Re: Understanding WSUS

Hi Rick

That is just a filtered view of your current updates. Each update has one
of four approval settings:

Install
Detect Only
Not Approved
Declined

The short story is that the only updates that are going to get installed on
your machines are the ones with their approval set to Install. By default,
WSUS automatically sets the approval level for new updates to Detect Only.
This allows the administrator to see what patches are needed, so you can
then review those patches and see if you want to approve those patches for
installation. The theory here is that if there are 15 new patches released,
but you only needed 3 on your network, why would you review and test the 13
that aren't needed (and thus won't be installed)?

SO - when you review the needed patches, you then change the approval status
as necessary, to Install if you want the update(s) installed, Declined if
you don't want to install the updates (and don't want to see them again) . .
.. think a patch gone bad that is replaced with an updated version, or a
non-critical Office patch that you find breaks some 'feature' that the users
can't live without, etc. Detect Only obviously detects if the patch is
needed, but doesn't install it, and Not Approved are patches that haven't
had anything done with them yet. SO - to change a patch's approval, on the
Updates screen, you can filter your view to show you the updates currently
set to Detect Only, click on an update, then click the Change Approval link
in the top left to change to either Install or Not Approved. You can
decline the update

Now, when go access the WSUS Options | Automatic Approval Options, you can
change what update classifications (Critical Update, Rollup, Drivers,
Service Packs, etc.) are automatically approved for detection, and which
ones are automatically approved for installation. I am currently not using
any automatic approval for installation - I want to control what updates I
approve for installation. But I am using automatic approval for detection,
so I can see at a glance what patches are needed by which machines.

SO - you can configure WSUS to not automate anything - where you manually
synchronize your WSUS server, manually set updates for Detect Only, then
manually set those updates to Install. Or, you can configure WSUS to
synchronize automatically, and automatically approve updates (based on
classification) for detection, but then manually approve updates for
installation. OR, you can configure WSUS to also automatically approve
updates for installation as well (which would be the same as manually
setting Automatic Updates on a PC to install everything automatically). But
it all comes back to the approval setting for the individual updates - which
have to be set to 'Install' to be installed . . . it's just a matter of
whether you manually approve updates for installation, or allow WSUS to
automatically approve updates for installation.

WSUS is definitely different than Shavlik. While there are things I really
like about Shavlik, WSUS is growing on me. Specifically, I like the idea
that WSUS effectively lets me create an update policy on the network - so if
there is a random patch that we don't want installed for whatever reason, I
can decline that on the WSUS console and never have to worry about that
patch being installed by accident. If I rebuild a PC, I don't have to worry
about remembering what patch(es) I don't want, etc. Drop that puppy on the
network, it picks up the GPO, checks in with WSUS and installs all necessary
patches (and none of the ones I don't want), without any additional effort
on my part. That is where I see the real benefit of WSUS . . .

The only thing I would change with WSUS is to include some sort of mechanism
to force / push an update, so if there is something really nasty that comes
out, I can install it everywhere ASAP . . .

--

Chad A. Gross - SBS MVP
SBS ROCKS!

http://msmvps.com/cgross


.

Relevant Pages

  • Re: Understanding WSUS
    ... I want WSUS to automatically approve and install ... So why aren't the critical updates installing on the workstations but only ... > SO - you can configure WSUS to not automate anything - where you manually ...
    (microsoft.public.windows.server.sbs)
  • Re: 794 detected updates in WSUS
    ... Most of the updates have been superceded, so do things like approve XP SP3 and then run the cleanup agent. ... Any comments on the installation? ... > rather than to a Organisational Unit. ...
    (microsoft.public.windows.server.sbs)
  • Re: MSDN R2 -- WSUS -- Auto Approve Defender Defs?
    ... Approval Options, Approve for Installation, Classifications. ... Critical Updates, Definition Updates, and Security Updates. ... auto-approved, or can I change something to auto-approve them? ...
    (microsoft.public.windows.server.sbs)
  • RE: Rollout Version 6 automatically
    ... To take it a step further, I actually automate the installation of the ... updates as well. ... Rob ...
    (microsoft.public.windowsupdate)
  • MSDN R2 -- WSUS -- Auto Approve Defender Defs?
    ... I'm having to go in every other day to approve them. ... auto-approved, or can I change something to auto-approve them? ... Computers set to High -- Approve all security updates, ... Service Packs for installation. ...
    (microsoft.public.windows.server.sbs)