
$WUfBSettingFUdays = ""
$WUfBSettingQUdays = ""
$WUfBSettingBranch = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -ErrorAction SilentlyContinue).BranchReadinessLevel
$WUfBSettingFU = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -ErrorAction SilentlyContinue).DeferFeatureUpdates
$WUfBSettingQU = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -ErrorAction SilentlyContinue).DeferQualityUpdates
$WUfBSettingFUdays = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -ErrorAction SilentlyContinue).DeferFeatureUpdatesPeriodInDays
$WUfBSettingQUdays = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -ErrorAction SilentlyContinue).DeferQualityUpdatesPeriodInDays
$ConfigMgrClient = ""
$ConfigMgrClient = (Get-WmiObject -Query "Select * from __Namespace WHERE Name='CCM'" -Namespace root -ErrorAction SilentlyContinue)

if ($WSUSSetting -eq "1") {
    $EffectiveWSUS = "enabled"
} else {
    $EffectiveWSUS = "disabled"
}
if ((($WUfBSettingFULocal -eq "0") -and ($WUfBSettingQULocal -eq "0")) -or (($WUfBSettingFULocal.Length -eq 0) -and ($WUfBSettingQULocal.Length -eq 0))) {
    $EffectiveWUfBLocal = "disabled"
} else {
    $EffectiveWUfBLocal = "enabled"
}
if (($WUfBSettingFU -eq "1") -or ($WUfBSettingQU -eq "1")) {
    $EffectiveWUfBPolicy = "enabled"
} else {
    $EffectiveWUfBPolicy = "disabled"
}
if (($EffectiveWSUS -eq "enabled") -and ($EffectiveWUfBLocal -eq "enabled") -and ($EffectiveWUfBPolicy -eq "enabled")) {
    $EffectiveWSUS = "* WSUS と WUfB の設定が混在しています。この設定は推奨されません。"
    $EffectiveWUfBLocal = "* この設定は無視されます。"
    $EffectiveWUfBPolicy = "* WSUS と WUfB の設定が混在しています。この設定は推奨されません。"
} elseif (($EffectiveWSUS -eq "enabled") -and ($EffectiveWUfBLocal -eq "enabled")) {
    $EffectiveWSUS = "(* WSUS と WUfB の設定が混在しています。この設定は推奨されません。"
    $EffectiveWUfBLocal = "* WSUS と WUfB の設定が混在しています。この設定は推奨されません。"
    $EffectiveWUfBPolicy = ""
} elseif (($EffectiveWSUS -eq "enabled") -and ($EffectiveWUfBPolicy -eq "disabled")) {
    $EffectiveWSUS = "* この設定が優先されます。"
    $EffectiveWUfBLocal = ""
    $EffectiveWUfBPolicy = ""
} elseif (($EffectiveWSUS -eq "enabled") -and ($EffectiveWUfBPolicy -eq "enabled")) {
    $EffectiveWSUS = "* WSUS と WUfB の設定が混在しています。この設定は推奨されません。"
    $EffectiveWUfBLocal = ""
    $EffectiveWUfBPolicy = "* WSUS と WUfB の設定が混在しています。この設定は推奨されません。"
} elseif (($EffectiveWUfBLocal -eq "enabled") -and ($EffectiveWUfBPolicy -eq "enabled")) {
    $EffectiveWSUS = ""
    $EffectiveWUfBLocal = "* この設定は無視されます。"
    $EffectiveWUfBPolicy = "* この設定が優先されます。"
} else {
    $EffectiveWSUS = ""
    $EffectiveWUfBLocal = ""
    $EffectiveWUfBPolicy = ""
}

# Check WU Settings
if ($WUSettingsNoAutoUpdate.Length -eq 0) {
    Write-Host "Windows Update (ポリシー): 未構成 (Windows 10 の既定は自動)"
} else {
      if ($WUSettingsNoAutoUpdate -eq "1") {
        Write-Host "Windows Update (ポリシー): 手動 (無効)"
    } elseif ($WUSettingsAuOptions -eq "3") {
        Write-Host "Windows Update (ポリシー): ダウンロードのみ"
    } elseif ($WUSettingsAuOptions -eq "4") {
        Write-Host "Windows Update (ポリシー): 自動"
    } else {
        Write-Host "Windows Update (ポリシー): カスタム"
    }
    Write-Host "  (設定場所:コンピューターの構成\管理用テンプレート\Windows コンポーネント\Windows Update\自動更新を構成する)"

}
Write-Host ""
# Check WSUS Settings
if ($WSUSSetting.Length -eq 0) {
    Write-Host "WSUS クライアント: 未構成"
} else {
    if ($WSUSSetting -eq "0") {
        Write-Host "WSUS クライアント: 無効"
    } else {
        Write-Host "WSUS クライアント: 有効"
        Write-Host "  WSUS サーバー:" $WSUSSettingWUServer
    }
    Write-Host "  ("$EffectiveWSUS"設定場所:コンピューターの構成\管理用テンプレート\Windows コンポーネント\Windows Update\イントラネットの Microsoft 更新サービスの場所を指定する)"
}
Write-Host ""
# Check Local WUfB Settings
if ((($WUfBSettingFULocal -eq "0") -and ($WUfBSettingQULocal -eq "0") -and ($WUfBSettingBranchLocal -eq "16")) -or (($WUfBSettingFULocal.Length -eq 0) -and ($WUfBSettingQULocal.Length -eq 0)) -or ($WUfBSettingBranchLocal.Length -eq 0)) {
    Write-Host "Windows Update for Business (設定アプリ): 未構成"
} else {
    Write-Host "Windows Update for Business (設定アプリ): 有効"
    if ($WUfBSettingBranchLocal -eq "16") {
        Write-Host "  更新チャネル(Windows 準備レベル): SAC"
    } elseif ($WUfBSettingBranchLocal -eq "32") {
        Write-Host "  更新チャネル(Windows 準備レベル): SAC-T (1809 以前のみ)"
    } else {
        Write-Host "  更新チャネル(Windows 準備レベル): Preview Build"
    }
    Write-Host "  機能更新プログラムがリリースされた後、受信を延期する日数:" $WUfBSettingFULocal
    Write-Host "  品質更新プログラムがリリースされた後、受信を延期する日数:" $WUfBSettingQULocal
    Write-Host "  ("$EffectiveWUfBLocal"設定場所:設定アプリ > 更新とセキュリティ > Windows Update > 詳細オプション > 更新プログラムをいつインストールするかを選択する(WSUS クライアントでは非表示))"
}
Write-Host ""
# Check WUfB Settings Policies
if (($WUfBSettingFU -eq "1") -or ($WUfBSettingQU -eq "1")) {
    Write-Host "Windows Update for Business (ポリシー): 有効"
        if ($WUfBSettingBranch.Lengsh -eq 0) {
        Write-Host "  更新チャネル(Windows 準備レベル): 未構成"
        Write-Host "  機能更新プログラムがリリースされた後、受信を延期する日数: 未構成"
        } else {
        if ($WUfBSettingBranch -eq "16") {
            Write-Host "  更新チャネル(Windows 準備レベル): SAC"
                } elseif ($WUfBSettingBranch -eq "32") {
            Write-Host "  更新チャネル(Windows 準備レベル): SAC-T (1809 以前のみ)"
        } else {
            Write-Host "  更新チャネル(Windows 準備レベル): Preview Build"
        }
        Write-Host "  機能更新プログラムがリリースされた後、受信を延期する日数:" $WUfBSettingFUdays
        }
    if ($WUfBSettingQU.Length -eq 0){
        Write-Host "  品質更新プログラムがリリースされた後、受信を延期する日数: 未構成"
    } else {
        Write-Host " 品質更新プログラムがリリースされた後、受信を延期する日数:" $WUfBSettingQUdays
    }
    Write-Host "  ("$EffectiveWUfBPolicy"設定場所:コンピューターの構成\管理用テンプレート\Windows コンポーネント\Windows Update\Windows Update for Business)"
} else {
    Write-Host "Windows Update for Business (ポリシー): 未構成"
}
Write-Host ""
# Check ConfigMgr Client
if (($ConfigMgrClient.Length -ne 0) -and (Test-Path "C:\Windows\CCMSETUP")) {
    Write-Host "**********************************************************************************************"
    Write-Host "* この PC は Microsoft Endpoint Configration Manager によって管理されている可能性があります。*"
    Write-Host "**********************************************************************************************"
}
Write-Host ""
$WinVer = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").ReleaseId
$WinBuild = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").CurrentBuild
$WinRev = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").UBR
Write-Host "現在の更新状態: バージョン"$WinVer", ビルド" $WinBuild"."$WinRev
Write-Host ""
Write-Host "(注意: このスクリプトは Microsoft Intune やその他の更新ツールで管理される PC の調査には対応していません。)"
Write-Host ""

0 件のコメント:

コメントを投稿

注: コメントを投稿できるのは、このブログのメンバーだけです。