This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Create Post

How to keep WSUS from automatically approving third-party updates

phil3
Level 13
‎10-29-2012 10:10 AM
‎10-29-2012 10:10 AM

Automatic approval rules in WSUS are extremely useful, especially to admins in small shops that don't want to have to review and approve every single patch that lands on their WSUS server. A common example is to create an automatic approval rule that says something like, "Automatically approve all Critical and Security updates for the All Computers group." With a rule like this in place, WSUS will evaluate the Classification attribute of all updates, and then approve any updates that have a classification of either Critical or Security. This is great when all you're managing is updates from Microsoft, but what does a rule like this do in an environment that also supports third-party patch management?

Automatic Approvals and Third-party Updates

The important thing to note about this scenario with regard to third-party publishing is that third-party updates also have a Classification attribute. So, if you publish a Java patch to your WSUS server, for example, and that patch is classified as critical, WSUS would automatically approve that update, just like it would any critical Microsoft update. Where this causes issues is in environments that require more granular control over their third-party patches than the patches from Microsoft. If this sounds familiar, what you need is an automatic approval rule that addresses the Microsoft products in your environment, but leaves out any third-party products, which typically require more attention.

The Solution

The solution to the WSUS patching problem I just described is to create a more specific automatic approval rule. For example, you could create a rule that says something more like, "Automatically approve all Critical and Security updates in these Microsoft products for the All Computers group." That way, you can publish critical and security updates from third parties to your WSUS server, but still retain control over which updates you approve for which computer groups.

To create an automatic approval rule for specific Microsoft products in WSUS:

  1. In the WSUS console, create a new rule (or edit your existing rule) in Options > Automatic Approval Rules.
  2. In the rule, select the option, When an update is in a specific product.
  3. In the bottom pane, click any product. This should be a blue hyperlink.
  4. In the window that lists all of the Microsoft products, clear the check boxes next to any product that does not apply to your environment. The resulting list should contain all of the Microsoft products for which you want WSUS to automatically approve updates. If you leave all of the products selected, the rule will continue to apply to any product.
  5. Click OK.
  6. If you are creating this rule from scratch, select the appropriate options to define the classifications for which you wish to automatically approve updates and specify the applicable computer group(s).
  7. Click OK to save the rule.

After you have this rule in place, WSUS will only automatically approve the Microsoft updates that meet the specific criteria you defined in your rule. WSUS patch management simplified!

pastedImage_0.png

0 Kudos
1 Comment
karl_f
Level 8
‎06-05-2015 10:14 AM

Is there any hope of incorporating the ability to create third-party specific approval rules when using WSUS? The "work around" described above seems to be only an all-or-nothing type of rule, so either most, or all, or my third party software updates are automatically approved, or I have to approve them all one by one.

0 Kudos
About the Author
Phil3 is a self-proclaimed resident of Cascadia. He also feels like George Costanza when he writes in 3rd person: "Phil3's getting upset!"

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification SolarWinds Lab
About THWACK Blogs Federal & Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
© 2021 SolarWinds Worldwide, LLC. All Rights Reserved.