How to approve and deploy updates in WSUS? (Ranjan.info)

One of the main tasks of a WSUS (Windows Server Update Services) administrator is managing the approval of updates that are to be installed on Windows computers and servers. In this article, we'll show you how to manually approve updates, configure auto-approval rules, and decline already-approved updates using the WSUS console and PowerShell.

Configure target computer group in WSUS

Once the WSUS role on a Windows Server host is installed and configured, it begins to regularly download updates for the selected products from Microsoft Update. Before computers on your network can download and install new updates, those updates must be approved (or declined) by a WSUS administrator.

To organize the testing and deployment of updates on domain computers and servers, the WSUS administrator must create target computer groups. Depending on business function, user workstations and servers can be split into different groups. In general, it makes sense to create the following computer groups in the WSUS console under Computers > All Computers:

  • Test_Srv_WSUS – test servers (non-business-critical servers, or dedicated servers running the same software as production);
  • Test_Wks_WSUS – test workstations;
  • Product_Srv_WSUS – production Windows servers;
  • Product_Wks_WSUS – all user workstations.

configuring wsus target computer groups

You can add computers or servers to WSUS groups manually, or assign them to groups automatically with the Enable client-side targeting Group Policy option.

After you have created the WSUS groups, you can approve updates for them. There are two ways to approve updates for installation on computers: manually or automatically.

How to manually approve and deploy updates in WSUS?

Open the WSUS (Update Services) console and select the Updates section. It displays a summary of all available updates. By default, there are 4 subsections: All Updates, Critical Updates, Security Updates, and WSUS Updates. You can approve the installation of a specific update by locating it in one of these sections (search for it by KB number in the update search box, or sort the updates by release date).

search for updates in wsus console

You can apply various filters in the WSUS console. To display the updates that have not been approved yet, use the filter Approval: Unapproved, Status: Any. Find the update you want, right-click it, and select Approve from the menu.

You can select multiple updates at once using the CTRL and SHIFT keys.

Manually approve updates in wsus

Select the WSUS computer group for which you want to approve the update (for example, Test_Srv_WSUS) and choose Approved for Install. You can approve updates for all computer groups at once (All Computers) or for each group individually. For example, you can approve the update for the test group and, after 4-7 days, if no problems occur, approve it for all computers.

approve updates to install

A window with the approval results appears. If the update has been approved successfully, the message Result: Success is displayed. Close the window.

successful update approval

This is how a specific update is approved manually. It takes a long time, because you have to approve each update individually. If you don't want to approve updates manually, you can create automatic approval rules.

Configure automatic update approval rules in WSUS

Automatic approval lets new updates that appear on your WSUS server be approved and assigned for installation on the target computers without administrator intervention. Automatic approval of WSUS updates is based on approval rules.

In the WSUS management console, go to Options and select Automatic Approvals.

On the Update Rules tab there is only one rule, named Default Automatic Approval Rule (it is disabled by default).

To create a new rule, click New Rule.

default automatic approval rule

The approval rule consists of 3 steps: select the update properties, select the target WSUS computer group on which the updates should be installed, and give the rule a name.

Configure wsus auto-approval rule

If you click a blue link in the rule, the corresponding properties window opens.

Select update classifications

For example, you can enable automatic approval of security updates for your test servers. To do this, select Critical Updates, Security Updates, and Definition Updates in the Choose Update Classifications dialog (uncheck all other options). Then select the Test_Srv_WSUS group in the Approve updates for dialog.

The Set a deadline for the approval option lets you specify whether the update must be installed on the target computers by a given date (regardless of the Windows Update settings). In this case the computers may be restarted automatically, even if the GPO option 'No auto-restart with logged on users for scheduled automatic updates installations' is enabled.

Configure new automatic approval rule for test group

On the Advanced tab, you can choose whether to automatically approve updates to WSUS itself and whether to automatically approve revisions of updates that have been changed by Microsoft. It is recommended to enable all checkboxes on this tab.

Automatically approve WSUS product updates and update revisions

Now, when your WSUS server downloads new updates on the next second Tuesday of the month (or when you import them manually), they will be approved and installed automatically on the test computer group.

By default, Windows clients check your WSUS server for new updates every 22 hours. To make sure that critical devices receive new updates as quickly as possible, you can increase the check frequency with the Automatic Updates detection frequency Group Policy parameter (see the article on the WSUS error "Too many server round trips"). You can also scan for updates manually using the PSWindowsUpdate PowerShell module.

With a large number of clients (more than 2,000 computers), the performance of the WSUS server with the default configuration may be insufficient, and the error 0x80244022 appears constantly in windowsupdate.log. You can optimize the performance of the WSUS IIS application pool according to the following guide.

After you have installed and tested the updates on your test computers and verified that there are no problems (testing usually takes 3-6 days), you can approve the new updates for the production computers.

How to Deny and Remove Updates on WSUS Server?

If one of the approved updates has caused a problem on a computer or server, the WSUS administrator can decline it. To do this, find the update in the WSUS console, right-click it, and select Decline.

Decline updates in WSUS

Then select the WSUS group from which you want to uninstall the update and choose Approved for Removal. After a while, the update will be removed from the WSUS clients (this process is described in more detail in the article "How to uninstall Windows Update?").
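The same rollback can be scripted with the Microsoft.UpdateServices.Administration API. The following script is an added example and not part of the original article; the server name, port, KB number and group name are placeholders you must replace.

```powershell
# Added example (not from the original article): remove a problem update from one
# WSUS target group. Server name, KB number and group name below are placeholders.
param(
    [string]$WsusServerFqdn = 'wsus.example.local',   # placeholder
    [int]$Port = 8530,
    [string]$KB = '5000000',                          # placeholder KB number (digits only)
    [string]$GroupName = 'Test_Srv_WSUS',
    [switch]$DeclineGlobally                          # also stop offering it to every group
)
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus  = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServerFqdn, $false, $Port)
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $GroupName }
if (-not $group) { throw "Target group '$GroupName' not found on $WsusServerFqdn" }

# SearchUpdates matches on title text, so confirm the KB through KnowledgebaseArticles
$updates = $wsus.SearchUpdates("KB$KB") | Where-Object { $_.KnowledgebaseArticles -contains $KB }
if (-not $updates) { throw "No update with KB$KB found on $WsusServerFqdn" }

foreach ($update in $updates) {
    # Remove the group's own Install approval so it is no longer offered there
    $update.GetUpdateApprovals($group) |
        Where-Object { $_.Action -eq 'Install' } |
        ForEach-Object { $_.Delete() }

    if ($null -ne $update.UninstallationBehavior) {
        # Update supports uninstall: same as 'Approved for Removal' in the console
        $update.Approve('Uninstall', $group) | Out-Null
        Write-Output ("Approved for removal in {0}: {1}" -f $GroupName, $update.Title)
    } else {
        # Not uninstallable (definition updates, for example): only withdraw the approval;
        # removal from clients needs the manual uninstall procedure
        $update.Approve('NotApproved', $group) | Out-Null
        Write-Output ("Not uninstallable, approval withdrawn in {0}: {1}" -f $GroupName, $update.Title)
    }

    if ($DeclineGlobally -and -not $update.IsDeclined) {
        # Decline is server-wide, not per group, so it is opt-in here
        $update.Decline()
        Write-Output ("Declined on the server: {0}" -f $update.Title)
    }
}
```

Run it first without -DeclineGlobally, because a decline affects every target group at once and cannot be scoped to the test group.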

Approve WSUS Updates with PowerShell

You can use PowerShell to manage the approval of WSUS updates. To connect to a WSUS host from the PowerShell console, use the following code (replace the server name with your own):

$WsusServerFqdn = 'mont-wsus.woshub.com'
# Load the WSUS administration API
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
# Connect to the WSUS server over HTTP (second argument $True for SSL) on port 8530
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServerFqdn, $False, 8530)

You can now perform various tasks on your WSUS server. For example, to run update synchronization:

$wsus.GetSubscription().StartSynchronization();

List of WSUS computer groups:

$wsus.GetComputerTargetGroups()

Select a specific group of computers:

$group = $wsus.GetComputerTargetGroups() | ? {$_.Name -eq "Test_WKS_WSUS"}

You can use the GetUpdates method to get the list of updates. For example, to select the Windows and Office security and critical updates released in a specific time frame:

$updates = $wsus.GetUpdates() | ? {
    ($_.CreationDate -gt "6/1/2022" -and $_.CreationDate -lt "7/1/2022" -and
     $_.Title -notmatch ".net Framework" -and $_.PublicationState -ne "Expired") -and
    ($_.ProductFamilyTitles -eq "Windows" -or $_.ProductFamilyTitles -eq "Office") -and
    ($_.UpdateClassificationTitle -eq "Security Updates" -or $_.UpdateClassificationTitle -eq "Critical Updates")
}

You can now approve the selected updates for installation on the specified WSUS group:

foreach ($update in $updates)
{
    $update.Approve("Install", $group)
}

approve new wsus update with powershell

You can also use the built-in UpdateServices PowerShell module to manage WSUS.

UpdateServices Built-in PowerShell Module

For example, you can use the following PowerShell script to approve the security updates released in the last 30 days for a target group:

$since = (Get-Date).AddDays(-30)
$wsus = Get-WsusServer -Name wsusservername -Port 8530
# Show the updates that clients still need and that are not approved yet
Get-WsusUpdate -UpdateServer $wsus -Approval Unapproved -Status Needed
# Approve the unapproved Windows and Office security updates created within the last 30 days
Get-WsusUpdate -UpdateServer $wsus -Classification Security -Approval Unapproved |
    Where-Object { ($_.Update.CreationDate -gt $since) -and
                   ($_.Update.IsDeclined -ne $true) -and
                   ($_.Update.Title -ilike "*Windows*" -or $_.Update.Title -ilike "*Office*") } |
    Approve-WsusUpdate -Action Install -TargetGroupName "Test_WKS_WSUS"

How to copy accepted updates between WSUS target groups?

Unfortunately, the WSUS console cannot copy approved updates from one WSUS computer group to another. You would have to find the new updates one by one and manually approve them for installation on the production groups of servers and computers, which is time consuming.

I've written a simple PowerShell script that collects a list of approved updates for a test group and automatically approves the same updates for the production computer group. I run the script 7 days after the updates are installed on the test groups.

$WsusServerFqdn = 'mont-wsus.woshub.com'
$WsusSourceGroup = 'Workstation_Test'
$WsusTargetGroup = 'WorkstationProduction'
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServerFqdn, $False, 8530)
$Groups = $wsus.GetComputerTargetGroups()
$WsusSourceGroupObj = $Groups | Where-Object { $_.Name -eq $WsusSourceGroup }
$WsusTargetGroupObj = $Groups | Where-Object { $_.Name -eq $WsusTargetGroup }
$Updates = $wsus.GetUpdates()
$i = 0
ForEach ($Update in $Updates)
{
    # Copy the approval only when the source group has one and the target group does not
    if ($Update.GetUpdateApprovals($WsusSourceGroupObj).Count -ne 0 -and $Update.GetUpdateApprovals($WsusTargetGroupObj).Count -eq 0)
    {
        $i++
        Write-Host ("Approving " + $Update.Title)
        $Update.Approve('Install', $WsusTargetGroupObj) | Out-Null
    }
}
Write-Output ("Approved {0} updates for target group {1}" -f $i, $WsusTargetGroup)

copy accepted updates between wsus computer groups with powershell script

This PowerShell script loops through all updates approved for the source WSUS group and approves each one for installation if it is not yet approved for the target group. The sample writes the approved updates to the PowerShell console; you can redirect the script output to a text file instead.
