One of the lesser known (or understood) features of WSUS is the ability to assign a computer to more than one Target Group. Multiple Target Groups can be useful for managing special-case approval needs for a specific update, as when a small subset of computers should not receive a particular update. They can also be useful for creating custom reporting groups, when used in conjunction with the WSUS Reporting capability for filtering by Target Group.


When using multiple Target Groups to manage approvals, there’s often a question of the effective approval for an update.


  • If you have two peer groups and Update ‘A’ is Approved for Group ‘A’ and Update ‘A’ is Not Approved for Group ‘B’, then Group ‘A’ gets the update and Group ‘B’ does not. If a computer belongs to both groups, then the computer gets the update, because, unlike AD or NTFS ACLs, there is no “Deny” operation on a per-group basis. All it takes is one approval from one group where a computer has membership.
  • If you have a parent-child group, and Update ‘A’ is Approved for the Parent Group, by default the Child Group will inherit that approval unless explicitly marked as Not Approved for the child group.


In the case where a handful of systems need to NOT get an update, the only practical way to implement the solution is with a Parent->Child group, where the Child Group is the group of exclusions. The advantage to this is that the six systems will inherit all of the existing approvals from the Parent Group, but the specific update of interest can be set to Not Approved for the child group.


If you create peer groups, then you must remove the six machines from the original group or they’ll still have an approval for the unwanted update. Also, you’ll have to replicate all of the existing approvals from the existing group to the new group. Finally, removing a  computer from an existing (normal) group can be undesirable for many reasons, the most notable being reporting. For organizations that report by target group, removing systems from a regularly-assigned target group will negatively impact reporting. In the end, just way too much work to achieve the objective desired.


When the issue affecting the special-handling update goes away (i.e. the update is fixed, superseded, or expired), the only ‘undo’ that is required is to remove the systems from the child group and delete the group.

On Thursday (Nov 7) Microsoft announced the forthcoming content for Patch Tuesday – Nov 12, 2013.


Number of Releases: 8

Critical Security Updates: 3 addressing vulnerabilities in Windows and Internet Explorer.

Important Security Updates: 5 addressing vulnerabilities in Windows and Office 2003/2007/2010/2013.


You can have Microsoft's security bulletins sent directly to you:

To receive automatic notifications whenever Microsoft Security Bulletins are issued, subscribe to Microsoft Technical Security Notifications.


Microsoft also hosts a webcast where they discuss the releases, typically the Wednesday after Patch Tuesday:

Microsoft will host a webcast to address customer questions on the security bulletins on Nov 13, 2013, at 11:00 AM Pacific Time (US & Canada).

Register now for the November Security Bulletin Webcast.

You can also follow the MSRC team at @MSFTSecResponse.


Updates are typically released by Microsoft at 10am PDT (5pm UTC).

Configuring WSUS servers to synchronize relative to that time can be helpful in expediting availability of these security updates.

SolarWinds uses cookies on its websites to make your online experience easier and better. By using our website, you consent to our use of cookies. For more information on cookies, see our cookie policy.