One of the main tasks of a WSUS (Windows Server Update Services) administrator is to manage the approval of updates to be installed on Windows computers and servers. After installation and configuration, the WSUS server regularly downloads new updates for the selected products from the Microsoft Update servers.
Managing Target WSUS Groups
After the updates have been downloaded to the WSUS server, you can deploy them to your computers. Before computers can download and install new updates, the updates must be approved (or declined) by a WSUS administrator. In most cases it is recommended to test all new Microsoft updates on a few workstations and servers before installing them on production computers.
To organize the testing and installation of updates on domain computers and servers, a WSUS administrator must create computer groups. Depending on the business tasks, the types of user workstations and the server categories, you can create different groups of computers. In general, it is reasonable to create the following WSUS target groups in the Computers -> All computers section of the WSUS console:
- Test_Srv_WSUS — a group of test servers (servers that are not business-critical, or dedicated servers with a test environment identical to production);
- Test_Wks_WSUS — test workstations;
- Prod_Srv_WSUS — production Windows servers;
- Prod_Wks_WSUS — all user workstations.
These computer groups can be populated with computer objects manually (this usually makes sense for test groups), or you can assign computers and servers to WSUS groups with the Group Policy setting Enable client-side targeting.
After the WSUS groups have been created, you can approve updates for them. There are two ways to approve updates to be installed on the computers: manual or automatic.
Manual Approval and Update Installation Using WSUS
Open the WSUS (Update Services) console and select the Updates section. It displays a summary report of all available updates. By default, there are 4 subsections: All Updates, Critical Updates, Security Updates and WSUS Updates. You can approve the installation of a specific update by finding it in one of these sections (you can search for it by KB number in the update search box or by Microsoft security bulletin number) or by filtering the updates by release date.
Display the list of unapproved updates (use the Approval=Unapproved filter). Find the update you need, right-click it and select Approve in the menu.
In the next window, select the WSUS group of computers on which the installation of this update should be approved (for example, Test_Srv_WSUS). Select Approve for Install. You can approve an update for all computer groups at once by selecting All Computers, or for each group individually. For example, you can approve the update for the test group and, after 4-7 days, approve it for all computers if no problems have occurred.
A window with the update approval results appears. If the update has been approved successfully, the message Result: Success will be displayed. Close this window.
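The same manual approval can be scripted. The following is an added example (not code from the article) that uses the UpdateServices PowerShell module shipped with WSUS on Windows Server 2012 and later. It mirrors the console steps: filter to unapproved updates, find the KB, approve it for Install on the test group only, then read the approvals back so the result can be verified. The KB number is a constructed placeholder, the group name is the one from the list above, and the function name is mine.

```powershell
# Added example (not the article's code): script the manual approval described above.
# Assumes the UpdateServices module (WSUS on Windows Server 2012 or later) and that it
# runs on the WSUS server; use Get-WsusServer -Name/-PortNumber/-UseSsl for a remote one.
Import-Module UpdateServices

function Approve-WsusUpdateForGroup {
    param(
        [Parameter(Mandatory)][string]$Kb,        # e.g. 'KB5000000' (constructed placeholder)
        [string]$TargetGroup = 'Test_Srv_WSUS'    # a named group, deliberately not 'All Computers'
    )
    $wsus = Get-WsusServer

    # Same as the Approval=Unapproved filter in the console, restricted to security updates
    $candidates = Get-WsusUpdate -UpdateServer $wsus -Classification Security -Approval Unapproved |
        Where-Object { $_.Update.Title -match [regex]::Escape($Kb) }
    if (-not $candidates) { Write-Warning "No unapproved security update matching $Kb"; return }

    foreach ($wu in $candidates) {
        $upd = $wu.Update
        # Do not push declined or superseded updates, even to test machines
        if ($upd.IsDeclined -or $upd.IsSuperseded) { continue }
        # The console prompts for the EULA; a script has to accept it explicitly
        if ($upd.RequiresLicenseAgreementAcceptance) { $upd.AcceptLicenseAgreement() }

        Approve-WsusUpdate -Update $wu -Action Install -TargetGroupName $TargetGroup

        # Read the approvals back: the scripted equivalent of checking the 'Result: Success' window
        foreach ($a in $upd.GetUpdateApprovals()) {
            [pscustomobject]@{
                Title  = $upd.Title
                Group  = $wsus.GetComputerTargetGroup($a.ComputerTargetGroupId).Name
                Action = $a.Action
                Since  = $a.CreationDate
            }
        }
    }
}

Approve-WsusUpdateForGroup -Kb 'KB5000000'
```

Restricting the target to a named group rather than All Computers keeps the test-first workflow the article recommends; the read-back at the end also shows any approval inherited from other groups, which is easy to miss in the console.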
This is how a specific update is approved manually. It is quite time-consuming, since you have to approve each update individually. If you don't want to approve updates manually, you can create automatic update approval rules (auto-approval).
How to Configure Automatic Approval Rules in WSUS?
Automatic approval lets you approve new updates that appear on your WSUS server without administrator involvement and assign them for installation on the target computers. Automatic approval of WSUS updates is based on approval rules.
In the WSUS management console, open Options and select Automatic Approvals.
In the next window, there is only one rule with the name Default Automatic Approval Rule (it is disabled by default) in the Update Rules tab.
To create a new rule, click New Rule.
An approval rule configuration consists of 3 steps: select the update properties, the WSUS computer target group the updates should be installed on, and the name of the rule.
If you click a blue link, the corresponding property window will appear.
For example, you can enable automatic approval of security updates for your test servers. To do this, in the Choose Update Classifications section select Critical Updates, Security Updates and Definition Updates (uncheck all other options). Then, in the Approve the update for dialog box, select the WSUS group named Test_Srv_WSUS.
The Advanced tab contains two further options: automatically approve updates to the WSUS product itself, and automatically approve revisions of updates that Microsoft has changed. Usually all options in this tab are checked.
Now, when your WSUS server downloads new updates on the next second Tuesday of the month (or when you import them manually), they will be approved and installed automatically on the test server group. By default, Windows clients check the WSUS server for new updates every 22 hours. To get new updates onto critical computers as soon as possible, you can change the detection frequency using the Automatic Updates detection frequency policy (see the case WSUS error: Exceeded max server round trips) and set it to once every few hours (you can also scan for updates manually using the PSWindowsUpdate module).
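The rule configured above can also be created without the console, through the WSUS Administration API that the UpdateServices module loads, which is useful when a WSUS server has to be rebuilt reproducibly. This is an added example, not the article's code; it assumes the UpdateServices module on the WSUS server, the rule name is constructed, and the classification and group names are the ones chosen in the text. The two configuration properties at the end correspond to the Advanced tab options.

```powershell
# Added example (not the article's code): create the auto-approval rule from the text
# through the WSUS Administration API (IUpdateServer / IInstallApprovalRule).
# Assumes the UpdateServices module on the WSUS server; the rule name is constructed.
Import-Module UpdateServices
$wsus = Get-WsusServer

$ruleName        = 'AutoApprove-Security-TestSrv'                         # constructed name
$classifications = 'Critical Updates', 'Security Updates', 'Definition Updates'
$targetGroup     = 'Test_Srv_WSUS'

# Reuse an existing rule of the same name instead of creating a duplicate
$rule = $wsus.GetInstallApprovalRules() | Where-Object Name -eq $ruleName
if (-not $rule) { $rule = $wsus.CreateInstallApprovalRule($ruleName) }

# Step 1: update classifications; everything not listed stays unchecked
$classColl = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
$wsus.GetUpdateClassifications() |
    Where-Object { $classifications -contains $_.Title } |
    ForEach-Object { [void]$classColl.Add($_) }
if ($classColl.Count -ne $classifications.Count) { throw "Not all classifications were found on this server" }
$rule.SetUpdateClassifications($classColl)

# Step 2: the single target group (test servers only)
$groupColl = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
$wsus.GetComputerTargetGroups() |
    Where-Object Name -eq $targetGroup |
    ForEach-Object { [void]$groupColl.Add($_) }
if ($groupColl.Count -ne 1) { throw "WSUS group '$targetGroup' not found" }
$rule.SetComputerTargetGroups($groupColl)

# Step 3: the rule is created disabled, like the default rule; enable and save it
$rule.Enabled = $true
$rule.Save()

# Advanced tab equivalents: WSUS self-updates and revised updates
$cfg = $wsus.GetConfiguration()
$cfg.AutoApproveWsusInfrastructureUpdates = $true
$cfg.AutoRefreshUpdateApprovals           = $true
$cfg.Save()

# Optional: apply the rule to updates already on the server (the console's Run Rule button)
$rule.ApplyRule()
```

The two sanity checks on the collection counts matter: SetUpdateClassifications and SetComputerTargetGroups accept an empty collection without complaint, which would leave a rule that approves nothing or, worse, one that approves for no group while appearing enabled in the console.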
How to Decline Installed Updates in WSUS?
If one of the approved updates has caused problems on computers or servers, a WSUS administrator can decline it. To do this, find the update in the WSUS console, right-click it and select Decline.
Then select the WSUS group for which you want to cancel the installation and select Approved for Removal. After a while, the update will be uninstalled on the WSUS clients (the process is described in detail in the article How to Uninstall Windows Updates).
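The removal step can be scripted as well. The following added example (not the article's code) approves a problem update for Uninstall on one group, after checking that the group actually has an Install approval for it and that the update supports uninstallation through WSUS at all, which not every update does. It assumes the UpdateServices module on the WSUS server; the KB number is a constructed placeholder and the function name is mine.

```powershell
# Added example (not the article's code): roll back a problem update for one WSUS group.
# Assumes the UpdateServices module on the WSUS server; the KB number is a placeholder.
Import-Module UpdateServices

function Remove-WsusUpdateFromGroup {
    param(
        [Parameter(Mandatory)][string]$Kb,            # e.g. 'KB5000000' (constructed placeholder)
        [string]$TargetGroup = 'Test_Srv_WSUS'
    )
    $wsus  = Get-WsusServer
    $group = $wsus.GetComputerTargetGroups() | Where-Object Name -eq $TargetGroup
    if (-not $group) { throw "WSUS group '$TargetGroup' not found" }

    $found = Get-WsusUpdate -UpdateServer $wsus -Approval Approved |
        Where-Object { $_.Update.Title -match [regex]::Escape($Kb) }
    if (-not $found) { Write-Warning "No approved update matching $Kb"; return }

    foreach ($wu in $found) {
        $upd = $wu.Update

        # Only act where this group itself holds an Install approval
        $install = $upd.GetUpdateApprovals($group) | Where-Object Action -eq 'Install'
        if (-not $install) { continue }

        # Some updates cannot be uninstalled by the Windows Update agent; WSUS will not remove those
        if (-not $upd.UninstallationBehavior.IsSupported) {
            Write-Warning "$($upd.Title) does not support uninstallation via WSUS"
            continue
        }

        # 'Approved for Removal' in the console = the Uninstall action; clients act on it at next detection
        Approve-WsusUpdate -Update $wu -Action Uninstall -TargetGroupName $TargetGroup
        [pscustomobject]@{ Title = $upd.Title; Group = $TargetGroup; Action = 'Uninstall' }
    }
}

Remove-WsusUpdateFromGroup -Kb 'KB5000000' -TargetGroup 'Prod_Wks_WSUS'
```

Deny-WsusUpdate is the cmdlet equivalent of the Decline menu item and acts server-wide rather than per group; the uninstall-support check above is the case the console hides behind a greyed-out option.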
Ways to Approve WSUS Updates for Production Environments
After you have installed and tested the updates in your test groups and made sure there have been no problems (testing usually takes 3-6 days), you can approve the new updates for the production systems. However, WSUS has no built-in way to automatically approve updates for production systems with a delay (for example, 7 days after the test approval).
Unfortunately, the WSUS console doesn't offer a way to copy all approved updates from one WSUS computer group to another. You can search for new updates manually and approve them for installation in the production groups of servers and computers, but this is quite time-consuming.
I wrote a simple PowerShell script that collects the list of updates approved for the test group and automatically approves all found updates for the production group (see the article Copying Approvals Between WSUS Target Groups). I run the script 7 days after the updates have been installed and tested on the test computer groups. If there have been any problem patches, they must be declined for the test group.
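As an added example (not the author's script from the linked article), the delayed copy can be implemented against the WSUS Administration API exposed by the UpdateServices module: it takes every update approved for Install on Test_Srv_WSUS at least 7 days ago, skips anything declined or superseded in the meantime and anything already approved for Prod_Srv_WSUS, and approves the rest for the production group. Run it with -WhatIf first to review the list; scheduled with Task Scheduler it provides the delayed approval the console lacks. The group names come from the article; the function name and the 7-day default are mine.

```powershell
# Added example (not the article's script): copy Install approvals from the test group to the
# production group, but only for updates that have sat on the test group for $DelayDays days.
# Assumes the UpdateServices module on the WSUS server.
Import-Module UpdateServices

function Copy-WsusApproval {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$SourceGroup = 'Test_Srv_WSUS',
        [string]$TargetGroup = 'Prod_Srv_WSUS',
        [int]$DelayDays = 7
    )
    $wsus   = Get-WsusServer
    $groups = $wsus.GetComputerTargetGroups()
    $src = $groups | Where-Object Name -eq $SourceGroup
    $dst = $groups | Where-Object Name -eq $TargetGroup
    if (-not $src -or -not $dst) { throw "Source or target WSUS group not found" }

    $cutoff = (Get-Date).AddDays(-$DelayDays)

    foreach ($wu in Get-WsusUpdate -UpdateServer $wsus -Approval Approved) {
        $upd = $wu.Update
        # A patch declined after causing trouble on the test group must never reach production
        if ($upd.IsDeclined -or $upd.IsSuperseded) { continue }

        # Install approval on the test group that is old enough to count as tested
        $srcApproval = $upd.GetUpdateApprovals($src) |
            Where-Object { $_.Action -eq 'Install' -and $_.CreationDate -le $cutoff }
        if (-not $srcApproval) { continue }

        # Idempotent: skip updates production already has
        if ($upd.GetUpdateApprovals($dst) | Where-Object Action -eq 'Install') { continue }

        if ($PSCmdlet.ShouldProcess($upd.Title, "Approve Install for $TargetGroup")) {
            if ($upd.RequiresLicenseAgreementAcceptance) { $upd.AcceptLicenseAgreement() }
            [void]$upd.Approve('Install', $dst)
            [pscustomobject]@{
                Title          = $upd.Title
                TestApprovedOn = ($srcApproval | Select-Object -First 1).CreationDate
                CopiedTo       = $TargetGroup
            }
        }
    }
}

Copy-WsusApproval -WhatIf
```

The cut-off is computed from the approval's CreationDate on the test group, not from the update's release date, so an update approved late for testing also reaches production late; that is the behaviour you want from a soak period.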