How do I automatically approve important updates from WSUS?

Solution 1:

My advice is to only configure Auto Approval rules for a limited set of Windows Updates, generally anything that is classified as a Security Update, and only to a limited set of your servers and workstations.

You can then manually approve those updates for a wider set of your servers and workstations after a period of testing.

As an aside, be aware that there is a distinction between Classifications and Severity. Microsoft has helpfully reused the term 'critical' to refer to both a classification of Windows Update and a Severity Rating, so you have Critical Updates that fix a specific problem that addresses a critical, non-security-related bug (Classification), and you have Security Updates that have a Severity Rating of Critical. You will notice the same applies to Updates with a Severity of 'Important'.

My focus with Windows Update is primarily to ensure that security vulnerabilities are fixed, hence I only really have Auto Approval rules for Updates that are classified as Security Updates, regardless of their severity. If I find a Critical Update that needs to be deployed, that is generally a one-off for our organization. I don't bother with any others.

Also be aware that Service Packs and Feature Rollups contain Security Updates along with a host of other things. You need to think very, very carefully about how you want to handle these Classifications of updates because of how much other stuff they include. Again, my organization's focus is on security vulnerabilities so we do not approve Service Packs or Update Rollups on any automatic or wide-spread basis unless we have a specific need to do so.

I would advise that you only auto-approve Security Updates and that you are more selective with Critical Updates, but it is really what works best in your organization.

Solution 2:

I think the confusion isn't with the auto-approval process, but with Microsoft's terminology. Updates listed as important are really just Security Updates. That being said, there are multiple ways to approve these updates; whether you prefer the GUI or PowerShell is up to you.

Also, remember that Critical Updates are non-security-related updates that MS has deemed critical. Critical security updates are listed as Security Updates with the Critical severity rating.
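
The approach from Solution 1, done in PowerShell as Solution 2 mentions, is sketched below as an added example that is not part of either answer. It scopes an auto-approval rule to the Security Updates classification and a pilot group, lists what the enabled rules cover, and previews a manual approval for a wider group. The group names and the rule name are hypothetical.

```powershell
# Run on the WSUS server, where the UpdateServices module is available.
# Group and rule names below are hypothetical; substitute your own.
$PilotGroup = 'Pilot-Servers'   # small test group that receives auto-approvals
$WideGroup  = 'All-Servers'     # wider group, approved manually after testing
$RuleName   = 'Auto-approve Security Updates (pilot)'

$wsus = Get-WsusServer

# Select by classification, not severity: 'Security Updates' covers every
# severity rating, while 'Critical Updates' is a separate classification.
$classes = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
$wsus.GetUpdateClassifications() |
    Where-Object { $_.Title -eq 'Security Updates' } |
    ForEach-Object { [void]$classes.Add($_) }

$groups = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
$wsus.GetComputerTargetGroups() |
    Where-Object { $_.Name -eq $PilotGroup } |
    ForEach-Object { [void]$groups.Add($_) }

# Refuse to save a rule whose scope did not resolve to exactly what was intended.
if ($classes.Count -ne 1 -or $groups.Count -ne 1) {
    throw "Classification or target group not found; rule not created."
}

# Reuse the rule if it already exists so reruns do not create duplicates.
$rule = $wsus.GetInstallApprovalRules() | Where-Object { $_.Name -eq $RuleName }
if (-not $rule) { $rule = $wsus.CreateInstallApprovalRule($RuleName) }
$rule.SetUpdateClassifications($classes)
$rule.SetComputerTargetGroups($groups)
$rule.Enabled = $true
$rule.Save()

# Audit: show what every enabled rule auto-approves, and for which groups.
$wsus.GetInstallApprovalRules() | Where-Object { $_.Enabled } | ForEach-Object {
    [pscustomobject]@{
        Rule            = $_.Name
        Classifications = ($_.GetUpdateClassifications().Title -join ', ')
        TargetGroups    = ($_.GetComputerTargetGroups().Name -join ', ')
    }
}

# After the test period: preview approving needed Security Updates for the
# wider group. Remove -WhatIf to apply the approvals.
Get-WsusUpdate -UpdateServer $wsus -Classification Security -Approval Approved -Status FailedOrNeeded |
    Approve-WsusUpdate -Action Install -TargetGroupName $WideGroup -WhatIf
```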