How to keep WSUS from automatically approving third-party updates

Automatic approval rules in WSUS are extremely useful, especially to admins in small shops that don't want to have to review and approve every single patch that lands on their WSUS server. A common example is to create an automatic approval rule that says something like, "Automatically approve all Critical and Security updates for the All Computers group." With a rule like this in place, WSUS will evaluate the Classification attribute of all updates, and then approve any updates that have a classification of either Critical or Security. This is great when all you're managing is updates from Microsoft, but what does a rule like this do in an environment that also supports third-party patch management?

Automatic Approvals and Third-party Updates

The important thing to note about this scenario with regard to third-party publishing is that third-party updates also have a Classification attribute. So, if you publish a Java patch to your WSUS server, for example, and that patch is classified as critical, WSUS would automatically approve that update, just like it would any critical Microsoft update. Where this causes issues is in environments that require more granular control over their third-party patches than the patches from Microsoft. If this sounds familiar, what you need is an automatic approval rule that addresses the Microsoft products in your environment, but leaves out any third-party products, which typically require more attention.

The Solution

The solution to the WSUS patching problem I just described is to create a more specific automatic approval rule. For example, you could create a rule that says something more like, "Automatically approve all Critical and Security updates in these Microsoft products for the All Computers group." That way, you can publish critical and security updates from third parties to your WSUS server, but still retain control over which updates you approve for which computer groups.

To create an automatic approval rule for specific Microsoft products in WSUS:

  1. In the WSUS console, create a new rule (or edit your existing rule) in Options > Automatic Approval Rules.
  2. In the rule, select the option, When an update is in a specific product.
  3. In the bottom pane, click any product. This should be a blue hyperlink.
  4. In the window that lists all of the Microsoft products, clear the check boxes next to any product that does not apply to your environment. The resulting list should contain all of the Microsoft products for which you want WSUS to automatically approve updates. If you leave all of the products selected, the rule will continue to apply to any product.
  5. Click OK.
  6. If you are creating this rule from scratch, select the appropriate options to define the classifications for which you wish to automatically approve updates and specify the applicable computer group(s).
  7. Click OK to save the rule.

After you have this rule in place, WSUS will only automatically approve the Microsoft updates that meet the specific criteria you defined in your rule. WSUS patch management simplified!


  • Is there any hope of incorporating the ability to create third-party specific approval rules when using WSUS? The "work around" described above seems to be only an all-or-nothing type of rule, so either most, or all, or my third party software updates are automatically approved, or I have to approve them all one by one.