Windows OS Hub

September 26, 2019 | Windows Server 2012 R2, Windows Server 2016

How to Approve and Decline WSUS Updates?

One of the main tasks of a WSUS administrator (Windows Server Update Services) is to manage approval of updates to be installed on Windows computers and servers. After installation and configuration, the WSUS server starts to regularly download new updates for selected products from Microsoft Update servers.

Contents:
  • Managing Target WSUS Groups
  • Manual Approval and Update Installation Using WSUS
  • How to Configure Automatic Approval Rules in WSUS?
  • How to Decline Installed Updates in WSUS?
  • Ways to Approve WSUS Updates for Production Environments

Managing Target WSUS Groups

After the updates have been downloaded to the WSUS server, you can deploy them on your computers. Before computers can download and install new updates, the updates must be approved (or declined) by a WSUS administrator. In most cases it is recommended to test all new Microsoft updates on some workstations and servers before installing them on production computers.

To organize testing and installation of updates on domain computers and servers, a WSUS administrator must create computer groups. Depending on the business tasks, types of user workstations and server categories, you can create different groups of computers. In general, it is reasonable to create the following WSUS target groups in the Computers -> All computers section of the WSUS console:

  1. Test_Srv_WSUS — a group of test servers (servers that are not business-critical, or dedicated servers with a test environment identical to the production one);
  2. Test_Wks_WSUS — test workstations;
  3. Prod_Srv_WSUS — production Windows servers;
  4. Prod_Wks_WSUS — all user workstations.

[Image: configuring WSUS target computer groups]

These computer groups can be populated with computer objects manually (this usually makes sense for test groups), or you can assign computers and servers to WSUS groups using the Group Policy setting Enable client-side targeting.

After the WSUS groups have been created, you can approve updates for them. There are two ways to approve updates to be installed on the computers: manual or automatic.

Manual Approval and Update Installation Using WSUS

Open the WSUS (Update Services) console and select the Updates section. It displays a summary report of all available updates. By default, there are 4 subsections: All Updates, Critical Updates, Security Updates and WSUS Updates. To approve a specific update, find it in one of these sections (you can search for it by KB name in the update search console or by Microsoft security bulletin number) or filter the updates by release date.

[Image: searching for an update in the WSUS console]

Display the list of unapproved updates (use the Approval=Unapproved filter). Find the update you need, right-click it and select Approve in the menu.

[Image: approving an update in WSUS manually]

In the next window select the WSUS group of computers to approve the installation of this update on (for example, Test_Srv_WSUS). Select Approve for Install. You can approve an update for all computer groups at once by selecting All Computers, or for each group individually. For example, you can approve the update installation on a test group, and in 4-7 days approve it for all computers if no problems occurred.

[Image: Approve for Install]

A window with the update approval results appears. If the update has been approved successfully, the message Result: Success will be displayed. Close this window.

[Image: successful update approval]

This is how a specific update is approved manually. It is quite time-consuming, since you have to approve each update individually. If you don’t want to approve updates manually, you can create automatic approval rules (auto-approval).

How to Configure Automatic Approval Rules in WSUS?

Automatic approval lets you approve new updates that appear on your WSUS server without administrator involvement and assign them for installation on the target computers. Automatic approval of WSUS updates is based on approval rules.

In the WSUS management console, open Options and select Automatic Approvals.

In the next window, there is only one rule with the name Default Automatic Approval Rule (it is disabled by default) in the Update Rules tab.

To create a new rule, click New Rule.

[Image: Default Automatic Approval Rule]

An approval rule configuration consists of 3 steps. You must select the update properties, the WSUS computer target group you want to install the update on and the name of the rule.

[Image: configuring a WSUS auto-approval rule]

If you click a blue link, the corresponding property window will appear.

[Image: selecting update classifications]

For example, you can enable automatic approval of security updates for your test servers. To do this, in the Choose Update Classifications section, select Critical Updates, Security Updates, Definition Updates (uncheck all other options). Then, in the Approve the update for dialog box, select the WSUS group named Test_Srv_WSUS.

[Image: configuring a new automatic approval rule for the test group]

In the Advanced tab, you can check the corresponding options: if you want to automatically approve updates to the WSUS product itself or automatically approve the updates that have been changed by Microsoft. Usually all options in this tab are checked.

[Image: automatically approve updates to the WSUS product itself]

Now, when your WSUS server downloads new updates on the next second Tuesday of the month (or if you import them manually), they will be approved and automatically installed on the test server group. By default, Windows clients scan your WSUS server for new updates every 22 hours. To make sure critical computers get new updates as soon as possible, you can change the synchronization frequency using the Automatic Update detection frequency policy (see the case WSUS error: Exceeded max server round trips) and set it to once every several hours (you can also scan for updates manually using the PSWindowsUpdate module).
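The same rule can be created from PowerShell through the WSUS administration API. This is an added example, not code from the original article; the rule name is hypothetical, and the script assumes it runs in an elevated session on the WSUS server with the UpdateServices module available. It stops if the target group is missing and finishes by listing every rule with its scope, so a rule that targets a broader group than intended is easy to spot.

```powershell
# Added example: create an auto-approval rule scoped to the test servers only.
$ruleName  = 'AutoApprove-Security-TestServers'   # hypothetical rule name
$groupName = 'Test_Srv_WSUS'
$classes   = 'Critical Updates', 'Security Updates', 'Definition Updates'

$wsus = Get-WsusServer   # local WSUS server; also loads the administration assembly

# Stop if the target group is missing, so the rule is never saved with the wrong scope.
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $groupName }
if (-not $group) { throw "WSUS target group '$groupName' not found." }

if ($wsus.GetInstallApprovalRules() | Where-Object { $_.Name -eq $ruleName }) {
    throw "Approval rule '$ruleName' already exists."
}

# Collect only the classifications named in the article.
$classColl = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
$wsus.GetUpdateClassifications() |
    Where-Object { $classes -contains $_.Title } |
    ForEach-Object { [void]$classColl.Add($_) }
if ($classColl.Count -ne $classes.Count) {
    throw 'Not all requested update classifications were found on this server.'
}

$groupColl = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
[void]$groupColl.Add($group)

$rule = $wsus.CreateInstallApprovalRule($ruleName)
$rule.SetUpdateClassifications($classColl)
$rule.SetComputerTargetGroups($groupColl)
$rule.Enabled = $true
$rule.Save()

# Review all rules: an enabled rule that targets All Computers skips the test stage.
$wsus.GetInstallApprovalRules() | ForEach-Object {
    [pscustomobject]@{
        Rule    = $_.Name
        Enabled = $_.Enabled
        Groups  = ($_.GetComputerTargetGroups() | ForEach-Object { $_.Name }) -join ', '
        Classes = ($_.GetUpdateClassifications() | ForEach-Object { $_.Title }) -join ', '
    }
}
```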

If there are a lot of clients on your WSUS server (over 2,000 computers), the performance of the update server with the standard configuration may be low with the constant error 0x80244022 in the windowsupdate.log, so it has to be optimized (see this article).

How to Decline Installed Updates in WSUS?

If one of the approved updates has caused any problems on computers or servers, a WSUS administrator can decline it. To do it, find the update in the WSUS console, right-click it and select Decline.

[Image: declining an update in WSUS]

Then select the WSUS group you want to cancel installation for and select Approved for Removal. After some time, the update will be removed from the WSUS clients (the process is described in detail in the article How to Uninstall Windows Updates).

Ways to Approve WSUS Updates for Production Environments

After you have installed and tested updates in your test groups and made sure that there have been no problems (usually the testing takes 3-6 days), you can approve new updates on the production systems. However, WSUS cannot automatically approve updates for production systems after a delay (for example, in 7 days).

Unfortunately, the WSUS console doesn’t offer a way to copy all approved updates from one WSUS group of computers to another. You can search for new updates manually and approve them for installation in production groups of servers and computers, but this is quite time-consuming.

I wrote a simple PowerShell script that collects the list of updates approved for the test group and automatically approves all found updates for the productive group (see the article Copying Approvals Between WSUS Target Groups). I run the script 7 days after the updates have been installed and tested on the test computer groups. If there have been any problem patches, they must be declined for the test group.
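One way to implement the delayed promotion described above, as an added example that is not the author's script from the linked article. The function name `Copy-WsusApproval` is hypothetical, approval timestamps are assumed to be in UTC, and the code assumes an elevated session on the WSUS server. It only promotes updates whose install approval for the test group is older than the soak period, and it skips anything declined or already approved for the target group.

```powershell
# Added example: copy install approvals from a test group to a production group
# once they have been in place for a soak period. Supports -WhatIf for a dry run.
function Copy-WsusApproval {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$SourceGroup = 'Test_Srv_WSUS',
        [string]$TargetGroup = 'Prod_Srv_WSUS',
        [int]$SoakDays = 7
    )

    $wsus    = Get-WsusServer
    $install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install

    $groups = $wsus.GetComputerTargetGroups()
    $src = $groups | Where-Object { $_.Name -eq $SourceGroup }
    $dst = $groups | Where-Object { $_.Name -eq $TargetGroup }
    if (-not $src -or -not $dst) {
        throw "Both '$SourceGroup' and '$TargetGroup' must exist on the WSUS server."
    }

    # Assumption: WSUS stores approval timestamps in UTC.
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$SoakDays)

    foreach ($update in $wsus.GetUpdates()) {
        # A declined update is a problem patch: never promote it.
        if ($update.IsDeclined -or -not $update.IsApproved) { continue }

        # Install approval on the test group that is at least $SoakDays old.
        $tested = $update.GetUpdateApprovals($src) |
            Where-Object { $_.Action -eq $install -and $_.CreationDate -le $cutoff }
        if (-not $tested) { continue }

        # Skip updates already approved for the production group.
        $existing = $update.GetUpdateApprovals($dst) | Where-Object { $_.Action -eq $install }
        if ($existing) { continue }

        if ($PSCmdlet.ShouldProcess($update.Title, "Approve for install on $TargetGroup")) {
            [void]$update.Approve($install, $dst)
            [pscustomobject]@{ Update = $update.Title; ApprovedFor = $TargetGroup }
        }
    }
}

# Dry run first, then apply:
# Copy-WsusApproval -WhatIf
# Copy-WsusApproval
```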
