Approve all downloads automatically

Question

I'm looking at possibly changing how we handle our automatic updates, notably I'd like to automatically push out any updates with the 'security update' or 'critical updates' heading.

I already have update management rules out there that will apply the updates on the schedule I want, like follows.

...
Force downloads: No
Force installs: No
Use Microsoft Update Catalog: No
Include Only Approved: Yes
Approved Only Option: Any approved update
Dont include superseded: No
Install exclusive update only if found: No
Planning Mode: No
Reboot Options: Do not post-reboot computer
Post-Grace Period Enabled: No
Do not include exclusive updates: No
Wake On Lan: Disabled
Rule: Classification equals 'Security Updates'
Rule: Classification equals 'Critical Updates'

This works well, and allows me to to stop security updates that will break things from going out by declining the packages. What I'd really like to do is mark all downloaded packages as approved by default. That way I can manually disapprove them if they cause issues. How do I do that?

kellytice · Answer

The current version of Patch Manager has an option for Auto-Publishing 3rd party updates if you right-click the Software Publishing node.  From my understanding, you can toggle it on for some of the 3rd party updates - those that have direct download links (Firefox, Chrome, Adobe Reader, WinZip, etc...).    I do not believe it will work for some other 3rd party packages (Java, Adobe Flash, Skype are examples) since those require you to agree to the redistribution agreement or EULA or take some other action to get the binary content downloaded.

Note that when a Package comes into Patch Manager from whatever catalog, as noted previously, even if you publish it into WSUS it still needs to be Approved if you wish to deploy it using the Windows Update Agent scheduling through Group Policy.

Most of the packages will have a Classification of either Security Updates or Critical Updates...and as far as WSUS is concerned, when a package is published into WSUS and becomes an 'update' there WSUS sees that as "HEY, I have a new update!" and will process it through WSUS' Automatic Approval rules (if such rules exist at the time of publishing) the same way it would process a Microsoft Update that has just come into the system.

So, if you have an Automatic Approval Rule that says "auto approve all Critical Updates and Security Updates for my All Computers group", that rule will apply to published 3rd party updates as well as Microsoft Updates.

frgpugs · Answer

You can auto approve for microsoft updates through wsus via patch manager, you dont have to do that on the wsus server itself, but for third party i cant find a way to do it either.  You can put in a ticket with solarwinds and they may know if its possible or not.

timb · Answer

@frgpugs thanks. It looks like you are right, at least in part.. We can't auto approve within Patch Manager directly but it can be done via WSUS for Microsoft updates. Digging through the documentation and the forums at least turned that much up.

Hopefully there is some way we can automate / script these third party packages as well, but if that is available it isn't obvious.